Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/chain.pp | 16 | ||||
-rw-r--r-- | manifests/config.pp | 15 | ||||
-rw-r--r-- | manifests/init.pp | 28 | ||||
-rw-r--r-- | manifests/rule.pp | 11 |
4 files changed, 53 insertions, 17 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 5b21912..6a01607 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,10 +1,12 @@
 # defined resource which creates all rules for one chain
-# @param policy [Ferm::Policies] Set the default policy for a CHAIN
-# @param disable_conntrack [Boolean] disable/enable usage of conntrack
-# @param chain [Ferm::Chains] name of the chain that should be managed
+# @param policy Set the default policy for a CHAIN
+# @param disable_conntrack Disable/Enable usage of conntrack
+# @param chain Name of the chain that should be managed
+# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
 define ferm::chain (
   Ferm::Policies $policy,
   Boolean $disable_conntrack,
+  Boolean $log_dropped_packets,
   Ferm::Chains $chain = $name,
 ) {
@@ -24,4 +26,12 @@ define ferm::chain (
     ),
     order => '01',
   }
+
+  if $log_dropped_packets {
+    concat::fragment{"${chain}-footer":
+      target => "/etc/ferm.d/chains/${chain}.conf",
+      content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+      order => '99',
+    }
+  }
 }
diff --git a/manifests/config.pp b/manifests/config.pp
index ff69c06..1736fa6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
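Review bot: `Boolean $log_dropped_packets,` in the `ferm::chain` signature has no default, so any declaration of `ferm::chain` outside this module that does not pass the new parameter now fails catalog compilation with a missing-parameter error; if that is not intended, write it as `Boolean $log_dropped_packets = false,`. The footer fragment at order `'99'` renders `ferm_chain_footer.conf.epp`, which is not part of this diff (the diffstat is limited to `manifests`), so I cannot see whether the rule it presumably emits is rate-limited; an unlimited LOG rule at the tail of a default-DROP chain lets any remote host fill the kernel log, so please confirm the template wraps it in a `mod limit` match or document the expectation in the @param text. That @param line also says "if no explicit chain matched" where "if no explicit rule matched" is meant.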
@@ -35,15 +35,18 @@ class ferm::config {
   }
   ferm::chain{'INPUT':
-    policy            => $ferm::input_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::input_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::input_log_dropped_packets,
   }
   ferm::chain{'FORWARD':
-    policy            => $ferm::forward_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::forward_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::forward_log_dropped_packets,
   }
   ferm::chain{'OUTPUT':
-    policy            => $ferm::output_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::output_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::output_log_dropped_packets,
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 0096c3a..82f163c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,30 +7,39 @@
 #   manage_service => true,
 # }
 #
-# @param manage_service [Boolean] disable/enable the management of the ferm daemon
+# @param manage_service Disable/Enable the management of the ferm daemon
 # Default value: false
 # Allowed values: (true|false)
-# @param manage_configfile [Boolean] disable/enable the management of the ferm default config
+# @param manage_configfile Disable/Enable the management of the ferm default config
 # Default value: false
 # Allowed values: (true|false)
-# @param configfile [Stdlib::Absolutepath] path to the config file
+# @param configfile Path to the config file
 # Default value: /etc/ferm.conf
 # Allowed values: Stdlib::Absolutepath
-# @param disable_conntrack [Boolean] disable/enable the generation of conntrack rules
+# @param disable_conntrack Disable/Enable the generation of conntrack rules
 # Default value: false
 # Allowed values: (true|false)
-# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
+# @param forward_policy Default policy for the FORWARD chain
 # Default value: DROP
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain
+# @param output_policy Default policy for the OUTPUT chain
 # Default value: ACCEPT
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param input_policy [Ferm::Policies] default policy for the INPUT chain
+# @param input_policy Default policy for the INPUT chain
 # Default value: DROP
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param rules a hash that holds all data for ferm::rule
+# @param rules A hash that holds all data for ferm::rule
 # Default value: Empty Hash
 # Allowed value: Any Hash
+# @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
 class ferm (
   Boolean $manage_service,
   Boolean $manage_configfile,
@@ -39,6 +48,9 @@ class ferm (
   Ferm::Policies $forward_policy,
   Ferm::Policies $output_policy,
   Ferm::Policies $input_policy,
+  Boolean $forward_log_dropped_packets,
+  Boolean $output_log_dropped_packets,
+  Boolean $input_log_dropped_packets,
   Hash $rules,
 ) {
   contain ferm::install
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 7b94210..6f448f9 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,3 +1,14 @@
+# defined resource which creates a single rule in a specific chain
+# @param chain Configure the chain where we want to add the rule
+# @param policy Configure what we want to do with the packet (drop, accept, log...)
+# @param proto Which protocol do we want to match, typically UDP or TCP
+# @param comment A comment that will be added to the ferm config and to ip{,6}tables
+# @param dport The destination port, can be a range as string or a single port number as integer
+# @param sport The source port, can be a range as string or a single port number as integer
+# @param saddr The source address we want to match
+# @param daddr The destination address we want to match
+# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param ensure Set the rule to present or absent
 define ferm::rule (
   Ferm::Chains $chain,
   Ferm::Policies $policy, |
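Review bot: The three new class parameters `Boolean $forward_log_dropped_packets,`, `Boolean $output_log_dropped_packets,` and `Boolean $input_log_dropped_packets,` carry no default in the `class ferm (` signature while the @param text above promises `Default value: false`; that only holds if the module's hiera data supplies them, and the data directory is not part of this diff (the diffstat is limited to `manifests`), so please confirm it was updated in the same change or give the parameters an inline `= false` default, otherwise a plain `include ferm` fails with a missing-parameter error. The @param descriptions for all three say "if no explicit chain matched" where "if no explicit rule matched" is meant, and documenting that the resulting log entries are rate-limited (or not) would help operators sizing their kernel log. The body of `class ferm` continues outside this hunk.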