Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root / manifests / init.pp @ c88d259d

Historique | Voir | Annoter | Télécharger (8,92 ko)

# Date Auteur Commentaire
6097389c 2025-02-05 17:36 Tim Meusel

init.pp: Purge trailing whitespace
16fd95b1 2024-08-04 04:10 canihavethisone

Update init.pp comments
e0bb7852 2024-08-03 23:15 canihavethisone

Change default hash location to /var/tmp to survive reboots and avoid bogus nftables reload
c1bd001d 2024-08-03 21:16 canihavethisone

Added shell provider to execs. Hash generate now in array. Ran rubocop:autocorrect
c00bcf2d 2024-08-03 09:47 canihavethisone

Changed path to use fact. Partial conversion of execs to arrays
3016d428 2024-08-03 00:02 canihavethisone

Change exec title
0b2ccdda 2024-08-02 23:58 canihavethisone

Fix typos
c6941cfe 2024-08-02 23:30 canihavethisone

Correct docstring
0b1e3353 2024-08-02 23:25 canihavethisone

Added purge_unmanaged_rules new variant of method
a528bf59 2024-06-27 06:33 Steve Traylen

New clobber_default_config paramter

Certain OSes namely Debian and Archlinux provide default rules
with the OS.

This module has always respected those rules and appended all of
its own rules to the end of the existing rules.

The new parameter `clobber_default_config` if set `true` (default `false`)...
eac19d14 2023-12-20 14:51 Tim Meusel

Make "dropping invalid packets" configureable

It doesn't make sense to explicitly drop those pakets when the default
policy is already `DROP`. Also some applications, like ceph, are known
to send packets that might be marked as invalid.
a9bbb10d 2023-10-28 09:05 Vadym Chepkov

provide an option to disable logging rejected packets
d7e26575 2023-08-26 17:47 Tim Meusel

init.pp: disable check_unsafe_interpolations
5b13f220 2023-07-31 17:16 Javier Angulo

change parameters order: required before optional
0b7bcb5d 2023-01-04 05:01 mh

Align filemode on RedHat to distro default

The RPM acutally ships the configuration and directory with
0600/0700 while this module sets the mode to 0640/0750.

However, this has the drawback that on new nftables RPM versions,
we are setting it back to the modules mode and triggering an nft...
1fd3f550 2022-08-19 09:07 Luis Fernández Álvarez

Add all families as a valid noflush pattern

nftables has more valid families than the ones currently accepted by the
module.

This patch adds support for all the families currently supported as per
the documentation at:
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
008c95d7 2022-07-06 02:31 Kienan Stewart

Add Debian support
cc9fc807 2022-07-05 12:04 Tim Meusel

systemctl: Use relative path
7fb93f38 2022-07-05 08:50 Tim Meusel

make path to echo configureable
8842a597 2022-07-05 08:23 Tim Meusel

make path to `nft` binary configureable
0c9bc308 2022-02-27 11:05 hashworks

Add support for Arch Linux

Arch Linux stores the configuration in a different path and does not
provide firewalld without explicit installation.

This basically the same as #66 – I've reused their code since it hasn't
been merged in a while.
2063deaf 2022-02-26 09:19 hashworks

Fix typos in initial reference examples
fcb79d73 2021-09-07 05:37 Ben Morrice

support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid...
7b9d6ffc 2021-05-31 04:42 Nacho Barrientos

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
09cba182 2021-01-18 10:36 Steve Traylen

Enable parameter_documentation lint

The linter checks that every parameter has been documented.

While corrections have been made to great many classes some more
complicated examples have been left for now. Should be updated
as the files get touched.

https://github.com/domcleal/puppet-lint-param-docs
f0bd8791 2020-12-09 10:58 duritong

Merge pull request #34 from traylenator/dedupe_flush

Remove duplicate flush on reload
b9785000 2020-12-09 09:42 Steve Traylen

Correct layout of ignore chain example
ce22630b 2020-12-09 05:37 Steve Traylen

Remove duplicate flush on reload

When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.
c4b1b93b 2020-12-08 07:58 Steve Traylen

Comment why firewalld_enable parameter is required (#40)
31b17627 2020-12-07 11:18 Steve Traylen

Use single line for each parameter definition
11bf7237 2020-12-07 09:51 Steve Traylen

lint_fix results
e3c56ff6 2020-12-03 03:48 keachi

Merge pull request #29 from keachi/fwd_conntrack

Enable conntrack in FORWARD
24a5a2a7 2020-12-02 15:05 tr

Enable conntrack in FORWARD
03d9e7da 2020-12-01 03:09 Steve Traylen

New parameter noflush_tables to selectivly skip flush

Introduces a new structured fact nftables

```yaml
nftables:
tables:
- inet-filter
- ip-nat
- ip6-nat
- inet-f2b-table
```

By default the nft script will continue to contain `nft flush ruleset`...
902ceaac 2020-11-29 13:18 keachi

Merge pull request #22 from cernops/log_limit

Set a customisable rate limit to the logging rules
802d80d1 2020-11-27 03:35 Nacho Barrientos

Allow sourcing sets from Hiera
82d10659 2020-11-26 15:39 Nacho Barrientos

Allow disabling default NAT tables and chains
30462da1 2020-11-26 05:19 Steve Traylen

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```...
b10c6216 2020-11-24 10:37 Nacho Barrientos

Set a customisable rate limit to the logging rules
92461926 2020-11-24 07:53 duritong

Merge pull request #16 from cernops/icmp

Move ICMP stuff to separate classes allowing better customisation
ae9872e2 2020-11-24 04:17 Nacho Barrientos

Make masking Service['firewalld'] configurable
79e9a23f 2020-11-21 03:10 Nacho Barrientos

Move ICMP stuff to separate classes
ea96d5db 2020-11-19 10:15 Nacho Barrientos

Move ct rules from global to INPUT and OUTPUT
ac0af4aa 2020-11-19 03:16 Nacho Barrientos

Allow tables to add comments to $log_prefix
70727742 2020-11-16 04:50 Nacho Barrientos

Add a parameter to control the fate of discarded packets
ed827383 2020-11-15 04:44 Nacho Barrientos

Allow customising the log prefix
66ed7f61 2020-10-26 02:15 mh

migrate create_resource to the generic loop over hash approach

create_resource is notorious for not providing exact line/file info
when something fails. Since in puppet you can now loop over hashes
and you have the splat assignment operator. This means you get much...
b3a7a6dd 2020-10-23 13:46 tr

Allow to inject custom rules
e17693e3 2020-10-20 08:29 Steve Traylen

New parameter out_all, default false

In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.

Default is false so backwards compatible.

If true all the other out_bound rules (ntp, ...) will be disabled...
f02562f2 2020-08-30 07:18 tr

Stop and mask firewalld service
c8092701 2020-08-30 06:17 tr

Split init class
c8894978 2020-08-30 06:09 tr

Use default
38a67c59 2020-08-30 05:45 tr

Rewrite ip-nat to concat
5df9303f 2020-08-30 05:24 tr

Replace filter with inet-filter
8efbdf9a 2020-08-29 19:05 tr

Refactoring
5acb554a 2020-08-29 12:06 tr

Write some spec tests for init class
e140adff 2020-08-29 10:46 tr

Linting
5933ab8e 2020-08-29 10:14 tr

Set NAT only for IPv4
188e569f 2020-08-29 09:14 tr

Remove out rule ntp

Duplicate to chrony, but chrony allows every sport (which is required by
chrony).
cd664666 2020-08-29 08:55 tr

Allow http by default

CentOS mirrors are only available over http.
be0b08e1 2020-08-29 08:28 tr

Apply a base firewall

Allow all services to install updates and manage the node.
0ba57c66 2020-08-29 05:50 mh

initial release