-rw-r--r-- | REFERENCE.md | 16 | ||||
-rw-r--r-- | manifests/chain.pp | 17 | ||||
-rw-r--r-- | manifests/config.pp | 7 | ||||
-rw-r--r-- | manifests/init.pp | 2 | ||||
-rw-r--r-- | spec/acceptance/ferm_spec.rb | 39 | ||||
-rw-r--r-- | templates/ferm_chain_header.conf.epp | 3 |
6 files changed, 74 insertions, 10 deletions
diff --git a/REFERENCE.md b/REFERENCE.md index 4a3283a..ec71f8f 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -160,6 +160,14 @@ Default policy for the INPUT chain Default value: 'DROP' +##### `input_drop_invalid_packets_with_conntrack` + +Data type: `Boolean` + +Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false`. You can set this to false if your policy is DROP. This only effects the INPUT chain. + +Default value: `false` + ##### `rules` Data type: `Hash` @@ -247,6 +255,14 @@ Disable/Enable usage of conntrack. By default, we enable conntrack only for the Default value: `true` +##### `drop_invalid_packets_with_conntrack` + +Data type: `Boolean` + +Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP. + +Default value: `false` + ##### `log_dropped_packets` Data type: `Boolean` diff --git a/manifests/chain.pp b/manifests/chain.pp index 0593cc8..54eb455 100644 --- a/manifests/chain.pp +++ b/manifests/chain.pp @@ -8,6 +8,7 @@ # } # # @param disable_conntrack Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain +# @param drop_invalid_packets_with_conntrack Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP. # @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched # @param policy Set the default policy for CHAIN (works only for builtin chains) # Allowed values: (ACCEPT|DROP) (see Ferm::Policies type) 
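Review bot: The new `@param drop_invalid_packets_with_conntrack` comment in manifests/chain.pp advises that the flag can stay false "if your policy is DROP", but a chain policy only decides packets that match no rule; an INVALID-state packet that reaches a later explicit ACCEPT rule (for example an ssh allow rule that does not also match `ctstate NEW`) is still accepted, so a DROP policy is not a substitute for this rule. Suggest ending the comment with: `# A DROP policy does not replace this rule: INVALID packets matching an explicit ACCEPT rule are still accepted.` The `define ferm::chain` header this comment documents lies outside the hunk.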
@@ -19,11 +20,12 @@ # define ferm::chain ( Boolean $log_dropped_packets, - Boolean $disable_conntrack = true, - String[1] $chain = $name, - Optional[Ferm::Policies] $policy = undef, - Ferm::Tables $table = 'filter', - Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions, + Boolean $drop_invalid_packets_with_conntrack = false, + Boolean $disable_conntrack = true, + String[1] $chain = $name, + Optional[Ferm::Policies] $policy = undef, + Ferm::Tables $table = 'filter', + Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions, ) { # prevent unmanaged files due to new naming schema # keep the default "filter" chains in the original location @@ -54,8 +56,9 @@ define ferm::chain ( target => $filename, content => epp( "${module_name}/ferm_chain_header.conf.epp", { - 'policy' => $policy, - 'disable_conntrack' => $disable_conntrack, + 'policy' => $policy, + 'disable_conntrack' => $disable_conntrack, + 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack, } ), order => '01', diff --git a/manifests/config.pp b/manifests/config.pp index bd08e96..5876bd7 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -46,9 +46,10 @@ class ferm::config { } ferm::chain{'INPUT': - policy => $ferm::input_policy, - disable_conntrack => $ferm::input_disable_conntrack, - log_dropped_packets => $ferm::input_log_dropped_packets, + policy => $ferm::input_policy, + disable_conntrack => $ferm::input_disable_conntrack, + log_dropped_packets => $ferm::input_log_dropped_packets, + drop_invalid_packets_with_conntrack => $ferm::input_drop_invalid_packets_with_conntrack, } ferm::chain{'FORWARD': policy => $ferm::forward_policy, diff --git a/manifests/init.pp b/manifests/init.pp index 4c69452..b1d051e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
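Review bot: In manifests/config.pp only the `INPUT` chain resource is wired to the new flag; the `FORWARD` and `OUTPUT` resources declared right after it inherit `ferm::chain`'s new default of `false`. Because the template now emits `mod conntrack ctstate INVALID DROP` only when that flag is set, any deployment that enabled conntrack on those chains (presumably via analogous `*_disable_conntrack` parameters, not visible here) loses the INVALID drop it previously got unconditionally, and has no class-level parameter to restore it. Consider adding matching `forward_drop_invalid_packets_with_conntrack` / `output_drop_invalid_packets_with_conntrack` parameters passed through here, or at least stating in the parameter docs that the flag is INPUT-only by design. The `ferm::config` class body continues outside the hunk.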
@@ -38,6 +38,7 @@ # @param forward_policy Default policy for the FORWARD chain # @param output_policy Default policy for the OUTPUT chain # @param input_policy Default policy for the INPUT chain +# @param input_drop_invalid_packets_with_conntrack Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false`. You can set this to false if your policy is DROP. This only effects the INPUT chain. # @param rules A hash that holds all data for ferm::rule # @param chains A hash that holds all data for ferm::chain # @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched @@ -61,6 +62,7 @@ class ferm ( Boolean $forward_log_dropped_packets = false, Boolean $output_log_dropped_packets = false, Boolean $input_log_dropped_packets = false, + Boolean $input_drop_invalid_packets_with_conntrack = false, Hash $rules = {}, Hash $chains = {}, Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'], diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb index f827dc2..0dd2399 100644 --- a/spec/acceptance/ferm_spec.rb +++ b/spec/acceptance/ferm_spec.rb @@ -67,6 +67,7 @@ describe 'ferm' do describe command('iptables-save') do its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m } + its(:stdout) { is_expected.not_to match %r{state INVALID -j DROP} } end describe iptables do 
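Review bot: The new `@param input_drop_invalid_packets_with_conntrack` comment in manifests/init.pp has a typo (`effects` should be `affects`) and refers to `$disable_conntrack`, which at class level is actually `$input_disable_conntrack` as the config.pp hunk shows. Its advice that the flag can stay false "if your policy is DROP" is also imprecise, since the policy only covers packets matching no rule and an INVALID packet hitting an explicit ACCEPT rule is still accepted. Suggest: `# @param input_drop_invalid_packets_with_conntrack Enable/Disable the 'mod conntrack ctstate INVALID DROP' statement in the INPUT chain. Only has an effect if $input_disable_conntrack is false. A DROP policy does not replace it: INVALID packets matching an explicit ACCEPT rule are still accepted.` The `class ferm` parameter list continues outside the hunk.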
@@ -122,5 +123,43 @@ describe 'ferm' do end end end + + context 'with dropping INVALID pakets' do + pp2 = %( + class { 'ferm': + manage_service => true, + manage_configfile => true, + manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script + forward_policy => 'DROP', + output_policy => 'ACCEPT', + input_policy => 'DROP', + input_drop_invalid_packets_with_conntrack => true, + rules => { + 'allow_acceptance_tests' => { + chain => 'INPUT', + action => 'ACCEPT', + proto => tcp, + dport => 22, + }, + }, + ip_versions => ['ip'], #only ipv4 available with CI + } + ) + + it 'works with no error' do + apply_manifest(pp2, catch_failures: true) + end + it 'works idempotently' do + apply_manifest(pp2, catch_changes: true) + end + + describe service('ferm') do + it { is_expected.to be_running } + end + + describe command('iptables-save') do + its(:stdout) { is_expected.to match %r{INPUT.*state INVALID -j DROP} } + end + end end end diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp index 938958b..3c92e7a 100644 --- a/templates/ferm_chain_header.conf.epp +++ b/templates/ferm_chain_header.conf.epp @@ -1,5 +1,6 @@ <%- | Optional[Ferm::Policies] $policy, Boolean $disable_conntrack, + Boolean $drop_invalid_packets_with_conntrack, | -%> # THIS FILE IS MANAGED BY PUPPET <%- if $policy { -%> @@ -10,5 +11,7 @@ policy <%= $policy %>; <% unless $disable_conntrack { -%> # connection tracking mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT; +<% if $drop_invalid_packets_with_conntrack { -%> mod conntrack ctstate INVALID DROP; <% } -%> +<% } -%> |
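Review bot: The positive assertion `INPUT.*state INVALID -j DROP` only proves the rule exists somewhere in the INPUT chain; it does not prove it is evaluated before the `allow_acceptance_tests` ACCEPT rule, which is the property that makes the drop effective. Since chain.pp concatenates the chain header at order '01' the DROP should precede the ACCEPT, so a multiline match would pin that: `its(:stdout) { is_expected.to match %r{INPUT -m conntrack --ctstate INVALID -j DROP.*INPUT.*--dport 22 -j ACCEPT}m }` (the exact iptables-save tokens should be confirmed on the CI image). The context name `with dropping INVALID pakets` should read `packets`.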
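Review bot: Wrapping the existing `mod conntrack ctstate INVALID DROP;` line in the new `if` silently removes a hardening rule from every chain that has conntrack enabled and is upgraded without setting the flag, because the parameter defaults to `false` in chain.pp while before this hunk the DROP was emitted unconditionally whenever `$disable_conntrack` was false. If that change of default posture is intended it deserves a comment here and a changelog entry; otherwise defaulting the parameter to `true` keeps the generated ruleset unchanged for existing users. Suggest a template comment above the new block: `# INVALID is dropped only on request; otherwise such packets fall through to the explicit rules and the chain policy.`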