Update manifests/set.pp
Docs for nftables::set
switch naming to puppetserver
Prefix custom tables with custom- so they're loaded
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Merge pull request #50 from traylenator/moretests
Correct nfs3 invalid udp /tcp matching rule and more tests
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
Remove a blank separating the doc string and the code
Otherwise the generator of the docs does not do the job :/
Validate table spec
Implement intended failure
Auto fill simple table configuration
Encapsulate addr-related exprs in Nftables::Addr
Encapsulate port-related exprs in Nftables::Port
Sort template parameters alphabetically
Implement nftables::simplerule::saddr
Allow some other types of verdicts
Document nftables::simplerule's parameters
Recommend using nftables::rule
Implement nftables::simplerule::sport
Remove double spacing
Lint fixes
Remove optional modifier on $table
It does not really make sense to pass undef to nftables::rule
Correct error message
Re-document and add example
Implement nftables:;simplerule::counter
Implement nftables:;simplerule::daddr
Allow IPv4 and IPv6 only rules
Richer dport
s/setname/rulename
Add nftables::simplerule
Merge pull request #34 from traylenator/dedupe_flush
Remove duplicate flush on reload
Correct layout of ignore chain example
When nftables was reloaded a flush was being done both in the systemdreload call and in the nft script itself.
Comment why firewalld_enable parameter is required (#40)
Use single line for each parameter definition
lint_fix results
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Add NFS-related rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Add ceph related rules
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yamlnftables: tables: - inet-filter - ip-nat - ip6-nat - inet-f2b-table```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```ExecStart=/sbin/nft -f /etc/sysconfig/nftables.confExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'ExecStop=/sbin/nft flush ruleset```...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment toadd a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules backto puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Merge pull request #8 from cernops/ai5973
Allow raw sets and dashes in set names
lint fix
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager(7001) which is UDP and alwaysIPv4 since there OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Allow dashes in set names
Relax nftables::set::type making it optional
This is needed in case nftables::set is passed raw configuration viasource or content.
Add a parameter to control the fate of discarded packets
Merge pull request #4 from cernops/dhcp6
Add classes encapsulating rules for DHCPv6 client traffic (in/out)
Add class nftables::services::dhcpv6_client
Merge pull request #5 from cernops/custom_log_prefix
Allow customising the log prefix
Add rules for outgoing and incoming DHCPv6 client traffic
Add support for named sets
Use concat for table conf generation
This way other components of the module will be able to add extra stuffto the table definitions like sets.
Fix rulenames which includes an index
The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]`which allows an index at the end of the rulename (with a delimiter).This is split later with `$data = split($rulename, '')` but the content...
Allow to specify prometheus source addresses
Fix rule node exporter
Manage rule in dns
Add rule in node_exporter
Add basic ip6 nat chains
Fix the regex for bridge names
Replace dashes with underlines
Docker daemon bridges contains dashes, replace them with underlines tofit the naming concept.
migrate create_resource to the generic loop over hash approach
create_resource is notorious for not providing exact line/file infowhen something fails. Since in puppet you can now loop over hashesand you have the splat assignment operator. This means you get much...
Add class bridges
Allow traffic from any bridge to itself by default
Move filter rules to inet_filter class
Allow to inject custom rules
New parameter out_all, default false
In order to allow all outbound traffic a parameter isadded to enable a simple `allow` entry on the out chain.
Default is false so backwards compatible.
If true all the other out_bound rules (ntp, ...) will be disabled...
Allow index numbers
Fix rule puppet out
Add http and https
Use enum instead of pattern for proto
Add a rule to create snat
Add a define for masquerading
Linting
Add rules for OSPF
Add a define for ipv4 dnat
Create a special ingoing chain for all ingoing fwd rules
Rename file filter to inet-filter
Stop and mask firewalld service
add new rules
add a few more rules
Split init class
Use default
