/ - Diff - puppet nftables - Koumbit's Redmine

Révision b10c6216

ID	b10c62165276b133767ca89024cbf866c89226a2
Parent	92461926
Enfant	902ceaac

Ajouté par Nacho Barrientos il y a plus de 4 ans

Set a customisable rate limit to the logging rules

     # manage basic chains in table inet filter
     class nftables::inet_filter inherits nftables {
       $_log_prefix_discard = sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' })
       $_reject_rule = epp('nftables/reject_rule.epp',
+        {
           'log_prefix' => sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' }),
           'log_limit'  => $nftables::log_limit
+        }
+      )
       nftables::config{
         'inet-filter':
-...
           content => 'jump global';
         'INPUT-log_discarded':
           order   => '97',
           content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'INPUT' })}\" flags all counter";
           content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+      }
       if $nftables::reject_with {
         nftables::rule{
-...
           content => 'jump global';
         'OUTPUT-log_discarded':
           order   => '97',
           content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'OUTPUT' })}\" flags all counter";
           content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+      }
       if $nftables::reject_with {
         nftables::rule{
-...
           content => 'jump global';
         'FORWARD-log_discarded':
           order   => '97',
           content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'FORWARD' })}\" flags all counter";
           content => sprintf($_reject_rule, { 'chain' => 'FORWARD' }),
+      }
       if $nftables::reject_with {
         nftables::rule{

     #    * chain: Will be replaced by the name of the chain.
     #    * comment: Allows chains to add extra comments.
+    #
     # @param log_limit
     #  String with the content of a limit statement to be applied
     #  to the rules that log discarded traffic. Set to false to
     #  disable rate limiting.
+    #
     # @param reject_with
     #   How to discard packets not matching any rule. If `false`, the
     #   fate of the packet will be defined by the chain policy (normally
-...
       Boolean $in_out_conntrack      = true,
       Hash $rules                    = {},
       String $log_prefix             = '[nftables] %<chain>s %<comment>s',
       Variant[Boolean[false], String]
         $log_limit                   = '3/minute burst 5 packets',
       Variant[Boolean[false], Pattern[
         /icmp(v6|x)? type .+|tcp reset/]]
         $reject_with                 = 'icmpx type port-unreachable',

             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
+              )
+            }
-...
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
+              )
+            }
-...
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
+              )
+            }
-...
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \"test " flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \"test " flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \"test " flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
+              )
+            }
-...
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \" bar \[INPUT\] " flags all counter$},
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[INPUT\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[OUTPUT\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[FORWARD\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
+              )
+            }
           end
           context 'no log limit' do
             let(:params) do
+              {
                 'log_limit' => false,
+              }
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
+              )
+            }
           end
           context 'custom log limit' do
             let(:params) do
+              {
                 'log_limit' => '5/minute',
+              }
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \" bar \[OUTPUT\] " flags all counter$},
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \" bar \[FORWARD\] " flags all counter$},
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
+              )
+            }

templates/reject_rule.epp
	1	<% if $log_limit { -%>
	2	limit rate <%= $log_limit %> log prefix "<%= $log_prefix %>" flags all counter
	3	<% } else { -%>
	4	log prefix "<%= $log_prefix %>" flags all counter
	5	<% } -%>

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision b10c6216