provide an option to disable logging rejected packets

voxpupuli · Oct 28, 2023 · a9bbb10 · a9bbb10
1 parent 34cbd61
commit a9bbb10
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 9 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -157,6 +157,7 @@ The following parameters are available in the `nftables` class:
 * [`nat_table_name`](#-nftables--nat_table_name)
 * [`sets`](#-nftables--sets)
 * [`log_prefix`](#-nftables--log_prefix)
+* [`log_discarded`](#-nftables--log_discarded)
 * [`log_limit`](#-nftables--log_limit)
 * [`reject_with`](#-nftables--reject_with)
 * [`in_out_conntrack`](#-nftables--in_out_conntrack)
@@ -278,6 +279,14 @@ two variables using standard sprintf() string-formatting:
 
 Default value: `'[nftables] %<chain>s %<comment>s'`
 
+##### <a name="-nftables--log_discarded"></a>`log_discarded`
+
+Data type: `Boolean`
+
+Allow to log discarded packets
+
+Default value: `true`
+
 ##### <a name="-nftables--log_limit"></a>`log_limit`
 
 Data type: `Variant[Boolean[false], String]`

diff --git a/manifests/inet_filter.pp b/manifests/inet_filter.pp
@@ -45,9 +45,13 @@
     'INPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'INPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'INPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -74,9 +78,13 @@
     'OUTPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'OUTPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'OUTPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -100,9 +108,13 @@
     'FORWARD-jump_global':
       order   => '03',
       content => 'jump global';
-    'FORWARD-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'FORWARD-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+    }
   }
   if $nftables::reject_with {
     nftables::rule {

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -55,6 +55,9 @@
 #    * chain: Will be replaced by the name of the chain.
 #    * comment: Allows chains to add extra comments.
 #
+# @param log_discarded
+#   Allow to log discarded packets
+#
 # @param log_limit
 #  String with the content of a limit statement to be applied
 #  to the rules that log discarded traffic. Set to false to
@@ -121,6 +124,7 @@
   Hash $sets = {},
   String $log_prefix = '[nftables] %<chain>s %<comment>s',
   String[1] $nat_table_name = 'nat',
+  Boolean $log_discarded = true,
   Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
   Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
   Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask',