From cd38691675da20ff4f38f18b2505955694ea56e4 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Wed, 15 Apr 2020 09:57:09 +0200
Subject: make dropping of pakets marked as invalid optional
---
 templates/ferm_chain_header.conf.epp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'templates/ferm_chain_header.conf.epp')
diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp
index 938958b..3c92e7a 100644
--- a/templates/ferm_chain_header.conf.epp
+++ b/templates/ferm_chain_header.conf.epp
@@ -1,5 +1,6 @@
 <%- | Optional[Ferm::Policies] $policy,
 Boolean $disable_conntrack,
+ Boolean $drop_invalid_packets_with_conntrack,
 | -%>
 # THIS FILE IS MANAGED BY PUPPET
 <%- if $policy { -%>
@@ -10,5 +11,7 @@ policy <%= $policy %>;
 <% unless $disable_conntrack { -%>
 # connection tracking
 mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
+<% if $drop_invalid_packets_with_conntrack { -%>
 mod conntrack ctstate INVALID DROP;
 <% } -%>
+<% } -%>
--
cgit v1.2.3
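Review bot: The new `Boolean $drop_invalid_packets_with_conntrack` parameter in the template header (first hunk) has no default, so every `epp()` call that renders this template has to pass it or rendering fails. The callers are outside this file-limited view, so that is worth confirming before merge. Declaring it as `Boolean $drop_invalid_packets_with_conntrack = true,` would keep the previous behaviour, with INVALID packets dropped, for any caller that is not updated, which is the safer fallback for a firewall template.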
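Review bot: When `$drop_invalid_packets_with_conntrack` is false, the second hunk renders nothing in place of `mod conntrack ctstate INVALID DROP;`, so the generated ferm configuration gives no sign that INVALID-state packets are no longer dropped in the chain header. Presumably they then fall through to the later rules and the chain policy. An else branch that emits a comment such as `# INVALID packets are not dropped here (drop_invalid_packets_with_conntrack is false)` would make that visible to anyone auditing the rendered file. The flag is also silently ignored whenever `$disable_conntrack` is true, because the new `if` sits inside the `unless $disable_conntrack` block; a template comment next to the parameter should say so.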