Activity
From 2020-10-16 to 2021-01-13
2020-12-15
- 05:14 Revision 2bcfc1aa: [blacksmith] Bump version to 1.0.1-rc0
- 05:07 Revision bc1b0f1a: Release 1.0.0 (#49)
- * Release 1.0.0
Co-authored-by: duritong <peter.meier+github@immerda.ch>
2020-12-14
- 05:35 Revision 5d71ec69: Merge pull request #56 from traylenator/ports
- Use Stdlib::Port everywhere in place of Integer
- 05:07 Revision 94a80621: Use Stdlib::Port everywhere in place of Integer
- Use Stdlib::Port in place of Integer for ports
Fixes #37
- 03:46 Revision b1085d8d: Merge pull request #55 from traylenator/moredocs
- Docs for nftables::set
- 03:27 Revision c868cae3: Update manifests/set.pp
- 03:06 Revision 13f4e4c6: Docs for nftables::set
- 02:26 Revision b3040dd8: Merge pull request #42 from duritong/terminology
- switch not the server naming
2020-12-11
- 02:38 Revision 38205751: Merge pull request #47 from cernops/issue45
- Prefix custom tables with custom- so they're loaded
- 02:25 Revision 948ebc98: Prefix custom tables with custom- so they're loaded
- 02:19 Revision bacf254e: Merge pull request #48 from cernops/config_template
- Several fixes for nftables::config
2020-12-10
- 15:21 Revision c2800a39: Merge pull request #50 from traylenator/moretests
- Correct nfs3 invalid udp/tcp matching rule and more tests
- 09:21 Revision 2075a727: Correct NFS udp and tcp port matching
- There was a missing `th` from the rule which, from the examples in the man
page, is meant to be there.
Cannot find the doc...
- 09:20 Revision d8752442: test that bad configuration leaves service running
- 09:20 Revision cfcafde5: test that all classes can be included
- 09:20 Revision cba0cb86: Merge pull request #52 from cernops/simplerule_reference
- Remove a blank separating the doc string and the code
- 06:53 Revision b46c9ce9: Remove a blank separating the doc string and the code
- Otherwise the generator of the docs does not do the job :/
- 06:14 Revision c7e37bdc: Merge pull request #51 from bastelfreak/puppet7
- Enable Puppet 7 support
- 05:31 Revision e0be8190: Enable Puppet 7 support
- 02:51 Revision 3fe51d68: Merge pull request #33 from cernops/simplerule
- Add nftables::simplerule
- 02:24 Revision c5418fd3: Validate table spec
- 02:24 Revision 04f5c035: Fix context name (removes dup)
- 02:23 Revision 294a38ff: Implement intended failure
- 02:23 Revision fcb1d356: Auto fill simple table configuration
2020-12-09
- 11:45 Revision 4d63adda: Refresh REFERENCE
- 11:44 Revision 83382bb5: Add nftables::simplerule
- 11:44 Revision fb65734d: s/setname/rulename
- 11:44 Revision 3a52fb41: Richer dport
- 11:44 Revision 316bc3f8: Allow IPv4 and IPv6 only rules
- 11:44 Revision d38aab5b: Test passing a port without protocol
- 11:44 Revision aaa37172: Implement nftables::simplerule::daddr
- 11:44 Revision d43ced4d: Implement nftables::simplerule::counter
- 11:44 Revision 4ec94616: Re-document and add example
- 11:44 Revision 2489f932: Correct error message
- 11:44 Revision 2cc54308: Remove optional modifier on $table
- It does not really make sense to pass undef to nftables::rule
- 11:44 Revision 467ea4e2: Lint fixes
- 11:44 Revision 6793d286: Handle dport internally always as an array
- 11:44 Revision fb58f7b3: Remove double spacing
- 11:44 Revision 77abc10b: Implement nftables::simplerule::sport
- 11:44 Revision af15de48: Recommend using nftables::rule
- 11:44 Revision 2f28cced: Document nftables::simplerule's parameters
- 11:44 Revision 5944b9cb: Allow some other types of verdicts
- 11:44 Revision abb04c95: Mention nftables::simplerule in the README
- 11:44 Revision 3a469f2b: Implement nftables::simplerule::saddr
- 11:44 Revision 6739966c: Sort template parameters alphabetically
- 11:44 Revision 09b07e56: Encapsulate port-related exprs in Nftables::Port
- 11:44 Revision f1ef02c5: Encapsulate addr-related exprs in Nftables::Addr
- 11:44 Revision 55277023: Align template parameters
- 11:44 Revision 42e7f3ea: Relax type validation in template
- It comes already validated from the calling class.
- 10:58 Revision f0bd8791: Merge pull request #34 from traylenator/dedupe_flush
- Remove duplicate flush on reload
- 10:34 Revision 354a3ea5: Merge pull request #44 from traylenator/formatting
- Correct layout of ignore table example
- 09:42 Revision b9785000: Correct layout of ignore chain example
- 05:37 Revision ce22630b: Remove duplicate flush on reload
- When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.
- 04:55 Revision 03d8e696: Merge pull request #41 from traylenator/rubocop
- rubocop corrections
- 04:37 Revision 139ec11d: Merge pull request #43 from cernops/doc_typos
- Fix typos and formatting in the README
- 04:08 Revision 1330c27e: Add a hint about changing default output configuration
- 04:06 Revision 8ded326d: Fix typo in class name
- 04:06 Revision 4ed97e58: Add a separation between the header and the content
- 04:06 Revision 620da9a6: Add remark about the global chain
- 04:06 Revision 0f31ffbe: Fix grammatical error
- 04:05 Revision 1ffab17b: Add full stop
2020-12-08
- 11:49 Revision da8956d3: Enable rubocop check
- Will submit centrally if all well.
- 11:49 Revision 7e5b657a: rubocop:auto_correct fixes
- 09:23 Revision 492ca838: Disable TrailingCommaInArguments early
- Can be reverted once
https://github.com/voxpupuli/voxpupuli-test/pull/36
is released
- 07:58 Revision c4b1b93b: Comment why firewalld_enable parameter is required (#40)
- 07:54 Revision bd5145ab: Add basic configuration validation acceptance test (#38)
- * Add basic configuration validation acceptance test
It is not possible to start the nftables service within docker ...
2020-12-07
- 11:23 Revision 7db6f797: Merge pull request #36 from traylenator/modulesync
- modulesync 4.0.0 and general alignment to voxpupuli.
- 11:18 Revision 31b17627: Use single line for each parameter definition
- 11:18 Revision 5b4c71bc: Correctly remove puppet4 support
- 11:18 Revision 4630574b: Correct author, add tags and issues to metadata
- 10:13 Revision 59c1ddf4: Mock with mocha
- 09:56 Revision b09d43bf: Adapt metadata to voxpupuli name space
- 09:51 Revision 11bf7237: lint_fix results
- 09:25 Revision 78f22811: modulesync 4.0.0
- 09:21 Revision 8897f7d0: Drop duritong .sync.yml
2020-12-03
- 03:48 Revision e3c56ff6: Merge pull request #29 from keachi/fwd_conntrack
- Enable conntrack in FORWARD
2020-12-02
- 15:05 Revision 24a5a2a7: Enable conntrack in FORWARD
- 08:03 Revision ed8e4643: Merge pull request #32 from dvanders/ceph_nfs
- Add Ceph and NFS rules
- 05:37 Revision f4e9e995: Test ceph rules
- Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
- 05:37 Revision d0c972c3: Test NFS rules
- Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
2020-12-01
- 15:05 Revision c3be15e0: Merge pull request #31 from traylenator/selective
- New parameter noflush_tables to selectively skip flush
- 05:42 Revision 5210e023: Add NFS-related rules
- Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
- 04:33 Revision bbc93ede: Add Ceph-related rules
- Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
- 03:09 Revision 03d9e7da: New parameter noflush_tables to selectively skip flush
- Introduces a new structured fact nftables
```yaml
nftables:
  tables:
    - inet-filter
    - ip-nat
    - ip6-nat
...
2020-11-30
- 07:21 Revision 9fe75e32: Merge pull request #30 from traylenator/slc
- Scientific Linux 8 will never exist
- 05:27 Revision 2ccf856b: Scientific Linux 8 will never exist
- As per
https://listserv.fnal.gov/scripts/wa.exe?A2=ind1904&L=SCIENTIFIC-LINUX-ANNOUNCE&P=78
2020-11-29
- 13:22 Revision 72aad4a2: Merge pull request #28 from traylenator/simplify
- Do not test nftables::rules repeatedly
- 13:18 Revision 902ceaac: Merge pull request #22 from cernops/log_limit
- Set a customisable rate limit to the logging rules
2020-11-27
- 06:07 Revision d5a61536: Merge pull request #26 from cernops/hiera_sets
- Allow sourcing sets from Hiera
- 06:06 Revision 6b80ac21: Merge pull request #27 from traylenator/reference
- Refresh REFERENCE
- 05:21 Revision 300b7382: Do not test nftables::rules repeatedly
- Rather than testing the contents of nftables::rules just test
that the nftables::rules instance is correct.
The existing ...
- 04:01 Revision 7f6cacc5: Refresh REFERENCE
- 03:35 Revision 802d80d1: Allow sourcing sets from Hiera
2020-11-26
- 16:09 Revision 7395300c: Merge pull request #25 from cernops/no_nat
- Allow disabling default NAT tables and chains
- 15:39 Revision 82d10659: Allow disabling default NAT tables and chains
- 15:07 Revision bd549474: Merge pull request #10 from traylenator/reload
- Reload rules atomically and verify rules before deploy
- 05:19 Revision 30462da1: Reload rules atomically
- Background: The unit file for nftables on CentOS 8 contains:
```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf...
```
2020-11-24
- 10:37 Revision b10c6216: Set a customisable rate limit to the logging rules
- 07:53 Revision 92461926: Merge pull request #16 from cernops/icmp
- Move ICMP stuff to separate classes allowing better customisation
- 07:51 Revision 587e522e: Merge pull request #20 from cernops/firewalld_mask
- Make masking Service['firewalld'] optional
- 04:17 Revision ae9872e2: Make masking Service['firewalld'] configurable
2020-11-20
- 10:52 Revision def3893c: Merge pull request #15 from traylenator/fixtests
- Correct bad merge
- 03:52 Revision 8b97e6a3: Correct bad merge
- There was a bad merge between
* https://github.com/duritong/puppet-nftables/pull/13
* https://github.com/duritong/pu...
2020-11-19
- 15:56 Revision a5f5fb12: Merge pull request #13 from traylenator/comment
- Add comments for all the nftables::rules entries
- 15:53 Revision 21d0496e: Merge pull request #14 from cernops/ct_away
- Move conntrack rules from global to INPUT and OUTPUT
- 15:11 Revision 7b14f6d9: Merge pull request #6 from traylenator/afs
- Add rules for afs3_callback in and out rules for kerberos and openafs.
- 10:15 Revision ea96d5db: Move ct rules from global to INPUT and OUTPUT
- 09:19 Revision 61f03b47: Switch $order$fragmenta/b to $order-$fragment-a/b
- 08:31 Revision e53053ce: Add comments for all the nftables::rules entries
- For each nftables::rule this adds an extra concat fragment to
add a comment containing the name and order number for t...
- 05:28 Revision 9e5b8bf0: Merge pull request #12 from cernops/log_format
- Allow tables to add comments to $log_prefix
- 03:16 Revision ac0af4aa: Allow tables to add comments to $log_prefix
2020-11-18
- 15:25 Revision ef3e9ad6: Merge pull request #8 from cernops/ai5973
- Allow raw sets and dashes in set names
- 11:02 Revision 9785cd54: lint fix
- 07:18 Revision f3f2870f: Add rules for afs3_callback
- In particular the afs callback to the cache manager (7001) which is UDP and always
IPv4 since there OpenAFS does not s...
- 07:18 Revision 215aee13: Add kerberos out and openafs_client out
2020-11-17
- 09:53 Revision 5e0146c2: Merge pull request #7 from cernops/reject_with
- Add a parameter to control the fate of discarded traffic
2020-11-16
- 09:19 Revision 7bb485c5: Allow dashes in set names
- 09:16 Revision 9f0498e3: Relax nftables::set::type making it optional
- This is needed in case nftables::set is passed raw configuration via
source or content.
- 04:50 Revision 70727742: Add a parameter to control the fate of discarded packets
2020-11-15
- 16:37 Revision 0cf43fdf: Merge pull request #4 from cernops/dhcp6
- Add classes encapsulating rules for DHCPv6 client traffic (in/out)
- 13:41 Revision 37b2a3b7: Add class nftables::services::dhcpv6_client
- 10:51 Revision 883389dc: Merge pull request #5 from cernops/custom_log_prefix
- Allow customising the log prefix
- 10:47 Revision 43566263: Add rules for outgoing and incoming DHCPv6 client traffic
- 04:44 Revision ed827383: Allow customising the log prefix
2020-11-13
- 14:21 Revision 317b8d01: Merge pull request #3 from cernops/ai5973
- Add support for named sets
- 09:57 Revision 20b96360: Add support for named sets
- 09:55 Revision e4c32222: Use concat for table conf generation
- This way other components of the module will be able to add extra stuff
to the table definitions like sets.
2020-11-05
- 16:43 Revision 18ec6f48: Fix rulenames which include an index
- The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
which allows an index at the end of the r...
- 16:37 Revision e5eb7424: Allow specifying prometheus source addresses
2020-10-28
- 15:53 Revision e73f2e97: Fix rule node exporter
- 15:50 Revision 8227cb1c: Manage rule in dns
- 15:47 Revision cb50fd79: Add rule in node_exporter
- 14:50 Revision e105f149: Include table ip6 nat
- 14:40 Revision 248ef9d5: Add basic ip6 nat chains
2020-10-27
- 02:22 Revision 579e27df: Fix the regex for bridge names
- 02:22 Revision 2c00d766: Replace dashes with underlines
- Docker daemon bridges contain dashes, replace them with underlines to
fit the naming concept.
2020-10-26
- 02:15 Revision 66ed7f61: migrate create_resource to the generic loop over hash approach
- create_resource is notorious for not providing exact line/file info
when something fails. Since in puppet you can now...
2020-10-24
- 06:02 Revision fd0eaeca: Add class bridges
- Allow traffic from any bridge to itself by default
2020-10-23
- 13:47 Revision c1224db5: Move filter rules to inet_filter class
- 13:46 Revision b3a7a6dd: Allow injecting custom rules
- 13:19 Revision 0f63a915: Git ignore .ruby-version
- 05:55 Revision 8726ba4c: Switch back to Ruby 2.5
- ```
can't modify frozen String: "true"
```
[Ticket IAC-1146](https://tickets.puppetlabs.com/browse/IAC-1146)
2020-10-20
- 12:55 Revision b171ac7f: fix offenses
- 11:36 Revision 9511e610: Merge pull request #1 from traylenator/all
- New parameter out_all, default false
- 08:29 Revision e17693e3: New parameter out_all, default false
- In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.
Defau...
2020-10-16
- 11:17 Revision 3f91610b: Merge branch 'pdk' into 'master'
- Add a PDK configuration and run PDK convert
See merge request immerda/puppet-modules/nftables!1
- 11:14 Revision 9d7d63a6: Only test with Ruby 2.7 and Puppet 6
- 10:29 Revision 01d8a819: Styling to make tests green
- 09:52 Revision 705bb26f: Add travis ci configuration