Add class for outgoing PXP connections
Add class for pxp-agent firewalling
Add Debian support
systemctl: Use relative path
make path to `nft` binary configureable
rspec mock systemd process on docker
On docker rspec the service provider is autodetected as redhatrather than systemd.
https://tickets.puppetlabs.com/browse/PUP-11167
That causes
```error during compilation: Parameter enable failed on Service[firewalld]: Provider redhat must have features 'maskable' to set 'enable' to 'mask' (file: /builds/ai/it-puppet-module-nftables/code/spec/fixtures/modules/nftables/manifests/init.pp, line: 186)...
Migrate from deprecated mocha
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does notprovide firewalld without explicit installation.
This basically the same as #66 – I've reused their code since it hasn'tbeen merged in a while.
Make sure that the list of interfaces is mocked
If 'networking' is not removed from the facts, the values declared in`default_module_facts.yml` win (the fact set contains two keys:`:networking` and `'networking'`)
This test has always been wrong as the interfaces were never been...
rubocop - RSpec/RepeatedExampleGroupBody
rubocop -f RSpec/RepeatedExampleGroupDescription
rubocop:auto_correct results
modulesync 5.1.0
Pet rubocop
modulesync 4.2.0
support a different table name for 'nat'- Some applications (such as libvirt) still use iptables to inject firewall rules- iptables will refuse to update tables that were initially created with nft- This commit allows defining the name of the 'nat' table in order to avoid...
Allow declaring the same set in several tables
Closes #100
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`users can now start off from a totally empty firewall and add thetables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
Fix IPv4 source address type detection
Before this patch, a rule like this:
``` nftables::simplerule { 'foo': action => 'accept', dport => 443, proto => 'tcp4', saddr => '192.168.1.10', }```
would incorrectly generate this rule:...
Rely on puppet 6 calling daemon-reload
Since Puppet 6 now there no need to explicitlycall `systemctl daemon-reload`.
Add rules for QEMU/libvirt guests
Merge pull request #80 from luisfdez/dockerce
Add Docker-CE default rules
Add optional handling of chains
Add nftables.version to structured fact.
```FACTERLIB=. facter -p nftables { tables => [ "bridge-filter", "bridge-nat", "inet-firewalld", "ip-firewalld", "ip6-firewalld" ], version => "0.9.3" }```
Fix rulename spec in spec
Fix syntax
Add newline & more tests
Add rules for Apache ActiveMQ
fix #74 - ensure table are initialized before flushing them (#75)
Merge pull request #73 from Koumbit/global_chain_not_hardcoded
start declaring the 'global' chain with module resources
create tests for presence of the "global" chain
Add unit test
Fix IP version filter for IPv6 traffic
add some mail related outgoing rules
Merge pull request #62 from glpatcern/master
Added Samba in rules
Made ctdb rule parameterized
Pull up rule regexp to type aliases
Added to tests
Align simplerule and rule rulename requirements
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Prefix custom tables with custom- so they're loaded
Merge pull request #48 from cernops/config_template
Several fixes for nftables::config
Correct NFS udp and tcp port matching
There was a missing `th` from rule which from the examples in the manpage is meant to be there.
Cannot find the docs for what `th` does.
test that all classes can be included
test that bad configuration leaves service running
Fix context name (removes dup)
Implement intended failure
Auto fill simple table configuration
Encapsulate addr-related exprs in Nftables::Addr
Encapsulate port-related exprs in Nftables::Port
Implement nftables::simplerule::saddr
Allow some other types of verdicts
Implement nftables::simplerule::sport
Handle dport internally always as an array
Implement nftables:;simplerule::counter
Implement nftables:;simplerule::daddr
Test passing a port without protocol
Allow IPv4 and IPv6 only rules
Richer dport
Add nftables::simplerule
Remove duplicate flush on reload
When nftables was reloaded a flush was being done both in the systemdreload call and in the nft script itself.
rubocop:auto_correct fixes
Add basic configuration validation acceptance test (#38)
It is not possible to start the nftables service within docker sothe service is altered to only validate the serviceconfiguration resulting from concat constructed files and nft inclusions.
Mock with mocha
modulesync 4.0.0
Merge pull request #29 from keachi/fwd_conntrack
Enable conntrack in FORWARD
Merge pull request #32 from dvanders/ceph_nfs
Add Ceph and NFS rules
Test NFS rules
Signed-off-by: Dan van der Ster <daniel.vanderster@cern.ch>
Test ceph rules
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yamlnftables: tables: - inet-filter - ip-nat - ip6-nat - inet-f2b-table```
By default the nft script will continue to contain `nft flush ruleset`...
Merge pull request #28 from traylenator/simplify
Do not test nftables::rules repeatadly
Merge pull request #22 from cernops/log_limit
Set a customisable rate limit to the logging rules
Rather than testing the contents of nftable::rules just testthat nftables::rules instance is correct.
The existing test for the define nftables::rules is enough.
Motivation here is to make changes to nftables::rules easier to handle...
Allow sourcing sets from Hiera
Allow disabling default NAT tables and chains
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```ExecStart=/sbin/nft -f /etc/sysconfig/nftables.confExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'ExecStop=/sbin/nft flush ruleset```...
Merge pull request #16 from cernops/icmp
Move ICMP stuff to separate classes allowing better customisation
Make masking Service['firewalld'] configurable
Move ICMP stuff to separate classes
Correct bad merge
There was a bad merge between
correct tests.
Merge pull request #13 from traylenator/comment
Add comments for all the nftable::rules entries
Merge pull request #14 from cernops/ct_away
Move conntrack rules from global to INPUT and OUTPUT
Merge pull request #6 from traylenator/afs
Add rules for afs3_callback in and out rules for kerberos and openafs.
Move ct rules from global to INPUT and OUTPUT
Switch $order$fragmenta/b to $order-$fragment-a/b
For each nftable::rule this adds an extra concat fragment toadd a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules backto puppet code more obvious. When adding a new rule it should be more...
Allow tables to add comments to $log_prefix
Merge pull request #8 from cernops/ai5973
Allow raw sets and dashes in set names
Add kerberos out and openafs_client out
Add rules for afs3_callback
In particular the afs callback to the cache manager(7001) which is UDP and alwaysIPv4 since there OpenAFS does not support IPv6.
https://wiki.openafs.org/devel/AFSServicePorts/
Allow dashes in set names
Relax nftables::set::type making it optional
This is needed in case nftables::set is passed raw configuration viasource or content.
Add a parameter to control the fate of discarded packets
Merge pull request #4 from cernops/dhcp6
Add classes encapsulating rules for DHCPv6 client traffic (in/out)
Add class nftables::services::dhcpv6_client
Merge pull request #5 from cernops/custom_log_prefix
Allow customising the log prefix
