
Révision 24a5a2a7

ID24a5a2a7885caff92435663acfce34ae52ea9947
Parent 72aad4a2
Enfant e3c56ff6

Ajouté par tr il y a plus de 4 ans

Enable conntrack in FORWARD


manifests/inet_filter.pp
115 115
      content => 'jump global';
116 116
    'FORWARD-log_discarded':
117 117
      order   => '97',
118
      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' }),
118
      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
119 119
  }
120 120
  if $nftables::reject_with {
121 121
    nftables::rule{
......
124 124
        content => "reject with ${$nftables::reject_with}";
125 125
    }
126 126
  }
127
  if $nftables::fwd_conntrack {
128
    nftables::rule{
129
      'FORWARD-accept_established_related':
130
        order   => '05',
131
        content => 'ct state established,related accept';
132
      'FORWARD-drop_invalid':
133
        order   => '06',
134
        content => 'ct state invalid drop';
135
    }
136
  }
127 137

  
128 138
  # basic outgoing rules
129 139
  if $nftables::out_all {
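Review bot: The new `if $nftables::fwd_conntrack` block carries no comment explaining why the FORWARD conntrack rules are opt-in while the existing INPUT/OUTPUT handling is controlled by a separate flag, and with `fwd_conntrack` defaulting to false (init.pp in this commit) forwarded traffic gets no early `ct state established,related accept` or `ct state invalid drop`, so presumably such packets fall through to the later FORWARD rules and the `FORWARD-log_discarded` reject at order '97'. A short why-comment above the `if` would help the next maintainer, e.g. `# Stateful FORWARD handling is opt-in so existing rulesets keep their behaviour; enable on hosts that forward/NAT traffic.`. The orders '05' and '06' place these rules ahead of the rest of the chain, which is correct for a drop-invalid rule, but the matching INPUT/OUTPUT rules are outside this hunk and their orders cannot be checked here. The enclosing class body starts and ends outside the hunk.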
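--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -59,6 +59,10 @@
 #   Adds INPUT and OUTPUT rules to allow traffic that's part of an
 #   established connection and also to drop invalid packets.
 #
+# @param fwd_conntrack
+#   Adds FORWARD rules to allow traffic that's part of an
+#   established connection and also to drop invalid packets.
+#
 # @param firewalld_enable
 #   Configures how the firewalld systemd service unit is enabled. It might be
 #   useful to set this to false if you're externaly removing firewalld from
@@ -74,6 +78,7 @@
   Boolean $out_icmp              = true,
   Boolean $out_all               = false,
   Boolean $in_out_conntrack      = true,
+  Boolean $fwd_conntrack         = false,
   Boolean $nat                   = true,
   Hash $rules                    = {},
   Hash $sets                     = {},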
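Review bot: The `@param fwd_conntrack` documentation is a copy of the `in_out_conntrack` text and does not mention that, unlike that parameter, this one defaults to false, so a reader of the docs will not see that FORWARD stays stateless unless they opt in. Suggest extending the comment with `#   Disabled by default so existing FORWARD rulesets are unchanged; enable it on hosts that forward or NAT traffic.`. The parameter list continues outside the hunk, so whether any other FORWARD-related parameter should reference this one cannot be checked here.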
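--- a/spec/classes/inet_filter_spec.rb
+++ b/spec/classes/inet_filter_spec.rb
@@ -597,6 +597,7 @@
         let(:params) do
           {
             'in_out_conntrack' => false,
+            'fwd_conntrack'    => false,
           }
         end
 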
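Review bot: The only spec change sets `'fwd_conntrack' => false`, which is already the default, so nothing in this commit exercises the new FORWARD rules; a regression that breaks the `if $nftables::fwd_conntrack` block in inet_filter.pp would go unnoticed. Add a sibling context with `'fwd_conntrack' => true` that asserts the catalogue contains `nftables__rule('FORWARD-accept_established_related')` with content `'ct state established,related accept'` and `nftables__rule('FORWARD-drop_invalid')` with content `'ct state invalid drop'`, and, in the existing false context, that neither resource is present. The surrounding `context`/`describe` blocks start and end outside the hunk, so the exact existing matcher style used in this file cannot be seen here.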