ferm: use NFLOG instead of LOG/ULOG on jessie

[dsa-puppet.git] / modules / ferm / templates / ferm.conf.erb

diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb
index 5f77ce48530fb0a42ce3e63f195229299b8764f1..da573e56a14dad20ae9a4cd2fcfcccd6d2537593 100644 (file)
--- a/modules/ferm/templates/ferm.conf.erb
+++ b/modules/ferm/templates/ferm.conf.erb
@@ -7,6 +7,24 @@
 
 @include 'conf.d/';
 
+<% if @lsbmajdistrelease >= '8' -%>
+domain (ip ip6) {
+        table filter {
+              chain log_and_reject {
+                      NFLOG nflog-prefix "REJECT: ";
+                      proto tcp REJECT reject-with tcp-reset;
+                      REJECT;
+              }
+
+              chain log_or_drop {
+                      mod hashlimit hashlimit-name nflogreject  hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second jump log_and_reject;
+                      mod hashlimit hashlimit-name nfloglogdrop hashlimit-mode srcip hashlimit-burst 10 hashlimit 1/second NFLOG nflog-prefix "DROP: ";
+                      DROP;
+              }
+
+        }
+}
+<% else -%>
 domain ip {
         table filter {
               chain log_and_reject {
@@ -38,6 +56,7 @@ domain ip6 {
               }
         }
 }
+<% end -%>
 domain (ip ip6) {
         table filter {
               chain INPUT {