Révision eac19d14
Make "dropping invalid packets" configureable
It doesn't make sense to explicitly drop those pakets when the default
policy is already `DROP`. Also some applications, like ceph, are known
to send packets that might be marked as invalid.
| REFERENCE.md | ||
|---|---|---|
| 168 | 168 |
* [`log_limit`](#-nftables--log_limit) |
| 169 | 169 |
* [`reject_with`](#-nftables--reject_with) |
| 170 | 170 |
* [`in_out_conntrack`](#-nftables--in_out_conntrack) |
| 171 |
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid) |
|
| 171 | 172 |
* [`fwd_conntrack`](#-nftables--fwd_conntrack) |
| 173 |
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid) |
|
| 172 | 174 |
* [`firewalld_enable`](#-nftables--firewalld_enable) |
| 173 | 175 |
* [`noflush_tables`](#-nftables--noflush_tables) |
| 174 | 176 |
* [`rules`](#-nftables--rules) |
| ... | ... | |
| 324 | 326 |
|
| 325 | 327 |
Default value: `true` |
| 326 | 328 |
|
| 329 |
##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid` |
|
| 330 |
|
|
| 331 |
Data type: `Boolean` |
|
| 332 |
|
|
| 333 |
Drops invalid packets in INPUT and OUTPUT |
|
| 334 |
|
|
| 335 |
Default value: `$in_out_conntrack` |
|
| 336 |
|
|
| 327 | 337 |
##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack` |
| 328 | 338 |
|
| 329 | 339 |
Data type: `Boolean` |
| ... | ... | |
| 333 | 343 |
|
| 334 | 344 |
Default value: `false` |
| 335 | 345 |
|
| 346 |
##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid` |
|
| 347 |
|
|
| 348 |
Data type: `Boolean` |
|
| 349 |
|
|
| 350 |
Drops invalid packets in FORWARD |
|
| 351 |
|
|
| 352 |
Default value: `$fwd_conntrack` |
|
| 353 |
|
|
| 336 | 354 |
##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable` |
| 337 | 355 |
|
| 338 | 356 |
Data type: `Variant[Boolean[false], Enum['mask']]` |
Formats disponibles : Unified diff