Révision eac19d14
Make "dropping invalid packets" configureable
It doesn't make sense to explicitly drop those pakets when the default
policy is already `DROP`. Also some applications, like ceph, are known
to send packets that might be marked as invalid.
| REFERENCE.md | ||
|---|---|---|
| 168 | 168 |
* [`log_limit`](#-nftables--log_limit) |
| 169 | 169 |
* [`reject_with`](#-nftables--reject_with) |
| 170 | 170 |
* [`in_out_conntrack`](#-nftables--in_out_conntrack) |
| 171 |
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid) |
|
| 171 | 172 |
* [`fwd_conntrack`](#-nftables--fwd_conntrack) |
| 173 |
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid) |
|
| 172 | 174 |
* [`firewalld_enable`](#-nftables--firewalld_enable) |
| 173 | 175 |
* [`noflush_tables`](#-nftables--noflush_tables) |
| 174 | 176 |
* [`rules`](#-nftables--rules) |
| ... | ... | |
| 324 | 326 |
|
| 325 | 327 |
Default value: `true` |
| 326 | 328 |
|
| 329 |
##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid` |
|
| 330 |
|
|
| 331 |
Data type: `Boolean` |
|
| 332 |
|
|
| 333 |
Drops invalid packets in INPUT and OUTPUT |
|
| 334 |
|
|
| 335 |
Default value: `$in_out_conntrack` |
|
| 336 |
|
|
| 327 | 337 |
##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack` |
| 328 | 338 |
|
| 329 | 339 |
Data type: `Boolean` |
| ... | ... | |
| 333 | 343 |
|
| 334 | 344 |
Default value: `false` |
| 335 | 345 |
|
| 346 |
##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid` |
|
| 347 |
|
|
| 348 |
Data type: `Boolean` |
|
| 349 |
|
|
| 350 |
Drops invalid packets in FORWARD |
|
| 351 |
|
|
| 352 |
Default value: `$fwd_conntrack` |
|
| 353 |
|
|
| 336 | 354 |
##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable` |
| 337 | 355 |
|
| 338 | 356 |
Data type: `Variant[Boolean[false], Enum['mask']]` |
| manifests/inet_filter/fwd_conntrack.pp | ||
|---|---|---|
| 4 | 4 |
'FORWARD-accept_established_related': |
| 5 | 5 |
order => '05', |
| 6 | 6 |
content => 'ct state established,related accept'; |
| 7 |
'FORWARD-drop_invalid': |
|
| 7 |
} |
|
| 8 |
if $nftables::fwd_drop_invalid {
|
|
| 9 |
nftables::rule { 'FORWARD-drop_invalid':
|
|
| 8 | 10 |
order => '06', |
| 9 | 11 |
content => 'ct state invalid drop'; |
| 12 |
} |
|
| 10 | 13 |
} |
| 11 | 14 |
} |
| manifests/inet_filter/in_out_conntrack.pp | ||
|---|---|---|
| 4 | 4 |
'INPUT-accept_established_related': |
| 5 | 5 |
order => '05', |
| 6 | 6 |
content => 'ct state established,related accept'; |
| 7 |
'INPUT-drop_invalid': |
|
| 8 |
order => '06', |
|
| 9 |
content => 'ct state invalid drop'; |
|
| 10 | 7 |
'OUTPUT-accept_established_related': |
| 11 | 8 |
order => '05', |
| 12 | 9 |
content => 'ct state established,related accept'; |
| 13 |
'OUTPUT-drop_invalid': |
|
| 10 |
} |
|
| 11 |
if $nftables::in_out_drop_invalid {
|
|
| 12 |
nftables::rule { 'INPUT-drop_invalid':
|
|
| 13 |
order => '06', |
|
| 14 |
content => 'ct state invalid drop', |
|
| 15 |
} |
|
| 16 |
nftables::rule { 'OUTPUT-drop_invalid':
|
|
| 14 | 17 |
order => '06', |
| 15 | 18 |
content => 'ct state invalid drop'; |
| 19 |
} |
|
| 16 | 20 |
} |
| 17 | 21 |
} |
| manifests/init.pp | ||
|---|---|---|
| 73 | 73 |
# Adds INPUT and OUTPUT rules to allow traffic that's part of an |
| 74 | 74 |
# established connection and also to drop invalid packets. |
| 75 | 75 |
# |
| 76 |
# @param in_out_drop_invalid |
|
| 77 |
# Drops invalid packets in INPUT and OUTPUT |
|
| 78 |
# |
|
| 76 | 79 |
# @param fwd_conntrack |
| 77 | 80 |
# Adds FORWARD rules to allow traffic that's part of an |
| 78 | 81 |
# established connection and also to drop invalid packets. |
| 79 | 82 |
# |
| 83 |
# @param fwd_drop_invalid |
|
| 84 |
# Drops invalid packets in FORWARD |
|
| 85 |
# |
|
| 80 | 86 |
# @param firewalld_enable |
| 81 | 87 |
# Configures how the firewalld systemd service unit is enabled. It might be |
| 82 | 88 |
# useful to set this to false if you're externaly removing firewalld from |
| ... | ... | |
| 117 | 123 |
Boolean $out_icmp = true, |
| 118 | 124 |
Boolean $out_all = false, |
| 119 | 125 |
Boolean $in_out_conntrack = true, |
| 126 |
Boolean $in_out_drop_invalid = $in_out_conntrack, |
|
| 120 | 127 |
Boolean $fwd_conntrack = false, |
| 128 |
Boolean $fwd_drop_invalid = $fwd_conntrack, |
|
| 121 | 129 |
Boolean $inet_filter = true, |
| 122 | 130 |
Boolean $nat = true, |
| 123 | 131 |
Hash $rules = {},
|
| spec/classes/inet_filter/fwd_conntrack_spec.rb | ||
|---|---|---|
| 3 | 3 |
require 'spec_helper' |
| 4 | 4 |
|
| 5 | 5 |
describe 'nftables::inet_filter::fwd_conntrack' do |
| 6 |
on_supported_os.each do |os, _os_facts|
|
|
| 6 |
on_supported_os.each do |os, os_facts| |
|
| 7 | 7 |
context "on #{os}" do
|
| 8 |
let :pre_condition do |
|
| 9 |
'include nftables' |
|
| 10 |
end |
|
| 11 |
let :facts do |
|
| 12 |
os_facts |
|
| 13 |
end |
|
| 14 |
|
|
| 15 |
it { is_expected.to compile.with_all_deps }
|
|
| 16 |
|
|
| 8 | 17 |
it {
|
| 9 | 18 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related').with(
|
| 10 | 19 |
target: 'nftables-inet-filter-chain-FORWARD', |
| ... | ... | |
| 13 | 22 |
) |
| 14 | 23 |
} |
| 15 | 24 |
|
| 16 |
it {
|
|
| 17 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid').with(
|
|
| 18 |
target: 'nftables-inet-filter-chain-FORWARD', |
|
| 19 |
content: %r{^ ct state invalid drop$},
|
|
| 20 |
order: '06-nftables-inet-filter-chain-FORWARD-rule-drop_invalid-b' |
|
| 21 |
) |
|
| 22 |
} |
|
| 25 |
it { is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid') }
|
|
| 26 |
|
|
| 27 |
context 'with fwd_drop_invalid=true' do |
|
| 28 |
let :pre_condition do |
|
| 29 |
'class { "nftables": fwd_drop_invalid => true}'
|
|
| 30 |
end |
|
| 31 |
|
|
| 32 |
it {
|
|
| 33 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid').with(
|
|
| 34 |
target: 'nftables-inet-filter-chain-FORWARD', |
|
| 35 |
content: %r{^ ct state invalid drop$},
|
|
| 36 |
order: '06-nftables-inet-filter-chain-FORWARD-rule-drop_invalid-b' |
|
| 37 |
) |
|
| 38 |
} |
|
| 39 |
end |
|
| 23 | 40 |
end |
| 24 | 41 |
end |
| 25 | 42 |
end |
| spec/classes/inet_filter/in_out_conntrack_spec.rb | ||
|---|---|---|
| 3 | 3 |
require 'spec_helper' |
| 4 | 4 |
|
| 5 | 5 |
describe 'nftables::inet_filter::in_out_conntrack' do |
| 6 |
let(:pre_condition) { 'Exec{path => "/bin"}' }
|
|
| 7 |
|
|
| 8 |
on_supported_os.each do |os, _os_facts| |
|
| 6 |
on_supported_os.each do |os, os_facts| |
|
| 7 |
let :pre_condition do |
|
| 8 |
'include nftables' |
|
| 9 |
end |
|
| 9 | 10 |
context "on #{os}" do
|
| 11 |
let :facts do |
|
| 12 |
os_facts |
|
| 13 |
end |
|
| 14 |
|
|
| 15 |
it { is_expected.to compile.with_all_deps }
|
|
| 16 |
|
|
| 10 | 17 |
it {
|
| 11 | 18 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
|
| 12 | 19 |
target: 'nftables-inet-filter-chain-INPUT', |
| ... | ... | |
| 38 | 45 |
order: '06-nftables-inet-filter-chain-OUTPUT-rule-drop_invalid-b' |
| 39 | 46 |
) |
| 40 | 47 |
} |
| 48 |
|
|
| 49 |
context 'with in_out_drop_invalid=false' do |
|
| 50 |
let :pre_condition do |
|
| 51 |
'class { "nftables": in_out_drop_invalid => false}'
|
|
| 52 |
end |
|
| 53 |
|
|
| 54 |
it { is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid') }
|
|
| 55 |
it { is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid') }
|
|
| 56 |
end |
|
| 41 | 57 |
end |
| 42 | 58 |
end |
| 43 | 59 |
end |
Formats disponibles : Unified diff