Puppet Class: conntrackd

Defined in:: manifests/init.pp

Summary

This class is able to install or remove conntrackd on a node. It

Overview

# conntrackd

manages the status and configuration of the service.

Examples:

Installation, make sure service is running and will be started at boot time:

class { 'conntrackd': }

Removal/decommissioning:

class { 'conntrackd':
  ensure => 'absent',
}

Install everything but disable service(s) afterwards

class { 'conntrackd':
  status => 'disabled',
}

Parameters:

ensure (Enum['present', 'absent']) —
String. Controls if the managed resources shall be present or absent. If set to absent:
- The managed software packages are being uninstalled.
- Any traces of the packages will be purged as good as possible. This may include existing configuration files. The exact behavior is provider dependent. Q.v.:
  - Puppet type reference: package, “purgeable”
  - Puppet’s package provider source code
- System modifications (if any) will be reverted as good as possible (e.g. removal of created users, services, changed log settings, …).
- This is thus destructive and should be used with care.
Defaults to present.
autoupgrade (Boolean) —
Boolean. If set to true, any managed package gets upgraded on each Puppet run when the package provider is able to find a newer version than the present one. The exact behavior is provider dependent. Q.v.:
- Puppet type reference: package, “upgradeable”
- Puppet’s package provider source code
Defaults to false.
status (Enum[ 'enabled', 'disabled', 'running', 'unmanaged' ]) —
String to define the status of the service. Possible values:
- enabled: Service is running and will be started at boot time.
- disabled: Service is stopped and will not be started at boot time.
- running: Service is running but will not be started at boot time. You can use this to start a service on the first Puppet run instead of the system startup.
- unmanaged: Service will not be started at boot time and Puppet does not care whether the service is running or not. For example, this may be useful if a cluster management software is used to decide when to start the service plus assuring it is running on the desired node.
Defaults to enabled. The singular form (“service”) is used for the sake of convenience. Of course, the defined status affects all services if more than one is managed (see service.pp to check if this is the case).
package (Array) —

The name(s) of the conntrack package(s)
service_name (String) —

The name of the conntrackd service
service_hasrestart (Boolean) —

The service ‘hasrestart` attribute
service_hasstatus (Boolean) —

The service ‘hasstatus` attribute
service_pattern (String) —

The service ‘pattern` attribute
service_status (String) —

The service ‘status` attribute
config_dir (String) —

Top-level directory for configuration
config_filename (String) —

Config file name
nice (Integer[-20,19]) —

integer: Nice value of the conntrackd process range: -19 to +19 Default: -1
hashsize (Integer) —

integer: Number of buckets in the cache hashtable. Default: 32768
logfile (String) —
string: fully qualified path to the logfile or ‘Off’
```
(directory must exist and be writable)
```
values: on, off, <path to file> Default: off
syslog (String) —

string: enable syslog logging values: on, off or <syslog facility> Default: on
lockfile (String) —

string: fully qualified path to the lockfile Default: /var/lock/conntrack.lock
sock_path (String) —

string: fully qualified path to the UNIX socket used for configuration Default: /var/run/conntrackd.ctl
sock_backlog (Integer) —

integer: sets the blacklog ofr the UNIX socket Default: 20
ignore_ips_ipv4 (Array) —
array: list of IPv4 addresses to ignore.
```
should include this node's address
```
Default: [ '127.0.0.1', '192.168.0.1', '10.1.1.1' ]
ignore_ips_ipv6 (Array) —
array: list of IPv4 addresses to ignore.
```
should include this node's address
```
Default: [ '::1' ]
tcp_flows (Array) —

array: list of flows to monitor allowed: ‘ESTABLISHED’, ‘CLOSED’, ‘TIME_WAIT’, ‘CLOSE_WAIT’ Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]
netlinkbuffersize (Integer) —

integer: Netlink event socket buffer size Default: 2097152
netlinkbuffersizemaxgrowth (Integer) —
integer: The daemon doubles the size of the netlink event socket buffer size
```
if it detects netlink event message dropping . This clause sets the
maximum buffer size growth that can be reached.
```
Default: 8388608
netlinkoverrunresync (String) —
boolean: If the daemon detects that Netlink is dropping state-change events,
```
it automatically schedules a resynchronization against the Kernel
after 30 seconds (default value)
```
Default: on
netlinkeventsreliable (String) —
boolean: If you want reliable event reporting over Netlink, set on this
```
option. If you set on this clause, it is a good idea to set off
NetlinkOverrunResync.
```
Default: Off
pollsecs (Optional[Integer]) —
integer: By default, the daemon receives state updates following an
```
event-driven model. You can modify this behaviour by switching to
polling mode with the PollSecs clause.
```
Default: Off

eventiterationlimit (Integer) —

integer: The daemon prioritizes the handling of state-change events coming

from the core. With this clause, you can set the maximum number of
state-change events (coming from kernel-space) that the daemon
will handle after which it will handle other events coming from the
network or userspace

Default: 100

sync_mode (Enum['FTFW', 'NOTRACK', 'ALARM']) —

string: The syncronisation mode to use values: one of: FTFW, NOTRACK or ALARM Default: FTFW
resend_queue_size (Integer) —

integer: Size of the resend queue (in objects) Default: 131072
ack_window_size (Integer) —
integer: acknowledgement window size. If you decrease this
```
value, the number of acknowlegdments increases
```
Default: 300
disable_external_cache (String) —
boolean: This clause allows you to disable the external cache. Thus,
```
the state entries are directly injected into the kernel
conntrack table.
```
Default: Off
disable_internal_cache (String) —

boolean: This clause allows you to disable the internal cache. Default: Off
refresh_time (Integer) —
integer: ALARM Mode: If a conntrack entry is not modified in <= 15 seconds,
```
then a message is broadcasted.
```
Default: 15
cache_timeout (Integer) —
integer: If we don’t receive a notification about the state of
```
an entry in the external cache after N seconds, then
remove it.
```
Default: 180
commit_timeout (Integer) —
integer: This parameter allows you to set an initial fixed timeout
```
for the committed entries when this node goes from backup
to primary.
```
Default: 180

purge_timeout (Integer) —

integer: If the firewall replica goes from primary to backup,

the conntrackd -t command is invoked in the script.
This command schedules a flush of the table in N seconds.

Default: 60

protocol (Enum['Multicast', 'UDP']) —

string: The protocol to use for syncing. values: Multicast or UDP Default: Multicast
interface (String) —

string: Dedicated physical interface for communicating with the other host. value: <interface name> Default: undef
ipv4_address (String) —

string: Multicast mode only: The multicast address to commuincate over value: Must be set for Multicast mode: <multicast address> Default: 255.0.0.50
ipv4_interface (String) —

string: The ip address to bind to for multicast and UDP connections. value: Must be set for Multicast or UDP mode: <ipaddress> Default: undef
mcast_group (String) —

integer: The multicast group to use for Multicast mode Default: 3780
sndsocketbuffer (Integer) —
integer: The multicast sender uses a buffer to enqueue the packets
```
that are going to be transmitted.
```
Default: 1249280
rcvsocketbuffer (Integer) —
integer: The multicast receiver uses a buffer to enqueue the packets
```
that the socket is pending to handle.
```
Default: 1249280
checksum (String) —

integer: Enable/Disable message checksumming. Default: on
udp_ipv6_address (Optional[String]) —

string: The IPv6 interface address to bind to in UDP mode Default: undef
udp_ipv4_dest (Optional[String]) —

string: The IPv4 interface of the other node when UDP is enabled Default: undef
udp_ipv6_dest (Optional[String]) —

string: The IPv6 interface of the other node when UDP is enabled Default: undef
udp_port (Integer) —

integer: The UDP port to communicate over (should be the same on both nodes) Default: 3780
filter_accept_protocols (Array) —
array: Accept only certain protocols values: TCP, SCTP, DCCP,
```
<tt>UDP</tt>, <tt>ICMP</tt>, <tt>IPv6-ICMP</tt>
```
Default: [ 'TCP', 'SCTP', 'DCCP' ]
tcp_window_tracking (String) —
boolean: TCP state-entries have window tracking disabled by default,
```
you can enable it with this option.
```
Default: Off
track_tcp_states (Array) —

array: The specific TCP states to sync Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]

scheduler_type (String) —

string: Select a different scheduler for the daemon.

See man sched_setscheduler(2) for more information. Using a RT
scheduler reduces the chances to overrun the Netlink buffer.

values: RR, FIFO Default: FIFO

scheduler_priority (String) —

integer: scheduler process priority range: 0 - 99 Default: 99
stats_logfile (Optional[String]) —

string: enable logging of stastics to a file values: fully qualified path to the statis logfile or ‘Off’ Default: undef
stats_netlink_reliable (String) —
boolean: If you want reliable event reporting over Netlink, set on this
```
option. If you set on this clause, it is a good idea to set off
NetlinkOverrunResync.
```
Default: Off
stats_syslog (Optional[String]) —

string: enable syslog logging of statistics values: on, off or <syslog facility>
hashlimit (Optional[Integer]) (defaults to: undef) —

integer: Maximum number of conntracks in table Default: 2x the value of /proc/sys/net/netfilter/nf_conntrack_max

Author:

Ian Bissett <bisscuitt@gmail.com>

# File 'manifests/init.pp', line 300

class conntrackd (
  Enum['present', 'absent']        $ensure,
  Boolean                          $autoupgrade,
  # Workaround for https://github.com/voxpupuli/puppet-lint-trailing_comma-check/issues/16
  # lint:ignore:trailing_comma
  Enum[
    'enabled',
    'disabled',
    'running',
    'unmanaged'
  ]                                $status,
  # lint:endignore
  Array                            $package,
  String                           $service_name,
  Boolean                          $service_hasrestart,
  Boolean                          $service_hasstatus,
  String                           $service_pattern,
  String                           $service_status,
  String                           $config_dir,
  String                           $config_filename,
  Integer[-20,19]                  $nice,
  Integer                          $hashsize,
  String                           $logfile,
  String                           $syslog,
  String                           $lockfile,
  String                           $sock_path,
  Integer                          $sock_backlog,
  Array                            $ignore_ips_ipv4,
  Array                            $ignore_ips_ipv6,
  Array                            $tcp_flows,

  Integer                          $netlinkbuffersize,
  Integer                          $netlinkbuffersizemaxgrowth,
  String                           $netlinkoverrunresync,
  String                           $netlinkeventsreliable,
  Optional[Integer]                $pollsecs,
  Integer                          $eventiterationlimit,

  Enum['FTFW', 'NOTRACK', 'ALARM'] $sync_mode,
  Integer                          $resend_queue_size,
  Integer                          $ack_window_size,
  String                           $disable_external_cache,
  String                           $disable_internal_cache,
  Integer                          $refresh_time,
  Integer                          $cache_timeout,
  Integer                          $commit_timeout,
  Integer                          $purge_timeout,

  Enum['Multicast', 'UDP']         $protocol,
  String                           $interface,
  String                           $ipv4_address,
  String                           $ipv4_interface,
  String                           $mcast_group,
  Integer                          $sndsocketbuffer,
  Integer                          $rcvsocketbuffer,
  String                           $checksum,
  Optional[String]                 $udp_ipv6_address,
  Optional[String]                 $udp_ipv4_dest,
  Optional[String]                 $udp_ipv6_dest,
  Integer                          $udp_port,

  Array                            $filter_accept_protocols,

  String                           $tcp_window_tracking,
  Array                            $track_tcp_states,

  String                           $scheduler_type,
  String                           $scheduler_priority,

  Optional[String]                 $stats_logfile,
  String                           $stats_netlink_reliable,
  Optional[String]                 $stats_syslog,

  # -- Set the hashlimit to be double the sysctl valueof net.nf_conntrack_max
  #    uses custom fact defined in this module
  Optional[Integer]                $hashlimit                  = undef,
) {
  #### Validate parameters
  if $hashlimit {
    $_hashlimit = $hashlimit
  } elsif $facts['nf_conntrack_max'] {
    $_hashlimit = $facts['nf_conntrack_max'] * 2
  } else {
    $_hashlimit = 131072
  }

  #### Manage actions

  # package
  include conntrackd::package

  # service
  include conntrackd::service

  #### Manage relationships

  if $ensure == 'present' {
    include conntrackd::config

    # we need the software before running a service
    Class['conntrackd::package'] -> Class['conntrackd::config'] ~> Class['conntrackd::service']
  } else {
    # make sure all services are getting stopped before software removal
    Class['conntrackd::service'] -> Class['conntrackd::package']
  }
}