Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root / manifests @ b10c6216

# Date Auteur Commentaire
b10c6216 2020-11-24 10:37 Nacho Barrientos

Set a customisable rate limit to the logging rules
92461926 2020-11-24 07:53 duritong

Merge pull request #16 from cernops/icmp

Move ICMP stuff to separate classes allowing better customisation
ae9872e2 2020-11-24 04:17 Nacho Barrientos

Make masking Service['firewalld'] configurable
79e9a23f 2020-11-21 03:10 Nacho Barrientos

Move ICMP stuff to separate classes
a5f5fb12 2020-11-19 15:56 duritong

Merge pull request #13 from traylenator/comment

Add comments for all the nftable::rules entries
21d0496e 2020-11-19 15:53 duritong

Merge pull request #14 from cernops/ct_away

Move conntrack rules from global to INPUT and OUTPUT
7b14f6d9 2020-11-19 15:11 keachi

Merge pull request #6 from traylenator/afs

Add rules for afs3_callback in and out rules for kerberos and openafs.
ea96d5db 2020-11-19 10:15 Nacho Barrientos

Move ct rules from global to INPUT and OUTPUT
61f03b47 2020-11-19 09:19 Steve Traylen

Switch $order$fragmenta/b to $order-$fragment-a/b
e53053ce 2020-11-19 08:31 Steve Traylen

Add comments for all the nftable::rules entries

For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.

The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more...
ac0af4aa 2020-11-19 03:16 Nacho Barrientos

Allow tables to add comments to $log_prefix
ef3e9ad6 2020-11-18 15:25 duritong

Merge pull request #8 from cernops/ai5973

Allow raw sets and dashes in set names
9785cd54 2020-11-18 11:02 Steve Traylen

lint fix
215aee13 2020-11-18 07:18 Steve Traylen

Add kerberos out and openafs_client out
f3f2870f 2020-11-18 07:18 Steve Traylen

Add rules for afs3_callback

In particular the afs callback to the cache manager(7001) which is UDP and always
IPv4 since there OpenAFS does not support IPv6.

https://wiki.openafs.org/devel/AFSServicePorts/
7bb485c5 2020-11-16 09:19 Nacho Barrientos

Allow dashes in set names
9f0498e3 2020-11-16 09:16 Nacho Barrientos

Relax nftables::set::type making it optional

This is needed in case nftables::set is passed raw configuration via
source or content.
70727742 2020-11-16 04:50 Nacho Barrientos

Add a parameter to control the fate of discarded packets
0cf43fdf 2020-11-15 16:37 duritong

Merge pull request #4 from cernops/dhcp6

Add classes encapsulating rules for DHCPv6 client traffic (in/out)
37b2a3b7 2020-11-15 13:41 Nacho Barrientos

Add class nftables::services::dhcpv6_client
883389dc 2020-11-15 10:51 duritong

Merge pull request #5 from cernops/custom_log_prefix

Allow customising the log prefix
43566263 2020-11-15 10:47 Nacho Barrientos

Add rules for outgoing and incoming DHCPv6 client traffic
ed827383 2020-11-15 04:44 Nacho Barrientos

Allow customising the log prefix
20b96360 2020-11-13 09:57 Nacho Barrientos

Add support for named sets
e4c32222 2020-11-13 09:55 Nacho Barrientos

Use concat for table conf generation

This way other components of the module will be able to add extra stuff
to the table definitions like sets.
18ec6f48 2020-11-05 16:43 tr

Fix rulenames which includes an index

The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]`
which allows an index at the end of the rulename (with a delimiter).
This is split later with `$data = split($rulename, '')` but the content...
e5eb7424 2020-11-05 16:37 tr

Allow to specify prometheus source addresses
e73f2e97 2020-10-28 15:53 tr

Fix rule node exporter
8227cb1c 2020-10-28 15:50 tr

Manage rule in dns
cb50fd79 2020-10-28 15:47 tr

Add rule in node_exporter
248ef9d5 2020-10-28 14:40 tr

Add basic ip6 nat chains
579e27df 2020-10-27 02:22 tr

Fix the regex for bridge names
2c00d766 2020-10-27 02:22 tr

Replace dashes with underlines

Docker daemon bridges contains dashes, replace them with underlines to
fit the naming concept.
66ed7f61 2020-10-26 02:15 mh

migrate create_resource to the generic loop over hash approach

create_resource is notorious for not providing exact line/file info
when something fails. Since in puppet you can now loop over hashes
and you have the splat assignment operator. This means you get much...
fd0eaeca 2020-10-24 06:02 tr

Add class bridges

Allow traffic from any bridge to itself by default
c1224db5 2020-10-23 13:47 tr

Move filter rules to inet_filter class
b3a7a6dd 2020-10-23 13:46 tr

Allow to inject custom rules
e17693e3 2020-10-20 08:29 Steve Traylen

New parameter out_all, default false

In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.

Default is false so backwards compatible.

If true all the other out_bound rules (ntp, ...) will be disabled...
a074dec2 2020-10-14 12:23 tr

Allow index numbers
25205881 2020-10-14 12:15 tr

Fix rule puppet out
4db4422a 2020-10-13 14:24 tr

Add http and https
a6316327 2020-08-31 06:51 tr

Use enum instead of pattern for proto
3d29a6eb 2020-08-31 06:13 tr

Add a rule to create snat
2a3b45ec 2020-08-31 05:38 tr

Add a define for masquerading
7cc88e25 2020-08-30 11:08 tr

Linting
ba5e15bd 2020-08-30 11:04 tr

Add rules for OSPF
351a88fb 2020-08-30 10:49 tr

Add a define for ipv4 dnat
af544fea 2020-08-30 09:15 tr

Create a special ingoing chain for all ingoing fwd rules
b01596ea 2020-08-30 08:46 tr

Rename file filter to inet-filter
f02562f2 2020-08-30 07:18 tr

Stop and mask firewalld service
2e704fc9 2020-08-30 07:09 mh

add new rules
c02d1b07 2020-08-30 06:31 mh

add a few more rules
c8092701 2020-08-30 06:17 tr

Split init class
c8894978 2020-08-30 06:09 tr

Use default
38a67c59 2020-08-30 05:45 tr

Rewrite ip-nat to concat
5df9303f 2020-08-30 05:24 tr

Replace filter with inet-filter
8efbdf9a 2020-08-29 19:05 tr

Refactoring
a04bdb5e 2020-08-29 13:24 tr

Add a newline to filter chains
f6848bb8 2020-08-29 13:01 tr

Explicitly set ensure file
5acb554a 2020-08-29 12:06 tr

Write some spec tests for init class
e140adff 2020-08-29 10:46 tr

Linting
5933ab8e 2020-08-29 10:14 tr

Set NAT only for IPv4
d4de1bfe 2020-08-29 09:39 tr

Allow to set a list of dns servers
a98c98d4 2020-08-29 09:26 tr

Add in/out rules for Tor
40b19655 2020-08-29 09:25 tr

Add a in rule for icinga2
df2679aa 2020-08-29 09:24 tr

Add in rule for puppet
ca24c673 2020-08-29 09:23 tr

Add in/out rules for wireguard
223f3c54 2020-08-29 09:20 tr

Add a rule for dhcpc
188e569f 2020-08-29 09:14 tr

Remove out rule ntp

Duplicate to chrony, but chrony allows every sport (which is required by
chrony).
ee1cf60a 2020-08-29 09:12 mh

add outgoing puppet
cd664666 2020-08-29 08:55 tr

Allow http by default

CentOS mirrors are only available over http.
be0b08e1 2020-08-29 08:28 tr

Apply a base firewall

Allow all services to install updates and manage the node.
0c850704 2020-08-29 08:28 tr

Add a class for outgoing ntp
c5ff0cc5 2020-08-29 08:28 tr

Add a class for outgoing https
9da28f8c 2020-08-29 08:28 tr

Add a class for outgoing dns
a534e044 2020-08-29 08:21 mh

fix naming
0ba57c66 2020-08-29 05:50 mh

initial release