Diffstat (limited to 'manifests/chain.pp')
-rw-r--r-- | manifests/chain.pp | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 0593cc8..54eb455 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -8,6 +8,7 @@
 # }
 #
 # @param disable_conntrack Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain
+# @param drop_invalid_packets_with_conntrack Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP.
 # @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
 # @param policy Set the default policy for CHAIN (works only for builtin chains)
 # Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
@@ -19,11 +20,12 @@
 #
 define ferm::chain (
 Boolean $log_dropped_packets,
- Boolean $disable_conntrack = true,
- String[1] $chain = $name,
- Optional[Ferm::Policies] $policy = undef,
- Ferm::Tables $table = 'filter',
- Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
+ Boolean $drop_invalid_packets_with_conntrack = false,
+ Boolean $disable_conntrack = true,
+ String[1] $chain = $name,
+ Optional[Ferm::Policies] $policy = undef,
+ Ferm::Tables $table = 'filter',
+ Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
 ) {
 # prevent unmanaged files due to new naming schema
 # keep the default "filter" chains in the original location
@@ -54,8 +56,9 @@ define ferm::chain (
 target => $filename,
 content => epp( "${module_name}/ferm_chain_header.conf.epp", {
- 'policy' => $policy,
- 'disable_conntrack' => $disable_conntrack,
+ 'policy' => $policy,
+ 'disable_conntrack' => $disable_conntrack,
+ 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
 }
 ),
 order => '01',
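Review bot: The new `$drop_invalid_packets_with_conntrack` parameter is documented as taking effect only when `$disable_conntrack` is `false`, yet nothing in the parameter list rejects the combination `drop_invalid_packets_with_conntrack => true` with `disable_conntrack => true`, so a user who opts in while leaving conntrack disabled gets no `ctstate INVALID DROP` rule and no indication of it. With the shipped defaults (`disable_conntrack = true`, the new flag `false`) the flag stays a no-op until both are changed, which makes this silent case easy to hit on a chain whose policy is ACCEPT. A guard right after the parameter list would make the contract explicit at catalog compile time: `if $drop_invalid_packets_with_conntrack and $disable_conntrack {` / `  fail("ferm::chain[${chain}]: drop_invalid_packets_with_conntrack requires disable_conntrack => false")` / `}`. The body of `ferm::chain` continues past the end of this hunk, so an existing check there would not be visible to me.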
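Review bot: Passing the new `'drop_invalid_packets_with_conntrack'` key to `epp()` requires `ferm_chain_header.conf.epp` to declare that parameter in its parameter list, otherwise catalog compilation fails with an unknown-parameter error for the template; the diffstat is limited to `manifests/chain.pp`, so the matching template change is not visible here and should be confirmed to land in the same commit. It is also worth checking that the template emits the `mod conntrack ctstate INVALID DROP` line only when `disable_conntrack` is `false`, since the parameter's own documentation states that as a precondition and a conntrack match in a chain with conntrack disabled would be an inconsistent ruleset. The enclosing `concat::fragment` resource starts before and ends after this hunk.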