Révision 2ad7193b
Support logging to NFLOG group
| REFERENCE.md | ||
|---|---|---|
| 171 | 171 |
* [`log_prefix`](#-nftables--log_prefix) |
| 172 | 172 |
* [`log_discarded`](#-nftables--log_discarded) |
| 173 | 173 |
* [`log_limit`](#-nftables--log_limit) |
| 174 |
* [`log_group`](#-nftables--log_group) |
|
| 174 | 175 |
* [`reject_with`](#-nftables--reject_with) |
| 175 | 176 |
* [`in_out_conntrack`](#-nftables--in_out_conntrack) |
| 176 | 177 |
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid) |
| ... | ... | |
| 331 | 332 |
|
| 332 | 333 |
Default value: `'3/minute burst 5 packets'` |
| 333 | 334 |
|
| 335 |
##### <a name="-nftables--log_group"></a>`log_group` |
|
| 336 |
|
|
| 337 |
Data type: `Optional[Integer]` |
|
| 338 |
|
|
| 339 |
When specified, the Linux kernel will pass the packet to nfnetlink_log |
|
| 340 |
which will send the log through a netlink socket to the specified group. |
|
| 341 |
|
|
| 342 |
Default value: `undef` |
|
| 343 |
|
|
| 334 | 344 |
##### <a name="-nftables--reject_with"></a>`reject_with` |
| 335 | 345 |
|
| 336 | 346 |
Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]` |
| manifests/inet_filter.pp | ||
|---|---|---|
| 3 | 3 |
$_reject_rule = epp('nftables/reject_rule.epp',
|
| 4 | 4 |
{
|
| 5 | 5 |
'log_prefix' => sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' }),
|
| 6 |
'log_limit' => $nftables::log_limit |
|
| 6 |
'log_limit' => $nftables::log_limit, |
|
| 7 |
'log_group' => $nftables::log_group, |
|
| 7 | 8 |
} |
| 8 | 9 |
) |
| 9 | 10 |
|
| manifests/init.pp | ||
|---|---|---|
| 72 | 72 |
# to the rules that log discarded traffic. Set to false to |
| 73 | 73 |
# disable rate limiting. |
| 74 | 74 |
# |
| 75 |
# @param log_group |
|
| 76 |
# When specified, the Linux kernel will pass the packet to nfnetlink_log |
|
| 77 |
# which will send the log through a netlink socket to the specified group. |
|
| 78 |
# |
|
| 75 | 79 |
# @param reject_with |
| 76 | 80 |
# How to discard packets not matching any rule. If `false`, the |
| 77 | 81 |
# fate of the packet will be defined by the chain policy (normally |
| ... | ... | |
| 147 | 151 |
Hash $rules = {},
|
| 148 | 152 |
Hash $sets = {},
|
| 149 | 153 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 154 |
Optional[Integer[0]] $log_group = undef, |
|
| 150 | 155 |
String[1] $nat_table_name = 'nat', |
| 151 | 156 |
Stdlib::Unixpath $inmem_rules_hash_file = '/var/tmp/puppet-nft-memhash', |
| 152 | 157 |
Boolean $log_discarded = true, |
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 571 | 571 |
} |
| 572 | 572 |
end |
| 573 | 573 |
|
| 574 |
context 'custom log group' do |
|
| 575 |
let(:params) do |
|
| 576 |
{
|
|
| 577 |
log_group: 1, |
|
| 578 |
log_limit: '5/minute', |
|
| 579 |
} |
|
| 580 |
end |
|
| 581 |
|
|
| 582 |
it {
|
|
| 583 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
|
| 584 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 585 |
content: %r{^ limit rate 5/minute log prefix "\[nftables\] INPUT Rejected: " group 1$},
|
|
| 586 |
order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b' |
|
| 587 |
) |
|
| 588 |
} |
|
| 589 |
|
|
| 590 |
it {
|
|
| 591 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
|
| 592 |
target: 'nftables-inet-filter-chain-OUTPUT', |
|
| 593 |
content: %r{^ limit rate 5/minute log prefix "\[nftables\] OUTPUT Rejected: " group 1$},
|
|
| 594 |
order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b' |
|
| 595 |
) |
|
| 596 |
} |
|
| 597 |
|
|
| 598 |
it {
|
|
| 599 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
|
| 600 |
target: 'nftables-inet-filter-chain-FORWARD', |
|
| 601 |
content: %r{^ limit rate 5/minute log prefix "\[nftables\] FORWARD Rejected: " group 1$},
|
|
| 602 |
order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b' |
|
| 603 |
) |
|
| 604 |
} |
|
| 605 |
end |
|
| 606 |
|
|
| 574 | 607 |
context 'no reject rule, use chain policy without explicit reject' do |
| 575 | 608 |
let(:params) do |
| 576 | 609 |
{
|
| templates/reject_rule.epp | ||
|---|---|---|
| 1 | 1 |
<% if $log_limit { -%>
|
| 2 |
limit rate <%= $log_limit %> log prefix "<%= $log_prefix %>" flags all counter |
|
| 3 |
<% } else { -%>
|
|
| 4 |
log prefix "<%= $log_prefix %>" flags all counter |
|
| 5 |
<% } -%> |
|
| 2 |
limit rate <%= $log_limit %><%= ' ' -%> |
|
| 3 |
<% } -%> log prefix "<%= $log_prefix %>"<% if $log_group { -%>
|
|
| 4 |
group <%= $log_group -%> |
|
| 5 |
<% } else { %> flags all counter<% } -%>
|
|
Formats disponibles : Unified diff