add icinga2 rule for outgoing traffic
Install netbase for /etc/services on Ubuntu 20.04
On Ubuntu 20.04 only the nftables package no longer depends on netbase.
The result is the required `/etc/services` file is not installed.
Always install `netbase` on Ubuntu 20.04
Revert "Install netbase for /etc/services file"
This reverts commit 25528bfc63df27900cc2f91ef32bd4ccddef7382.
Install netbase for /etc/services file
set service provider to systemd in unit tests
Merge pull request #252 from phaedriel/addr_array
Add support Arrays of source/destination IP addresses for nftables::simplerule
partial modulesync 9.1.0
This excludes the Gemfile changes
Change default hash location to /var/tmp to survive reboots and avoid bogus nftables reload
Added shell provider to execs. Hash generate now in array. Ran rubocop:autocorrect
Changed path to use fact. Partial conversion of execs to arrays
Change exec title
Fix typos
Added purge_unmanaged_rules new variant of method
Add variant array
Run default destroying acceptance tests at end
The spec test destroy_spec was purging default nftables configurationsbefore other existing tests had a chance to run.
Run the default destroying tests as the final test.
New clobber_default_config paramter
Certain OSes namely Debian and Archlinux provide default ruleswith the OS.
This module has always respected those rules and appended all ofits own rules to the end of the existing rules.
The new parameter `clobber_default_config` if set `true` (default `false`)...
Accept on Debian 11 nftables::set will fail
On Debian 11 adding an nftables set triggers a bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063690
move the `nftables::set` tests out to their own test which makes senseanyway and mark as pending for Debian 11.
rules::llmnr: Allow interface filtering
rules::ospf3: Allow filtering on incoming interfaces
rules::out::ospf3: Allow filtering on outgoing interfaces
rules::mdns: Allow interface filtering
rules::out::mdns: Allow interface filtering
rules::icmp: Allow ICMP packets with extensions
Make "dropping invalid packets" configureable
It doesn't make sense to explicitly drop those pakets when the defaultpolicy is already `DROP`. Also some applications, like ceph, are knownto send packets that might be marked as invalid.
simplerule: Add support for outgoing interface filtering
rules::out:dns: refactor for better readability
simplerule: Add support for incoming interface filtering
Support input interface specification to dns server
Useful when you want to allow docker/podman containersaccess to a hosts dns stub resolver.
```puppetclass{'nftables::rules::dns': iifname => ['docker0'],}```
Merge pull request #189 from tskirvin/master
nftables::simplerule::dport - takes port ranges as part of the array
Additional rules for podman root containers
This class defines additional forwarding rules to let root containersreach external networks when using Netavark (since v4.0) or CNI (deprecated).At the time of writing, Podman supports automatic configuration...
add ftp helper
This adds ability to enable a connection tracker helper and provides typical ftp rules
Co-authored-by: Vadym Chepkov <vchepkov@gmail.com>Co-authored-by: Yury Bushmelev <jay4mail@gmail.com>
trying out a spec to mix port arrays and ranges
spec update to confirm that port ranges work
Add nftables rules for ws-discovery
Add rule for incoming SSDP
Add rule for incoming LLMNR
Add rule for outgoing multicast DNS
Add rule for multicast listener requests (MLDv2)
modulesync 7.0.0
Add rules for IGMP
Add rule to allow multicast DNS
Add rule to allow incoming spotify broadcast
Add rule to allow incoming multicast traffic
add ldap and active directory rules
Add bridge as a valid family for chain tables
Merge pull request #149 from hugendudel/netdev_support
Allow netdev as table family in defined type nftables::chain
Add acceptance test covering tables of type netdev
Align filemode on RedHat to distro default
The RPM acutally ships the configuration and directory with0600/0700 while this module sets the mode to 0640/0750.
However, this has the drawback that on new nftables RPM versions,we are setting it back to the modules mode and triggering an nft...
Add class for outgoing HKP firewalling
split conntrack management into dedicated classes so they get consumeable
New nftables::file type to include raw file
For example:
```puppetnftables::file{'geoip': content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",}```
will right a file or content into the nftables configuration.
The file written will be included in configuration....
Merge pull request #144 from duritong/fix-143-properly-escape-rulename
Properly escape bridge in rulename
fix #143 - properly escape rulename for interfaces
remove duplicate expect
this is handled by the next - more specific - expect anyways
Add all families as a valid noflush pattern
nftables has more valid families than the ones currently accepted by themodule.
This patch adds support for all the families currently supported as perthe documentation at:https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
chrony: Allow filtering for outgoing NTP servers
Add rule to allow outgoing whois queries
Add class for outgoing PXP connections
Add class for pxp-agent firewalling
Add Debian support
systemctl: Use relative path
make path to `nft` binary configureable
rspec mock systemd process on docker
On docker rspec the service provider is autodetected as redhatrather than systemd.
https://tickets.puppetlabs.com/browse/PUP-11167
That causes
```error during compilation: Parameter enable failed on Service[firewalld]: Provider redhat must have features 'maskable' to set 'enable' to 'mask' (file: /builds/ai/it-puppet-module-nftables/code/spec/fixtures/modules/nftables/manifests/init.pp, line: 186)...
Migrate from deprecated mocha
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does notprovide firewalld without explicit installation.
This basically the same as #66 – I've reused their code since it hasn'tbeen merged in a while.
Make sure that the list of interfaces is mocked
If 'networking' is not removed from the facts, the values declared in`default_module_facts.yml` win (the fact set contains two keys:`:networking` and `'networking'`)
This test has always been wrong as the interfaces were never been...
rubocop - RSpec/RepeatedExampleGroupBody
rubocop -f RSpec/RepeatedExampleGroupDescription
rubocop:auto_correct results
modulesync 5.1.0
Pet rubocop
modulesync 4.2.0
support a different table name for 'nat'- Some applications (such as libvirt) still use iptables to inject firewall rules- iptables will refuse to update tables that were initially created with nft- This commit allows defining the name of the 'nat' table in order to avoid...
Allow declaring the same set in several tables
Closes #100
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`users can now start off from a totally empty firewall and add thetables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept...
Fix IPv4 source address type detection
Before this patch, a rule like this:
``` nftables::simplerule { 'foo': action => 'accept', dport => 443, proto => 'tcp4', saddr => '192.168.1.10', }```
would incorrectly generate this rule:...
Rely on puppet 6 calling daemon-reload
Since Puppet 6 now there no need to explicitlycall `systemctl daemon-reload`.
Add rules for QEMU/libvirt guests
Merge pull request #80 from luisfdez/dockerce
Add Docker-CE default rules
Add optional handling of chains
Add nftables.version to structured fact.
```FACTERLIB=. facter -p nftables { tables => [ "bridge-filter", "bridge-nat", "inet-firewalld", "ip-firewalld", "ip6-firewalld" ], version => "0.9.3" }```
Fix rulename spec in spec
Fix syntax
Add newline & more tests
Add rules for Apache ActiveMQ
fix #74 - ensure table are initialized before flushing them (#75)
Merge pull request #73 from Koumbit/global_chain_not_hardcoded
start declaring the 'global' chain with module resources
create tests for presence of the "global" chain
Add unit test
Fix IP version filter for IPv6 traffic
add some mail related outgoing rules
Merge pull request #62 from glpatcern/master
Added Samba in rules
Made ctdb rule parameterized
Pull up rule regexp to type aliases
Added to tests
Align simplerule and rule rulename requirements
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
switch naming to puppetserver
Prefix custom tables with custom- so they're loaded
