provide an option to disable logging rejected packets

manifests/inet_filter.pp

@@ -45,9 +45,13 @@
     'INPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'INPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'INPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -74,9 +78,13 @@
     'OUTPUT-jump_global':
       order   => '04',
       content => 'jump global';
-    'OUTPUT-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'OUTPUT-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),
+    }
   }
   if $nftables::reject_with {
     nftables::rule {
@@ -100,9 +108,13 @@
     'FORWARD-jump_global':
       order   => '03',
       content => 'jump global';
-    'FORWARD-log_discarded':
-      order   => '97',
-      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+  }
+  if $nftables::log_discarded {
+    nftables::rule {
+      'FORWARD-log_discarded':
+        order   => '97',
+        content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });
+    }
   }
   if $nftables::reject_with {
     nftables::rule {

manifests/init.pp

@@ -121,6 +121,7 @@
   Hash $sets = {},
   String $log_prefix = '[nftables] %<chain>s %<comment>s',
   String[1] $nat_table_name = 'nat',
+  Boolean $log_discarded = true,
   Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
   Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
   Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask',