X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;fp=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=da573e56a14dad20ae9a4cd2fcfcccd6d2537593;hb=ea40bd344ef38e1b4263a09143d7b68a8883ee98;hp=5f77ce48530fb0a42ce3e63f195229299b8764f1;hpb=a2aea510648d1d58789365a2d0b7bae76fcca37b;p=dsa-puppet.git
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index 5f77ce48..da573e56 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,6 +7,24 @@
 @include 'conf.d/';
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+ table filter {
+ chain log_and_reject {
+ NFLOG nflog-prefix "REJECT: ";
+ proto tcp REJECT reject-with tcp-reset;
+ REJECT;
+ }
+
+ chain log_or_drop {
+ mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+ mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+ DROP;
+ }
+
+ }
+}
+<% else -%>
 domain ip {
 table filter {
 chain log_and_reject {
@@ -38,6 +56,7 @@ domain ip6 {
 }
 }
 }
+<% end -%>
 domain (ip ip6) {
 table filter {
 chain INPUT {
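Review bot: The guard `<% if @lsbmajdistrelease >= '8' -%>` compares strings, so Ruby orders the values lexically and a release of `'10'` or higher sorts before `'8'`. Those hosts would silently take the `else` branch with the older per-family `domain ip` / `domain ip6` chains, whose bodies lie outside this hunk. If the fact is unset the comparison raises on `nil`, and the firewall template would then presumably fail to render. A numeric test such as `<% if @lsbmajdistrelease.to_i >= 8 -%>` avoids both, with the caveat that a non-numeric value (for example a testing/unstable label) becomes 0 and selects the legacy branch, so that case should be decided explicitly. A short comment above the conditional saying why the NFLOG chains are limited to release 8 and later would help the next person who edits these firewall rules.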