Drop outgoing IPv4 multicast traffic at AQL
authorAurelien Jarno <aurelien@aurel32.net>
Thu, 20 Apr 2017 15:59:53 +0000 (17:59 +0200)
committerAurelien Jarno <aurelien@aurel32.net>
Thu, 20 Apr 2017 15:59:53 +0000 (17:59 +0200)
Some packages like gst-rtsp-server1.0 generate multicast traffic in
their testsuite. This triggers protections at AQL. Avoid this by
dropping all the outgoing IPv4 multicast traffic.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
modules/ferm/manifests/aql.pp [new file with mode: 0644]
modules/ferm/manifests/per_host.pp

diff --git a/modules/ferm/manifests/aql.pp b/modules/ferm/manifests/aql.pp
new file mode 100644 (file)
index 0000000..b5578e2
--- /dev/null
@@ -0,0 +1,10 @@
+class ferm::aql {
+       @ferm::rule { 'dsa-drop-multicast':
+               domain      => 'ip',
+               description => 'drop multicast traffic to avoid triggering protection',
+               table       => 'filter',
+               chain       => 'OUTPUT',
+               rule        => 'destination 224.0.0.0/24 jump log_or_drop'
+       }
+}
+
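Review bot: The rule on the `rule =>` line matches only `224.0.0.0/24`, which is the IPv4 Local Network Control block, whereas the commit message says all outgoing IPv4 multicast should be dropped; the full IPv4 multicast range is `224.0.0.0/4`, so traffic to e.g. administratively scoped 239.x.x.x groups still leaves the host with this rule. If the intent is really the whole range, change it to `rule        => 'destination 224.0.0.0/4 jump log_or_drop'`; if only the link-local block is meant, the description and the commit message should say so. The `log_or_drop` target is presumably a chain defined elsewhere in the ferm module; worth confirming it exists in the `ip` domain `filter` table, since an unknown target makes ferm reject the whole ruleset. The added trailing empty line at the end of the file can be dropped.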
index f736213..d6c4343 100644 (file)
@@ -3,6 +3,10 @@ class ferm::per_host {
                include ferm::zivit
        }
 
+       if (scope.lookupvar('site::nodeinfo')['hoster']['name'] == "aql") {
+               include ferm::aq
+       }
+
        case $::hostname {
                czerny,clementi: {
                        @ferm::rule { 'dsa-upsmon':
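Review bot: The new conditional includes `ferm::aq`, but the class added in aql.pp is named `ferm::aql`; as written the catalog compile for AQL hosts fails with a missing class rather than applying the new rule, so the include should read `include ferm::aql`. The surrounding `ferm::per_host` class starts and ends outside the hunk. The hoster lookup via `scope.lookupvar('site::nodeinfo')` appears to follow the pattern of the preceding block (the one ending in `include ferm::zivit`), so that part looks consistent with the rest of the file, though only the tail of that block is visible here.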