Puppet Class: iptables::rules::mod_recent
- Defined in:
- manifests/rules/mod_recent.pp
Overview
A wrapper for managing the xt_recent portion of the iptables settings: it writes the module options to /etc/modprobe.d/xt_recent.conf, reloads the module so the new buffer sizes take effect, and keeps the live values under /sys/module/xt_recent/parameters in sync.
It is mainly meant to be a helper class but can be used on its own if required.
# File 'manifests/rules/mod_recent.pp', line 34
class iptables::rules::mod_recent (
  Boolean    $notify_iptables   = true,
  Integer[0] $ip_list_tot       = 200,
  Integer[0] $ip_pkt_list_tot   = 20,
  Integer[0] $ip_list_hash_size = 0,
  String     $ip_list_perms     = '0640',
  Integer[0] $ip_list_uid       = 0,
  Integer[0] $ip_list_gid       = 0
) {
  file { '/etc/modprobe.d/xt_recent.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => "options xt_recent ip_list_tot=${ip_list_tot} ip_pkt_list_tot=${ip_pkt_list_tot} ip_list_hash_size=${ip_list_hash_size} ip_list_perms=${ip_list_perms} ip_list_uid=${ip_list_uid} ip_list_gid=${ip_list_gid}"
  }
  ### This is here due to an issue where changes to
  # /etc/modprobe.d/xt_recent.conf that happen *after* the module is loaded
  # will cause a kernel panic if the buffer sizes are *increased*
  #
  # Comment this section out and run the acceptance tests if you want to see if
  # it has been fixed
  #
  # Presently affects both EL6 and EL7 systems
  exec { 'reload xt_recent':
    command     => '/sbin/rmmod xt_recent ||: && /sbin/modprobe xt_recent ||:',
    refreshonly => true
  }
  File['/etc/modprobe.d/xt_recent.conf'] ~> Exec['reload xt_recent']
  ### End workaround for kernel panic
  xt_recent { '/sys/module/xt_recent/parameters':
    ip_list_tot       => $ip_list_tot,
    ip_pkt_list_tot   => $ip_pkt_list_tot,
    ip_list_hash_size => $ip_list_hash_size,
    ip_list_perms     => $ip_list_perms,
    ip_list_uid       => $ip_list_uid,
    ip_list_gid       => $ip_list_gid
  }
  if str2bool($notify_iptables) {
    Xt_recent['/sys/module/xt_recent/parameters'] ~> Class['iptables::service']
  }
}
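As an added usage example (not part of the module's own documentation), the following manifest sizes xt_recent for a connection-throttling rule. The `iptables::rule` defined type, its `content` parameter and the `LOCAL-INPUT` chain are assumed to be the ones provided by the surrounding iptables module; the numeric values are illustrative.

```puppet
# Added example; assumes the iptables module supplies iptables::rule
# with a `content` parameter and a LOCAL-INPUT chain.
#
# xt_recent keeps, per list, a table of source addresses with a short
# packet history each. The kernel rejects any `-m recent --hitcount N`
# rule whose N exceeds ip_pkt_list_tot, so the two must be kept in step.
class { 'iptables::rules::mod_recent':
  ip_list_tot       => 1000,   # up to 1000 tracked source addresses per list
  ip_pkt_list_tot   => 40,     # per-address history; --hitcount may not exceed 40
  ip_list_hash_size => 0,      # 0 lets the kernel derive the hash size from ip_list_tot
  ip_list_perms     => '0640', # /proc/net/xt_recent/* readable only by root/root
  ip_list_uid       => 0,
  ip_list_gid       => 0,
  notify_iptables   => true,   # bounce iptables::service after the live parameters change
}

# Throttle new SSH connections: a source that opens more than 10 new
# connections within 60 seconds is dropped. hitcount (10) <= ip_pkt_list_tot (40).
iptables::rule { 'ssh_new_connection_throttle':
  content => join([
    '-A LOCAL-INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set',
    '-A LOCAL-INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 10 -j DROP',
  ], "\n"),
}

# Make sure the module options are in place before the rule that relies on them loads.
Class['iptables::rules::mod_recent'] -> Iptables::Rule['ssh_new_connection_throttle']
```

If `ip_pkt_list_tot` is later lowered below the rule's `--hitcount`, the rule fails to load and the kernel logs that the hitcount is larger than the allowed maximum, so check `dmesg` after changing these values.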