Revision eac19d14
Make "dropping invalid packets" configurable
It doesn't make sense to explicitly drop those packets when the default
policy is already `DROP`. Also some applications, like ceph, are known
to send packets that might be marked as invalid.
manifests/init.pp | ||
---|---|---|
73 | 73 |
# Adds INPUT and OUTPUT rules to allow traffic that's part of an |
74 | 74 |
# established connection and also to drop invalid packets. |
75 | 75 |
# |
76 |
# @param in_out_drop_invalid |
|
77 |
# Drops invalid packets in INPUT and OUTPUT |
|
78 |
# |
|
76 | 79 |
# @param fwd_conntrack |
77 | 80 |
# Adds FORWARD rules to allow traffic that's part of an |
78 | 81 |
# established connection and also to drop invalid packets. |
79 | 82 |
# |
83 |
# @param fwd_drop_invalid |
|
84 |
# Drops invalid packets in FORWARD |
|
85 |
# |
|
80 | 86 |
# @param firewalld_enable |
81 | 87 |
# Configures how the firewalld systemd service unit is enabled. It might be |
82 | 88 |
# useful to set this to false if you're externaly removing firewalld from |
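Review bot: The description kept above `@param fwd_conntrack` (and the identical wording kept above the new `@param in_out_drop_invalid`) still says the conntrack rules are added "and also to drop invalid packets", which is no longer unconditionally true once the drop is controlled by its own parameter. Suggest trimming that phrase from the conntrack descriptions and stating in the two new `@param` entries that the default follows the matching conntrack parameter, so a reader of the docs can tell that turning conntrack off also turns the invalid-packet drop off unless it is set explicitly. A short sentence on why one would disable it (the commit message mentions a default `DROP` policy and ceph) would also help operators decide.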
... | ... | |
117 | 123 |
Boolean $out_icmp = true, |
118 | 124 |
Boolean $out_all = false, |
119 | 125 |
Boolean $in_out_conntrack = true, |
126 |
Boolean $in_out_drop_invalid = $in_out_conntrack, |
|
120 | 127 |
Boolean $fwd_conntrack = false, |
128 |
Boolean $fwd_drop_invalid = $fwd_conntrack, |
|
121 | 129 |
Boolean $inet_filter = true, |
122 | 130 |
Boolean $nat = true, |
123 | 131 |
Hash $rules = {}, |
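Review bot: The defaults `$in_out_drop_invalid = $in_out_conntrack` and `$fwd_drop_invalid = $fwd_conntrack` keep existing behaviour, but they also make the combination conntrack `false` with drop_invalid `true` possible, and nothing in these lines shows whether that combination is meant to be supported. Since marking a packet invalid depends on connection tracking state, please either document that the drop rule is emitted on its own in that case or reject the combination with a `fail()` so the resulting ruleset is never ambiguous. It would also be worth a spec test covering each of the four combinations per chain, so a later change to the defaults cannot silently remove the drop rule from hosts that rely on it.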