rules::out::mdns: Allow interface filtering
rules::icmp: Allow ICMP packets with extensions
Make "dropping invalid packets" configurable
It doesn't make sense to explicitly drop those packets when the default policy is already `DROP`. Also some applications, like ceph, are known to send packets that might be marked as invalid.
rules::out::dns: refactor for better readability
Support input interface specification to dns server
Useful when you want to allow docker/podman containers access to a host's dns stub resolver.
```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```
Additional rules for podman root containers
This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration...
add ftp helper
This adds ability to enable a connection tracker helper and provides typical ftp rules
Co-authored-by: Vadym Chepkov <vchepkov@gmail.com>
Co-authored-by: Yury Bushmelev <jay4mail@gmail.com>
Align filemode on RedHat to distro default
The RPM actually ships the configuration and directory with 0600/0700 while this module sets the mode to 0640/0750.
However, this has the drawback that on new nftables RPM versions, we are setting it back to the module's mode and triggering an nft...
split conntrack management into dedicated classes so they get consumable
New nftables::file type to include raw file
For example:
```puppet
nftables::file { 'geoip':
  content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",
}
```
will write a file or content into the nftables configuration.
The file written will be included in configuration....
Merge pull request #144 from duritong/fix-143-properly-escape-rulename
Properly escape bridge in rulename
fix #143 - properly escape rulename for interfaces
remove duplicate expect
this is handled by the next - more specific - expect anyways
Add all families as a valid noflush pattern
nftables has more valid families than the ones currently accepted by the module.
This patch adds support for all the families currently supported as per the documentation at: https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
chrony: Allow filtering for outgoing NTP servers
Add rule to allow outgoing whois queries
Add class for outgoing PXP connections
Add class for pxp-agent firewalling
Add Debian support
systemctl: Use relative path
make path to `nft` binary configurable
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does not provide firewalld without explicit installation.
This is basically the same as #66 – I've reused their code since it hasn't been merged in a while.
Make sure that the list of interfaces is mocked
If 'networking' is not removed from the facts, the values declared in `default_module_facts.yml` win (the fact set contains two keys: `:networking` and `'networking'`)
This test has always been wrong as the interfaces had never been...
rubocop -f RSpec/RepeatedExampleGroupDescription
rubocop:auto_correct results
Pet rubocop
support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid...
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false` users can now start off from a totally empty firewall and add the tables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
Add rules for QEMU/libvirt guests
Add optional handling of chains
Fix rulename spec in spec
Fix syntax
Add newline & more tests
Add Docker-CE default rules
Add rules for Apache ActiveMQ
fix #74 - ensure table are initialized before flushing them (#75)
Merge pull request #73 from Koumbit/global_chain_not_hardcoded
start declaring the 'global' chain with module resources
create tests for presence of the "global" chain
add some mail related outgoing rules
Made ctdb rule parameterized
Added to tests
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Correct NFS udp and tcp port matching
There was a `th` missing from the rule which, from the examples in the manpage, is meant to be there.
Cannot find the docs for what `th` does.
Auto fill simple table configuration
Remove duplicate flush on reload
When nftables was reloaded a flush was being done both in the systemd reload call and in the nft script itself.
rubocop:auto_correct fixes
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Test NFS rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Test ceph rules
New parameter noflush_tables to selectively skip flush
Introduces a new structured fact nftables
```yaml
nftables:
  tables:
    - inet-filter
    - ip-nat
    - ip6-nat
    - inet-f2b-table
```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #28 from traylenator/simplify
Do not test nftables::rules repeatedly
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Rather than testing the contents of nftable::rules just test that the nftables::rules instance is correct.
The existing test for the define nftables::rules is enough.
Motivation here is to make changes to nftables::rules easier to handle...
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```
...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Correct bad merge
There was a bad merge between
correct tests.
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment to add a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules back to puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager (7001) which is UDP and always IPv4 since OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Add a parameter to control the fate of discarded packets
Merge pull request #4 from cernops/dhcp6
Add classes encapsulating rules for DHCPv6 client traffic (in/out)
Add class nftables::services::dhcpv6_client
Merge pull request #5 from cernops/custom_log_prefix
Allow customising the log prefix
Use concat for table conf generation
This way other components of the module will be able to add extra stuff to the table definitions like sets.
Fix rulenames which includes an index
The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]` which allows an index at the end of the rulename (with a delimiter). This is split later with `$data = split($rulename, '')` but the content...
Add basic ip6 nat chains
Add class bridges
Allow traffic from any bridge to itself by default
Allow to inject custom rules
fix offenses
New parameter out_all, default false
In order to allow all outbound traffic a parameter is added to enable a simple `allow` entry on the out chain.
Default is false so backwards compatible.
If true all the other out_bound rules (ntp, ...) will be disabled...
Styling to make tests green
Add a rule to create snat
Test masquerade default proto
Add a define for masquerading
Extract the dnat spec tests
Add a define for ipv4 dnat
Create a special ingoing chain for all ingoing fwd rules
Stop and mask firewalld service
Linting
Add spec tests for a DNAT
Add spec tests for ip nat prerouting
Add spec tests for router functionality
Add spec tests for ip nat chain policies
Fix nat hooks