Puppet Class: profile::firewall::nftables_throttling
- Defined in:
- modules/profile/manifests/firewall/nftables_throttling.pp
Summary
Manages nftables-based throttling (per-client connection limits on a port, plus an unconditional drop list of known abusers).
Overview
SPDX-License-Identifier: Apache-2.0
TODO: this class will have to be renamed to match the new configuration, where packets are counted per IP rather than connections.
# File 'modules/profile/manifests/firewall/nftables_throttling.pp', line 12
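# @param ensure            manage (present) or remove (absent) the throttling chain file
# @param max_connections   parallel connections a single client may hold before it is throttled
# @param burst_value       connection burst a client is allowed; three times max_connections by default
# @param throttle_duration seconds a client stays banned once it exceeds the limit
# @param tracking_timeout  seconds a client is tracked; half of throttle_duration by default
# @param nft_policy        policy of the throttling chain, 'accept' or 'drop'
# @param nft_logging       when true the rendered rules carry a 'log ' prefix
# @param port              port the throttling applies to (443 by default)
# @param abusers           IPv4/IPv6 addresses or networks whose traffic is dropped unconditionally
class profile::firewall::nftables_throttling (
    Wmflib::Ensure $ensure = lookup('profile::firewall::nftables_throttling::ensure',
        { default_value => present }),
    # Limits and timers are Integer[1] rather than bare Integer: a zero or negative
    # value is never a meaningful nft limit, so reject it at catalog compile time
    # instead of rendering a rule that nft may refuse to load or that throttles everyone.
    Integer[1] $max_connections = lookup('profile::firewall::nftables_throttling::max_connections',
        { default_value => 32 }), # allow 32 parallel connections
    Integer[1] $burst_value = lookup('profile::firewall::nftables_throttling::burst_value',
        { default_value => 96 }), # allow for a connection burst 3 times higher
                                  # than max_connections by default (not enforced;
                                  # a burst below max_connections is left to the operator)
    Integer[1] $throttle_duration = lookup('profile::firewall::nftables_throttling::throttle_duration',
        { default_value => 300 }), # ban clients above the limit for 300 seconds
    Integer[1] $tracking_timeout = lookup('profile::firewall::nftables_throttling::tracking_timeout',
        { default_value => 150 }), # track clients for half the time they would be throttled
    Enum['accept', 'drop'] $nft_policy = lookup('profile::firewall::nftables_throttling::nft_policy',
        { default_value => 'accept' }),
    Boolean $nft_logging = lookup('profile::firewall::nftables_throttling::nft_logging',
        { default_value => false }),
    # Stdlib::Port (0-65535) instead of Integer so a mistyped port fails at compile
    # time rather than when nft loads the ruleset on the host.
    Stdlib::Port $port = lookup('profile::firewall::nftables_throttling::port',
        { default_value => 443 }),
    # TODO: Import them from confd/requestctl later T348734
    # NOTE(review): this list is taken straight from hiera with no sanity check; an
    # overly broad entry (e.g. a /0 prefix) would drop all traffic of that family.
    # Worth a guard once the source moves to requestctl.
    Array[Stdlib::IP::Address] $abusers = lookup('profile::firewall::nftables_throttling::abusers',
        { default_value => [] }),
) {
    # Consumed by throttling.nft.erb; the empty string keeps the rules silent.
    $nft_do_log = $nft_logging ? {
        true    => 'log ',
        default => '',
    }

    # add throttling nftables chain T366882
    nftables::file { 'throttling-chain':
        ensure  => $ensure,
        order   => 99,
        content => template('profile/firewall/throttling.nft.erb'),
    }

    # The abuser set and its drop rules are driven by whether $abusers is empty,
    # not by $ensure: with ensure => absent and a non-empty list they are still
    # managed. NOTE(review): confirm that decoupling is intended.
    $ipv4_abusers = $abusers.filter |$ip| { $ip =~ Stdlib::IP::Address::V4 }
    $ipv6_abusers = $abusers.filter |$ip| { $ip =~ Stdlib::IP::Address::V6 }

    # nftables has a problem with dropping of empty sets, so only emit a drop rule
    # for an address family that actually has entries. Otherwise the sets would
    # have to be created with the dynamic flag.
    $ensure_abusers    = empty($abusers) ? { true => 'absent', default => 'present' }
    $ensure_abusers_v4 = empty($ipv4_abusers) ? { true => 'absent', default => 'present' }
    $ensure_abusers_v6 = empty($ipv6_abusers) ? { true => 'absent', default => 'present' }

    # Create the ABUSERS set; the rules below reference @ABUSERS_ipv4 / @ABUSERS_ipv6,
    # presumably the per-family sets nftables::set derives from this name -- keep
    # the name and the references in sync.
    nftables::set { 'ABUSERS':
        ensure => $ensure_abusers,
        hosts  => $abusers,
    }

    # order 9 places these ahead of the throttling chain file (order 99), assuming
    # lower order sorts first, so listed abusers never reach the rate limiter.
    nftables::file::input { 'drop-abuser-nets-v4':
        ensure  => $ensure_abusers_v4,
        order   => 9,
        content => @(EOF/L),
            ip saddr @ABUSERS_ipv4 drop
            | EOF
    }
    nftables::file::input { 'drop-abuser-nets-v6':
        ensure  => $ensure_abusers_v6,
        order   => 9,
        content => @(EOF/L),
            ip6 saddr @ABUSERS_ipv6 drop
            | EOF
    }
}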