
root / spec / acceptance @ 8ef25aa2

# Date Author Comment
2340d1d6 2024-06-27 07:25 Steve Traylen

Run default destroying acceptance tests at end

The spec test destroy_spec was purging default nftables configurations
before other existing tests had a chance to run.

Run the default destroying tests as the final test.

a528bf59 2024-06-27 06:33 Steve Traylen

New clobber_default_config parameter

Certain OSes namely Debian and Archlinux provide default rules
with the OS.

This module has always respected those rules and appended all of
its own rules to the end of the existing rules.

The new parameter `clobber_default_config` if set `true` (default `false`)...

8bc8fe98 2024-06-27 06:12 Steve Traylen

Accept on Debian 11 nftables::set will fail

On Debian 11 adding an nftables set triggers a bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063690

move the `nftables::set` tests out to their own test which makes sense
anyway and mark as pending for Debian 11.

d7d6d5d3 2023-12-20 13:31 Tim Meusel

simplerule: Add support for outgoing interface filtering

25b3f3f4 2023-12-19 12:36 Tim Meusel

simplerule: Add support for incoming interface filtering

08b9f1d0 2023-11-22 03:53 Steve Traylen

Additional rules for podman root containers

This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration...

baad986e 2023-11-16 19:10 Vadym Chepkov

add ftp helper

This adds ability to enable a connection tracker helper and provides typical ftp rules

Co-authored-by: Vadym Chepkov <>
Co-authored-by: Yury Bushmelev <>

ffc8b86f 2023-08-26 18:20 Tim Meusel

Add nftables rules for ws-discovery

50a5be8b 2023-08-26 18:05 Tim Meusel

Add rule for incoming SSDP

3b26826f 2023-08-25 19:07 Tim Meusel

Add rule for incoming LLMNR

6b350264 2023-08-19 16:22 Tim Meusel

Add rule for outgoing multicast DNS

e499cece 2023-08-19 15:52 Tim Meusel

Add rule for multicast listener requests (MLDv2)

020842af 2023-08-09 20:00 Tim Meusel

Add rules for IGMP

5ffd0328 2023-08-09 19:11 Tim Meusel

Add rule to allow multicast DNS

8b131276 2023-08-09 18:53 Tim Meusel

Add rule to allow incoming spotify broadcast

80b384c8 2023-08-09 17:57 Tim Meusel

Add rule to allow incoming multicast traffic

ea29e235 2023-06-19 12:58 Simon Hoenscheid

add ldap and active directory rules

509ef14f 2023-01-29 12:29 Tim Meusel

Merge pull request #149 from hugendudel/netdev_support

Allow netdev as table family in defined type nftables::chain

9e100a98 2023-01-29 12:17 Nacho Barrientos

Add acceptance test covering tables of type netdev

a1f09048 2022-10-24 16:59 Tim Meusel

Add class for outgoing HKP firewalling

331b8d85 2022-09-01 05:22 Steve Traylen

New nftables::file type to include raw file

For example:

```puppet
nftables::file{'geoip':
content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",
}
```

will write a file or content into the nftables configuration.

The file written will be included in configuration....

2b1896c1 2022-07-10 06:42 Tim Meusel

Add rule to allow outgoing whois queries

194e05d5 2022-07-07 08:53 Tim Meusel

Add class for outgoing PXP connections

7f74df2e 2022-07-07 08:10 Tim Meusel

Add class for pxp-agent firewalling

008c95d7 2022-07-06 02:31 Kienan Stewart

Add Debian support

8842a597 2022-07-05 08:23 Tim Meusel

make path to `nft` binary configurable

0c9bc308 2022-02-27 11:05 hashworks

Add support for Arch Linux

Arch Linux stores the configuration in a different path and does not
provide firewalld without explicit installation.

This is basically the same as #66 – I've reused their code since it hasn't
been merged in a while.

b5874974 2021-12-16 09:54 Steve Traylen

rubocop - RSpec/RepeatedExampleGroupBody

c82b960a 2021-12-16 08:55 Steve Traylen

rubocop:auto_correct results

fcb79d73 2021-09-07 05:37 Ben Morrice

support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid...

c94658e1 2021-07-06 11:46 Nacho Barrientos

Allow declaring the same set in several tables

Closes #100

7b9d6ffc 2021-05-31 04:42 Nacho Barrientos

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
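As an added illustration of the "totally empty firewall" starting point described in the commit above (this is example code, not the module's own manifests or documentation): the class is declared with both skeletons disabled, then a single base chain and a handful of rules are added by hand. It assumes the module's `nftables::chain` and `nftables::rule` defined types, that `nftables::rule` takes a `content` string and a two-digit `order` string, that rule titles are of the form `CHAIN-name`, and that `nftables::chain` defaults to the `inet-filter` table; those details are assumptions drawn from the module's conventions, not stated on this page.

```puppet
# Added example: build an input filter from scratch instead of relying on
# the module's default inet-filter / ip-nat / ip6-nat skeleton.
# Assumptions (not from this page): nftables::chain defaults to table
# 'inet-filter'; nftables::rule takes `content` and a two-digit `order`;
# rule titles are 'CHAIN-name'.
class { 'nftables':
  inet_filter => false,
  nat         => false,
}

# One base chain in the inet-filter table; nothing else is created.
nftables::chain { 'INPUT': }

nftables::rule {
  # Base-chain definition: hook and default policy first.
  'INPUT-type':
    content => 'type filter hook input priority 0',
    order   => '01';
  'INPUT-policy':
    content => 'policy drop',
    order   => '02';
  # Loopback and stateful bookkeeping before any service rules.
  'INPUT-lo':
    content => 'iifname lo accept',
    order   => '10';
  'INPUT-established':
    content => 'ct state established,related accept',
    order   => '11';
  'INPUT-invalid':
    content => 'ct state invalid drop',
    order   => '12';
  # Only SSH is reachable; everything else falls through to 'policy drop'.
  'INPUT-ssh':
    content => 'tcp dport 22 accept',
    order   => '20';
}
```

With `inet_filter` and `nat` both `false` there is no OUTPUT or FORWARD chain at all, so outbound traffic is unrestricted and forwarding is simply not filtered; add those base chains explicitly (and a policy for each) before relying on this ruleset on a router or container host.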

1eda6efa 2021-04-21 09:46 Steve Traylen

Rely on puppet 6 calling daemon-reload

Since Puppet 6 there is now no need to explicitly
call `systemctl daemon-reload`.

cd2a3cbf 2021-03-25 03:30 Nacho Barrientos

Add rules for QEMU/libvirt guests

6be2adf7 2021-03-19 07:12 Luis Fernández Álvarez

Add Docker-CE default rules

771b3256 2021-03-15 09:59 Nacho Barrientos

Add rules for Apache ActiveMQ

19908f41 2021-01-18 14:07 mh

add some mail related outgoing rules

1ee2f66b 2021-01-18 06:25 Giuseppe Lo Presti

Added to tests

04176b0e 2020-12-13 16:52 mh

switch naming to puppetserver

cfcafde5 2020-12-10 09:20 Steve Traylen

test that all classes can be included

d8752442 2020-12-10 09:20 Steve Traylen

test that bad configuration leaves service running

ce22630b 2020-12-09 05:37 Steve Traylen

Remove duplicate flush on reload

When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.

bd5145ab 2020-12-08 07:54 Steve Traylen

Add basic configuration validation acceptance test (#38)

  • Add basic configuration validation acceptance test

It is not possible to start the nftables service within docker so
the service is altered to only validate the service
configuration resulting from concat constructed files and nft inclusions.