Fix nftables::rules::out::nfs3 for nftables 0.9.0
Fix rubocop style error
Revert "Use symbols for both lookups in os_facts"
This reverts commit 0877a8fd3646130f06b29e581a1ed2f990394094.
My initial tests were too hasty. `os_facts[:os][:family]` returnsan empty string. The original formulation was correct.
Use symbols for both lookups in os_facts
The access does work this way and it seems preferable to beconsistent. The access using `os_facts['os']` does not work.
Add test cases for Debian
Made ctdb rule parameterized
Added to tests
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
Auto fill simple table configuration
Remove duplicate flush on reload
When nftables was reloaded a flush was being done both in the systemdreload call and in the nft script itself.
rubocop:auto_correct fixes
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Test NFS rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Test ceph rules
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yamlnftables: tables: - inet-filter - ip-nat - ip6-nat - inet-f2b-table```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #28 from traylenator/simplify
Do not test nftables::rules repeatadly
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Rather than testing the contents of nftable::rules just testthat nftables::rules instance is correct.
The existing test for the define nftables::rules is enough.
Motivation here is to make changes to nftables::rules easier to handle...
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```ExecStart=/sbin/nft -f /etc/sysconfig/nftables.confExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'ExecStop=/sbin/nft flush ruleset```...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Correct bad merge
There was a bad merge between
correct tests.
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment toadd a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules backto puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager(7001) which is UDP and alwaysIPv4 since there OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Add a parameter to control the fate of discarded packets
Merge pull request #4 from cernops/dhcp6
Add classes encapsulating rules for DHCPv6 client traffic (in/out)
Add class nftables::services::dhcpv6_client
Merge pull request #5 from cernops/custom_log_prefix
Allow customising the log prefix
Use concat for table conf generation
This way other components of the module will be able to add extra stuffto the table definitions like sets.
Fix rulenames which includes an index
The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]`which allows an index at the end of the rulename (with a delimiter).This is split later with `$data = split($rulename, '')` but the content...
Add basic ip6 nat chains
Add class bridges
Allow traffic from any bridge to itself by default
Allow to inject custom rules
fix offenses
New parameter out_all, default false
In order to allow all outbound traffic a parameter isadded to enable a simple `allow` entry on the out chain.
Default is false so backwards compatible.
If true all the other out_bound rules (ntp, ...) will be disabled...
Styling to make tests green
Add a rule to create snat
Test masquerade default proto
Add a define for masquerading
Extract the dnat spec tests
Add a define for ipv4 dnat
Create a special ingoing chain for all ingoing fwd rules
Stop and mask firewalld service
Linting
Add spec tests for a DNAT
Add spec tests for ip nat prerouting
Add spec tests for router functionality
Add spec tests for ip nat chain policies
Fix nat hooks
Rename to snake cases
Add spec tests for ip-nat
Rename spec filter to inet-filter
Replace filter with inet-filter
Refactoring
Spec tests for default rules
Add spec tests for default chains
Add spec tests for filter chains
Write some spec tests for init class
Add spec tests it should compile
