Projet

Général

Profil

Paste
Télécharger au format
Statistiques
| Branche: | Révision:

root @ d43ced4d

# Date Auteur Commentaire
d43ced4d 2020-12-09 11:44 Nacho Barrientos

Implement nftables:;simplerule::counter
aaa37172 2020-12-09 11:44 Nacho Barrientos

Implement nftables:;simplerule::daddr
d38aab5b 2020-12-09 11:44 Nacho Barrientos

Test passing a port without protocol
316bc3f8 2020-12-09 11:44 Nacho Barrientos

Allow IPv4 and IPv6 only rules
3a52fb41 2020-12-09 11:44 Nacho Barrientos

Richer dport
fb65734d 2020-12-09 11:44 Nacho Barrientos

s/setname/rulename
83382bb5 2020-12-09 11:44 Nacho Barrientos

Add nftables::simplerule
f0bd8791 2020-12-09 10:58 duritong

Merge pull request #34 from traylenator/dedupe_flush

Remove duplicate flush on reload
354a3ea5 2020-12-09 10:34 duritong

Merge pull request #44 from traylenator/formatting

Correct layout of ignore table example
b9785000 2020-12-09 09:42 Steve Traylen

Correct layout of ignore chain example
ce22630b 2020-12-09 05:37 Steve Traylen

Remove duplicate flush on reload

When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.
03d8e696 2020-12-09 04:55 Steve Traylen

Merge pull request #41 from traylenator/rubocop

rubocop corrections
139ec11d 2020-12-09 04:37 Steve Traylen

Merge pull request #43 from cernops/doc_typos

Fix typos and formatting in the README
1330c27e 2020-12-09 04:08 Nacho Barrientos

Add a hint about changing default output configuration
8ded326d 2020-12-09 04:06 Nacho Barrientos

Fix typo in class name
4ed97e58 2020-12-09 04:06 Nacho Barrientos

Add a separation between the header and the content
620da9a6 2020-12-09 04:06 Nacho Barrientos

Add remark about the global chain
0f31ffbe 2020-12-09 04:06 Nacho Barrientos

Fix grammatical error
1ffab17b 2020-12-09 04:05 Nacho Barrientos

Add full stop
7e5b657a 2020-12-08 11:49 Steve Traylen

rubocop:auto_correct fixes
da8956d3 2020-12-08 11:49 Steve Traylen

Enable rubocop check

Will submit centrally if all well.
492ca838 2020-12-08 09:23 Steve Traylen

Disable Disable TrailingCommaInArguments early

Can be reverted once
https://github.com/voxpupuli/voxpupuli-test/pull/36
is released
c4b1b93b 2020-12-08 07:58 Steve Traylen

Comment why firewalld_enable parameter is required (#40)
bd5145ab 2020-12-08 07:54 Steve Traylen

Add basic configuration validation acceptance test (#38)

  • Add basic configuration validation acceptance test

It is not possible to start the nftables service within docker so
the service is altered to only validate the service
configuration resulting from concat constructed files and nft inclusions.
7db6f797 2020-12-07 11:23 Steve Traylen

Merge pull request #36 from traylenator/modulesync

modulesync 4.0.0 and general alignment to voxpupuli.
4630574b 2020-12-07 11:18 Steve Traylen

Correct author, add tags and issues to metadata
5b4c71bc 2020-12-07 11:18 Steve Traylen

Correctly remove puppet4 support
31b17627 2020-12-07 11:18 Steve Traylen

Use single line for each parameter definition
59c1ddf4 2020-12-07 10:13 Steve Traylen

Mock with mocha
b09d43bf 2020-12-07 09:56 Steve Traylen

Adapt metadata to voxpupuli name space
11bf7237 2020-12-07 09:51 Steve Traylen

lint_fix results
78f22811 2020-12-07 09:25 Steve Traylen

modulesync 4.0.0
8897f7d0 2020-12-07 09:21 Steve Traylen

Drop duritong .sync.yml
e3c56ff6 2020-12-03 03:48 keachi

Merge pull request #29 from keachi/fwd_conntrack

Enable conntrack in FORWARD
24a5a2a7 2020-12-02 15:05 tr

Enable conntrack in FORWARD
ed8e4643 2020-12-02 08:03 duritong

Merge pull request #32 from dvanders/ceph_nfs

Add Ceph and NFS rules
d0c972c3 2020-12-02 05:37 Dan van der Ster

Test NFS rules

Signed-off-by: Dan van der Ster <>
f4e9e995 2020-12-02 05:37 Dan van der Ster

Test ceph rules

Signed-off-by: Dan van der Ster <>
c3be15e0 2020-12-01 15:05 duritong

Merge pull request #31 from traylenator/selective

New parameter noflush_tables to selectivly skip flush
5210e023 2020-12-01 05:42 Dan van der Ster

Add NFS-related rules

Signed-off-by: Dan van der Ster <>
bbc93ede 2020-12-01 04:33 Dan van der Ster

Add ceph related rules

Signed-off-by: Dan van der Ster <>
03d9e7da 2020-12-01 03:09 Steve Traylen

New parameter noflush_tables to selectivly skip flush

Introduces a new structured fact nftables

```yaml
nftables:
tables:
- inet-filter
- ip-nat
- ip6-nat
- inet-f2b-table
```

By default the nft script will continue to contain `nft flush ruleset`...
9fe75e32 2020-11-30 07:21 duritong

Merge pull request #30 from traylenator/slc

Scientific Linux 8 will never exist
2ccf856b 2020-11-30 05:27 Steve Traylen

Scientific Linux 8 will never exist

As per

https://listserv.fnal.gov/scripts/wa.exe?A2=ind1904&L=SCIENTIFIC-LINUX-ANNOUNCE&P=78
72aad4a2 2020-11-29 13:22 keachi

Merge pull request #28 from traylenator/simplify

Do not test nftables::rules repeatadly
902ceaac 2020-11-29 13:18 keachi

Merge pull request #22 from cernops/log_limit

Set a customisable rate limit to the logging rules
d5a61536 2020-11-27 06:07 duritong

Merge pull request #26 from cernops/hiera_sets

Allow sourcing sets from Hiera
6b80ac21 2020-11-27 06:06 duritong

Merge pull request #27 from traylenator/reference

Refresh REFERENCE
300b7382 2020-11-27 05:21 Steve Traylen

Do not test nftables::rules repeatadly

Rather than testing the contents of nftable::rules just test
that nftables::rules instance is correct.

The existing test for the define nftables::rules is enough.

Motivation here is to make changes to nftables::rules easier to handle...
7f6cacc5 2020-11-27 04:01 Steve Traylen

Refresh REFERENCE
802d80d1 2020-11-27 03:35 Nacho Barrientos

Allow sourcing sets from Hiera
7395300c 2020-11-26 16:09 duritong

Merge pull request #25 from cernops/no_nat

Allow disabling default NAT tables and chains
82d10659 2020-11-26 15:39 Nacho Barrientos

Allow disabling default NAT tables and chains
bd549474 2020-11-26 15:07 duritong

Merge pull request #10 from traylenator/reload

Reload rules atomically and verify rules before deploy
30462da1 2020-11-26 05:19 Steve Traylen

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```...
b10c6216 2020-11-24 10:37 Nacho Barrientos

Set a customisable rate limit to the logging rules
92461926 2020-11-24 07:53 duritong

Merge pull request #16 from cernops/icmp

Move ICMP stuff to separate classes allowing better customisation
587e522e 2020-11-24 07:51 duritong

Merge pull request #20 from cernops/firewalld_mask

Make masking Service['firewalld'] optional
ae9872e2 2020-11-24 04:17 Nacho Barrientos

Make masking Service['firewalld'] configurable
79e9a23f 2020-11-21 03:10 Nacho Barrientos

Move ICMP stuff to separate classes
def3893c 2020-11-20 10:52 keachi

Merge pull request #15 from traylenator/fixtests

Correct bad merge
8b97e6a3 2020-11-20 03:52 Steve Traylen

Correct bad merge

There was a bad merge between

correct tests.
a5f5fb12 2020-11-19 15:56 duritong

Merge pull request #13 from traylenator/comment

Add comments for all the nftable::rules entries
21d0496e 2020-11-19 15:53 duritong

Merge pull request #14 from cernops/ct_away

Move conntrack rules from global to INPUT and OUTPUT
7b14f6d9 2020-11-19 15:11 keachi

Merge pull request #6 from traylenator/afs

Add rules for afs3_callback in and out rules for kerberos and openafs.
ea96d5db 2020-11-19 10:15 Nacho Barrientos

Move ct rules from global to INPUT and OUTPUT
61f03b47 2020-11-19 09:19 Steve Traylen

Switch $order$fragmenta/b to $order-$fragment-a/b
e53053ce 2020-11-19 08:31 Steve Traylen

Add comments for all the nftable::rules entries

For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.

The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more...
9e5b8bf0 2020-11-19 05:28 keachi

Merge pull request #12 from cernops/log_format

Allow tables to add comments to $log_prefix
ac0af4aa 2020-11-19 03:16 Nacho Barrientos

Allow tables to add comments to $log_prefix
ef3e9ad6 2020-11-18 15:25 duritong

Merge pull request #8 from cernops/ai5973

Allow raw sets and dashes in set names
9785cd54 2020-11-18 11:02 Steve Traylen

lint fix
215aee13 2020-11-18 07:18 Steve Traylen

Add kerberos out and openafs_client out
f3f2870f 2020-11-18 07:18 Steve Traylen

Add rules for afs3_callback

In particular the afs callback to the cache manager(7001) which is UDP and always
IPv4 since there OpenAFS does not support IPv6.

https://wiki.openafs.org/devel/AFSServicePorts/
5e0146c2 2020-11-17 09:53 keachi

Merge pull request #7 from cernops/reject_with

Add a parameter to control the fate of discarded traffic
7bb485c5 2020-11-16 09:19 Nacho Barrientos

Allow dashes in set names
9f0498e3 2020-11-16 09:16 Nacho Barrientos

Relax nftables::set::type making it optional

This is needed in case nftables::set is passed raw configuration via
source or content.
70727742 2020-11-16 04:50 Nacho Barrientos

Add a parameter to control the fate of discarded packets
0cf43fdf 2020-11-15 16:37 duritong

Merge pull request #4 from cernops/dhcp6

Add classes encapsulating rules for DHCPv6 client traffic (in/out)
37b2a3b7 2020-11-15 13:41 Nacho Barrientos

Add class nftables::services::dhcpv6_client
883389dc 2020-11-15 10:51 duritong

Merge pull request #5 from cernops/custom_log_prefix

Allow customising the log prefix
43566263 2020-11-15 10:47 Nacho Barrientos

Add rules for outgoing and incoming DHCPv6 client traffic
ed827383 2020-11-15 04:44 Nacho Barrientos

Allow customising the log prefix
317b8d01 2020-11-13 14:21 keachi

Merge pull request #3 from cernops/ai5973

Add support for named sets
20b96360 2020-11-13 09:57 Nacho Barrientos

Add support for named sets
e4c32222 2020-11-13 09:55 Nacho Barrientos

Use concat for table conf generation

This way other components of the module will be able to add extra stuff
to the table definitions like sets.
18ec6f48 2020-11-05 16:43 tr

Fix rulenames which includes an index

The rulename has a regex pattern `[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(\d+)?$/]`
which allows an index at the end of the rulename (with a delimiter).
This is split later with `$data = split($rulename, '')` but the content...
e5eb7424 2020-11-05 16:37 tr

Allow to specify prometheus source addresses
e73f2e97 2020-10-28 15:53 tr

Fix rule node exporter
8227cb1c 2020-10-28 15:50 tr

Manage rule in dns
cb50fd79 2020-10-28 15:47 tr

Add rule in node_exporter
e105f149 2020-10-28 14:50 tr

Include table ip6 nat
248ef9d5 2020-10-28 14:40 tr

Add basic ip6 nat chains
579e27df 2020-10-27 02:22 tr

Fix the regex for bridge names
2c00d766 2020-10-27 02:22 tr

Replace dashes with underlines

Docker daemon bridges contains dashes, replace them with underlines to
fit the naming concept.
66ed7f61 2020-10-26 02:15 mh

migrate create_resource to the generic loop over hash approach

create_resource is notorious for not providing exact line/file info
when something fails. Since in puppet you can now loop over hashes
and you have the splat assignment operator. This means you get much...
66b1a7a9 2020-10-25 10:05 tr

Allow ICMPv6 Router Advertisment packets
fd0eaeca 2020-10-24 06:02 tr

Add class bridges

Allow traffic from any bridge to itself by default
c1224db5 2020-10-23 13:47 tr

Move filter rules to inet_filter class
b3a7a6dd 2020-10-23 13:46 tr

Allow to inject custom rules