Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320590

Change subject: Configure connection tracking sysctl settings in ferm
......................................................................

Configure connection tracking sysctl settings in ferm

Connection tracking parameters cannot be set via the default
/etc/sysctl.d hierarchy; it needs to be ensured that these
are set after ferm is started (which loads the connection
tracking kernel modules which configure the respective sysctl
options).

Provide a ferm configuration file which runs the sysctl
commands after setting up all the rules and services.

Bug: T136094
Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6
---
A modules/base/files/firewall/conntrack-sysctl.conf
M modules/base/manifests/firewall.pp
2 files changed, 8 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/90/320590/1

diff --git a/modules/base/files/firewall/conntrack-sysctl.conf 
b/modules/base/files/firewall/conntrack-sysctl.conf
new file mode 100644
index 0000000..23cedc3
--- /dev/null
+++ b/modules/base/files/firewall/conntrack-sysctl.conf
@@ -0,0 +1,2 @@
+@def $SYSCTL_SET_CONNTRACK_MAX = `/sbin/sysctl -q -w 
net.netfilter.nf_conntrack_max=262144`;
+@def $SYSCTL_SET_CONNTRACK_TIMEOUT = `/sbin/sysctl -q -w 
net.netfilter.nf_conntrack_tcp_timeout_time_wait=65`;
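Review bot: both `@def` variables exist only for the side effect of their backtick commands and are never referenced by any rule, which the next reader of this file will not guess; add a comment line at the top stating that the definitions are intentionally unused and that the backticks run sysctl here because the conntrack values cannot be set from /etc/sysctl.d before ferm has loaded the conntrack modules (the reasoning from the commit message, with a pointer to T136094). Please also confirm how a non-zero exit from `/sbin/sysctl` (for instance on a freshly booted host where nf_conntrack is not loaded yet) is surfaced: `-q` suppresses the normal "key = value" output and nothing inspects the captured value, so a failed setting could go unnoticed while the rule set is still installed.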
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 680b3ba..96c3a7b 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -37,6 +37,12 @@
         source => 
'puppet:///modules/base/firewall/main-input-default-drop.conf',
     }
 
+    ferm::conf { 'sysctl':
+        ensure => $ensure,
+        prio   => '99',
+        source => 'puppet:///modules/base/firewall/conntrack-sysctl.conf',
+    }
+
     ferm::rule { 'bastion-ssh':
         ensure => $ensure,
         rule   => 'proto tcp dport ssh saddr $BASTION_HOSTS ACCEPT;',
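Review bot: `prio => '99'` places this file last in ferm's include order, which matches the stated intent of running the sysctl commands after the rules, but the manifest gives no hint why connection tracking settings live in a ferm conf rather than a sysctl snippet; add a short comment above the `ferm::conf { 'sysctl': ... }` resource (citing T136094) so the resource is not later "cleaned up" into /etc/sysctl.d. If the backtick definitions are evaluated on every ferm reload as well as on start, the values are re-applied each time, which seems desirable but is worth stating in that comment.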

-- 
To view, visit https://gerrit.wikimedia.org/r/320590
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
