Puppet Class: conntrackd::config

Defined in:
manifests/config.pp

Summary

This class exists to coordinate all configuration for the conntrackd daemon

Overview

# conntrackd::config

Parameters:

  • ensure (Enum['present', 'absent']) (defaults to: $conntrackd::ensure)

    Controls whether the managed resources (config directory and config file) are present or absent. Default: present

  • nice (Integer[-20,19]) (defaults to: $conntrackd::nice)

    integer: Nice value of the conntrackd process. range: -20 to +19 (the Integer[-20,19] type enforces this) Default: -1

  • hashsize (Integer) (defaults to: $conntrackd::hashsize)

    integer: Number of buckets in the cache hashtable. Default: 32768

  • hashlimit (Integer) (defaults to: $conntrackd::_hashlimit)

    integer: Maximum number of conntracks in the table. Default: 2x the value of /proc/sys/net/netfilter/nf_conntrack_max

  • logfile (String) (defaults to: $conntrackd::logfile)

    string: fully qualified path to the logfile, or 'off'. If a path is given, its directory must already exist and be writable by the daemon.

    values: on, off, <path to file> Default: off

  • syslog (String) (defaults to: $conntrackd::syslog)

    string: enable syslog logging values: on, off or <syslog facility> Default: on

  • lockfile (String) (defaults to: $conntrackd::lockfile)

    string: fully qualified path to the lockfile Default: /var/lock/conntrack.lock

  • sock_path (String) (defaults to: $conntrackd::sock_path)

    string: fully qualified path to the UNIX socket used for configuration Default: /var/run/conntrackd.ctl

  • sock_backlog (Integer) (defaults to: $conntrackd::sock_backlog)

    integer: sets the listen backlog of the UNIX control socket Default: 20

  • ignore_ips_ipv4 (Array) (defaults to: $conntrackd::ignore_ips_ipv4)

    array: list of IPv4 addresses whose traffic is ignored (not replicated). It should include every IPv4 address of this node, so that the firewall's own flows are never synced to the peer. The default is only an illustration and must be replaced with the node's real addresses.

    Default: [ '127.0.0.1', '192.168.0.1', '10.1.1.1' ]

  • ignore_ips_ipv6 (Array) (defaults to: $conntrackd::ignore_ips_ipv6)

    array: list of IPv6 addresses whose traffic is ignored (not replicated). It should include every IPv6 address of this node.

    Default: [ '::1' ]

  • tcp_flows (Array) (defaults to: $conntrackd::tcp_flows)

    array: list of flows to monitor allowed: ‘ESTABLISHED’, ‘CLOSED’, ‘TIME_WAIT’, ‘CLOSE_WAIT’ Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]

  • netlinkbuffersize (Integer) (defaults to: $conntrackd::netlinkbuffersize)

    integer: Netlink event socket buffer size Default: 2097152

  • netlinkbuffersizemaxgrowth (Integer) (defaults to: $conntrackd::netlinkbuffersizemaxgrowth)

    integer: The daemon doubles the netlink event socket buffer size if it detects netlink event message dropping. This clause sets the maximum buffer size that can be reached.

    Default: 8388608

  • netlinkoverrunresync (String) (defaults to: $conntrackd::netlinkoverrunresync)

    string ('on'/'off'): If the daemon detects that Netlink is dropping state-change events, it automatically schedules a resynchronization against the kernel after 30 seconds (default value).

    Default: on

  • netlinkeventsreliable (String) (defaults to: $conntrackd::netlinkeventsreliable)

    string ('on'/'off'): If you want reliable event reporting over Netlink, set this option on. If you set this clause on, it is a good idea to set NetlinkOverrunResync off.

    Default: Off

  • pollsecs (Optional[Integer]) (defaults to: $conntrackd::pollsecs)

    integer: By default the daemon receives state updates following an event-driven model. Setting this to a number of seconds switches to polling mode (the PollSecs clause). The type is Optional[Integer], so "off" is expressed as undef.

    Default: undef (polling off, event-driven)

  • eventiterationlimit (Integer) (defaults to: $conntrackd::eventiterationlimit)

    integer: The daemon prioritizes the handling of state-change events coming from the kernel. This clause sets the maximum number of state-change events (coming from kernel-space) that the daemon will handle in a row, after which it handles other events coming from the network or userspace.

    Default: 100

  • sync_mode (Enum['FTFW', 'NOTRACK', 'ALARM']) (defaults to: $conntrackd::sync_mode)

    string: The synchronisation mode to use. values: one of FTFW, NOTRACK or ALARM Default: FTFW

  • resend_queue_size (Integer) (defaults to: $conntrackd::resend_queue_size)

    integer: Size of the resend queue (in objects) Default: 131072

  • ack_window_size (Integer) (defaults to: $conntrackd::ack_window_size)

    integer: acknowledgement window size. If you decrease this value, the number of acknowledgements increases.

    Default: 300

  • disable_external_cache (String) (defaults to: $conntrackd::disable_external_cache)

    string ('on'/'off'): This clause allows you to disable the external cache. Thus, the state entries received from the peer are directly injected into the kernel conntrack table.

    Default: Off

  • disable_internal_cache (String) (defaults to: $conntrackd::disable_internal_cache)

    string ('on'/'off'): This clause allows you to disable the internal cache. Default: Off

  • refresh_time (Integer) (defaults to: $conntrackd::refresh_time)

    integer: ALARM mode only: if a conntrack entry is not modified within this many seconds, a message about it is broadcast.

    Default: 15

  • cache_timeout (Integer) (defaults to: $conntrackd::cache_timeout)

    integer: If we don't receive a notification about the state of an entry in the external cache after N seconds, then remove it.

    Default: 180

  • commit_timeout (Integer) (defaults to: $conntrackd::commit_timeout)

    integer: This parameter allows you to set an initial fixed timeout for the committed entries when this node goes from backup to primary.

    Default: 180

  • purge_timeout (Integer) (defaults to: $conntrackd::purge_timeout)

    integer: If the firewall replica goes from primary to backup, the conntrackd -t command is invoked in the script. This command schedules a flush of the table in N seconds.

    Default: 60

  • protocol (Enum['Multicast', 'UDP']) (defaults to: $conntrackd::protocol)

    string: The protocol to use for syncing. values: Multicast or UDP Default: Multicast

  • interface (String) (defaults to: $conntrackd::interface)

    string: Dedicated physical interface for communicating with the other host. value: <interface name> Default: undef

  • ipv4_address (String) (defaults to: $conntrackd::ipv4_address)

    string: Multicast mode only: the multicast group address to communicate over. value: Must be set for Multicast mode: <multicast address>, i.e. an address in 224.0.0.0/4 (255.0.0.50 is not a multicast address and will not work) Default: 225.0.0.50

  • ipv4_interface (String) (defaults to: $conntrackd::ipv4_interface)

    string: The local IP address to bind to for multicast and UDP connections. value: Must be set for Multicast or UDP mode: <ipaddress> Default: undef

  • mcast_group (String) (defaults to: $conntrackd::mcast_group)

    integer (passed as a String): The UDP port of the multicast group (conntrackd's Group clause) used in Multicast mode Default: 3780

  • sndsocketbuffer (Integer) (defaults to: $conntrackd::sndsocketbuffer)

    integer: The multicast sender uses a buffer to enqueue the packets that are going to be transmitted.

    Default: 1249280

  • rcvsocketbuffer (Integer) (defaults to: $conntrackd::rcvsocketbuffer)

    integer: The multicast receiver uses a buffer to enqueue the packets that the socket is pending to handle.

    Default: 1249280

  • checksum (String) (defaults to: $conntrackd::checksum)

    string ('on'/'off'): Enable/disable message checksumming. This detects corruption on the wire; it is not an authentication mechanism, so the sync link should be a dedicated, isolated interface. Default: on

  • udp_ipv6_address (Optional[String]) (defaults to: $conntrackd::udp_ipv6_address)

    string: The local IPv6 address to bind to in UDP mode Default: undef

  • udp_ipv4_dest (Optional[String]) (defaults to: $conntrackd::udp_ipv4_dest)

    string: The IPv4 address of the other node (the UDP peer) when UDP is enabled Default: undef

  • udp_ipv6_dest (Optional[String]) (defaults to: $conntrackd::udp_ipv6_dest)

    string: The IPv6 address of the other node (the UDP peer) when UDP is enabled Default: undef

  • udp_port (Integer) (defaults to: $conntrackd::udp_port)

    integer: The UDP port to communicate over (should be the same on both nodes) Default: 3780

  • filter_accept_protocols (Array) (defaults to: $conntrackd::filter_accept_protocols)

    array: Accept (replicate) only certain protocols. values: TCP, SCTP, DCCP, UDP, ICMP, IPv6-ICMP

    Default: [ 'TCP', 'SCTP', 'DCCP' ]

  • tcp_window_tracking (String) (defaults to: $conntrackd::tcp_window_tracking)

    string ('on'/'off'): TCP state entries have window tracking disabled by default; you can enable it with this option.

    Default: Off

  • track_tcp_states (Array) (defaults to: $conntrackd::track_tcp_states)

    array: The specific TCP states to sync Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]

  • scheduler_type (String) (defaults to: $conntrackd::scheduler_type)

    string: Select a different scheduler for the daemon. See man sched_setscheduler(2) for more information. Using an RT scheduler reduces the chance of overrunning the Netlink buffer.

    values: RR, FIFO Default: FIFO

  • scheduler_priority (String) (defaults to: $conntrackd::scheduler_priority)

    integer (passed as a String): scheduler process priority. range: 0 - 99 Default: 99

  • stats_logfile (Optional[String]) (defaults to: $conntrackd::stats_logfile)

    string: enable logging of statistics to a file. values: fully qualified path to the statistics logfile or 'Off' Default: undef

  • stats_netlink_reliable (String) (defaults to: $conntrackd::stats_netlink_reliable)

    string ('on'/'off'): Stats section: If you want reliable event reporting over Netlink for the statistics collector, set this option on. If you set this clause on, it is a good idea to set NetlinkOverrunResync off.

    Default: Off

  • stats_syslog (Optional[String]) (defaults to: $conntrackd::stats_syslog)

    string: enable syslog logging of statistics values: on, off or <syslog facility>
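A worked declaration, added here as an example and not taken from the module's own documentation or tests. Because conntrackd::config is private (assert_private()), it is configured through the public conntrackd class; the example assumes that class exposes the same parameter names this page lists as $conntrackd::<name> defaults. It sets up a two-node pair syncing over unicast UDP on a dedicated link instead of the multicast default, lists the node's own addresses so they are never replicated, and pairs NetlinkEventsReliable=on with NetlinkOverrunResync=off as the parameter notes recommend. Hostnames, interface name and all addresses are made up for illustration.

```puppet
# Added example: declare the public 'conntrackd' class for an active/backup
# firewall pair. Not part of the module; parameter names are assumed to match
# the $conntrackd::* defaults read by conntrackd::config.

# Constructed sync topology: each node binds its own address on the dedicated
# link and sends unicast UDP to the peer. 192.0.2.0/24 is a documentation range.
$sync_nodes = {
  'fw-a' => { 'local' => '192.0.2.1', 'remote' => '192.0.2.2' },
  'fw-b' => { 'local' => '192.0.2.2', 'remote' => '192.0.2.1' },
}
$me = $facts['networking']['hostname']

# Fail closed: never guess sync addresses for an unknown node.
unless $sync_nodes[$me] {
  fail("${me} is not a member of the firewall pair; refusing to guess sync addresses")
}
$sync = $sync_nodes[$me]

# Every address this node itself answers on (sync link, outside, inside).
# The module's defaults are placeholders and must be replaced per node.
$own_ipv4 = ['127.0.0.1', $sync['local'], '203.0.113.1', '10.0.0.1']
$own_ipv6 = ['::1']

class { 'conntrackd':
  ensure                  => 'present',
  protocol                => 'UDP',
  interface               => 'eth2',            # dedicated, isolated sync link
  ipv4_interface          => $sync['local'],    # bind only on the sync link
  udp_ipv4_dest           => $sync['remote'],   # unicast peer, no multicast
  udp_port                => 3780,              # same on both nodes
  checksum                => 'on',              # corruption check only, not authentication
  sync_mode               => 'FTFW',
  ignore_ips_ipv4         => $own_ipv4,         # never replicate our own flows
  ignore_ips_ipv6         => $own_ipv6,
  filter_accept_protocols => ['TCP', 'SCTP', 'DCCP'],
  tcp_flows               => ['ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT'],
  netlinkeventsreliable   => 'on',              # reliable kernel events ...
  netlinkoverrunresync    => 'off',             # ... so no periodic overrun resync
  scheduler_type          => 'FIFO',            # RT scheduler lowers netlink overrun risk
  scheduler_priority      => '99',
  logfile                 => '/var/log/conntrackd.log',
  syslog                  => 'on',
}
```

The unknown-node guard matters because a wrong local/remote pair silently produces a node that syncs with nobody; failing the catalog is preferable to a firewall that believes it has a standby.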

# File 'manifests/config.pp', line 242

class conntrackd::config (
  Enum['present', 'absent']        $ensure                     = $conntrackd::ensure,
  Enum['Multicast', 'UDP']         $protocol                   = $conntrackd::protocol,
  Integer[-20,19]                  $nice                       = $conntrackd::nice,
  Integer                          $hashsize                   = $conntrackd::hashsize,
  Integer                          $hashlimit                  = $conntrackd::_hashlimit,
  String                           $logfile                    = $conntrackd::logfile,
  String                           $syslog                     = $conntrackd::syslog,
  String                           $lockfile                   = $conntrackd::lockfile,
  String                           $sock_path                  = $conntrackd::sock_path,
  Integer                          $sock_backlog               = $conntrackd::sock_backlog,
  Array                            $ignore_ips_ipv4            = $conntrackd::ignore_ips_ipv4,
  Array                            $ignore_ips_ipv6            = $conntrackd::ignore_ips_ipv6,
  Array                            $tcp_flows                  = $conntrackd::tcp_flows,
  Integer                          $netlinkbuffersize          = $conntrackd::netlinkbuffersize,
  Integer                          $netlinkbuffersizemaxgrowth = $conntrackd::netlinkbuffersizemaxgrowth,
  String                           $netlinkoverrunresync       = $conntrackd::netlinkoverrunresync,
  String                           $netlinkeventsreliable      = $conntrackd::netlinkeventsreliable,
  Optional[Integer]                $pollsecs                   = $conntrackd::pollsecs,
  Integer                          $eventiterationlimit        = $conntrackd::eventiterationlimit,
  Enum['FTFW', 'NOTRACK', 'ALARM'] $sync_mode                  = $conntrackd::sync_mode,
  Integer                          $resend_queue_size          = $conntrackd::resend_queue_size,
  Integer                          $ack_window_size            = $conntrackd::ack_window_size,
  String                           $disable_external_cache     = $conntrackd::disable_external_cache,
  String                           $disable_internal_cache     = $conntrackd::disable_internal_cache,
  Integer                          $refresh_time               = $conntrackd::refresh_time,
  Integer                          $cache_timeout              = $conntrackd::cache_timeout,
  Integer                          $commit_timeout             = $conntrackd::commit_timeout,
  Integer                          $purge_timeout              = $conntrackd::purge_timeout,
  String                           $interface                  = $conntrackd::interface,
  String                           $ipv4_address               = $conntrackd::ipv4_address,
  String                           $ipv4_interface             = $conntrackd::ipv4_interface,
  String                           $mcast_group                = $conntrackd::mcast_group,
  Integer                          $sndsocketbuffer            = $conntrackd::sndsocketbuffer,
  Integer                          $rcvsocketbuffer            = $conntrackd::rcvsocketbuffer,
  String                           $checksum                   = $conntrackd::checksum,
  Optional[String]                 $udp_ipv6_address           = $conntrackd::udp_ipv6_address,
  Optional[String]                 $udp_ipv4_dest              = $conntrackd::udp_ipv4_dest,
  Optional[String]                 $udp_ipv6_dest              = $conntrackd::udp_ipv6_dest,
  Integer                          $udp_port                   = $conntrackd::udp_port,
  Array                            $filter_accept_protocols    = $conntrackd::filter_accept_protocols,
  String                           $tcp_window_tracking        = $conntrackd::tcp_window_tracking,
  Array                            $track_tcp_states           = $conntrackd::track_tcp_states,
  String                           $scheduler_type             = $conntrackd::scheduler_type,
  String                           $scheduler_priority         = $conntrackd::scheduler_priority,
  Optional[String]                 $stats_logfile              = $conntrackd::stats_logfile,
  String                           $stats_netlink_reliable     = $conntrackd::stats_netlink_reliable,
  Optional[String]                 $stats_syslog               = $conntrackd::stats_syslog,

) {
  assert_private()

  #### Config management

  if $ensure == 'present' {
    # set params: in operation
    $config_exists     = 'present'
    $config_dir_exists = 'directory'
  } else {
    # set params: removal
    $config_exists     = 'absent'
    $config_dir_exists = 'absent'
  }

  # sanity check some parameters
  # Note: ipv4_address is typed String (not Optional[String]), so Puppet rejects
  # undef for it before this class body runs; only the Optional udp_ipv6_* and
  # udp_ipv4_dest parameters can actually be undef here.
  if $protocol == 'UDP' {
    if $ipv4_address == undef and $udp_ipv6_address == undef {
      fail("\"${module_name}\": protocol \"${protocol}\" requires at least one of: ipv4_address, udp_ipv6_address to be specified")
    }
    if $ipv4_address and $udp_ipv4_dest == undef {
      fail("\"${module_name}\": protocol \"${protocol}\" udp_ipv4_dest must be specified if ipv4_address is specified")
    }
    if $udp_ipv6_address and $udp_ipv6_dest == undef {
      fail("\"${module_name}\": protocol \"${protocol}\" udp_ipv6_dest must be specified if udp_ipv6_address is specified")
    }
  }

  # manage config dir
  file { 'conntrackd-confdir':
    ensure => $config_dir_exists,
    path   => $conntrackd::config_dir,
    mode   => '0755',
  }

  # configuration file
  file { 'conntrackd-config':
    ensure  => $config_exists,
    path    => "${conntrackd::config_dir}/${conntrackd::config_filename}",
    content => epp('conntrackd/conntrackd.conf.epp'),
    mode    => '0644',
    require => File['conntrackd-confdir'],
    notify  => Service['conntrackd'],
  }
}