Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppet-conntrackd', '2.0.0'
puppet-module-conntrackd
Puppet module to manage conntrackd.
Have a look at REFERENCE.md or the main module class (init.pp) to see what this module does on a node, plus usage examples.
Compatibility
Supports both ipv4 and ipv6, all conntrackd options and all sync modes.
Compatible with Debian, Ubuntu, RedHat, Fedora, CentOS and Scientific Linux.
This version requires Puppet 6.1.0 or newer (Puppet 4 and 5 support was dropped in 2.0.0; see metadata.json for the exact supported range).
Requirements
This module has the following dependencies:
- stdlib Version 4.19.0 or newer.
For a full (and up-to-date) list of dependencies, please see metadata.json.
Usage examples
Install and manage the conntrackd service
include 'conntrackd'
Multicast Sync over eth1 using the default FTFW sync mode ($multicast_address is a variable you define, holding the multicast group address):
class { 'conntrackd':
  protocol       => 'Multicast',
  interface      => 'eth1',
  ipv4_address   => $multicast_address,
  ipv4_interface => $facts['networking']['interfaces']['eth1']['ip'],
}
UDP Sync over eth2 using the ALARM sync mode ($other_remote_host is a variable you define, holding the peer node's address on eth2):
class { 'conntrackd':
  sync_mode     => 'ALARM',
  protocol      => 'UDP',
  interface     => 'eth2',
  ipv4_address  => $facts['networking']['interfaces']['eth2']['ip'],
  udp_ipv4_dest => $other_remote_host,
}
Remove service, package and configuration of conntrackd:
class { 'conntrackd':
  ensure => 'absent',
}
You can find more examples in the examples dir.
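The examples above leave two things to the reader that matter for a firewall pair: which of this node's own addresses go into ignore_ips_ipv4, and the fact that conntrackd's sync stream carries only a checksum, with no authentication or encryption, so anything that can reach the sync interface can feed state into the peer's conntrack table. The profile below is an added example written for this README, not code from the puppet-conntrackd module; it assumes a class name profile::fw_sync, two Hiera-supplied parameters (sync_interface, peer_ipv4) and the networking fact structure of Facter 3 and newer. It wires two nodes together with UDP unicast sync over a dedicated link and builds the ignore list from the node's own interface facts instead of the placeholder defaults.

```puppet
# Added example for this README (not part of the puppet-conntrackd module).
# Assumptions: class name profile::fw_sync, Hiera keys
# profile::fw_sync::sync_interface and profile::fw_sync::peer_ipv4, and the
# $facts['networking']['interfaces'] structure provided by Facter 3+.
class profile::fw_sync (
  String $sync_interface,   # e.g. 'eth2': the isolated node-to-node link
  String $peer_ipv4,        # the other node's address on that link
) {
  # Address this node binds for sync traffic, taken from the interface facts.
  $sync_ipv4 = $facts['networking']['interfaces'][$sync_interface]['ip']

  # Every IPv4 address this node holds. Flows that involve these addresses
  # (management sessions, the sync stream itself) are local to this node and
  # must not be replicated to the peer, so all of them go into IgnoreIPs.
  # The module default lists 127.0.0.1 plus two placeholder addresses only.
  $iface_ips  = $facts['networking']['interfaces'].map |$name, $iface| {
    $iface['ip']
  }
  $local_ipv4 = $iface_ips.filter |$ip| { $ip =~ String }

  class { 'conntrackd':
    protocol                => 'UDP',
    sync_mode               => 'FTFW',
    interface               => $sync_interface,
    ipv4_address            => $sync_ipv4,      # local bind address in UDP mode
    udp_ipv4_dest           => $peer_ipv4,
    udp_port                => 3780,            # must match on both nodes
    checksum                => 'on',            # detects corruption, not tampering
    ignore_ips_ipv4         => unique(['127.0.0.1'] + $local_ipv4),
    ignore_ips_ipv6         => ['::1'],
    filter_accept_protocols => ['TCP', 'SCTP', 'DCCP'],
    track_tcp_states        => ['ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT'],
  }
}
```

Apply the same profile on both nodes with their respective peer_ipv4 values and confirm with conntrackd -s on each that the sync counters move and that the sync link's own address never appears in the replicated table. What the profile cannot do is isolate the sync link; that has to be enforced outside this module (a direct cable or a dedicated VLAN and host firewall rules that admit UDP 3780 from the peer only), because checksum => 'on' protects against bit errors, not against a host on the same segment injecting state.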
Links
- Official conntrackd website http://conntrack-tools.netfilter.org/conntrackd.html
- Official project page https://github.com/voxpupuli/puppet-conntrackd
License, Copyright
See COPYING and NOTICE file in the root directory of this module.
Author
- Written initially by Ian Bissett bisscuitt@gmail.com @bisscuitt
- This module is now maintained by VoxPupuli
Reference
Table of Contents
Classes
Public Classes
conntrackd
: This class is able to install or remove conntrackd on a node. It manages the status and configuration of the service.
conntrackd::config
: This class exists to coordinate all configuration for the conntrackd daemon
Private Classes
conntrackd::package
: This class exists to coordinate all software package management related actions
conntrackd::service
: This class exists to coordinate all service management related actions
Classes
conntrackd
This class is able to install or remove conntrackd on a node. It manages the status and configuration of the service.
Examples
Installation, make sure the service is running and will be started at boot time:
class { 'conntrackd': }
Removal/decommissioning:
class { 'conntrackd':
  ensure => 'absent',
}
Install everything but disable the service(s) afterwards:
class { 'conntrackd':
  status => 'disabled',
}
Parameters
The following parameters are available in the conntrackd
class:
ensure
autoupgrade
status
package
service_name
service_hasrestart
service_hasstatus
service_pattern
service_status
config_dir
config_filename
nice
hashsize
logfile
syslog
lockfile
sock_path
sock_backlog
ignore_ips_ipv4
ignore_ips_ipv6
tcp_flows
netlinkbuffersize
netlinkbuffersizemaxgrowth
netlinkoverrunresync
netlinkeventsreliable
pollsecs
eventiterationlimit
sync_mode
resend_queue_size
ack_window_size
disable_external_cache
disable_internal_cache
refresh_time
cache_timeout
commit_timeout
purge_timeout
protocol
interface
ipv4_address
ipv4_interface
mcast_group
sndsocketbuffer
rcvsocketbuffer
checksum
udp_ipv6_address
udp_ipv4_dest
udp_ipv6_dest
udp_port
filter_accept_protocols
tcp_window_tracking
track_tcp_states
scheduler_type
scheduler_priority
stats_logfile
stats_netlink_reliable
stats_syslog
hashlimit
ensure
Data type: Enum['present', 'absent']
Controls whether the managed resources are present or absent. If set to absent:
- The managed software packages are uninstalled.
- Any traces of the packages are purged as far as possible. This may include existing configuration files; the exact behaviour is provider dependent. See:
- Puppet type reference: {package, "purgeable"}[http://j.mp/xbxmNP]
- {Puppet's package provider source code}[http://j.mp/wtVCaL]
- System modifications (if any) are reverted as far as possible (e.g. removal of created users, services, changed log settings, ...).
- This is thus destructive and should be used with care. Defaults to present.
autoupgrade
Data type: Boolean
If set to true, any managed package is upgraded on each Puppet run whenever the package provider finds a newer version than the installed one. The exact behaviour is provider dependent. See:
- Puppet type reference: {package, "upgradeable"}[http://j.mp/xbxmNP]
- {Puppet's package provider source code}[http://j.mp/wtVCaL]
Defaults to false.
status
Data type: Enum[ 'enabled', 'disabled', 'running', 'unmanaged' ]
Defines the status of the service. Possible values:
- enabled: Service is running and will be started at boot time.
- disabled: Service is stopped and will not be started at boot time.
- running: Service is running but will not be started at boot time. You can use this to start a service on the first Puppet run instead of at system startup.
- unmanaged: Service will not be started at boot time and Puppet does not care whether the service is running or not. This is useful when cluster management software decides when to start the service and ensures it is running on the desired node. Defaults to enabled. The singular form ("service") is used for convenience; the defined status affects all services if more than one is managed (see service.pp to check whether this is the case).
package
Data type: Array
The name(s) of the conntrack package(s)
service_name
Data type: String
The name of the conntrackd service
service_hasrestart
Data type: Boolean
The service hasrestart
attribute
service_hasstatus
Data type: Boolean
The service hasstatus
attribute
service_pattern
Data type: String
The service pattern
attribute
service_status
Data type: String
The service status
attribute
config_dir
Data type: String
Top-level directory for configuration
config_filename
Data type: String
Config file name
nice
Data type: Integer[-20,19]
integer: Nice value of the conntrackd process. Range: -20 to 19. Default: -1
hashsize
Data type: Integer
integer: Number of buckets in the cache hashtable. Default: 32768
logfile
Data type: String
string: fully qualified path to the logfile (the directory must exist and be writable), or 'Off' to disable file logging. Default: Off
syslog
Data type: String
string: enable syslog logging. Values: on, off. Default: on
lockfile
Data type: String
string: fully qualified path to the lockfile Default: /var/lock/conntrack.lock
sock_path
Data type: String
string: fully qualified path to the UNIX socket used for configuration Default: /var/run/conntrackd.ctl
sock_backlog
Data type: Integer
integer: sets the backlog of the UNIX socket. Default: 20
ignore_ips_ipv4
Data type: Array
array: list of IPv4 addresses to ignore (flows involving them are not replicated). It should include all of this node's own addresses, including the one on the sync link. The default contains placeholder addresses and should be overridden. Default: [ '127.0.0.1', '192.168.0.1', '10.1.1.1' ]
ignore_ips_ipv6
Data type: Array
array: list of IPv6 addresses to ignore. It should include all of this node's own IPv6 addresses. Default: [ '::1' ]
tcp_flows
Data type: Array
array: list of flows to monitor allowed: 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]
netlinkbuffersize
Data type: Integer
integer: Netlink event socket buffer size Default: 2097152
netlinkbuffersizemaxgrowth
Data type: Integer
integer: The daemon doubles the size of the netlink event socket buffer size if it detects netlink event message dropping . This clause sets the maximum buffer size growth that can be reached. Default: 8388608
netlinkoverrunresync
Data type: String
boolean: If the daemon detects that Netlink is dropping state-change events, it automatically schedules a resynchronization against the Kernel after 30 seconds (default value) Default: on
netlinkeventsreliable
Data type: String
boolean: If you want reliable event reporting over Netlink, set on this option. If you set on this clause, it is a good idea to set off NetlinkOverrunResync. Default: Off
pollsecs
Data type: Optional[Integer]
integer: By default the daemon receives state updates following an event-driven model. Setting a number of seconds here switches it to polling mode via the PollSecs clause. Default: undef (clause omitted, event-driven)
eventiterationlimit
Data type: Integer
integer: The daemon prioritizes the handling of state-change events coming from the core. With this clause, you can set the maximum number of state-change events (coming from kernel-space) that the daemon will handle after which it will handle other events coming from the network or userspace Default: 100
sync_mode
Data type: Enum['FTFW', 'NOTRACK', 'ALARM']
string: The synchronisation mode to use. Values: FTFW, NOTRACK or ALARM. Default: FTFW
resend_queue_size
Data type: Integer
integer: Size of the resend queue (in objects) Default: 131072
ack_window_size
Data type: Integer
integer: acknowledgement window size. If you decrease this value, the number of acknowledgements increases. Default: 300
disable_external_cache
Data type: String
boolean: This clause allows you to disable the external cache. Thus, the state entries are directly injected into the kernel conntrack table. Default: Off
disable_internal_cache
Data type: String
boolean: This clause allows you to disable the internal cache. Default: Off
refresh_time
Data type: Integer
integer: ALARM Mode: If a conntrack entry is not modified in <= 15 seconds, then a message is broadcasted. Default: 15
cache_timeout
Data type: Integer
integer: If we don't receive a notification about the state of an entry in the external cache after N seconds, then remove it. Default: 180
commit_timeout
Data type: Integer
integer: This parameter allows you to set an initial fixed timeout for the committed entries when this node goes from backup to primary. Default: 180
purge_timeout
Data type: Integer
integer: If the firewall replica goes from primary to backup, the failover (primary-backup) script invokes conntrackd -t, which schedules a flush of the table in N seconds. Default: 60
protocol
Data type: Enum['Multicast', 'UDP']
string: The protocol to use for syncing. values: Multicast or UDP Default: Multicast
interface
Data type: String
string: Dedicated physical interface for communicating with the other host. Sync messages carry only a checksum and are neither authenticated nor encrypted, so this should be an isolated link between the two nodes. Default: undef
ipv4_address
Data type: String
string: In Multicast mode, the multicast group address to communicate over (must be set for Multicast mode). In UDP mode the usage examples set it to the local address to bind to. Default: 255.0.0.50 as documented; note that this value is outside the IPv4 multicast range (224.0.0.0/4), so set it explicitly to a valid group address.
ipv4_interface
Data type: String
string: The local IP address to bind to for multicast and UDP sync. Must be set for Multicast or UDP mode. Default: undef
mcast_group
Data type: String
integer: The multicast group number (the Group clause) used in Multicast mode. Default: 3780
sndsocketbuffer
Data type: Integer
integer: The multicast sender uses a buffer to enqueue the packets that are going to be transmitted. Default: 1249280
rcvsocketbuffer
Data type: Integer
integer: The multicast receiver uses a buffer to enqueue the packets that the socket is pending to handle. Default: 1249280
checksum
Data type: String
boolean: Enable/Disable message checksumming. This detects corrupted sync messages; it is not an authentication mechanism. Default: on
udp_ipv6_address
Data type: Optional[String]
string: The IPv6 interface address to bind to in UDP mode Default: undef
udp_ipv4_dest
Data type: Optional[String]
string: The IPv4 address of the other node when UDP is enabled. Default: undef
udp_ipv6_dest
Data type: Optional[String]
string: The IPv6 address of the other node when UDP is enabled. Default: undef
udp_port
Data type: Integer
integer: The UDP port to communicate over (should be the same on both nodes) Default: 3780
filter_accept_protocols
Data type: Array
array: Accept only certain protocols values: TCP, SCTP, DCCP, UDP, ICMP, IPv6-ICMP Default: [ 'TCP', 'SCTP', 'DCCP' ]
tcp_window_tracking
Data type: String
boolean: TCP state-entries have window tracking disabled by default, you can enable it with this option. Default: Off
track_tcp_states
Data type: Array
array: The specific TCP states to sync Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]
scheduler_type
Data type: String
string: Select a different scheduler for the daemon. See man sched_setscheduler(2) for more information. Using a RT scheduler reduces the chances to overrun the Netlink buffer. values: RR, FIFO Default: FIFO
scheduler_priority
Data type: String
integer: scheduler process priority. Range: 0 - 99. Default: 99
stats_logfile
Data type: Optional[String]
string: enable logging of statistics to a file. Values: fully qualified path to the statistics logfile, or 'Off'. Default: undef
stats_netlink_reliable
Data type: String
boolean: If you want reliable event reporting over Netlink, set on this option. If you set on this clause, it is a good idea to set off NetlinkOverrunResync. Default: Off
stats_syslog
Data type: Optional[String]
string: enable syslog logging of statistics. Values: on, off. Default: undef
hashlimit
Data type: Optional[Integer]
integer: Maximum number of conntracks in the table. When left undef, the module computes 2x the value of /proc/sys/net/netfilter/nf_conntrack_max (see $conntrackd::_hashlimit).
Default value: undef
conntrackd::config
This class exists to coordinate all configuration for the conntrackd daemon.
Parameters
The following parameters are available in the conntrackd::config
class:
ensure
nice
hashsize
hashlimit
logfile
syslog
lockfile
sock_path
sock_backlog
ignore_ips_ipv4
ignore_ips_ipv6
tcp_flows
netlinkbuffersize
netlinkbuffersizemaxgrowth
netlinkoverrunresync
netlinkeventsreliable
pollsecs
eventiterationlimit
sync_mode
resend_queue_size
ack_window_size
disable_external_cache
disable_internal_cache
refresh_time
cache_timeout
commit_timeout
purge_timeout
protocol
interface
ipv4_address
ipv4_interface
mcast_group
sndsocketbuffer
rcvsocketbuffer
checksum
udp_ipv6_address
udp_ipv4_dest
udp_ipv6_dest
udp_port
filter_accept_protocols
tcp_window_tracking
track_tcp_states
scheduler_type
scheduler_priority
stats_logfile
stats_netlink_reliable
stats_syslog
ensure
Data type: Enum['present', 'absent']
String. Controls if the managed resources shall be present or absent. Default: present.
Default value: $conntrackd::ensure
nice
Data type: Integer[-20,19]
integer: Nice value of the conntrackd process. Range: -20 to 19. Default: -1
Default value: $conntrackd::nice
hashsize
Data type: Integer
integer: Number of buckets in the cache hashtable. Default: 32768
Default value: $conntrackd::hashsize
hashlimit
Data type: Integer
integer: Maximum number of conntracks in the table. Default: 2x the value of /proc/sys/net/netfilter/nf_conntrack_max
Default value: $conntrackd::_hashlimit
logfile
Data type: String
string: fully qualified path to the logfile (the directory must exist and be writable), or 'Off' to disable file logging. Default: Off
Default value: $conntrackd::logfile
syslog
Data type: String
string: enable syslog logging. Values: on, off. Default: on
Default value: $conntrackd::syslog
lockfile
Data type: String
string: fully qualified path to the lockfile Default: /var/lock/conntrack.lock
Default value: $conntrackd::lockfile
sock_path
Data type: String
string: fully qualified path to the UNIX socket used for configuration Default: /var/run/conntrackd.ctl
Default value: $conntrackd::sock_path
sock_backlog
Data type: Integer
integer: sets the backlog of the UNIX socket. Default: 20
Default value: $conntrackd::sock_backlog
ignore_ips_ipv4
Data type: Array
array: list of IPv4 addresses to ignore (flows involving them are not replicated). It should include all of this node's own addresses, including the one on the sync link. The default contains placeholder addresses and should be overridden. Default: [ '127.0.0.1', '192.168.0.1', '10.1.1.1' ]
Default value: $conntrackd::ignore_ips_ipv4
ignore_ips_ipv6
Data type: Array
array: list of IPv6 addresses to ignore. It should include all of this node's own IPv6 addresses. Default: [ '::1' ]
Default value: $conntrackd::ignore_ips_ipv6
tcp_flows
Data type: Array
array: list of flows to monitor allowed: 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]
Default value: $conntrackd::tcp_flows
netlinkbuffersize
Data type: Integer
integer: Netlink event socket buffer size Default: 2097152
Default value: $conntrackd::netlinkbuffersize
netlinkbuffersizemaxgrowth
Data type: Integer
integer: The daemon doubles the size of the netlink event socket buffer size if it detects netlink event message dropping . This clause sets the maximum buffer size growth that can be reached. Default: 8388608
Default value: $conntrackd::netlinkbuffersizemaxgrowth
netlinkoverrunresync
Data type: String
boolean: If the daemon detects that Netlink is dropping state-change events, it automatically schedules a resynchronization against the Kernel after 30 seconds (default value) Default: on
Default value: $conntrackd::netlinkoverrunresync
netlinkeventsreliable
Data type: String
boolean: If you want reliable event reporting over Netlink, set on this option. If you set on this clause, it is a good idea to set off NetlinkOverrunResync. Default: Off
Default value: $conntrackd::netlinkeventsreliable
pollsecs
Data type: Optional[Integer]
integer: By default the daemon receives state updates following an event-driven model. Setting a number of seconds here switches it to polling mode via the PollSecs clause. Default: undef (clause omitted, event-driven)
Default value: $conntrackd::pollsecs
eventiterationlimit
Data type: Integer
integer: The daemon prioritizes the handling of state-change events coming from the core. With this clause, you can set the maximum number of state-change events (coming from kernel-space) that the daemon will handle after which it will handle other events coming from the network or userspace Default: 100
Default value: $conntrackd::eventiterationlimit
sync_mode
Data type: Enum['FTFW', 'NOTRACK', 'ALARM']
string: The synchronisation mode to use. Values: FTFW, NOTRACK or ALARM. Default: FTFW
Default value: $conntrackd::sync_mode
resend_queue_size
Data type: Integer
integer: Size of the resend queue (in objects) Default: 131072
Default value: $conntrackd::resend_queue_size
ack_window_size
Data type: Integer
integer: acknowledgement window size. If you decrease this value, the number of acknowledgements increases. Default: 300
Default value: $conntrackd::ack_window_size
disable_external_cache
Data type: String
boolean: This clause allows you to disable the external cache. Thus, the state entries are directly injected into the kernel conntrack table. Default: Off
Default value: $conntrackd::disable_external_cache
disable_internal_cache
Data type: String
boolean: This clause allows you to disable the internal cache. Default: Off
Default value: $conntrackd::disable_internal_cache
refresh_time
Data type: Integer
integer: ALARM Mode: If a conntrack entry is not modified in <= 15 seconds, then a message is broadcasted. Default: 15
Default value: $conntrackd::refresh_time
cache_timeout
Data type: Integer
integer: If we don't receive a notification about the state of an entry in the external cache after N seconds, then remove it. Default: 180
Default value: $conntrackd::cache_timeout
commit_timeout
Data type: Integer
integer: This parameter allows you to set an initial fixed timeout for the committed entries when this node goes from backup to primary. Default: 180
Default value: $conntrackd::commit_timeout
purge_timeout
Data type: Integer
integer: If the firewall replica goes from primary to backup, the failover (primary-backup) script invokes conntrackd -t, which schedules a flush of the table in N seconds. Default: 60
Default value: $conntrackd::purge_timeout
protocol
Data type: Enum['Multicast', 'UDP']
string: The protocol to use for syncing. values: Multicast or UDP Default: Multicast
Default value: $conntrackd::protocol
interface
Data type: String
string: Dedicated physical interface for communicating with the other host. Sync messages carry only a checksum and are neither authenticated nor encrypted, so this should be an isolated link between the two nodes. Default: undef
Default value: $conntrackd::interface
ipv4_address
Data type: String
string: In Multicast mode, the multicast group address to communicate over (must be set for Multicast mode). In UDP mode the usage examples set it to the local address to bind to. Default: 255.0.0.50 as documented; note that this value is outside the IPv4 multicast range (224.0.0.0/4), so set it explicitly to a valid group address.
Default value: $conntrackd::ipv4_address
ipv4_interface
Data type: String
string: The local IP address to bind to for multicast and UDP sync. Must be set for Multicast or UDP mode. Default: undef
Default value: $conntrackd::ipv4_interface
mcast_group
Data type: String
integer: The multicast group number (the Group clause) used in Multicast mode. Default: 3780
Default value: $conntrackd::mcast_group
sndsocketbuffer
Data type: Integer
integer: The multicast sender uses a buffer to enqueue the packets that are going to be transmitted. Default: 1249280
Default value: $conntrackd::sndsocketbuffer
rcvsocketbuffer
Data type: Integer
integer: The multicast receiver uses a buffer to enqueue the packets that the socket is pending to handle. Default: 1249280
Default value: $conntrackd::rcvsocketbuffer
checksum
Data type: String
boolean: Enable/Disable message checksumming. This detects corrupted sync messages; it is not an authentication mechanism. Default: on
Default value: $conntrackd::checksum
udp_ipv6_address
Data type: Optional[String]
string: The IPv6 interface address to bind to in UDP mode Default: undef
Default value: $conntrackd::udp_ipv6_address
udp_ipv4_dest
Data type: Optional[String]
string: The IPv4 address of the other node when UDP is enabled. Default: undef
Default value: $conntrackd::udp_ipv4_dest
udp_ipv6_dest
Data type: Optional[String]
string: The IPv6 address of the other node when UDP is enabled. Default: undef
Default value: $conntrackd::udp_ipv6_dest
udp_port
Data type: Integer
integer: The UDP port to communicate over (should be the same on both nodes) Default: 3780
Default value: $conntrackd::udp_port
filter_accept_protocols
Data type: Array
array: Accept only certain protocols values: TCP, SCTP, DCCP, UDP, ICMP, IPv6-ICMP Default: [ 'TCP', 'SCTP', 'DCCP' ]
Default value: $conntrackd::filter_accept_protocols
tcp_window_tracking
Data type: String
boolean: TCP state-entries have window tracking disabled by default, you can enable it with this option. Default: Off
Default value: $conntrackd::tcp_window_tracking
track_tcp_states
Data type: Array
array: The specific TCP states to sync Default: [ 'ESTABLISHED', 'CLOSED', 'TIME_WAIT', 'CLOSE_WAIT' ]
Default value: $conntrackd::track_tcp_states
scheduler_type
Data type: String
string: Select a different scheduler for the daemon. See man sched_setscheduler(2) for more information. Using a RT scheduler reduces the chances to overrun the Netlink buffer. values: RR, FIFO Default: FIFO
Default value: $conntrackd::scheduler_type
scheduler_priority
Data type: String
integer: scheduler process priority. Range: 0 - 99. Default: 99
Default value: $conntrackd::scheduler_priority
stats_logfile
Data type: Optional[String]
string: enable logging of statistics to a file. Values: fully qualified path to the statistics logfile, or 'Off'. Default: undef
Default value: $conntrackd::stats_logfile
stats_netlink_reliable
Data type: String
boolean: If you want reliable event reporting over Netlink, set on this option. If you set on this clause, it is a good idea to set off NetlinkOverrunResync. Default: Off
Default value: $conntrackd::stats_netlink_reliable
stats_syslog
Data type: Optional[String]
string: enable syslog logging of statistics. Values: on, off. Default: undef
Default value: $conntrackd::stats_syslog
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v2.0.0 (2022-08-13)
Breaking changes:
- Drop EoL Puppet 4/5 support; require 6.1 or newer #3 (bastelfreak)
Merged pull requests:
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs-stdlib (>= 4.19.0 < 9.0.0)
Copyright 2012 Ian Bissett <bisscuitt@gmail.com> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.