Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root / manifests @ 8b131276

# Date Auteur Commentaire
8b131276 2023-08-09 18:53 Tim Meusel

Add rule to allow incoming spotify broadcast
80b384c8 2023-08-09 17:57 Tim Meusel

Add rule to allow incoming multicast traffic
5b13f220 2023-07-31 17:16 Javier Angulo

change parameters order: required before optional
ea29e235 2023-06-19 12:58 Simon Hoenscheid

add ldap and active directory rules
666c3138 2023-04-29 14:53 Louis-Philippe Véronneau

Fix typo in icinga2 rule documentation
7030bde0 2023-03-23 05:28 Luis Fernández Álvarez

Add bridge as a valid family for chain tables
509ef14f 2023-01-29 12:29 Tim Meusel

Merge pull request #149 from hugendudel/netdev_support

Allow netdev as table family in defined type nftables::chain
0b7bcb5d 2023-01-04 05:01 mh

Align filemode on RedHat to distro default

The RPM acutally ships the configuration and directory with
0600/0700 while this module sets the mode to 0640/0750.

However, this has the drawback that on new nftables RPM versions,
we are setting it back to the modules mode and triggering an nft...
a1f09048 2022-10-24 16:59 Tim Meusel

Add class for outgoing HKP firewalling
cdd872a9 2022-09-07 08:34 Harm Endres

Allow netdev as table family in defined type nftables::chain
9e42547b 2022-09-04 16:35 mh

split conntrack management into dedicated classes so they get consumeable
331b8d85 2022-09-01 05:22 Steve Traylen

New nftables::file type to include raw file

For example:

```puppet
nftables::file{'geoip':
content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",
}
```

will right a file or content into the nftables configuration.

The file written will be included in configuration....
9d61323e 2022-08-26 07:47 Steve Traylen

Merge pull request #144 from duritong/fix-143-properly-escape-rulename

Properly escape bridge in rulename
cb38423a 2022-08-24 03:06 mh

fix #143 - properly escape rulename for interfaces
1fd3f550 2022-08-19 09:07 Luis Fernández Álvarez

Add all families as a valid noflush pattern

nftables has more valid families than the ones currently accepted by the
module.

This patch adds support for all the families currently supported as per
the documentation at:
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
7937a13b 2022-07-11 04:18 Tim Meusel

chrony: Allow filtering for outgoing NTP servers
2b1896c1 2022-07-10 06:42 Tim Meusel

Add rule to allow outgoing whois queries
9ad64784 2022-07-07 11:04 Tim Meusel

Update manifests/rules/pxp_agent.pp

Co-authored-by: Steve Traylen <>
194e05d5 2022-07-07 08:53 Tim Meusel

Add class for outgoing PXP connections
7f74df2e 2022-07-07 08:10 Tim Meusel

Add class for pxp-agent firewalling
008c95d7 2022-07-06 02:31 Kienan Stewart

Add Debian support
cc9fc807 2022-07-05 12:04 Tim Meusel

systemctl: Use relative path
7fb93f38 2022-07-05 08:50 Tim Meusel

make path to echo configureable
8842a597 2022-07-05 08:23 Tim Meusel

make path to `nft` binary configureable
0c9bc308 2022-02-27 11:05 hashworks

Add support for Arch Linux

Arch Linux stores the configuration in a different path and does not
provide firewalld without explicit installation.

This basically the same as #66 – I've reused their code since it hasn't
been merged in a while.
d1988178 2022-02-26 12:53 Tim Meusel

Merge pull request #112 from keachi/ospf_protocol

Use protocol number instead of label
2063deaf 2022-02-26 09:19 hashworks

Fix typos in initial reference examples
cbe342b9 2021-11-17 01:51 tr

Use protocol number instead of label

The label was `ospf` and will be `ospfigp` in the future. Instead of
creating a map use the protocol number to be compatible with newer
versions.
fcb79d73 2021-09-07 05:37 Ben Morrice

support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid...
de3e7bb0 2021-07-24 09:44 Tim Meusel

fix datatype for $dport
324b6851 2021-07-24 09:43 Tim Meusel

fix datatype for $table
c94658e1 2021-07-06 11:46 Nacho Barrientos

Allow declaring the same set in several tables

Closes #100
7b9d6ffc 2021-05-31 04:42 Nacho Barrientos

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
cd2a3cbf 2021-03-25 03:30 Nacho Barrientos

Add rules for QEMU/libvirt guests
1bf717d9 2021-03-23 08:34 Luis Fernández Álvarez

Add optional handling of chains
9dca9bc3 2021-03-23 06:29 Luis Fernández Álvarez

Fix doc defaults
c3515492 2021-03-19 08:48 Luis Fernández Álvarez

Add newline & more tests
6be2adf7 2021-03-19 07:12 Luis Fernández Álvarez

Add Docker-CE default rules
771b3256 2021-03-15 09:59 Nacho Barrientos

Add rules for Apache ActiveMQ
942569ea 2021-02-14 10:00 duritong

Merge pull request #73 from Koumbit/global_chain_not_hardcoded

start declaring the 'global' chain with module resources
1a4f336e 2021-02-11 16:42 Gabriel Filion

start declaring the 'global' chain with module resources

the 'global' chain is a vestigial piece of early development on this
module, but it can be useful for creating fast short-circuits like
blocking traffic that match a certain set of IPs.

in the current state we can't inject rules inside the 'global' chain...
13f26dfc 2021-01-26 07:17 Nacho Barrientos

Improve nftables::rule's documentation (#68)
19908f41 2021-01-18 14:07 mh

add some mail related outgoing rules
e2031b31 2021-01-18 11:18 Tim Meusel

Merge pull request #64 from traylenator/params

Enable parameter_documentation lint
e977eb3b 2021-01-18 11:17 Tim Meusel

Merge pull request #62 from glpatcern/master

Added Samba in rules
09cba182 2021-01-18 10:36 Steve Traylen

Enable parameter_documentation lint

The linter checks that every parameter has been documented.

While corrections have been made to great many classes some more
complicated examples have been left for now. Should be updated
as the files get touched.

https://github.com/domcleal/puppet-lint-param-docs
354a82d9 2021-01-18 10:19 Giuseppe Lo Presti

Removed unneeded parentheses
4470f70c 2021-01-18 09:36 Giuseppe Lo Presti

Updated docs

Co-authored-by: Nacho Barrientos <>
e743f82e 2021-01-18 08:35 Giuseppe Lo Presti

Made ctdb rule parameterized
8c00b818 2021-01-18 07:37 Nacho Barrientos

Pull up rule regexp to type aliases
a6f61c62 2021-01-18 05:51 Giuseppe Lo Presti

Added Samba in rules
6a4ffead 2021-01-13 11:10 Nacho Barrientos

Align simplerule and rule rulename requirements
94a80621 2020-12-14 05:07 Steve Traylen

Use Stdlib::Port everywhere in place of Integer

Use Stdlib::Port in place of Integer for ports

Fixes #37
c868cae3 2020-12-14 03:27 Tim Meusel

Update manifests/set.pp
13f4e4c6 2020-12-14 03:06 Steve Traylen

Docs for nftables::set
04176b0e 2020-12-13 16:52 mh

switch naming to puppetserver
948ebc98 2020-12-11 02:25 Nacho Barrientos

Prefix custom tables with custom- so they're loaded
bacf254e 2020-12-11 02:19 Nacho Barrientos

Merge pull request #48 from cernops/config_template

Several fixes for nftables::config
c2800a39 2020-12-10 15:21 duritong

Merge pull request #50 from traylenator/moretests

Correct nfs3 invalid udp /tcp matching rule and more tests
2075a727 2020-12-10 09:21 Steve Traylen

Correct NFS udp and tcp port matching

There was a missing `th` from rule which from the examples in the man
page is meant to be there.

Cannot find the docs for what `th` does.
b46c9ce9 2020-12-10 06:53 Nacho Barrientos

Remove a blank separating the doc string and the code

Otherwise the generator of the docs does not do the job :/
c5418fd3 2020-12-10 02:24 Nacho Barrientos

Validate table spec
294a38ff 2020-12-10 02:23 Nacho Barrientos

Implement intended failure
fcb1d356 2020-12-10 02:23 Nacho Barrientos

Auto fill simple table configuration
f1ef02c5 2020-12-09 11:44 Nacho Barrientos

Encapsulate addr-related exprs in Nftables::Addr
09b07e56 2020-12-09 11:44 Nacho Barrientos

Encapsulate port-related exprs in Nftables::Port
6739966c 2020-12-09 11:44 Nacho Barrientos

Sort template parameters alphabetically
3a469f2b 2020-12-09 11:44 Nacho Barrientos

Implement nftables::simplerule::saddr
5944b9cb 2020-12-09 11:44 Nacho Barrientos

Allow some other types of verdicts
2f28cced 2020-12-09 11:44 Nacho Barrientos

Document nftables::simplerule's parameters
af15de48 2020-12-09 11:44 Nacho Barrientos

Recommend using nftables::rule
77abc10b 2020-12-09 11:44 Nacho Barrientos

Implement nftables::simplerule::sport
fb58f7b3 2020-12-09 11:44 Nacho Barrientos

Remove double spacing
467ea4e2 2020-12-09 11:44 Nacho Barrientos

Lint fixes
2cc54308 2020-12-09 11:44 Nacho Barrientos

Remove optional modifier on $table

It does not really make sense to pass undef to nftables::rule
2489f932 2020-12-09 11:44 Nacho Barrientos

Correct error message
4ec94616 2020-12-09 11:44 Nacho Barrientos

Re-document and add example
d43ced4d 2020-12-09 11:44 Nacho Barrientos

Implement nftables:;simplerule::counter
aaa37172 2020-12-09 11:44 Nacho Barrientos

Implement nftables:;simplerule::daddr
316bc3f8 2020-12-09 11:44 Nacho Barrientos

Allow IPv4 and IPv6 only rules
3a52fb41 2020-12-09 11:44 Nacho Barrientos

Richer dport
fb65734d 2020-12-09 11:44 Nacho Barrientos

s/setname/rulename
83382bb5 2020-12-09 11:44 Nacho Barrientos

Add nftables::simplerule
f0bd8791 2020-12-09 10:58 duritong

Merge pull request #34 from traylenator/dedupe_flush

Remove duplicate flush on reload
b9785000 2020-12-09 09:42 Steve Traylen

Correct layout of ignore chain example
ce22630b 2020-12-09 05:37 Steve Traylen

Remove duplicate flush on reload

When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.
c4b1b93b 2020-12-08 07:58 Steve Traylen

Comment why firewalld_enable parameter is required (#40)
31b17627 2020-12-07 11:18 Steve Traylen

Use single line for each parameter definition
11bf7237 2020-12-07 09:51 Steve Traylen

lint_fix results
e3c56ff6 2020-12-03 03:48 keachi

Merge pull request #29 from keachi/fwd_conntrack

Enable conntrack in FORWARD
24a5a2a7 2020-12-02 15:05 tr

Enable conntrack in FORWARD
ed8e4643 2020-12-02 08:03 duritong

Merge pull request #32 from dvanders/ceph_nfs

Add Ceph and NFS rules
5210e023 2020-12-01 05:42 Dan van der Ster

Add NFS-related rules

Signed-off-by: Dan van der Ster <>
bbc93ede 2020-12-01 04:33 Dan van der Ster

Add ceph related rules

Signed-off-by: Dan van der Ster <>
03d9e7da 2020-12-01 03:09 Steve Traylen

New parameter noflush_tables to selectivly skip flush

Introduces a new structured fact nftables

```yaml
nftables:
tables:
- inet-filter
- ip-nat
- ip6-nat
- inet-f2b-table
```

By default the nft script will continue to contain `nft flush ruleset`...
902ceaac 2020-11-29 13:18 keachi

Merge pull request #22 from cernops/log_limit

Set a customisable rate limit to the logging rules
802d80d1 2020-11-27 03:35 Nacho Barrientos

Allow sourcing sets from Hiera
82d10659 2020-11-26 15:39 Nacho Barrientos

Allow disabling default NAT tables and chains
30462da1 2020-11-26 05:19 Steve Traylen

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```...
b10c6216 2020-11-24 10:37 Nacho Barrientos

Set a customisable rate limit to the logging rules