Révision a9bbb10d
provide an option to disable logging rejected packets
| REFERENCE.md | ||
|---|---|---|
| 157 | 157 |
* [`nat_table_name`](#-nftables--nat_table_name) |
| 158 | 158 |
* [`sets`](#-nftables--sets) |
| 159 | 159 |
* [`log_prefix`](#-nftables--log_prefix) |
| 160 |
* [`log_discarded`](#-nftables--log_discarded) |
|
| 160 | 161 |
* [`log_limit`](#-nftables--log_limit) |
| 161 | 162 |
* [`reject_with`](#-nftables--reject_with) |
| 162 | 163 |
* [`in_out_conntrack`](#-nftables--in_out_conntrack) |
| ... | ... | |
| 278 | 279 |
|
| 279 | 280 |
Default value: `'[nftables] %<chain>s %<comment>s'` |
| 280 | 281 |
|
| 282 |
##### <a name="-nftables--log_discarded"></a>`log_discarded` |
|
| 283 |
|
|
| 284 |
Data type: `Boolean` |
|
| 285 |
|
|
| 286 |
Allow to log discarded packets |
|
| 287 |
|
|
| 288 |
Default value: `true` |
|
| 289 |
|
|
| 281 | 290 |
##### <a name="-nftables--log_limit"></a>`log_limit` |
| 282 | 291 |
|
| 283 | 292 |
Data type: `Variant[Boolean[false], String]` |
| manifests/inet_filter.pp | ||
|---|---|---|
| 45 | 45 |
'INPUT-jump_global': |
| 46 | 46 |
order => '04', |
| 47 | 47 |
content => 'jump global'; |
| 48 |
'INPUT-log_discarded': |
|
| 49 |
order => '97', |
|
| 50 |
content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
|
|
| 48 |
} |
|
| 49 |
if $nftables::log_discarded {
|
|
| 50 |
nftables::rule {
|
|
| 51 |
'INPUT-log_discarded': |
|
| 52 |
order => '97', |
|
| 53 |
content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
|
|
| 54 |
} |
|
| 51 | 55 |
} |
| 52 | 56 |
if $nftables::reject_with {
|
| 53 | 57 |
nftables::rule {
|
| ... | ... | |
| 74 | 78 |
'OUTPUT-jump_global': |
| 75 | 79 |
order => '04', |
| 76 | 80 |
content => 'jump global'; |
| 77 |
'OUTPUT-log_discarded': |
|
| 78 |
order => '97', |
|
| 79 |
content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
|
|
| 81 |
} |
|
| 82 |
if $nftables::log_discarded {
|
|
| 83 |
nftables::rule {
|
|
| 84 |
'OUTPUT-log_discarded': |
|
| 85 |
order => '97', |
|
| 86 |
content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
|
|
| 87 |
} |
|
| 80 | 88 |
} |
| 81 | 89 |
if $nftables::reject_with {
|
| 82 | 90 |
nftables::rule {
|
| ... | ... | |
| 100 | 108 |
'FORWARD-jump_global': |
| 101 | 109 |
order => '03', |
| 102 | 110 |
content => 'jump global'; |
| 103 |
'FORWARD-log_discarded': |
|
| 104 |
order => '97', |
|
| 105 |
content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
|
|
| 111 |
} |
|
| 112 |
if $nftables::log_discarded {
|
|
| 113 |
nftables::rule {
|
|
| 114 |
'FORWARD-log_discarded': |
|
| 115 |
order => '97', |
|
| 116 |
content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
|
|
| 117 |
} |
|
| 106 | 118 |
} |
| 107 | 119 |
if $nftables::reject_with {
|
| 108 | 120 |
nftables::rule {
|
| manifests/init.pp | ||
|---|---|---|
| 55 | 55 |
# * chain: Will be replaced by the name of the chain. |
| 56 | 56 |
# * comment: Allows chains to add extra comments. |
| 57 | 57 |
# |
| 58 |
# @param log_discarded |
|
| 59 |
# Allow to log discarded packets |
|
| 60 |
# |
|
| 58 | 61 |
# @param log_limit |
| 59 | 62 |
# String with the content of a limit statement to be applied |
| 60 | 63 |
# to the rules that log discarded traffic. Set to false to |
| ... | ... | |
| 121 | 124 |
Hash $sets = {},
|
| 122 | 125 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 123 | 126 |
String[1] $nat_table_name = 'nat', |
| 127 |
Boolean $log_discarded = true, |
|
| 124 | 128 |
Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets', |
| 125 | 129 |
Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable', |
| 126 | 130 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
Formats disponibles : Unified diff