Diffstat (limited to 'manifests')
-rw-r--r--manifests/chain.pp16
-rw-r--r--manifests/config.pp15
-rw-r--r--manifests/init.pp28
-rw-r--r--manifests/rule.pp11
4 files changed, 53 insertions, 17 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 5b21912..6a01607 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,10 +1,12 @@
# defined resource which creates all rules for one chain
-# @param policy [Ferm::Policies] Set the default policy for a CHAIN
-# @param disable_conntrack [Boolean] disable/enable usage of conntrack
-# @param chain [Ferm::Chains] name of the chain that should be managed
+# @param policy Set the default policy for a CHAIN
+# @param disable_conntrack Disable/Enable usage of conntrack
+# @param chain Name of the chain that should be managed
+# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
define ferm::chain (
Ferm::Policies $policy,
Boolean $disable_conntrack,
+ Boolean $log_dropped_packets,
Ferm::Chains $chain = $name,
) {
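Review bot: The new `@param log_dropped_packets` text says logging happens "if no explicit chain matched", but what the footer fragment sits behind is the chain's rules, not other chains; `# @param log_dropped_packets Enable/Disable logging of packets to the kernel log when no explicit rule in the chain matched` reads correctly. The same wording appears in init.pp for `forward_log_dropped_packets`, `output_log_dropped_packets` and `input_log_dropped_packets`. The rest of ferm::chain's body is outside this hunk.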
@@ -24,4 +26,12 @@ define ferm::chain (
),
order => '01',
}
+
+ if $log_dropped_packets {
+ concat::fragment{"${chain}-footer":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+ order => '99',
+ }
+ }
}
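Review bot: The footer is added whenever `$log_dropped_packets` is true, independent of `$policy`, so on a chain whose policy is ACCEPT (init.pp documents that as the OUTPUT default) it logs traffic that is then accepted, which the parameter name does not suggest; either document that in the comment above the `if` or gate it with the policy. `ferm_chain_footer.conf.epp` is not in this diff; if it emits an unconditioned LOG rule, every packet reaching the end of the chain is written to the kernel log with no rate limit, so the template should apply ferm's `mod limit` (and the docs should say so). `order => '99'` also assumes every ferm::rule fragment sorts below it; rule.pp's fragment order is not visible here, so confirm it, otherwise rules land after the log line.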
diff --git a/manifests/config.pp b/manifests/config.pp
index ff69c06..1736fa6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -35,15 +35,18 @@ class ferm::config {
}
ferm::chain{'INPUT':
- policy => $ferm::input_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::input_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::input_log_dropped_packets,
}
ferm::chain{'FORWARD':
- policy => $ferm::forward_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::forward_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::forward_log_dropped_packets,
}
ferm::chain{'OUTPUT':
- policy => $ferm::output_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::output_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::output_log_dropped_packets,
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 0096c3a..82f163c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,30 +7,39 @@
# manage_service => true,
# }
#
-# @param manage_service [Boolean] disable/enable the management of the ferm daemon
+# @param manage_service Disable/Enable the management of the ferm daemon
# Default value: false
# Allowed values: (true|false)
-# @param manage_configfile [Boolean] disable/enable the management of the ferm default config
+# @param manage_configfile Disable/Enable the management of the ferm default config
# Default value: false
# Allowed values: (true|false)
-# @param configfile [Stdlib::Absolutepath] path to the config file
+# @param configfile Path to the config file
# Default value: /etc/ferm.conf
# Allowed values: Stdlib::Absolutepath
-# @param disable_conntrack [Boolean] disable/enable the generation of conntrack rules
+# @param disable_conntrack Disable/Enable the generation of conntrack rules
# Default value: false
# Allowed values: (true|false)
-# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
+# @param forward_policy Default policy for the FORWARD chain
# Default value: DROP
# Allowed values: (ACCEPT|DROP|REJECT)
-# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain
+# @param output_policy Default policy for the OUTPUT chain
# Default value: ACCEPT
# Allowed values: (ACCEPT|DROP|REJECT)
-# @param input_policy [Ferm::Policies] default policy for the INPUT chain
+# @param input_policy Default policy for the INPUT chain
# Default value: DROP
# Allowed values: (ACCEPT|DROP|REJECT)
-# @param rules a hash that holds all data for ferm::rule
+# @param rules A hash that holds all data for ferm::rule
# Default value: Empty Hash
# Allowed value: Any Hash
+# @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
class ferm (
Boolean $manage_service,
Boolean $manage_configfile,
@@ -39,6 +48,9 @@ class ferm (
Ferm::Policies $forward_policy,
Ferm::Policies $output_policy,
Ferm::Policies $input_policy,
+ Boolean $forward_log_dropped_packets,
+ Boolean $output_log_dropped_packets,
+ Boolean $input_log_dropped_packets,
Hash $rules,
) {
contain ferm::install
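Review bot: The three new `Boolean` parameters have no default in the class signature, while the doc block above says "Default value: false"; the diffstat is limited to manifests/, so the defaults have to come from the module's hiera data, which this view does not show. If the data keys are not part of the commit, every catalog that declares `ferm` fails with a missing-parameter error. A short note in the header such as `# Defaults for the *_log_dropped_packets parameters live in the module data` would make that dependency explicit.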
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 7b94210..6f448f9 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,3 +1,14 @@
+# defined resource which creates a single rule in a specific chain
+# @param chain Configure the chain where we want to add the rule
+# @param policy Configure what we want to do with the packet (drop, accept, log...)
+# @param proto Which protocol do we want to match, typically UDP or TCP
+# @param comment A comment that will be added to the ferm config and to ip{,6}tables
+# @param dport The destination port, can be a range as string or a single port number as integer
+# @param sport The source port, can be a range as string or a single port number as integer
+# @param saddr The source address we want to match
+# @param daddr The destination address we want to match
+# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param ensure Set the rule to present or absent
define ferm::rule (
Ferm::Chains $chain,
Ferm::Policies $policy,
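Review bot: The new `@param policy` comment lists "(drop, accept, log...)", but the parameter is typed `Ferm::Policies`, which init.pp documents as `(ACCEPT|DROP|REJECT)`; if that is the same type alias, a `log` value is rejected at compile time and the comment promises more than the type admits. Suggest `# @param policy Configure what we want to do with the packet (ACCEPT, DROP or REJECT)`, or widen the type if LOG is meant to be supported. The ferm::rule signature continues outside this hunk.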