Skip to content

Commit

Permalink
Support logging to NFLOG group
Browse files Browse the repository at this point in the history
  • Loading branch information
deric committed Sep 14, 2024
1 parent 78f0eee commit 8a7b2f9
Show file tree
Hide file tree
Showing 5 changed files with 53 additions and 5 deletions.
10 changes: 10 additions & 0 deletions REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ The following parameters are available in the `nftables` class:
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`log_group`](#-nftables--log_group)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
Expand Down Expand Up @@ -328,6 +329,15 @@ disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--log_group"></a>`log_group`

Data type: `Optional[Integer]`

When specified, the Linux kernel will pass the packet to nfnetlink_log
which will send the log through a netlink socket to the specified group.

Default value: `undef`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
Expand Down
3 changes: 2 additions & 1 deletion manifests/inet_filter.pp
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@
$_reject_rule = epp('nftables/reject_rule.epp',
{
'log_prefix' => sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' }),
'log_limit' => $nftables::log_limit
'log_limit' => $nftables::log_limit,
'log_group' => $nftables::log_group,
}
)

Expand Down
5 changes: 5 additions & 0 deletions manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,10 @@
# to the rules that log discarded traffic. Set to false to
# disable rate limiting.
#
# @param log_group
# When specified, the Linux kernel will pass the packet to nfnetlink_log
# which will send the log through a netlink socket to the specified group.
#
# @param reject_with
# How to discard packets not matching any rule. If `false`, the
# fate of the packet will be defined by the chain policy (normally
Expand Down Expand Up @@ -147,6 +151,7 @@
Hash $rules = {},
Hash $sets = {},
String $log_prefix = '[nftables] %<chain>s %<comment>s',
Optional[Integer] $log_group = undef,
String[1] $nat_table_name = 'nat',
Stdlib::Unixpath $inmem_rules_hash_file = '/var/tmp/puppet-nft-memhash',
Boolean $log_discarded = true,
Expand Down
32 changes: 32 additions & 0 deletions spec/classes/inet_filter_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -571,6 +571,38 @@
}
end

context 'custom log group' do
let(:params) do
{
log_group: 1,
}
end

it {
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
target: 'nftables-inet-filter-chain-INPUT',
content: %r{^ limit rate 5/minute log prefix "\[nftables\] INPUT Rejected: " group 1$},
order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
)
}

it {
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
target: 'nftables-inet-filter-chain-OUTPUT',
content: %r{^ limit rate 5/minute log prefix "\[nftables\] OUTPUT Rejected: " group 1$},
order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
)
}

it {
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
target: 'nftables-inet-filter-chain-FORWARD',
content: %r{^ limit rate 5/minute log prefix "\[nftables\] FORWARD Rejected: " group 1$},
order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
)
}
end

context 'no reject rule, use chain policy without explicit reject' do
let(:params) do
{
Expand Down
8 changes: 4 additions & 4 deletions templates/reject_rule.epp
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<% if $log_limit { -%>
limit rate <%= $log_limit %> log prefix "<%= $log_prefix %>" flags all counter
<% } else { -%>
log prefix "<%= $log_prefix %>" flags all counter
<% } -%>
limit rate <%= $log_limit -%>
<% } -%> log prefix "<%= $log_prefix %>"<% if $log_group { -%>
group <%= $log_group -%>
<% } else { -%> flags all counter <% } -%>

0 comments on commit 8a7b2f9

Please sign in to comment.