fix #74 - ensure table are initialized before flushing them (#75)
Merge pull request #73 from Koumbit/global_chain_not_hardcoded
start declaring the 'global' chain with module resources
create tests for presence of the "global" chain
Add unit test
Fix IP version filter for IPv6 traffic
add some mail related outgoing rules
Merge pull request #62 from glpatcern/master
Added Samba in rules
Made ctdb rule parameterized
Pull up rule regexp to type aliases
Added to tests
Align simplerule and rule rulename requirements
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Prefix custom tables with custom- so they're loaded
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
test that all classes can be included
test that bad configuration leaves service running
Fix context name (removes dup)
Implement intended failure
Auto fill simple table configuration
Encapsulate addr-related exprs in Nftables::Addr
Encapsulate port-related exprs in Nftables::Port
Implement nftables::simplerule::saddr
Allow some other types of verdicts
Implement nftables::simplerule::sport
Handle dport internally always as an array
Implement nftables:;simplerule::counter
Implement nftables:;simplerule::daddr
Test passing a port without protocol
Allow IPv4 and IPv6 only rules
Richer dport
Add nftables::simplerule
Remove duplicate flush on reload
When nftables was reloaded a flush was being done both in the systemdreload call and in the nft script itself.
rubocop:auto_correct fixes
Add basic configuration validation acceptance test (#38)
It is not possible to start the nftables service within docker sothe service is altered to only validate the serviceconfiguration resulting from concat constructed files and nft inclusions.
Mock with mocha
modulesync 4.0.0
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Test NFS rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Test ceph rules
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yamlnftables: tables: - inet-filter - ip-nat - ip6-nat - inet-f2b-table```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #28 from traylenator/simplify
Do not test nftables::rules repeatadly
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Rather than testing the contents of nftable::rules just testthat nftables::rules instance is correct.
The existing test for the define nftables::rules is enough.
Motivation here is to make changes to nftables::rules easier to handle...
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```ExecStart=/sbin/nft -f /etc/sysconfig/nftables.confExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'ExecStop=/sbin/nft flush ruleset```...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Correct bad merge
There was a bad merge between
correct tests.
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment toadd a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules backto puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Merge pull request #8 from cernops/ai5973
Allow raw sets and dashes in set names
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager(7001) which is UDP and alwaysIPv4 since there OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Allow dashes in set names
Relax nftables::set::type making it optional
This is needed in case nftables::set is passed raw configuration viasource or content.
Add a parameter to control the fate of discarded packets
Merge pull request #4 from cernops/dhcp6
Add classes encapsulating rules for DHCPv6 client traffic (in/out)
Add class nftables::services::dhcpv6_client
Merge pull request #5 from cernops/custom_log_prefix
Allow customising the log prefix
Add support for named sets
Use concat for table conf generation
This way other components of the module will be able to add extra stuffto the table definitions like sets.
Fix rulenames which includes an index
The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]`which allows an index at the end of the rulename (with a delimiter).This is split later with `$data = split($rulename, '')` but the content...
Add basic ip6 nat chains
Add class bridges
Allow traffic from any bridge to itself by default
Allow to inject custom rules
fix offenses
New parameter out_all, default false
In order to allow all outbound traffic a parameter isadded to enable a simple `allow` entry on the out chain.
Default is false so backwards compatible.
If true all the other out_bound rules (ntp, ...) will be disabled...
Styling to make tests green
Do PDK convert
Add a rule to create snat
Test masquerade default proto
Add a define for masquerading
Extract the dnat spec tests
Add a define for ipv4 dnat
Create a special ingoing chain for all ingoing fwd rules
Stop and mask firewalld service
Linting
Add spec tests for a DNAT
Add spec tests for ip nat prerouting
Add spec tests for router functionality
Add spec tests for ip nat chain policies
Fix nat hooks
Rename to snake cases
Add spec tests for ip-nat
Rename spec filter to inet-filter
Replace filter with inet-filter
Refactoring
