New nftables::file type to include raw file
For example:
```puppetnftables::file{'geoip': content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",}```
will right a file or content into the nftables configuration.
The file written will be included in configuration....
Merge pull request #144 from duritong/fix-143-properly-escape-rulename
Properly escape bridge in rulename
fix #143 - properly escape rulename for interfaces
Add all families as a valid noflush pattern
nftables has more valid families than the ones currently accepted by themodule.
This patch adds support for all the families currently supported as perthe documentation at:https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
chrony: Allow filtering for outgoing NTP servers
Add rule to allow outgoing whois queries
Update manifests/rules/pxp_agent.pp
Co-authored-by: Steve Traylen <steve.traylen@cern.ch>
Add class for outgoing PXP connections
Add class for pxp-agent firewalling
Add Debian support
systemctl: Use relative path
make path to echo configureable
make path to `nft` binary configureable
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does notprovide firewalld without explicit installation.
This basically the same as #66 – I've reused their code since it hasn'tbeen merged in a while.
Merge pull request #112 from keachi/ospf_protocol
Use protocol number instead of label
Fix typos in initial reference examples
The label was `ospf` and will be `ospfigp` in the future. Instead ofcreating a map use the protocol number to be compatible with newerversions.
support a different table name for 'nat'- Some applications (such as libvirt) still use iptables to inject firewall rules- iptables will refuse to update tables that were initially created with nft- This commit allows defining the name of the 'nat' table in order to avoid...
fix datatype for $dport
fix datatype for $table
Allow declaring the same set in several tables
Closes #100
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`users can now start off from a totally empty firewall and add thetables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
Add rules for QEMU/libvirt guests
Add optional handling of chains
Fix doc defaults
Add newline & more tests
Add Docker-CE default rules
Add rules for Apache ActiveMQ
Merge pull request #73 from Koumbit/global_chain_not_hardcoded
start declaring the 'global' chain with module resources
the 'global' chain is a vestigial piece of early development on thismodule, but it can be useful for creating fast short-circuits likeblocking traffic that match a certain set of IPs.
in the current state we can't inject rules inside the 'global' chain...
Improve nftables::rule's documentation (#68)
add some mail related outgoing rules
Merge pull request #64 from traylenator/params
Enable parameter_documentation lint
Merge pull request #62 from glpatcern/master
Added Samba in rules
The linter checks that every parameter has been documented.
While corrections have been made to great many classes some morecomplicated examples have been left for now. Should be updatedas the files get touched.
https://github.com/domcleal/puppet-lint-param-docs
Removed unneeded parentheses
Updated docs
Co-authored-by: Nacho Barrientos <nacho@criptonita.com>
Made ctdb rule parameterized
Pull up rule regexp to type aliases
Align simplerule and rule rulename requirements
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
Update manifests/set.pp
Docs for nftables::set
switch naming to puppetserver
Prefix custom tables with custom- so they're loaded
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Merge pull request #50 from traylenator/moretests
Correct nfs3 invalid udp /tcp matching rule and more tests
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
Remove a blank separating the doc string and the code
Otherwise the generator of the docs does not do the job :/
Validate table spec
Implement intended failure
Auto fill simple table configuration
Encapsulate addr-related exprs in Nftables::Addr
Encapsulate port-related exprs in Nftables::Port
Sort template parameters alphabetically
Implement nftables::simplerule::saddr
Allow some other types of verdicts
Document nftables::simplerule's parameters
Recommend using nftables::rule
Implement nftables::simplerule::sport
Remove double spacing
Lint fixes
Remove optional modifier on $table
It does not really make sense to pass undef to nftables::rule
Correct error message
Re-document and add example
Implement nftables:;simplerule::counter
Implement nftables:;simplerule::daddr
Allow IPv4 and IPv6 only rules
Richer dport
s/setname/rulename
Add nftables::simplerule
Merge pull request #34 from traylenator/dedupe_flush
Remove duplicate flush on reload
Correct layout of ignore chain example
When nftables was reloaded a flush was being done both in the systemdreload call and in the nft script itself.
Comment why firewalld_enable parameter is required (#40)
Use single line for each parameter definition
lint_fix results
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Add NFS-related rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Add ceph related rules
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yamlnftables: tables: - inet-filter - ip-nat - ip6-nat - inet-f2b-table```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```ExecStart=/sbin/nft -f /etc/sysconfig/nftables.confExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'ExecStop=/sbin/nft flush ruleset```...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment toadd a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules backto puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Merge pull request #8 from cernops/ai5973
Allow raw sets and dashes in set names
