Added --set-log-denied option

voxpupuli · Sep 12, 2017 · 51dafa7 · 51dafa7
1 parent b48c3a7
commit 51dafa7
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ class { 'firewalld': }
 * `service_ensure`: Whether the service should be running or not (default: running)
 * `service_enable`: Whether to enable the service
 * `default_zone`: Optional, set the default zone for interfaces (default: undef)
+* `log_denied`: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one of `off`, `all`, `multicast`, `unicast`, `broadcast` (default: undef)
 * `zones`: A hash of [firewalld zones](#firewalld-zones) to configure
 * `ports`: A hash of [firewalld ports](#firewalld-ports) to configure
 * `services`: A hash of [firewalld services](#firewalld-service) to configure

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -57,7 +57,8 @@
   Boolean $purge_direct_rules        = false,
   Boolean $purge_direct_chains       = false,
   Boolean $purge_direct_passthroughs = false,
-  Optional[String]  $default_zone     = undef
+  Optional[String] $default_zone     = undef,
+  Optional[Enum['off','all','unicast','broadcast','multicast']] $log_denied = undef
 ) {
 
     package { $package:
@@ -174,6 +175,12 @@
       }
     }
 
+    if $log_denied {
+      exec { 'firewalld::set_log_denied':
+        command => "firewall-cmd --set-log-denied ${log_denied} && firewall-cmd --reload",
+        unless  => "[ $(firewall-cmd --get-log-denied) = ${log_denied} ]",
+      }
+    }
 
     # Set dependencies using resource chaining so that resource declarations made
     # outside of this class (eg: from the profile) also get their dependencies set

diff --git a/tests/test.pp b/tests/test.pp
@@ -1,6 +1,6 @@
 
 class { 'firewalld':
-  default_zone => 'restricted',
+  log_denied => 'multicast'
 }
 
 firewalld_zone { 'restricted':
@@ -9,3 +9,13 @@
   purge_rich_rules => true,
 }
 
+firewalld_rich_rule { 'McAffee':
+  ensure => present,
+  source => '10.10.10.50',
+  port => {
+    'port' => 8803,
+    'protocol' => 'tcp',
+  },
+  zone => 'public',
+  action => 'accept',
+}