provide an option to disable logging rejected packets

voxpupuli · Oct 23, 2023 · 81c186b · 81c186b
1 parent 34cbd61
commit 81c186b
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 9 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -168,6 +168,7 @@ The following parameters are available in the `nftables` class:
 * [`nft_path`](#-nftables--nft_path)
 * [`echo`](#-nftables--echo)
 * [`default_config_mode`](#-nftables--default_config_mode)
+* [`log_discarded`](#-nftables--log_discarded)
 
 ##### <a name="-nftables--out_all"></a>`out_all`
 
@@ -370,6 +371,14 @@ Data type: `Stdlib::Filemode`
 The default file & dir mode for configuration files and directories. The
 default varies depending on the system, and is set in the module's data.
 
+##### <a name="-nftables--log_discarded"></a>`log_discarded`
+
+Data type: `Boolean`
+
+
+
+Default value: `true`
+
 ### <a name="nftables--bridges"></a>`nftables::bridges`
 
 allow forwarding traffic on bridges

diff --git a/manifests/inet_filter.pp b/manifests/inet_filter.pp
@@ -45,9 +45,13 @@
     'INPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'INPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'INPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -74,9 +78,13 @@
     'OUTPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'OUTPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'OUTPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -100,9 +108,13 @@
     'FORWARD-jump_global':
       order   => '03',
       content => 'jump global';
-    'FORWARD-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'FORWARD-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+    }
   }
   if $nftables::reject_with {
     nftables::rule {

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -121,6 +121,7 @@
   Hash $sets = {},
   String $log_prefix = '[nftables] %<chain>s %<comment>s',
   String[1] $nat_table_name = 'nat',
+  Boolean $log_discarded = true,
   Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
   Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
   Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask',