X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=modules%2Fferm%2Ftemplates%2Fferm.conf.erb;h=5d63f8d0fd00bd625d036d00c73fbda50dc8e27e;hb=cdf648b13dacc11edd25af11c93a67dbe7097743;hp=5f77ce48530fb0a42ce3e63f195229299b8764f1;hpb=a2aea510648d1d58789365a2d0b7bae76fcca37b;p=dsa-puppet.git
diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index 5f77ce48..5d63f8d0 100644
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,6 +7,24 @@
 @include 'conf.d/';
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+    table filter {
+        chain log_and_reject {
+            NFLOG nflog-prefix "REJECT: ";
+            proto tcp REJECT reject-with tcp-reset;
+            REJECT;
+        }
+
+        chain log_or_drop {
+            mod hashlimit hashlimit-name nflogreject hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+            mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+            DROP;
+        }
+
+    }
+}
+<% else -%>
 domain ip {
     table filter {
         chain log_and_reject {
@@ -38,6 +56,7 @@ domain ip6 {
         }
     }
 }
+<% end -%>
 domain (ip ip6) {
     table filter {
         chain INPUT {
@@ -64,6 +83,7 @@ domain (ip ip6) {
     }
 }
+@hook pre "umask 0177; rm -f /var/run/iptables-ferm.checksum /var/run/ip6tables-ferm.checksum";
 @hook post "umask 0177; iptables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/iptables-ferm.checksum";
 @hook post "umask 0177; ip6tables-save | sed -e 's/\[.*//' -e 's/^#.*//' | sha256sum > /var/run/ip6tables-ferm.checksum";
 # vim:set et:
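Review bot: `@lsbmajdistrelease >= '8'` on the new `<% if` line is a string comparison, so it selects the combined `(ip ip6)` block only while the major release is a single digit; a value such as '10' sorts before '8' and silently falls into the `<% else -%>` branch, which appears to be the older per-family layout (that branch continues outside the hunk). Comparing as integers, `<% if @lsbmajdistrelease.to_i >= 8 -%>`, keeps the intent and survives the next major release; note that an unset fact then yields 0 and takes the else branch, which is probably the safer default. A one-line ERB comment above the condition saying why 8 is the cut-over (presumably the ferm or iptables version first available there — confirm) would spare the next reader the same guess.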
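Review bot: The new `@hook pre` line removes both checksum files with no comment on why, while the two existing `@hook post` lines that regenerate them run only after the ruleset has been loaded; the apparent intent — that an interrupted or failed ferm run leaves no checksum behind rather than one describing the previous ruleset — is only inferable. A comment above it such as `# remove stale checksums before loading so a failed run leaves none rather than an outdated one (the post hooks regenerate them)` would make that contract explicit, and whatever consumes these files should be confirmed to treat an absent file as "unknown" rather than "unchanged". The `umask 0177` in the pre hook has no effect on `rm -f`; keeping it for symmetry with the post hooks is harmless, but it could be dropped.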