puppetlabs-firewall-8.0.00040755000000000000000000000000014561126655012367 5ustar00puppetlabs-firewall-8.0.0/.gitpod.Dockerfile0100644000175100001770000000227514561126655016043 0ustar00FROM gitpod/workspace-full RUN sudo wget https://apt.puppet.com/puppet-tools-release-bionic.deb && \ wget https://apt.puppetlabs.com/puppet6-release-bionic.deb && \ sudo dpkg -i puppet6-release-bionic.deb && \ sudo dpkg -i puppet-tools-release-bionic.deb && \ sudo apt-get update && \ sudo apt-get install -y pdk zsh puppet-agent && \ sudo apt-get clean && \ sudo rm -rf /var/lib/apt/lists/* RUN sudo usermod -s $(which zsh) gitpod && \ sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" && \ echo "plugins=(git gitignore github gem pip bundler python ruby docker docker-compose)" >> /home/gitpod/.zshrc && \ echo 'PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin"' >> /home/gitpod/.zshrc && \ sudo /opt/puppetlabs/puppet/bin/gem install puppet-debugger hub -N && \ mkdir -p /home/gitpod/.config/puppet && \ /opt/puppetlabs/puppet/bin/ruby -r yaml -e "puts ({'disabled' => true}).to_yaml" > /home/gitpod/.config/puppet/analytics.yml RUN rm -f puppet6-release-bionic.deb puppet-tools-release-bionic.deb ENTRYPOINT /usr/bin/zsh puppetlabs-firewall-8.0.0/.gitpod.yml0100644000175100001770000000023014561126655014562 0ustar00image: file: .gitpod.Dockerfile tasks: - init: pdk bundle install vscode: extensions: - puppet.puppet-vscode@1.2.0:f5iEPbmOj6FoFTOV6q8LTg== puppetlabs-firewall-8.0.0/.nodeset.yml0100644000175100001770000000123414561126655014742 0ustar00--- default_set: 'centos-64-x64' sets: 'centos-59-x64': nodes: "main.foo.vm": prefab: 'centos-59-x64' 'centos-64-x64': nodes: "main.foo.vm": prefab: 'centos-64-x64' 'fedora-18-x64': nodes: "main.foo.vm": prefab: 'fedora-18-x64' 'debian-607-x64': nodes: "main.foo.vm": prefab: 'debian-607-x64' 'debian-70rc1-x64': nodes: 
"main.foo.vm": prefab: 'debian-70rc1-x64' 'ubuntu-server-10044-x64': nodes: "main.foo.vm": prefab: 'ubuntu-server-10044-x64' 'ubuntu-server-12042-x64': nodes: "main.foo.vm": prefab: 'ubuntu-server-12042-x64' puppetlabs-firewall-8.0.0/.rubocop.yml0100644000175100001770000004055014561126655014756 0ustar00--- require: - rubocop-performance - rubocop-rspec AllCops: DisplayCopNames: true TargetRubyVersion: '2.6' Include: - "**/*.rb" Exclude: - bin/* - ".vendor/**/*" - "**/Gemfile" - "**/Rakefile" - pkg/**/* - spec/fixtures/**/* - vendor/**/* - "**/Puppetfile" - "**/Vagrantfile" - "**/Guardfile" inherit_from: ".rubocop_todo.yml" Layout/LineLength: Description: People have wide screens, use them. Max: 200 RSpec/BeforeAfterAll: Description: Beware of using after(:all) as it may cause state to leak between tests. A necessary evil in acceptance testing. Exclude: - spec/acceptance/**/*.rb RSpec/HookArgument: Description: Prefer explicit :each argument, matching existing module's style EnforcedStyle: each RSpec/DescribeSymbol: Exclude: - spec/unit/facter/**/*.rb Style/BlockDelimiters: Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to be consistent then. EnforcedStyle: braces_for_chaining Style/ClassAndModuleChildren: Description: Compact style reduces the required amount of indentation. EnforcedStyle: compact Style/EmptyElse: Description: Enforce against empty else clauses, but allow `nil` for clarity. EnforcedStyle: empty Style/FormatString: Description: Following the main puppet project's style, prefer the % format format. EnforcedStyle: percent Style/FormatStringToken: Description: Following the main puppet project's style, prefer the simpler template tokens over annotated ones. EnforcedStyle: template Style/Lambda: Description: Prefer the keyword for easier discoverability. EnforcedStyle: literal Style/RegexpLiteral: Description: Community preference. 
See https://github.com/voxpupuli/modulesync_config/issues/168 EnforcedStyle: percent_r Style/TernaryParentheses: Description: Checks for use of parentheses around ternary conditions. Enforce parentheses on complex expressions for better readability, but seriously consider breaking it up. EnforcedStyle: require_parentheses_when_complex Style/TrailingCommaInArguments: Description: Prefer always trailing comma on multiline argument lists. This makes diffs, and re-ordering nicer. EnforcedStyleForMultiline: comma Style/TrailingCommaInArrayLiteral: Description: Prefer always trailing comma on multiline literals. This makes diffs, and re-ordering nicer. EnforcedStyleForMultiline: comma Style/SymbolArray: Description: Using percent style obscures symbolic intent of array's contents. EnforcedStyle: brackets RSpec/MessageSpies: EnforcedStyle: receive Style/Documentation: Exclude: - lib/puppet/parser/functions/**/* - spec/**/* Style/WordArray: EnforcedStyle: brackets Performance/AncestorsInclude: Enabled: true Performance/BigDecimalWithNumericArgument: Enabled: true Performance/BlockGivenWithExplicitBlock: Enabled: true Performance/CaseWhenSplat: Enabled: true Performance/ConstantRegexp: Enabled: true Performance/MethodObjectAsBlock: Enabled: true Performance/RedundantSortBlock: Enabled: true Performance/RedundantStringChars: Enabled: true Performance/ReverseFirst: Enabled: true Performance/SortReverse: Enabled: true Performance/Squeeze: Enabled: true Performance/StringInclude: Enabled: true Performance/Sum: Enabled: true Style/CollectionMethods: Enabled: true Style/MethodCalledOnDoEndBlock: Enabled: true Style/StringMethods: Enabled: true Bundler/GemFilename: Enabled: false Bundler/InsecureProtocolSource: Enabled: false Capybara/CurrentPathExpectation: Enabled: false Capybara/VisibilityMatcher: Enabled: false Gemspec/DuplicatedAssignment: Enabled: false Gemspec/OrderedDependencies: Enabled: false Gemspec/RequiredRubyVersion: Enabled: false Gemspec/RubyVersionGlobalsUsage: 
Enabled: false Layout/ArgumentAlignment: Enabled: false Layout/BeginEndAlignment: Enabled: false Layout/ClosingHeredocIndentation: Enabled: false Layout/EmptyComment: Enabled: false Layout/EmptyLineAfterGuardClause: Enabled: false Layout/EmptyLinesAroundArguments: Enabled: false Layout/EmptyLinesAroundAttributeAccessor: Enabled: false Layout/EndOfLine: Enabled: false Layout/FirstArgumentIndentation: Enabled: false Layout/HashAlignment: Enabled: false Layout/HeredocIndentation: Enabled: false Layout/LeadingEmptyLines: Enabled: false Layout/SpaceAroundMethodCallOperator: Enabled: false Layout/SpaceInsideArrayLiteralBrackets: Enabled: false Layout/SpaceInsideReferenceBrackets: Enabled: false Lint/BigDecimalNew: Enabled: false Lint/BooleanSymbol: Enabled: false Lint/ConstantDefinitionInBlock: Enabled: false Lint/DeprecatedOpenSSLConstant: Enabled: false Lint/DisjunctiveAssignmentInConstructor: Enabled: false Lint/DuplicateElsifCondition: Enabled: false Lint/DuplicateRequire: Enabled: false Lint/DuplicateRescueException: Enabled: false Lint/EmptyConditionalBody: Enabled: false Lint/EmptyFile: Enabled: false Lint/ErbNewArguments: Enabled: false Lint/FloatComparison: Enabled: false Lint/HashCompareByIdentity: Enabled: false Lint/IdentityComparison: Enabled: false Lint/InterpolationCheck: Enabled: false Lint/MissingCopEnableDirective: Enabled: false Lint/MixedRegexpCaptureTypes: Enabled: false Lint/NestedPercentLiteral: Enabled: false Lint/NonDeterministicRequireOrder: Enabled: false Lint/OrderedMagicComments: Enabled: false Lint/OutOfRangeRegexpRef: Enabled: false Lint/RaiseException: Enabled: false Lint/RedundantCopEnableDirective: Enabled: false Lint/RedundantRequireStatement: Enabled: false Lint/RedundantSafeNavigation: Enabled: false Lint/RedundantWithIndex: Enabled: false Lint/RedundantWithObject: Enabled: false Lint/RegexpAsCondition: Enabled: false Lint/ReturnInVoidContext: Enabled: false Lint/SafeNavigationConsistency: Enabled: false Lint/SafeNavigationWithEmpty: 
Enabled: false Lint/SelfAssignment: Enabled: false Lint/SendWithMixinArgument: Enabled: false Lint/ShadowedArgument: Enabled: false Lint/StructNewOverride: Enabled: false Lint/ToJSON: Enabled: false Lint/TopLevelReturnWithArgument: Enabled: false Lint/TrailingCommaInAttributeDeclaration: Enabled: false Lint/UnreachableLoop: Enabled: false Lint/UriEscapeUnescape: Enabled: false Lint/UriRegexp: Enabled: false Lint/UselessMethodDefinition: Enabled: false Lint/UselessTimes: Enabled: false Metrics/AbcSize: Enabled: false Metrics/BlockLength: Enabled: false Metrics/BlockNesting: Enabled: false Metrics/ClassLength: Enabled: false Metrics/CyclomaticComplexity: Enabled: false Metrics/MethodLength: Enabled: false Metrics/ModuleLength: Enabled: false Metrics/ParameterLists: Enabled: false Metrics/PerceivedComplexity: Enabled: false Migration/DepartmentName: Enabled: false Naming/AccessorMethodName: Enabled: false Naming/BlockParameterName: Enabled: false Naming/HeredocDelimiterCase: Enabled: false Naming/HeredocDelimiterNaming: Enabled: false Naming/MemoizedInstanceVariableName: Enabled: false Naming/MethodParameterName: Enabled: false Naming/RescuedExceptionsVariableName: Enabled: false Naming/VariableNumber: Enabled: false Performance/BindCall: Enabled: false Performance/DeletePrefix: Enabled: false Performance/DeleteSuffix: Enabled: false Performance/InefficientHashSearch: Enabled: false Performance/UnfreezeString: Enabled: false Performance/UriDefaultParser: Enabled: false RSpec/Be: Enabled: false RSpec/Capybara/FeatureMethods: Enabled: false RSpec/ContainExactly: Enabled: false RSpec/ContextMethod: Enabled: false RSpec/ContextWording: Enabled: false RSpec/DescribeClass: Enabled: false RSpec/EmptyHook: Enabled: false RSpec/EmptyLineAfterExample: Enabled: false RSpec/EmptyLineAfterExampleGroup: Enabled: false RSpec/EmptyLineAfterHook: Enabled: false RSpec/ExampleLength: Enabled: false RSpec/ExampleWithoutDescription: Enabled: false RSpec/ExpectChange: Enabled: false 
RSpec/ExpectInHook: Enabled: false RSpec/FactoryBot/AttributeDefinedStatically: Enabled: false RSpec/FactoryBot/CreateList: Enabled: false RSpec/FactoryBot/FactoryClassName: Enabled: false RSpec/HooksBeforeExamples: Enabled: false RSpec/ImplicitBlockExpectation: Enabled: false RSpec/ImplicitSubject: Enabled: false RSpec/LeakyConstantDeclaration: Enabled: false RSpec/LetBeforeExamples: Enabled: false RSpec/MatchArray: Enabled: false RSpec/MissingExampleGroupArgument: Enabled: false RSpec/MultipleExpectations: Enabled: false RSpec/MultipleMemoizedHelpers: Enabled: false RSpec/MultipleSubjects: Enabled: false RSpec/NestedGroups: Enabled: false RSpec/PredicateMatcher: Enabled: false RSpec/ReceiveCounts: Enabled: false RSpec/ReceiveNever: Enabled: false RSpec/RepeatedExampleGroupBody: Enabled: false RSpec/RepeatedExampleGroupDescription: Enabled: false RSpec/RepeatedIncludeExample: Enabled: false RSpec/ReturnFromStub: Enabled: false RSpec/SharedExamples: Enabled: false RSpec/StubbedMock: Enabled: false RSpec/UnspecifiedException: Enabled: false RSpec/VariableDefinition: Enabled: false RSpec/VoidExpect: Enabled: false RSpec/Yield: Enabled: false Security/Open: Enabled: false Style/AccessModifierDeclarations: Enabled: false Style/AccessorGrouping: Enabled: false Style/BisectedAttrAccessor: Enabled: false Style/CaseLikeIf: Enabled: false Style/ClassEqualityComparison: Enabled: false Style/ColonMethodDefinition: Enabled: false Style/CombinableLoops: Enabled: false Style/CommentedKeyword: Enabled: false Style/Dir: Enabled: false Style/DoubleCopDisableDirective: Enabled: false Style/EmptyBlockParameter: Enabled: false Style/EmptyLambdaParameter: Enabled: false Style/Encoding: Enabled: false Style/EvalWithLocation: Enabled: false Style/ExpandPathArguments: Enabled: false Style/ExplicitBlockArgument: Enabled: false Style/ExponentialNotation: Enabled: false Style/FloatDivision: Enabled: false Style/FrozenStringLiteralComment: Enabled: false Style/GlobalStdStream: Enabled: false 
Style/HashAsLastArrayItem: Enabled: false Style/HashLikeCase: Enabled: false Style/HashTransformKeys: Enabled: false Style/HashTransformValues: Enabled: false Style/IfUnlessModifier: Enabled: false Style/KeywordParametersOrder: Enabled: false Style/MinMax: Enabled: false Style/MixinUsage: Enabled: false Style/MultilineWhenThen: Enabled: false Style/NegatedUnless: Enabled: false Style/NumericPredicate: Enabled: false Style/OptionalBooleanParameter: Enabled: false Style/OrAssignment: Enabled: false Style/RandomWithOffset: Enabled: false Style/RedundantAssignment: Enabled: false Style/RedundantCondition: Enabled: false Style/RedundantConditional: Enabled: false Style/RedundantFetchBlock: Enabled: false Style/RedundantFileExtensionInRequire: Enabled: false Style/RedundantRegexpCharacterClass: Enabled: false Style/RedundantRegexpEscape: Enabled: false Style/RedundantSelfAssignment: Enabled: false Style/RedundantSort: Enabled: false Style/RescueStandardError: Enabled: false Style/SingleArgumentDig: Enabled: false Style/SlicingWithRange: Enabled: false Style/SoleNestedConditional: Enabled: false Style/StderrPuts: Enabled: false Style/StringConcatenation: Enabled: false Style/Strip: Enabled: false Style/SymbolProc: Enabled: false Style/TrailingBodyOnClass: Enabled: false Style/TrailingBodyOnMethodDefinition: Enabled: false Style/TrailingBodyOnModule: Enabled: false Style/TrailingCommaInHashLiteral: Enabled: false Style/TrailingMethodEndStatement: Enabled: false Style/UnpackFirst: Enabled: false Capybara/MatchStyle: Enabled: false Capybara/NegationMatcher: Enabled: false Capybara/SpecificActions: Enabled: false Capybara/SpecificFinders: Enabled: false Capybara/SpecificMatcher: Enabled: false Gemspec/DeprecatedAttributeAssignment: Enabled: false Gemspec/DevelopmentDependencies: Enabled: false Gemspec/RequireMFA: Enabled: false Layout/LineContinuationLeadingSpace: Enabled: false Layout/LineContinuationSpacing: Enabled: false Layout/LineEndStringConcatenationIndentation: 
Enabled: false Layout/SpaceBeforeBrackets: Enabled: false Lint/AmbiguousAssignment: Enabled: false Lint/AmbiguousOperatorPrecedence: Enabled: false Lint/AmbiguousRange: Enabled: false Lint/ConstantOverwrittenInRescue: Enabled: false Lint/DeprecatedConstants: Enabled: false Lint/DuplicateBranch: Enabled: false Lint/DuplicateMagicComment: Enabled: false Lint/DuplicateRegexpCharacterClassElement: Enabled: false Lint/EmptyBlock: Enabled: false Lint/EmptyClass: Enabled: false Lint/EmptyInPattern: Enabled: false Lint/IncompatibleIoSelectWithFiberScheduler: Enabled: false Lint/LambdaWithoutLiteralBlock: Enabled: false Lint/NoReturnInBeginEndBlocks: Enabled: false Lint/NonAtomicFileOperation: Enabled: false Lint/NumberedParameterAssignment: Enabled: false Lint/OrAssignmentToConstant: Enabled: false Lint/RedundantDirGlobSort: Enabled: false Lint/RefinementImportMethods: Enabled: false Lint/RequireRangeParentheses: Enabled: false Lint/RequireRelativeSelfPath: Enabled: false Lint/SymbolConversion: Enabled: false Lint/ToEnumArguments: Enabled: false Lint/TripleQuotes: Enabled: false Lint/UnexpectedBlockArity: Enabled: false Lint/UnmodifiedReduceAccumulator: Enabled: false Lint/UselessRescue: Enabled: false Lint/UselessRuby2Keywords: Enabled: false Metrics/CollectionLiteralLength: Enabled: false Naming/BlockForwarding: Enabled: false Performance/CollectionLiteralInLoop: Enabled: false Performance/ConcurrentMonotonicTime: Enabled: false Performance/MapCompact: Enabled: false Performance/RedundantEqualityComparisonBlock: Enabled: false Performance/RedundantSplitRegexpArgument: Enabled: false Performance/StringIdentifierArgument: Enabled: false RSpec/BeEq: Enabled: false RSpec/BeNil: Enabled: false RSpec/ChangeByZero: Enabled: false RSpec/ClassCheck: Enabled: false RSpec/DuplicatedMetadata: Enabled: false RSpec/ExcessiveDocstringSpacing: Enabled: false RSpec/FactoryBot/ConsistentParenthesesStyle: Enabled: false RSpec/FactoryBot/FactoryNameStyle: Enabled: false 
RSpec/FactoryBot/SyntaxMethods: Enabled: false RSpec/IdenticalEqualityAssertion: Enabled: false RSpec/NoExpectationExample: Enabled: false RSpec/PendingWithoutReason: Enabled: false RSpec/Rails/AvoidSetupHook: Enabled: false RSpec/Rails/HaveHttpStatus: Enabled: false RSpec/Rails/InferredSpecType: Enabled: false RSpec/Rails/MinitestAssertions: Enabled: false RSpec/Rails/TravelAround: Enabled: false RSpec/RedundantAround: Enabled: false RSpec/SkipBlockInsideExample: Enabled: false RSpec/SortMetadata: Enabled: false RSpec/SubjectDeclaration: Enabled: false RSpec/VerifiedDoubleReference: Enabled: false Security/CompoundHash: Enabled: false Security/IoMethods: Enabled: false Style/ArgumentsForwarding: Enabled: false Style/ArrayIntersect: Enabled: false Style/CollectionCompact: Enabled: false Style/ComparableClamp: Enabled: false Style/ConcatArrayLiterals: Enabled: false Style/DirEmpty: Enabled: false Style/DocumentDynamicEvalDefinition: Enabled: false Style/EmptyHeredoc: Enabled: false Style/EndlessMethod: Enabled: false Style/EnvHome: Enabled: false Style/FetchEnvVar: Enabled: false Style/FileEmpty: Enabled: false Style/FileRead: Enabled: false Style/FileWrite: Enabled: false Style/HashConversion: Enabled: false Style/HashExcept: Enabled: false Style/IfWithBooleanLiteralBranches: Enabled: false Style/InPatternThen: Enabled: false Style/MagicCommentFormat: Enabled: false Style/MapCompactWithConditionalBlock: Enabled: false Style/MapToHash: Enabled: false Style/MapToSet: Enabled: false Style/MinMaxComparison: Enabled: false Style/MultilineInPatternThen: Enabled: false Style/NegatedIfElseCondition: Enabled: false Style/NestedFileDirname: Enabled: false Style/NilLambda: Enabled: false Style/NumberedParameters: Enabled: false Style/NumberedParametersLimit: Enabled: false Style/ObjectThen: Enabled: false Style/OpenStructUse: Enabled: false Style/OperatorMethodCall: Enabled: false Style/QuotedSymbols: Enabled: false Style/RedundantArgument: Enabled: false 
Style/RedundantConstantBase: Enabled: false Style/RedundantDoubleSplatHashBraces: Enabled: false Style/RedundantEach: Enabled: false Style/RedundantHeredocDelimiterQuotes: Enabled: false Style/RedundantInitialize: Enabled: false Style/RedundantSelfAssignmentBranch: Enabled: false Style/RedundantStringEscape: Enabled: false Style/SelectByRegexp: Enabled: false Style/StringChars: Enabled: false Style/SwapValues: Enabled: false puppetlabs-firewall-8.0.0/.rubocop_todo.yml0100644000175100001770000000503714561126655016004 0ustar00# This configuration was generated by # `rubocop --auto-gen-config` # on 2023-08-29 15:26:08 UTC using RuboCop version 1.48.1. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new # versions of RuboCop, may require this file to be generated again. # Offense count: 20 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes. Metrics/AbcSize: Max: 270 # Offense count: 2 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns, inherit_mode. # AllowedMethods: refine Metrics/BlockLength: Max: 127 # Offense count: 3 # Configuration parameters: CountComments, CountAsOne. Metrics/ClassLength: Max: 776 # Offense count: 17 # Configuration parameters: AllowedMethods, AllowedPatterns. Metrics/CyclomaticComplexity: Max: 122 # Offense count: 20 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns. Metrics/MethodLength: Max: 135 # Offense count: 12 # Configuration parameters: AllowedMethods, AllowedPatterns. Metrics/PerceivedComplexity: Max: 122 # Offense count: 18 # Configuration parameters: IgnoredMetadata. RSpec/DescribeClass: Enabled: false # Offense count: 9 # Configuration parameters: CountAsOne. 
RSpec/ExampleLength: Max: 8 # Offense count: 41 RSpec/MultipleExpectations: Max: 2 # Offense count: 38 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples. # SupportedStyles: always, named_only RSpec/NamedSubject: Exclude: - 'spec/unit/classes/firewall_linux_archlinux_spec.rb' - 'spec/unit/classes/firewall_linux_debian_spec.rb' - 'spec/unit/classes/firewall_linux_redhat_spec.rb' # Offense count: 38 # Configuration parameters: AllowedGroups. RSpec/NestedGroups: Max: 5 # Offense count: 43 # Configuration parameters: AllowedPatterns. # AllowedPatterns: ^expect_, ^assert_ RSpec/NoExpectationExample: Exclude: - 'spec/acceptance/class_spec.rb' - 'spec/acceptance/firewall_attributes_exceptions_spec.rb' - 'spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb' - 'spec/acceptance/firewallchain_spec.rb' - 'spec/acceptance/rules_spec.rb' - 'spec/acceptance/standard_usage_spec.rb' # Offense count: 83 # Configuration parameters: AllowedVariables. Style/GlobalVars: Exclude: - 'lib/puppet/provider/firewall/firewall.rb' - 'lib/puppet/provider/firewallchain/firewallchain.rb' # Offense count: 1 Style/MixinUsage: Exclude: - 'spec/spec_helper.rb' puppetlabs-firewall-8.0.0/CHANGELOG.md0100644000175100001770000017441514561126655014325 0ustar00 # Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). 
## [v8.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.0) - 2024-02-08 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.2...v8.0.0) ### Changed - [CAT-1425] : Removing RedHat/Scientific/OracleLinux 6 [#1163](https://github.com/puppetlabs/puppetlabs-firewall/pull/1163) ([rajat-puppet](https://github.com/rajat-puppet)) ### Fixed - (GH-1164) Only common jump values should be enforced as upcase [#1165](https://github.com/puppetlabs/puppetlabs-firewall/pull/1165) ([david22swan](https://github.com/david22swan)) ## [v7.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/v7.0.2) - 2023-09-14 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.1...v7.0.2) ### Fixed - (GH-1158) Fix for `dport/sport/state/ctstate/ctstatus` comparisons [#1160](https://github.com/puppetlabs/puppetlabs-firewall/pull/1160) ([david22swan](https://github.com/david22swan)) ## [v7.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v7.0.1) - 2023-09-14 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.0...v7.0.1) ### Fixed - (GH-1156) Fix for jump/goto attributes [#1157](https://github.com/puppetlabs/puppetlabs-firewall/pull/1157) ([david22swan](https://github.com/david22swan)) ## [v7.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v7.0.0) - 2023-09-13 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v6.0.0...v7.0.0) ### Changed - (CAT-376) Rework firewall module to use the resource_api [#1145](https://github.com/puppetlabs/puppetlabs-firewall/pull/1145) ([david22swan](https://github.com/david22swan)) ### Fixed - (maint) Update all README.md mentions of `action` to `jump` [#1151](https://github.com/puppetlabs/puppetlabs-firewall/pull/1151) ([david22swan](https://github.com/david22swan)) - (RUBOCOP) Resolve Rubocop Issues [#1149](https://github.com/puppetlabs/puppetlabs-firewall/pull/1149) ([david22swan](https://github.com/david22swan)) ## 
[v6.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v6.0.0) - 2023-07-25 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v5.0.0...v6.0.0) ### Changed - (CONT-242) Fix duplicate rule detection [#1140](https://github.com/puppetlabs/puppetlabs-firewall/pull/1140) ([david22swan](https://github.com/david22swan)) - pdksync - (MAINT) - Require Stdlib 9.x only [#1135](https://github.com/puppetlabs/puppetlabs-firewall/pull/1135) ([LukasAud](https://github.com/LukasAud)) ### Added - Add support for parsing and using --tcp-option [#1126](https://github.com/puppetlabs/puppetlabs-firewall/pull/1126) ([greatflyingsteve](https://github.com/greatflyingsteve)) ### Fixed - disable firewalld for RedHat 9 [#1142](https://github.com/puppetlabs/puppetlabs-firewall/pull/1142) ([robertc99](https://github.com/robertc99)) - Change ip6tables_version to constant in provider. [#1134](https://github.com/puppetlabs/puppetlabs-firewall/pull/1134) ([pjakubcz](https://github.com/pjakubcz)) - Fix SELinux context on newer CentOS [#1123](https://github.com/puppetlabs/puppetlabs-firewall/pull/1123) ([tobias-urdin](https://github.com/tobias-urdin)) - Force firewall chain delete [#1104](https://github.com/puppetlabs/puppetlabs-firewall/pull/1104) ([cruelsmith](https://github.com/cruelsmith)) ## [v5.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v5.0.0) - 2023-03-31 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v4.1.0...v5.0.0) ### Changed - (Cont 779) Add Support for Puppet 8 / Drop Support for Puppet 6 [#1118](https://github.com/puppetlabs/puppetlabs-firewall/pull/1118) ([david22swan](https://github.com/david22swan)) ## [v4.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v4.1.0) - 2023-03-31 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v4.0.1...v4.1.0) ### Added - (CONT-352) Syntax update [#1110](https://github.com/puppetlabs/puppetlabs-firewall/pull/1110) 
([LukasAud](https://github.com/LukasAud)) ### Fixed - Ignore OpenBSD, similarly to FreeBSD [#1107](https://github.com/puppetlabs/puppetlabs-firewall/pull/1107) ([buzzdeee](https://github.com/buzzdeee)) - redhat9 needs iptables service [#1103](https://github.com/puppetlabs/puppetlabs-firewall/pull/1103) ([robertc99](https://github.com/robertc99)) - debian: service: fix `ensure` parameter usage [#1095](https://github.com/puppetlabs/puppetlabs-firewall/pull/1095) ([damonbreeden](https://github.com/damonbreeden)) ## [v4.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v4.0.1) - 2022-12-07 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v4.0.0...v4.0.1) ### Fixed - (GH-1097) Bumping back required puppet version [#1098](https://github.com/puppetlabs/puppetlabs-firewall/pull/1098) ([LukasAud](https://github.com/LukasAud)) - support --nflog-size as replacement for --nflog-range [#1096](https://github.com/puppetlabs/puppetlabs-firewall/pull/1096) ([kjetilho](https://github.com/kjetilho)) - (1093) - Fix unresolved fact error [#1094](https://github.com/puppetlabs/puppetlabs-firewall/pull/1094) ([jordanbreen28](https://github.com/jordanbreen28)) - package "iptables" has been replaced by "iptables-nft" on EL9 [#1085](https://github.com/puppetlabs/puppetlabs-firewall/pull/1085) ([kjetilho](https://github.com/kjetilho)) ## [v4.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v4.0.0) - 2022-11-22 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.6.0...v4.0.0) ### Changed - (CONT-256) Removing outdated code [#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud)) ### Added - add support for using rpfilter in rules [#1059](https://github.com/puppetlabs/puppetlabs-firewall/pull/1059) ([cmusik](https://github.com/cmusik)) ### Fixed - (CONT-173) - Updating deprecated facter instances [#1079](https://github.com/puppetlabs/puppetlabs-firewall/pull/1079) 
([jordanbreen28](https://github.com/jordanbreen28)) - pdksync - (CONT-189) Remove support for RedHat6 / OracleLinux6 / Scientific6 [#1078](https://github.com/puppetlabs/puppetlabs-firewall/pull/1078) ([david22swan](https://github.com/david22swan)) - pdksync - (CONT-130) - Dropping Support for Debian 9 [#1075](https://github.com/puppetlabs/puppetlabs-firewall/pull/1075) ([jordanbreen28](https://github.com/jordanbreen28)) - fix service port number lookup to use protocol [#1023](https://github.com/puppetlabs/puppetlabs-firewall/pull/1023) ([kjetilho](https://github.com/kjetilho)) ## [v3.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.6.0) - 2022-10-03 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.5.0...v3.6.0) ### Added - pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 [#1063](https://github.com/puppetlabs/puppetlabs-firewall/pull/1063) ([david22swan](https://github.com/david22swan)) - pdksync - (GH-cat-12) Add Support for Redhat 9 [#1054](https://github.com/puppetlabs/puppetlabs-firewall/pull/1054) ([david22swan](https://github.com/david22swan)) ### Fixed - allow persistence of firewall rules for Suse [#1061](https://github.com/puppetlabs/puppetlabs-firewall/pull/1061) ([corporate-gadfly](https://github.com/corporate-gadfly)) - (GH-1055) Fix for `--random-fully` [#1058](https://github.com/puppetlabs/puppetlabs-firewall/pull/1058) ([david22swan](https://github.com/david22swan)) ## [v3.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.5.0) - 2022-05-17 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.4.0...v3.5.0) ### Added - CentOS Stream 9 Support (should include RHEL9 when that releases) [#1028](https://github.com/puppetlabs/puppetlabs-firewall/pull/1028) ([tskirvin](https://github.com/tskirvin)) ### Fixed - pdksync - (GH-iac-334) Remove Support for Ubuntu 14.04/16.04 [#1038](https://github.com/puppetlabs/puppetlabs-firewall/pull/1038) 
([david22swan](https://github.com/david22swan)) - Fix rpfilter parameter [#1013](https://github.com/puppetlabs/puppetlabs-firewall/pull/1013) ([onyxmaster](https://github.com/onyxmaster)) ## [v3.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.4.0) - 2022-02-28 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.3.0...v3.4.0) ### Added - (SEC-944) Handle duplicate system rules [#1030](https://github.com/puppetlabs/puppetlabs-firewall/pull/1030) ([chelnak](https://github.com/chelnak)) ### Fixed - pdksync - (IAC-1787) Remove Support for CentOS 6 [#1027](https://github.com/puppetlabs/puppetlabs-firewall/pull/1027) ([david22swan](https://github.com/david22swan)) ## [v3.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.3.0) - 2021-12-15 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.2.0...v3.3.0) ### Added - pdksync - (IAC-1753) - Add Support for AlmaLinux 8 [#1020](https://github.com/puppetlabs/puppetlabs-firewall/pull/1020) ([david22swan](https://github.com/david22swan)) - pdksync - (IAC-1751) - Add Support for Rocky 8 [#1017](https://github.com/puppetlabs/puppetlabs-firewall/pull/1017) ([david22swan](https://github.com/david22swan)) ### Fixed - Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range [#1019](https://github.com/puppetlabs/puppetlabs-firewall/pull/1019) ([cmd-ntrf](https://github.com/cmd-ntrf)) - Fedora 34 and iptables-compat fix; properly utilising iptables param. 
[#1018](https://github.com/puppetlabs/puppetlabs-firewall/pull/1018) ([adamboutcher](https://github.com/adamboutcher)) - pdksync - (IAC-1598) - Remove Support for Debian 8 [#1015](https://github.com/puppetlabs/puppetlabs-firewall/pull/1015) ([david22swan](https://github.com/david22swan)) - Add carp protocol to :proto property [#1014](https://github.com/puppetlabs/puppetlabs-firewall/pull/1014) ([adrianiurca](https://github.com/adrianiurca)) - (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing [#981](https://github.com/puppetlabs/puppetlabs-firewall/pull/981) ([tskirvin](https://github.com/tskirvin)) ## [v3.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.2.0) - 2021-09-06 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.1.0...v3.2.0) ### Added - pdksync - (IAC-1709) - Add Support for Debian 11 [#1005](https://github.com/puppetlabs/puppetlabs-firewall/pull/1005) ([david22swan](https://github.com/david22swan)) ### Fixed - Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present [#1010](https://github.com/puppetlabs/puppetlabs-firewall/pull/1010) ([onyxmaster](https://github.com/onyxmaster)) ## [v3.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.1.0) - 2021-07-26 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.0.2...v3.1.0) ### Added - add compatibility with Rocky Linux [#998](https://github.com/puppetlabs/puppetlabs-firewall/pull/998) ([vchepkov](https://github.com/vchepkov)) ### Fixed - (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 [#1002](https://github.com/puppetlabs/puppetlabs-firewall/pull/1002) ([adrianiurca](https://github.com/adrianiurca)) ## [v3.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.0.2) - 2021-07-19 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.0.1...v3.0.2) ### Fixed - sles-15: mac_source is downcased 
by iptables [#997](https://github.com/puppetlabs/puppetlabs-firewall/pull/997) ([adrianiurca](https://github.com/adrianiurca)) - fix: parsing random_fully in ip6tables [#996](https://github.com/puppetlabs/puppetlabs-firewall/pull/996) ([scoiatael](https://github.com/scoiatael)) ## [v3.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.0.1) - 2021-06-21 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.0.0...v3.0.1) ### Fixed - Fixed link to REFERENCE.md [#993](https://github.com/puppetlabs/puppetlabs-firewall/pull/993) ([Samgarr](https://github.com/Samgarr)) - Update README.md [#986](https://github.com/puppetlabs/puppetlabs-firewall/pull/986) ([arjenz](https://github.com/arjenz)) ## [v3.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.0.0) - 2021-03-01 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.1...v3.0.0) ### Changed - pdksync - (MAINT) Remove SLES 11 support [#977](https://github.com/puppetlabs/puppetlabs-firewall/pull/977) ([sanfrancrisko](https://github.com/sanfrancrisko)) - pdksync - (MAINT) Remove RHEL 5 family support [#976](https://github.com/puppetlabs/puppetlabs-firewall/pull/976) ([sanfrancrisko](https://github.com/sanfrancrisko)) - pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 [#972](https://github.com/puppetlabs/puppetlabs-firewall/pull/972) ([carabasdaniel](https://github.com/carabasdaniel)) ## [v2.8.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.1) - 2021-02-09 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.0...v2.8.1) ### Fixed - [MODULES-10907] Do not remove spaces from hex string with ! 
[#967](https://github.com/puppetlabs/puppetlabs-firewall/pull/967) ([adrianiurca](https://github.com/adrianiurca)) ## [v2.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.0) - 2020-12-14 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.7.0...v2.8.0) ### Added - pdksync - (feat) - Add support for Puppet 7 [#959](https://github.com/puppetlabs/puppetlabs-firewall/pull/959) ([daianamezdrea](https://github.com/daianamezdrea)) - (IAC-966) - MODULES-10522: Add support for the --condition parameter [#941](https://github.com/puppetlabs/puppetlabs-firewall/pull/941) ([adrianiurca](https://github.com/adrianiurca)) ### Fixed - Restore copyright names [#951](https://github.com/puppetlabs/puppetlabs-firewall/pull/951) ([hunner](https://github.com/hunner)) ## [v2.7.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.7.0) - 2020-10-15 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.6.0...v2.7.0) ### Added - (IAC-1190) add `ignore_foreign` when purging firewallchains [#948](https://github.com/puppetlabs/puppetlabs-firewall/pull/948) ([DavidS](https://github.com/DavidS)) ## [v2.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.6.0) - 2020-10-05 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.5.0...v2.6.0) ### Added - pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main [#933](https://github.com/puppetlabs/puppetlabs-firewall/pull/933) ([david22swan](https://github.com/david22swan)) ### Fixed - Add carp protocol to :proto property [#945](https://github.com/puppetlabs/puppetlabs-firewall/pull/945) ([pellisesol](https://github.com/pellisesol)) - Fix extra quotes in firewall string matching [#944](https://github.com/puppetlabs/puppetlabs-firewall/pull/944) ([IBBoard](https://github.com/IBBoard)) - (IAC-987) - Removal of inappropriate terminology [#942](https://github.com/puppetlabs/puppetlabs-firewall/pull/942) 
([david22swan](https://github.com/david22swan)) ## [v2.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.5.0) - 2020-07-28 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.4.0...v2.5.0) ### Added - Add acceptance and unit test [#931](https://github.com/puppetlabs/puppetlabs-firewall/pull/931) ([adrianiurca](https://github.com/adrianiurca)) - [IAC-899] - Add acceptance test for string_hex parameter [#930](https://github.com/puppetlabs/puppetlabs-firewall/pull/930) ([adrianiurca](https://github.com/adrianiurca)) - Add support for NFLOG options to ip6tables [#921](https://github.com/puppetlabs/puppetlabs-firewall/pull/921) ([frh](https://github.com/frh)) ## [v2.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.4.0) - 2020-05-13 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.3.0...v2.4.0) ### Added - Add support for u32 module in iptables [#917](https://github.com/puppetlabs/puppetlabs-firewall/pull/917) ([sanfrancrisko](https://github.com/sanfrancrisko)) - Add support for cgroup arg [#916](https://github.com/puppetlabs/puppetlabs-firewall/pull/916) ([akerl-unpriv](https://github.com/akerl-unpriv)) - Extend LOG options [#914](https://github.com/puppetlabs/puppetlabs-firewall/pull/914) ([martialblog](https://github.com/martialblog)) ### Fixed - (MODULES-8543) Remove nftables' backend warning from iptables_save output [#911](https://github.com/puppetlabs/puppetlabs-firewall/pull/911) ([NITEMAN](https://github.com/NITEMAN)) ## [v2.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.3.0) - 2020-03-26 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.2.0...v2.3.0) ### Added - Add iptables --hex-string support to firewall resource [#907](https://github.com/puppetlabs/puppetlabs-firewall/pull/907) ([alexconrey](https://github.com/alexconrey)) - Add random_fully and rpfilter support [#892](https://github.com/puppetlabs/puppetlabs-firewall/pull/892) 
([treydock](https://github.com/treydock)) - (MODULES-7800) Add the ability to specify iptables connection tracking helpers. [#890](https://github.com/puppetlabs/puppetlabs-firewall/pull/890) ([jimmyt86](https://github.com/jimmyt86)) - Support conntrack module [#872](https://github.com/puppetlabs/puppetlabs-firewall/pull/872) ([haught](https://github.com/haught)) ### Fixed - (maint) Use fact.flush only when available [#906](https://github.com/puppetlabs/puppetlabs-firewall/pull/906) ([Filipovici-Andrei](https://github.com/Filipovici-Andrei)) - (MODULES-10358) - Clarification added to Boolean validation checks [#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan)) - Merge and remove duplicate README file, lint code snippets [#878](https://github.com/puppetlabs/puppetlabs-firewall/pull/878) ([runejuhl](https://github.com/runejuhl)) ## [v2.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.2.0) - 2019-12-09 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.1.0...v2.2.0) ### Added - Add support for Debian Unstable [#876](https://github.com/puppetlabs/puppetlabs-firewall/pull/876) ([martialblog](https://github.com/martialblog)) - (FM-8673) - Support added for CentOS 8 [#873](https://github.com/puppetlabs/puppetlabs-firewall/pull/873) ([david22swan](https://github.com/david22swan)) - FM-8400 - add debian10 support [#862](https://github.com/puppetlabs/puppetlabs-firewall/pull/862) ([lionce](https://github.com/lionce)) - FM-8219 - Convert to litmus [#855](https://github.com/puppetlabs/puppetlabs-firewall/pull/855) ([lionce](https://github.com/lionce)) ### Fixed - Change - Avoid puppet failures on windows nodes [#874](https://github.com/puppetlabs/puppetlabs-firewall/pull/874) ([blackknight36](https://github.com/blackknight36)) - Fix parsing iptables rules with hyphen in comments [#861](https://github.com/puppetlabs/puppetlabs-firewall/pull/861) 
([Hexta](https://github.com/Hexta)) ## [v2.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.1.0) - 2019-09-25 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.0.0...v2.1.0) ### Added - (MODULES-6136) Add zone property of CT target. [#852](https://github.com/puppetlabs/puppetlabs-firewall/pull/852) ([rwf14f](https://github.com/rwf14f)) - (FM-8025) Add RedHat 8 support [#847](https://github.com/puppetlabs/puppetlabs-firewall/pull/847) ([eimlav](https://github.com/eimlav)) ### Fixed - MODULES-9801 - fix negated physdev [#858](https://github.com/puppetlabs/puppetlabs-firewall/pull/858) ([lionce](https://github.com/lionce)) ## [v2.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.0.0) - 2019-05-15 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.3...v2.0.0) ### Changed - pdksync - (MODULES-8444) - Raise lower Puppet bound [#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan)) ### Added - (FM-7903) - Implement Puppet Strings [#838](https://github.com/puppetlabs/puppetlabs-firewall/pull/838) ([david22swan](https://github.com/david22swan)) ### Fixed - (MODULES-8736) IPtables support on RHEL8 [#824](https://github.com/puppetlabs/puppetlabs-firewall/pull/824) ([EmilienM](https://github.com/EmilienM)) ## [1.15.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.3) - 2019-04-05 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.2...1.15.3) ### Fixed - (MODULES-8855) Move ipvs test to exception spec [#834](https://github.com/puppetlabs/puppetlabs-firewall/pull/834) ([eimlav](https://github.com/eimlav)) - (MODULES-8842) Fix ipvs not idempotent [#833](https://github.com/puppetlabs/puppetlabs-firewall/pull/833) ([eimlav](https://github.com/eimlav)) ## [1.15.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.2) - 2019-03-26 [Full 
Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.1...1.15.2) ### Fixed - (MODULES-8615) Fix rules with ipvs not parsing [#828](https://github.com/puppetlabs/puppetlabs-firewall/pull/828) ([eimlav](https://github.com/eimlav)) - (MODULES-7333) - Change hashing method from MD5 to SHA256 [#827](https://github.com/puppetlabs/puppetlabs-firewall/pull/827) ([david22swan](https://github.com/david22swan)) - (MODULES-6547) Fix existing rules with --dport not parsing [#826](https://github.com/puppetlabs/puppetlabs-firewall/pull/826) ([eimlav](https://github.com/eimlav)) - (MODULES-8648) - Fix for failures on SLES 11 [#816](https://github.com/puppetlabs/puppetlabs-firewall/pull/816) ([david22swan](https://github.com/david22swan)) - (MODULES-8584) Handle multiple escaped quotes in comments properly [#815](https://github.com/puppetlabs/puppetlabs-firewall/pull/815) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - External control for iptables-persistent [#795](https://github.com/puppetlabs/puppetlabs-firewall/pull/795) ([identw](https://github.com/identw)) ## [1.15.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.1) - 2019-02-01 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.0...1.15.1) ### Fixed - (DOC-3056) Remove mention of rules ordering [#809](https://github.com/puppetlabs/puppetlabs-firewall/pull/809) ([clairecadman](https://github.com/clairecadman)) - (FM-7712) - Remove Gentoo 1.0 testing/support for Firewall module [#808](https://github.com/puppetlabs/puppetlabs-firewall/pull/808) ([david22swan](https://github.com/david22swan)) - (MODULES-8360) Fix IPv6 bug relating to Bugzilla 1015 [#804](https://github.com/puppetlabs/puppetlabs-firewall/pull/804) ([alexharv074](https://github.com/alexharv074)) ## [1.15.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.0) - 2019-01-18 [Full 
Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.14.0...1.15.0) ### Added - (MODULES-8143) - Add SLES 15 support [#798](https://github.com/puppetlabs/puppetlabs-firewall/pull/798) ([eimlav](https://github.com/eimlav)) - Add nftables wrapper support for RHEL8 [#794](https://github.com/puppetlabs/puppetlabs-firewall/pull/794) ([mwhahaha](https://github.com/mwhahaha)) - Changed regex for iniface and outiface to allow '@' in interface names [#791](https://github.com/puppetlabs/puppetlabs-firewall/pull/791) ([GeorgeCox](https://github.com/GeorgeCox)) - (MODULES-8214) Handle src_type and dst_type as array [#790](https://github.com/puppetlabs/puppetlabs-firewall/pull/790) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - (MODULES-7990) Merge multiple comments into one while parsing rules [#789](https://github.com/puppetlabs/puppetlabs-firewall/pull/789) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - add -g flag handling in ip6tables.rb provider [#788](https://github.com/puppetlabs/puppetlabs-firewall/pull/788) ([cestith](https://github.com/cestith)) - (MODULES-7681) Add support for bytecode property [#771](https://github.com/puppetlabs/puppetlabs-firewall/pull/771) ([baurmatt](https://github.com/baurmatt)) ### Fixed - pdksync - (FM-7655) Fix rubygems-update for ruby < 2.3 [#801](https://github.com/puppetlabs/puppetlabs-firewall/pull/801) ([tphoney](https://github.com/tphoney)) - (MODULES-6340) - Address failure when name begins with 9XXX [#796](https://github.com/puppetlabs/puppetlabs-firewall/pull/796) ([eimlav](https://github.com/eimlav)) - Amazon linux 2 changed its major version to 2 with the last update... 
[#793](https://github.com/puppetlabs/puppetlabs-firewall/pull/793) ([erik-frontify](https://github.com/erik-frontify)) ## [1.14.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.14.0) - 2018-09-27 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.13.0...1.14.0) ### Added - pdksync - (MODULES-6805) metadata.json shows support for puppet 6 [#782](https://github.com/puppetlabs/puppetlabs-firewall/pull/782) ([tphoney](https://github.com/tphoney)) - (FM-7399) - Prepare for changelog generator [#780](https://github.com/puppetlabs/puppetlabs-firewall/pull/780) ([pmcmaw](https://github.com/pmcmaw)) ## [1.13.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.13.0) - 2018-09-19 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.12.0...1.13.0) ### Added - pdksync - (MODULES-7705) - Bumping stdlib dependency from < 5.0.0 to < 6.0.0 [#775](https://github.com/puppetlabs/puppetlabs-firewall/pull/775) ([pmcmaw](https://github.com/pmcmaw)) - Add support for Amazon Linux 2 [#768](https://github.com/puppetlabs/puppetlabs-firewall/pull/768) ([erik-frontify](https://github.com/erik-frontify)) - (FM-7232) - Update firewall to support Ubuntu 18.04 [#767](https://github.com/puppetlabs/puppetlabs-firewall/pull/767) ([david22swan](https://github.com/david22swan)) - [FM-7044] Addition of Debian 9 support to firewall [#765](https://github.com/puppetlabs/puppetlabs-firewall/pull/765) ([david22swan](https://github.com/david22swan)) - [FM-6961] Removal of unsupported OS from firewall [#764](https://github.com/puppetlabs/puppetlabs-firewall/pull/764) ([david22swan](https://github.com/david22swan)) ### Fixed - (MODULES-7627) - Update README Limitations section [#769](https://github.com/puppetlabs/puppetlabs-firewall/pull/769) ([eimlav](https://github.com/eimlav)) - Corrections to readme [#766](https://github.com/puppetlabs/puppetlabs-firewall/pull/766) ([alexharv074](https://github.com/alexharv074)) - (MODULES-6129) negated 
option with address mask bugfix [#756](https://github.com/puppetlabs/puppetlabs-firewall/pull/756) ([mirekys](https://github.com/mirekys)) - (MODULES-2119) iptables delete -p all exception [#749](https://github.com/puppetlabs/puppetlabs-firewall/pull/749) ([mikkergimenez](https://github.com/mikkergimenez)) ## [1.12.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.12.0) - 2018-01-25 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.11.0...1.12.0) ### Fixed - MODULES-6261: Fix error parsing rules with dashes in the chain name [#744](https://github.com/puppetlabs/puppetlabs-firewall/pull/744) ([hantona](https://github.com/hantona)) - (MODULES-6092) Set correct seluser for CentOS/RHEL 5.x [#737](https://github.com/puppetlabs/puppetlabs-firewall/pull/737) ([mihall-primus](https://github.com/mihall-primus)) ## [1.11.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.11.0) - 2017-11-30 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.10.0...1.11.0) ### Fixed - (MODULES-6029) Skip unparsable rules with warning [#738](https://github.com/puppetlabs/puppetlabs-firewall/pull/738) ([jistr](https://github.com/jistr)) ## [1.10.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.10.0) - 2017-11-14 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.9.0...1.10.0) ### Changed - (MODULES-5501) - Remove unsupported Ubuntu [#715](https://github.com/puppetlabs/puppetlabs-firewall/pull/715) ([pmcmaw](https://github.com/pmcmaw)) - (Modules-1141) No longer accepts an array for icmp types #puppethack [#705](https://github.com/puppetlabs/puppetlabs-firewall/pull/705) ([spynappels](https://github.com/spynappels)) ### Added - (MODULES-5144) Prep for puppet 5 [#709](https://github.com/puppetlabs/puppetlabs-firewall/pull/709) ([hunner](https://github.com/hunner)) - MODULE-1805 Add hashlimit-module [#708](https://github.com/puppetlabs/puppetlabs-firewall/pull/708) 
([jtruestedt](https://github.com/jtruestedt)) - (MODULES-5111) Support UNTRACKED in state and ctstate rules [#707](https://github.com/puppetlabs/puppetlabs-firewall/pull/707) ([spynappels](https://github.com/spynappels)) - MODULES-4828 version_requirement updated #puppethack [#704](https://github.com/puppetlabs/puppetlabs-firewall/pull/704) ([neilbinney](https://github.com/neilbinney)) - Add gid lookup [#682](https://github.com/puppetlabs/puppetlabs-firewall/pull/682) ([crispygoth](https://github.com/crispygoth)) ### Fixed - [MODULES-5924] Fix unmanaged rule regex when updating a iptable. [#729](https://github.com/puppetlabs/puppetlabs-firewall/pull/729) ([sathlan](https://github.com/sathlan)) - (MODULES-5692) Match more than a single space [#727](https://github.com/puppetlabs/puppetlabs-firewall/pull/727) ([hunner](https://github.com/hunner)) - (MODULES-5645) Choose correct IP version for hostname resolution [#721](https://github.com/puppetlabs/puppetlabs-firewall/pull/721) ([kpengboy](https://github.com/kpengboy)) - allow ip6tables to be disabled [#694](https://github.com/puppetlabs/puppetlabs-firewall/pull/694) ([knackaron](https://github.com/knackaron)) - (MODULES-4200) Add simple sanity check for the rule to hash parser [#666](https://github.com/puppetlabs/puppetlabs-firewall/pull/666) ([comel](https://github.com/comel)) ### Other - (MODULES-5340) Understand negated match sets [#713](https://github.com/puppetlabs/puppetlabs-firewall/pull/713) ([nbarrientos](https://github.com/nbarrientos)) ## [1.9.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.9.0) - 2017-05-19 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.8.2...1.9.0) ### Added - (FM-4896) add NFLOG support [#697](https://github.com/puppetlabs/puppetlabs-firewall/pull/697) ([eputnam](https://github.com/eputnam)) - (MODULES-4234) Add support for --physdev-is-{in,out} [#685](https://github.com/puppetlabs/puppetlabs-firewall/pull/685) 
([mhutter](https://github.com/mhutter)) - Allow managing ebtables [#684](https://github.com/puppetlabs/puppetlabs-firewall/pull/684) ([hunner](https://github.com/hunner)) - MODULES-4279 Add support for the geoip module [#680](https://github.com/puppetlabs/puppetlabs-firewall/pull/680) ([jg-development](https://github.com/jg-development)) ### Fixed - (maint) modify to account for spaces in iptables-save output [#700](https://github.com/puppetlabs/puppetlabs-firewall/pull/700) ([eputnam](https://github.com/eputnam)) - Change - Ensure that firewalld is stopped before iptables starts [#695](https://github.com/puppetlabs/puppetlabs-firewall/pull/695) ([blackknight36](https://github.com/blackknight36)) - Properly handle negated `--physdev-is-...` rules [#693](https://github.com/puppetlabs/puppetlabs-firewall/pull/693) ([mhutter](https://github.com/mhutter)) - MODULES-4279 use complete option for geoip [#690](https://github.com/puppetlabs/puppetlabs-firewall/pull/690) ([jg-development](https://github.com/jg-development)) ## [1.8.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.8.2) - 2017-01-10 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.8.1...1.8.2) ### Added - Add RHEL7 SELinux support for new service_name_v6 param, subsequently fix puppet lint error [#671](https://github.com/puppetlabs/puppetlabs-firewall/pull/671) ([wilson208](https://github.com/wilson208)) - [#puppethack] MODULES-1222 - added containment [#667](https://github.com/puppetlabs/puppetlabs-firewall/pull/667) ([genebean](https://github.com/genebean)) - Add --wait to iptables commands [#647](https://github.com/puppetlabs/puppetlabs-firewall/pull/647) ([mwhahaha](https://github.com/mwhahaha)) ### Fixed - Fixes SELinux compatibility with EL6 [#664](https://github.com/puppetlabs/puppetlabs-firewall/pull/664) ([bmjen](https://github.com/bmjen)) - Re-add RHEL7 SELinux support for puppet3 [#660](https://github.com/puppetlabs/puppetlabs-firewall/pull/660) 
([bmjen](https://github.com/bmjen)) - Fixing issue with double quotes being removed when part of the comment [#646](https://github.com/puppetlabs/puppetlabs-firewall/pull/646) ([kindred](https://github.com/kindred)) - Implemented parameters for NFQUEUE jump target [#644](https://github.com/puppetlabs/puppetlabs-firewall/pull/644) ([pid1co](https://github.com/pid1co)) - (MODULES-3572) Ip6tables service is not managed in the redhat family. [#641](https://github.com/puppetlabs/puppetlabs-firewall/pull/641) ([marcofl](https://github.com/marcofl)) ## [1.8.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.8.1) - 2016-05-17 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.8.0...1.8.1) ### Changed - (maint) Remove nat flush [#625](https://github.com/puppetlabs/puppetlabs-firewall/pull/625) ([hunner](https://github.com/hunner)) ### Added - (Modules 3329) Add support for iptables length and string extensions [#630](https://github.com/puppetlabs/puppetlabs-firewall/pull/630) ([shumbert](https://github.com/shumbert)) - Add VirtuozzoLinux to the RedHat family [#617](https://github.com/puppetlabs/puppetlabs-firewall/pull/617) ([jpnc](https://github.com/jpnc)) - support for multiple ipsets in a rule [#615](https://github.com/puppetlabs/puppetlabs-firewall/pull/615) ([nabam](https://github.com/nabam)) - Add 'ip' and 'pim' to proto [#610](https://github.com/puppetlabs/puppetlabs-firewall/pull/610) ([lunkwill42](https://github.com/lunkwill42)) ### Fixed - allow FreeBSD when dependencies require this class [#624](https://github.com/puppetlabs/puppetlabs-firewall/pull/624) ([rcalixte](https://github.com/rcalixte)) - match rules with -m ttl [#612](https://github.com/puppetlabs/puppetlabs-firewall/pull/612) ([pulecp](https://github.com/pulecp)) ## [1.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.8.0) - 2016-02-17 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.7.2...1.8.0) ### Added - (MODULES-3079) Add 
support for goto argument. [#606](https://github.com/puppetlabs/puppetlabs-firewall/pull/606) ([aequitas](https://github.com/aequitas)) - allow iptables package to be updated [#583](https://github.com/puppetlabs/puppetlabs-firewall/pull/583) ([cristifalcas](https://github.com/cristifalcas)) - Support IPv6 NAT on Linux 3.7+ [#576](https://github.com/puppetlabs/puppetlabs-firewall/pull/576) ([nward](https://github.com/nward)) ### Fixed - Made Facter flushing specific to a single fact. [#604](https://github.com/puppetlabs/puppetlabs-firewall/pull/604) ([jonnytdevops](https://github.com/jonnytdevops)) - (MODULES 3932) - We need to call Facter.flush to clear Facter cache [#603](https://github.com/puppetlabs/puppetlabs-firewall/pull/603) ([jonnytdevops](https://github.com/jonnytdevops)) - (MODULES-2159) ignore the --connlimit-saddr switch when parsing rules [#602](https://github.com/puppetlabs/puppetlabs-firewall/pull/602) ([paulseward](https://github.com/paulseward)) - Adding in log_uid boolean for LOG [#593](https://github.com/puppetlabs/puppetlabs-firewall/pull/593) ([mlosapio](https://github.com/mlosapio)) - (MODULES-2836) Fix handling of chains that contain '-f' [#579](https://github.com/puppetlabs/puppetlabs-firewall/pull/579) ([maxvozeler](https://github.com/maxvozeler)) - (MODULES-2783) Missing ip6tables service name [#578](https://github.com/puppetlabs/puppetlabs-firewall/pull/578) ([abednarik](https://github.com/abednarik)) ## [1.7.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.7.2) - 2015-12-07 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.7.1...1.7.2) ### Added - Add: sctp-protocol to "proto"-Parameter [#589](https://github.com/puppetlabs/puppetlabs-firewall/pull/589) ([DavidS](https://github.com/DavidS)) - MODULES-2769 - Add security table for iptables. 
[#575](https://github.com/puppetlabs/puppetlabs-firewall/pull/575) ([werekraken](https://github.com/werekraken)) ### Fixed - (MODULES-1341) Recover when deleting absent rules [#577](https://github.com/puppetlabs/puppetlabs-firewall/pull/577) ([reidmv](https://github.com/reidmv)) - (MAINT) RedHat 6 also uses unconfined_t [#574](https://github.com/puppetlabs/puppetlabs-firewall/pull/574) ([DavidS](https://github.com/DavidS)) - MODULES-2487 Improve port deprecation warning [#572](https://github.com/puppetlabs/puppetlabs-firewall/pull/572) ([roman-mueller](https://github.com/roman-mueller)) ## [1.7.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.7.1) - 2015-08-24 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.7.0...1.7.1) ### Changed - Deprecate port parameter [#570](https://github.com/puppetlabs/puppetlabs-firewall/pull/570) ([hunner](https://github.com/hunner)) ### Fixed - Always use dport [#569](https://github.com/puppetlabs/puppetlabs-firewall/pull/569) ([grigarr](https://github.com/grigarr)) ## [1.7.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.7.0) - 2015-07-27 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.6.0...1.7.0) ### Added - add set_dscp and set_dscp_class [#560](https://github.com/puppetlabs/puppetlabs-firewall/pull/560) ([estonfer](https://github.com/estonfer)) - Compatibility with Puppet 4 and Facter 3 [#559](https://github.com/puppetlabs/puppetlabs-firewall/pull/559) ([Jmeyering](https://github.com/Jmeyering)) ### Fixed - Makes all the services autorequired by the firewall and firewallchain types. 
[#556](https://github.com/puppetlabs/puppetlabs-firewall/pull/556) ([jonnytdevops](https://github.com/jonnytdevops)) - MODULES-2186 - iptables rules with -A in comment [#555](https://github.com/puppetlabs/puppetlabs-firewall/pull/555) ([TJM](https://github.com/TJM)) - Fix for physdev idempotency on EL5 [#551](https://github.com/puppetlabs/puppetlabs-firewall/pull/551) ([jonnytdevops](https://github.com/jonnytdevops)) - Fix addrtype inversion [#543](https://github.com/puppetlabs/puppetlabs-firewall/pull/543) ([jonnytdevops](https://github.com/jonnytdevops)) - (MODULES-1976) Revise rule name validation for ruby 1.9 [#517](https://github.com/puppetlabs/puppetlabs-firewall/pull/517) ([karmix](https://github.com/karmix)) - (MODULES-1967) Parse escape sequences from iptables [#513](https://github.com/puppetlabs/puppetlabs-firewall/pull/513) ([karmix](https://github.com/karmix)) ## [1.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.6.0) - 2015-05-19 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.5.0...1.6.0) ### Added - add match_mark [#527](https://github.com/puppetlabs/puppetlabs-firewall/pull/527) ([jonnytdevops](https://github.com/jonnytdevops)) - Tee Support [#525](https://github.com/puppetlabs/puppetlabs-firewall/pull/525) ([jonnytdevops](https://github.com/jonnytdevops)) - MSS feature [#524](https://github.com/puppetlabs/puppetlabs-firewall/pull/524) ([jonnytdevops](https://github.com/jonnytdevops)) - Added support for time ipt_module [#522](https://github.com/puppetlabs/puppetlabs-firewall/pull/522) ([jonnytdevops](https://github.com/jonnytdevops)) - Add support for ICMPv6 types neighbour-{solicitation,advertisement} [#515](https://github.com/puppetlabs/puppetlabs-firewall/pull/515) ([peikk0](https://github.com/peikk0)) - Add support for ICMPv6 type too-big (2) [#514](https://github.com/puppetlabs/puppetlabs-firewall/pull/514) ([peikk0](https://github.com/peikk0)) - Added ipv{4,6} to protocol list 
[#505](https://github.com/puppetlabs/puppetlabs-firewall/pull/505) ([jpds-zz](https://github.com/jpds-zz)) ### Fixed - Fix Arch Linux support [#526](https://github.com/puppetlabs/puppetlabs-firewall/pull/526) ([elyscape](https://github.com/elyscape)) - Added iptables-persistent fix for Debian 8 and Ubuntu 14.10 [#523](https://github.com/puppetlabs/puppetlabs-firewall/pull/523) ([jonnytdevops](https://github.com/jonnytdevops)) - Fixed idempotency bug relating to MODULES-1984 [#520](https://github.com/puppetlabs/puppetlabs-firewall/pull/520) ([jonnytdevops](https://github.com/jonnytdevops)) - (MODULES-1984) Perform daemon-reload on systemd [#518](https://github.com/puppetlabs/puppetlabs-firewall/pull/518) ([johnduarte](https://github.com/johnduarte)) ## [1.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.5.0) - 2015-03-31 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.4.0...1.5.0) ### Added - MODULES-1832 - add Gentoo support [#498](https://github.com/puppetlabs/puppetlabs-firewall/pull/498) ([derdanne](https://github.com/derdanne)) - MODULES-1636: Add --checksum-fill support. 
[#460](https://github.com/puppetlabs/puppetlabs-firewall/pull/460) ([Zlo](https://github.com/Zlo)) ### Fixed - MODULES-1808 - Implemented code for resource map munging to allow a single ipt module to be used multiple times in a single rule [#496](https://github.com/puppetlabs/puppetlabs-firewall/pull/496) ([jonnytdevops](https://github.com/jonnytdevops)) - Added code for physdev_is_bridged [#491](https://github.com/puppetlabs/puppetlabs-firewall/pull/491) ([jonnytdevops](https://github.com/jonnytdevops)) ## [1.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.4.0) - 2015-01-27 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.3.0...1.4.0) ### Added - Added support for iptables physdev_in and physdev_out parameters [#473](https://github.com/puppetlabs/puppetlabs-firewall/pull/473) ([jonnytdevops](https://github.com/jonnytdevops)) - MODULES-1612 - sync mask [#469](https://github.com/puppetlabs/puppetlabs-firewall/pull/469) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - sync ipset [#468](https://github.com/puppetlabs/puppetlabs-firewall/pull/468) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - sync set_mark [#464](https://github.com/puppetlabs/puppetlabs-firewall/pull/464) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - Sync ipsec_dir and ipsec_policy [#459](https://github.com/puppetlabs/puppetlabs-firewall/pull/459) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - sync mac_source [#454](https://github.com/puppetlabs/puppetlabs-firewall/pull/454) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - sync src_type and dst_type [#453](https://github.com/puppetlabs/puppetlabs-firewall/pull/453) ([underscorgan](https://github.com/underscorgan)) - MODULES-1612 - sync src_range and dst_range [#452](https://github.com/puppetlabs/puppetlabs-firewall/pull/452) ([underscorgan](https://github.com/underscorgan)) - MODUELES-1355 - support dport/sport in 
ip6tables provider [#451](https://github.com/puppetlabs/puppetlabs-firewall/pull/451) ([underscorgan](https://github.com/underscorgan)) - (MODULES-464) Add netmap feature [#421](https://github.com/puppetlabs/puppetlabs-firewall/pull/421) ([patrobinson](https://github.com/patrobinson)) ### Fixed - MODULES-1453 - overly aggressive gsub [#479](https://github.com/puppetlabs/puppetlabs-firewall/pull/479) ([underscorgan](https://github.com/underscorgan)) - Uid negation fix [#474](https://github.com/puppetlabs/puppetlabs-firewall/pull/474) ([jonnytdevops](https://github.com/jonnytdevops)) - QENG-1678 - Need to stop iptables to install ipset [#472](https://github.com/puppetlabs/puppetlabs-firewall/pull/472) ([underscorgan](https://github.com/underscorgan)) - Fixing regressions for Amazon Linux since RH7 support was added [#471](https://github.com/puppetlabs/puppetlabs-firewall/pull/471) ([mlehner616](https://github.com/mlehner616)) - MODULES-1612 - mask isn't supported on deb7 [#470](https://github.com/puppetlabs/puppetlabs-firewall/pull/470) ([underscorgan](https://github.com/underscorgan)) - MODULES-1552 - Issues parsing `-m (tcp|udp)` rules [#462](https://github.com/puppetlabs/puppetlabs-firewall/pull/462) ([underscorgan](https://github.com/underscorgan)) ## [1.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.3.0) - 2014-12-16 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.2.0...1.3.0) ### Added - MODULES-556: tcp_flags support for ip6tables [#442](https://github.com/puppetlabs/puppetlabs-firewall/pull/442) ([underscorgan](https://github.com/underscorgan)) - MODULES-1309 - Make package and service names configurable [#436](https://github.com/puppetlabs/puppetlabs-firewall/pull/436) ([underscorgan](https://github.com/underscorgan)) - MODULES-1469 MODULES-1470 Support alias (eth0:0), negation for iniface, ... 
[#435](https://github.com/puppetlabs/puppetlabs-firewall/pull/435) ([underscorgan](https://github.com/underscorgan)) - FM-2022 Add SLES 12 to metadata [#434](https://github.com/puppetlabs/puppetlabs-firewall/pull/434) ([cyberious](https://github.com/cyberious)) ### Fixed - MODULES-1572 - Fix logic broken from MODULES-1309 [#441](https://github.com/puppetlabs/puppetlabs-firewall/pull/441) ([underscorgan](https://github.com/underscorgan)) - MODULES-1565 - Fix regexes for EL5 [#438](https://github.com/puppetlabs/puppetlabs-firewall/pull/438) ([underscorgan](https://github.com/underscorgan)) - Don't arbitrarily limit set_mark to certain chains [#427](https://github.com/puppetlabs/puppetlabs-firewall/pull/427) ([stesie](https://github.com/stesie)) ## [1.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.2.0) - 2014-11-04 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.3...1.2.0) ### Changed - Doesn't actually support OEL5 [#418](https://github.com/puppetlabs/puppetlabs-firewall/pull/418) ([underscorgan](https://github.com/underscorgan)) ### Added - Update to support PE3.x [#420](https://github.com/puppetlabs/puppetlabs-firewall/pull/420) ([underscorgan](https://github.com/underscorgan)) - Support netfilter-persistent for later versions [#403](https://github.com/puppetlabs/puppetlabs-firewall/pull/403) ([rra](https://github.com/rra)) - (MODULES-450) Enable rule inversion [#394](https://github.com/puppetlabs/puppetlabs-firewall/pull/394) ([hunner](https://github.com/hunner)) - Add cbt protocol, to be able to mitigate some DDoS attacks [#388](https://github.com/puppetlabs/puppetlabs-firewall/pull/388) ([thias](https://github.com/thias)) - add ipset support [#383](https://github.com/puppetlabs/puppetlabs-firewall/pull/383) ([vzctl](https://github.com/vzctl)) - Add support for mac address source rules pt2 [#337](https://github.com/puppetlabs/puppetlabs-firewall/pull/337) ([damjanek](https://github.com/damjanek)) ### Fixed - ip6tables 
isn't supported on EL5 [#428](https://github.com/puppetlabs/puppetlabs-firewall/pull/428) ([underscorgan](https://github.com/underscorgan)) - Fixed firewalld package issue [#426](https://github.com/puppetlabs/puppetlabs-firewall/pull/426) ([paramite](https://github.com/paramite)) - (MODULES-41) Change source for ip6tables provider [#422](https://github.com/puppetlabs/puppetlabs-firewall/pull/422) ([hunner](https://github.com/hunner)) - (MODULES-1086) toports is not reqired with jump == REDIRECT [#407](https://github.com/puppetlabs/puppetlabs-firewall/pull/407) ([hunner](https://github.com/hunner)) - Bugfix stat_prob -> stat_probability [#402](https://github.com/puppetlabs/puppetlabs-firewall/pull/402) ([hunner](https://github.com/hunner)) - Improve support for EL7 and other related fixes [#393](https://github.com/puppetlabs/puppetlabs-firewall/pull/393) ([hunner](https://github.com/hunner)) - Fixed bug which arbitrarily limited iniface and outiface parameters [#374](https://github.com/puppetlabs/puppetlabs-firewall/pull/374) ([lejonet](https://github.com/lejonet)) ## [1.1.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.1.3) - 2014-07-14 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.2...1.1.3) ## [1.1.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.1.2) - 2014-06-05 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.1...1.1.2) ### Fixed - (MODULES-796) Fix policy ipsec options [#363](https://github.com/puppetlabs/puppetlabs-firewall/pull/363) ([hunner](https://github.com/hunner)) ## [1.1.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.1.1) - 2014-05-16 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.0...1.1.1) ## [1.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.1.0) - 2014-05-13 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.0.2...1.1.0) ### Changed - Apply firewall resources alphabetically 
[#342](https://github.com/puppetlabs/puppetlabs-firewall/pull/342) ([mcanevet](https://github.com/mcanevet)) ### Added - (MODULES-689) Add support for connlimit and connmark [#344](https://github.com/puppetlabs/puppetlabs-firewall/pull/344) ([csschwe](https://github.com/csschwe)) ### Fixed - Fix access to distmoduledir [#354](https://github.com/puppetlabs/puppetlabs-firewall/pull/354) ([hunner](https://github.com/hunner)) - Fix support for Fedora Rawhide [#350](https://github.com/puppetlabs/puppetlabs-firewall/pull/350) ([xbezdick](https://github.com/xbezdick)) - Fix failing persist_iptables test on RHEL7 and Fedora [#341](https://github.com/puppetlabs/puppetlabs-firewall/pull/341) ([jeckersb](https://github.com/jeckersb)) - --reap flag is not added to iptables command [#340](https://github.com/puppetlabs/puppetlabs-firewall/pull/340) ([simon-martin](https://github.com/simon-martin)) - Fix typo in SNAT error message [#339](https://github.com/puppetlabs/puppetlabs-firewall/pull/339) ([cure](https://github.com/cure)) - Treat RHEL 7 and later like Fedora w/r/t iptables [#338](https://github.com/puppetlabs/puppetlabs-firewall/pull/338) ([larsks](https://github.com/larsks)) ## [1.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.0.2) - 2014-03-04 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.0.1...1.0.2) ### Fixed - Replace the symlink with the actual file to resolve a PMT issue. 
[#331](https://github.com/puppetlabs/puppetlabs-firewall/pull/331) ([apenney](https://github.com/apenney)) ## [1.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.0.1) - 2014-03-03 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.0.0...1.0.1) ### Fixed - Change OEL limitation description [#326](https://github.com/puppetlabs/puppetlabs-firewall/pull/326) ([hunner](https://github.com/hunner)) - Socket owner sles madness [#324](https://github.com/puppetlabs/puppetlabs-firewall/pull/324) ([apenney](https://github.com/apenney)) - Fix logic for supported socket platforms [#322](https://github.com/puppetlabs/puppetlabs-firewall/pull/322) ([hunner](https://github.com/hunner)) - Bugfix: Account for rules sorted after unmanaged rules [#321](https://github.com/puppetlabs/puppetlabs-firewall/pull/321) ([hunner](https://github.com/hunner)) - Fix various differences for rhel5 [#314](https://github.com/puppetlabs/puppetlabs-firewall/pull/314) ([hunner](https://github.com/hunner)) - Use iptables-save and parse the output [#311](https://github.com/puppetlabs/puppetlabs-firewall/pull/311) ([hunner](https://github.com/hunner)) ## [1.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.0.0) - 2014-02-11 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.5.0...1.0.0) ## [0.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.5.0) - 2014-02-10 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.2...0.5.0) ### Added - Add --random support as per #141 comment [#298](https://github.com/puppetlabs/puppetlabs-firewall/pull/298) ([hunner](https://github.com/hunner)) - (MODULES-31) add support for iptables recent [#296](https://github.com/puppetlabs/puppetlabs-firewall/pull/296) ([hunner](https://github.com/hunner)) - Add purge support to firewallchain [#287](https://github.com/puppetlabs/puppetlabs-firewall/pull/287) ([hunner](https://github.com/hunner)) - allow input chain in nat 
table [#270](https://github.com/puppetlabs/puppetlabs-firewall/pull/270) ([phemmer](https://github.com/phemmer)) - add ipsec policy matching [#268](https://github.com/puppetlabs/puppetlabs-firewall/pull/268) ([phemmer](https://github.com/phemmer)) - Negation support [#267](https://github.com/puppetlabs/puppetlabs-firewall/pull/267) ([phemmer](https://github.com/phemmer)) - Support conntrack stateful firewall matching [#257](https://github.com/puppetlabs/puppetlabs-firewall/pull/257) ([nogweii](https://github.com/nogweii)) - Add support for IPv6 hop limiting [#208](https://github.com/puppetlabs/puppetlabs-firewall/pull/208) ([georgkoester](https://github.com/georgkoester)) - Add ipv6 frag matchers2 and generify known_boolean handling. [#207](https://github.com/puppetlabs/puppetlabs-firewall/pull/207) ([georgkoester](https://github.com/georgkoester)) ### Fixed - Fix for #286 for pre-existing rules at the start of a chain [#303](https://github.com/puppetlabs/puppetlabs-firewall/pull/303) ([hunner](https://github.com/hunner)) - Fix #300 for match extension protocol [#302](https://github.com/puppetlabs/puppetlabs-firewall/pull/302) ([hunner](https://github.com/hunner)) - (MODULES-451) Match extension protocol for multiport [#300](https://github.com/puppetlabs/puppetlabs-firewall/pull/300) ([hunner](https://github.com/hunner)) - (MODULES-16) Correct src_range dst_range ordering [#293](https://github.com/puppetlabs/puppetlabs-firewall/pull/293) ([hunner](https://github.com/hunner)) - (MODULES-442) Correct boolean properties behavior [#291](https://github.com/puppetlabs/puppetlabs-firewall/pull/291) ([hunner](https://github.com/hunner)) - (MODULES-441) Helpfully fail when modifying chains [#288](https://github.com/puppetlabs/puppetlabs-firewall/pull/288) ([hunner](https://github.com/hunner)) - (MODULES-439) Work around existing rules [#286](https://github.com/puppetlabs/puppetlabs-firewall/pull/286) ([hunner](https://github.com/hunner)) - fix handling of builtin chains 
[#271](https://github.com/puppetlabs/puppetlabs-firewall/pull/271) ([phemmer](https://github.com/phemmer)) - Remove redundant `include` call in system spec helper. [#253](https://github.com/puppetlabs/puppetlabs-firewall/pull/253) ([stefanozanella](https://github.com/stefanozanella)) - Generate parser list [#248](https://github.com/puppetlabs/puppetlabs-firewall/pull/248) ([senax](https://github.com/senax)) - No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking [#240](https://github.com/puppetlabs/puppetlabs-firewall/pull/240) ([doc75](https://github.com/doc75)) ## [0.4.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.4.2) - 2013-09-10 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.1...0.4.2) ## [0.4.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.4.1) - 2013-08-12 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.0...0.4.1) ## [0.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.4.0) - 2013-07-12 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/list...0.4.0) ### Added - Feature/master/add support for iprange [#219](https://github.com/puppetlabs/puppetlabs-firewall/pull/219) ([hunner](https://github.com/hunner)) ## [list](https://github.com/puppetlabs/puppetlabs-firewall/tree/list) - 2013-07-09 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.3.1...list) ### Added - Add SL and SLC cases for operatingsystem [#220](https://github.com/puppetlabs/puppetlabs-firewall/pull/220) ([traylenator](https://github.com/traylenator)) - Add support for --src-type and --dst-type [#212](https://github.com/puppetlabs/puppetlabs-firewall/pull/212) ([nickstenning](https://github.com/nickstenning)) ### Fixed - Update providers to use expect syntax [#217](https://github.com/puppetlabs/puppetlabs-firewall/pull/217) ([hunner](https://github.com/hunner)) - Fix #188: -f in 
comment leads to puppet resource firewall failing. [#204](https://github.com/puppetlabs/puppetlabs-firewall/pull/204) ([georgkoester](https://github.com/georgkoester)) ## [0.3.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.3.1) - 2013-06-10 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.3.0...0.3.1) ### Fixed - Ensure all services have 'hasstatus => true' for Puppet 2.6 [#197](https://github.com/puppetlabs/puppetlabs-firewall/pull/197) ([kbarber](https://github.com/kbarber)) - Accept pre-existing rule with invalid name [#192](https://github.com/puppetlabs/puppetlabs-firewall/pull/192) ([joejulian](https://github.com/joejulian)) - Swap log_prefix and log_level order to match the way it's saved [#191](https://github.com/puppetlabs/puppetlabs-firewall/pull/191) ([joejulian](https://github.com/joejulian)) - (#20912) Split argments while maintaining quoted strings [#189](https://github.com/puppetlabs/puppetlabs-firewall/pull/189) ([joejulian](https://github.com/joejulian)) ## [0.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.3.0) - 2013-04-25 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.2.1...0.3.0) ### Added - (#171) Added ensure parameter to firewall class [#172](https://github.com/puppetlabs/puppetlabs-firewall/pull/172) ([cr3](https://github.com/cr3)) - (20096) Support systemd on Fedora 15 and up [#145](https://github.com/puppetlabs/puppetlabs-firewall/pull/145) ([ecbypi](https://github.com/ecbypi)) ### Fixed - Duplicate existing rules dont purge [#166](https://github.com/puppetlabs/puppetlabs-firewall/pull/166) ([kbarber](https://github.com/kbarber)) - Booleans not idempotent [#162](https://github.com/puppetlabs/puppetlabs-firewall/pull/162) ([kbarber](https://github.com/kbarber)) ## [0.2.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.2.1) - 2013-03-13 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.2.0...0.2.1) ## 
[0.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.2.0) - 2013-03-03 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.1.1...0.2.0) ### Added - (GH-134) Autorequire iptables related packages [#136](https://github.com/puppetlabs/puppetlabs-firewall/pull/136) ([dcarley](https://github.com/dcarley)) ### Fixed - Native persistence [#133](https://github.com/puppetlabs/puppetlabs-firewall/pull/133) ([dcarley](https://github.com/dcarley)) ## [0.1.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.1.1) - 2013-02-28 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.1.0...0.1.1) ## [0.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.1.0) - 2013-02-24 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.4...0.1.0) ### Added - (#15556) Support for ICMP6 type code resolutions [#87](https://github.com/puppetlabs/puppetlabs-firewall/pull/87) ([dcarley](https://github.com/dcarley)) - (#15038) add gre protocol to list of acceptable protocols [#85](https://github.com/puppetlabs/puppetlabs-firewall/pull/85) ([jasonhancock](https://github.com/jasonhancock)) - Ticket/11305 support vlan interface [#70](https://github.com/puppetlabs/puppetlabs-firewall/pull/70) ([kbarber](https://github.com/kbarber)) - Ticket/10162 firewallchain support for merge [#62](https://github.com/puppetlabs/puppetlabs-firewall/pull/62) ([kbarber](https://github.com/kbarber)) ### Fixed - Mock Resolv.getaddress in #host_to_ip [#110](https://github.com/puppetlabs/puppetlabs-firewall/pull/110) ([dcarley](https://github.com/dcarley)) - ip6tables provider allways execute /sbin/iptables command [#105](https://github.com/puppetlabs/puppetlabs-firewall/pull/105) ([wuwx](https://github.com/wuwx)) - (#10322) Insert order hash included chains from different tables [#89](https://github.com/puppetlabs/puppetlabs-firewall/pull/89) ([kbarber](https://github.com/kbarber)) - (#10274) Nullify addresses with zero 
prefixlen [#80](https://github.com/puppetlabs/puppetlabs-firewall/pull/80) ([dcarley](https://github.com/dcarley)) - Ticket/10619 unable to purge rules [#69](https://github.com/puppetlabs/puppetlabs-firewall/pull/69) ([kbarber](https://github.com/kbarber)) - (#13201) Firewall autorequire Firewallchains [#67](https://github.com/puppetlabs/puppetlabs-firewall/pull/67) ([dcarley](https://github.com/dcarley)) - (#13192) Fix allvalidchain iteration [#63](https://github.com/puppetlabs/puppetlabs-firewall/pull/63) ([kbarber](https://github.com/kbarber)) - Improved Puppet DSL style as per the guidelines. [#61](https://github.com/puppetlabs/puppetlabs-firewall/pull/61) ([adamgibbins](https://github.com/adamgibbins)) - (#10164) Reject and document icmp => "any" [#60](https://github.com/puppetlabs/puppetlabs-firewall/pull/60) ([dcarley](https://github.com/dcarley)) - (#11443) simple fix of the error message for allowed values of the jump property [#50](https://github.com/puppetlabs/puppetlabs-firewall/pull/50) ([grooverdan](https://github.com/grooverdan)) ## [v0.0.4](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.4) - 2011-12-05 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.3...v0.0.4) ### Added - (#10690) add port property support to ip6tables [#33](https://github.com/puppetlabs/puppetlabs-firewall/pull/33) ([saysjonathan](https://github.com/saysjonathan)) ## [v0.0.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.3) - 2011-11-12 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.2...v0.0.3) ### Fixed - (#10700) allow additional characters in comment string [#30](https://github.com/puppetlabs/puppetlabs-firewall/pull/30) ([saysjonathan](https://github.com/saysjonathan)) ## [v0.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.2) - 2011-10-26 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.1...v0.0.2) ### Added - (#9362) Create action 
property and perform transformation for accept, dro [#15](https://github.com/puppetlabs/puppetlabs-firewall/pull/15) ([kbarber](https://github.com/kbarber)) ### Fixed - (#10295) Work around bug #4248 whereby the puppet/util paths are not bein [#22](https://github.com/puppetlabs/puppetlabs-firewall/pull/22) ([kbarber](https://github.com/kbarber)) - (#10002) Change to dport and sport to handle ranges, and fix handling of [#21](https://github.com/puppetlabs/puppetlabs-firewall/pull/21) ([kbarber](https://github.com/kbarber)) ## [v0.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.1) - 2011-10-18 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/bff53bdbc03ad416e3f23d7ad943ebdffb3bd999...v0.0.1) puppetlabs-firewall-8.0.0/CODEOWNERS0100644000175100001770000000007614561126655014076 0ustar00# Setting ownership to the modules team * @puppetlabs/modules puppetlabs-firewall-8.0.0/CONTRIBUTING.md0100644000175100001770000000032314561126655014727 0ustar00# Contributing to Puppet modules Check out our [Contributing to Supported Modules Blog Post](https://puppetlabs.github.io/iac/docs/contributing_to_a_module.html) to find all the information that you will need. 
puppetlabs-firewall-8.0.0/HISTORY.md0100644000175100001770000011523714561126655014174 0ustar00## [v3.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.0.0) (2021-03-01) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.1...v3.0.0) ### Changed - pdksync - \(MAINT\) Remove SLES 11 support [\#977](https://github.com/puppetlabs/puppetlabs-firewall/pull/977) ([sanfrancrisko](https://github.com/sanfrancrisko)) - pdksync - \(MAINT\) Remove RHEL 5 family support [\#976](https://github.com/puppetlabs/puppetlabs-firewall/pull/976) ([sanfrancrisko](https://github.com/sanfrancrisko)) - pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 [\#972](https://github.com/puppetlabs/puppetlabs-firewall/pull/972) ([carabasdaniel](https://github.com/carabasdaniel)) ## [v2.8.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.1) (2021-02-09) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.0...v2.8.1) ### Fixed - \[MODULES-10907\] Do not remove spaces from hex string with ! 
[\#967](https://github.com/puppetlabs/puppetlabs-firewall/pull/967) ([adrianiurca](https://github.com/adrianiurca)) ## [v2.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.0) (2020-12-14) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.7.0...v2.8.0) ### Added - pdksync - \(feat\) - Add support for Puppet 7 [\#959](https://github.com/puppetlabs/puppetlabs-firewall/pull/959) ([daianamezdrea](https://github.com/daianamezdrea)) - \(IAC-966\) - MODULES-10522: Add support for the --condition parameter [\#941](https://github.com/puppetlabs/puppetlabs-firewall/pull/941) ([adrianiurca](https://github.com/adrianiurca)) ### Fixed - Restore copyright names [\#951](https://github.com/puppetlabs/puppetlabs-firewall/pull/951) ([hunner](https://github.com/hunner)) ## [v2.7.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.7.0) (2020-10-15) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.6.0...v2.7.0) ### Added - \(IAC-1190\) add `ignore_foreign` when purging firewallchains [\#948](https://github.com/puppetlabs/puppetlabs-firewall/pull/948) ([DavidS](https://github.com/DavidS)) ## [v2.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.6.0) (2020-10-01) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.5.0...v2.6.0) ### Fixed - Fix extra quotes in firewall string matching [\#944](https://github.com/puppetlabs/puppetlabs-firewall/pull/944) ([IBBoard](https://github.com/IBBoard)) - \(IAC-987\) - Removal of inappropriate terminology [\#942](https://github.com/puppetlabs/puppetlabs-firewall/pull/942) ([david22swan](https://github.com/david22swan)) ## [v2.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.5.0) (2020-07-28) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.4.0...v2.5.0) ### Added - Add acceptance and unit test [\#931](https://github.com/puppetlabs/puppetlabs-firewall/pull/931) 
([adrianiurca](https://github.com/adrianiurca)) - \[IAC-899\] - Add acceptance test for string_hex parameter [\#930](https://github.com/puppetlabs/puppetlabs-firewall/pull/930) ([adrianiurca](https://github.com/adrianiurca)) - Add support for NFLOG options to ip6tables [\#921](https://github.com/puppetlabs/puppetlabs-firewall/pull/921) ([frh](https://github.com/frh)) ## [v2.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.4.0) (2020-05-13) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.3.0...v2.4.0) ### Added - pdksync - \(IAC-973\) - Update travis/appveyor to run on new default branch main [\#933](https://github.com/puppetlabs/puppetlabs-firewall/pull/933) ([david22swan](https://github.com/david22swan)) - Add support for u32 module in iptables [\#917](https://github.com/puppetlabs/puppetlabs-firewall/pull/917) ([sanfrancrisko](https://github.com/sanfrancrisko)) - Add support for cgroup arg [\#916](https://github.com/puppetlabs/puppetlabs-firewall/pull/916) ([akerl-unpriv](https://github.com/akerl-unpriv)) - Extend LOG options [\#914](https://github.com/puppetlabs/puppetlabs-firewall/pull/914) ([martialblog](https://github.com/martialblog)) ### Fixed - \(MODULES-8543\) Remove nftables' backend warning from iptables_save outtput [\#911](https://github.com/puppetlabs/puppetlabs-firewall/pull/911) ([NITEMAN](https://github.com/NITEMAN)) ## [v2.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.3.0) (2020-03-26) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.2.0...v2.3.0) ### Added - Add iptables --hex-string support to firewall resource [\#907](https://github.com/puppetlabs/puppetlabs-firewall/pull/907) ([alexconrey](https://github.com/alexconrey)) - Add random_fully and rpfilter support [\#892](https://github.com/puppetlabs/puppetlabs-firewall/pull/892) ([treydock](https://github.com/treydock)) - \(MODULES-7800\) Add the ability to specify iptables connection tracking helpers. 
[\#890](https://github.com/puppetlabs/puppetlabs-firewall/pull/890) ([jimmyt86](https://github.com/jimmyt86)) - Support conntrack module [\#872](https://github.com/puppetlabs/puppetlabs-firewall/pull/872) ([haught](https://github.com/haught)) ### Fixed - \(maint\) Use fact.flush only when available [\#906](https://github.com/puppetlabs/puppetlabs-firewall/pull/906) ([Filipovici-Andrei](https://github.com/Filipovici-Andrei)) - \(MODULES-10358\) - Clarification added to Boolean validation checks [\#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan)) - Merge and remove duplicate README file, lint code snippets [\#878](https://github.com/puppetlabs/puppetlabs-firewall/pull/878) ([runejuhl](https://github.com/runejuhl)) ## [v2.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.2.0) (2019-12-09) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.1.0...v2.2.0) ### Added - Add support for Debian Unstable [\#876](https://github.com/puppetlabs/puppetlabs-firewall/pull/876) ([martialblog](https://github.com/martialblog)) - \(FM-8673\) - Support added for CentOS 8 [\#873](https://github.com/puppetlabs/puppetlabs-firewall/pull/873) ([david22swan](https://github.com/david22swan)) - FM-8400 - add debian10 support [\#862](https://github.com/puppetlabs/puppetlabs-firewall/pull/862) ([lionce](https://github.com/lionce)) - FM-8219 - Convert to litmus [\#855](https://github.com/puppetlabs/puppetlabs-firewall/pull/855) ([lionce](https://github.com/lionce)) ### Fixed - Change - Avoid puppet failures on windows nodes [\#874](https://github.com/puppetlabs/puppetlabs-firewall/pull/874) ([blackknight36](https://github.com/blackknight36)) - Fix parsing iptables rules with hyphen in comments [\#861](https://github.com/puppetlabs/puppetlabs-firewall/pull/861) ([Hexta](https://github.com/Hexta)) ## [v2.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.1.0) (2019-09-24) [Full 
Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.0.0...v2.1.0) ### Added - \(MODULES-6136\) Add zone property of CT target. [\#852](https://github.com/puppetlabs/puppetlabs-firewall/pull/852) ([rwf14f](https://github.com/rwf14f)) - \(FM-8025\) Add RedHat 8 support [\#847](https://github.com/puppetlabs/puppetlabs-firewall/pull/847) ([eimlav](https://github.com/eimlav)) ### Fixed - MODULES-9801 - fix negated physdev [\#858](https://github.com/puppetlabs/puppetlabs-firewall/pull/858) ([lionce](https://github.com/lionce)) ## [v2.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.0.0) (2019-05-14) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.3...v2.0.0) ### Changed - pdksync - \(MODULES-8444\) - Raise lower Puppet bound [\#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan)) ### Added - \(FM-7903\) - Implement Puppet Strings [\#838](https://github.com/puppetlabs/puppetlabs-firewall/pull/838) ([david22swan](https://github.com/david22swan)) ### Fixed - \(MODULES-8736\) IPtables support on RHEL8 [\#824](https://github.com/puppetlabs/puppetlabs-firewall/pull/824) ([EmilienM](https://github.com/EmilienM)) ## [1.15.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.3) (2019-04-04) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.2...1.15.3) ### Fixed - \(MODULES-8855\) Move ipvs test to exception spec [\#834](https://github.com/puppetlabs/puppetlabs-firewall/pull/834) ([eimlav](https://github.com/eimlav)) - \(MODULES-8842\) Fix ipvs not idempotent [\#833](https://github.com/puppetlabs/puppetlabs-firewall/pull/833) ([eimlav](https://github.com/eimlav)) ## [1.15.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.2) (2019-03-26) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.1...1.15.2) ### Fixed - \(MODULES-8615\) Fix rules with ipvs not parsing 
[\#828](https://github.com/puppetlabs/puppetlabs-firewall/pull/828) ([eimlav](https://github.com/eimlav)) - \(MODULES-7333\) - Change hashing method from MD5 to SHA256 [\#827](https://github.com/puppetlabs/puppetlabs-firewall/pull/827) ([david22swan](https://github.com/david22swan)) - \(MODULES-6547\) Fix existing rules with --dport not parsing [\#826](https://github.com/puppetlabs/puppetlabs-firewall/pull/826) ([eimlav](https://github.com/eimlav)) - \(MODULES-8648\) - Fix for failures on SLES 11 [\#816](https://github.com/puppetlabs/puppetlabs-firewall/pull/816) ([david22swan](https://github.com/david22swan)) - \(MODULES-8584\) Handle multiple escaped quotes in comments properly [\#815](https://github.com/puppetlabs/puppetlabs-firewall/pull/815) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - External control for iptables-persistent [\#795](https://github.com/puppetlabs/puppetlabs-firewall/pull/795) ([identw](https://github.com/identw)) ## [1.15.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.1) (2019-02-01) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.0...1.15.1) ### Fixed - \(DOC-3056\) Remove mention of rules ordering [\#809](https://github.com/puppetlabs/puppetlabs-firewall/pull/809) ([clairecadman](https://github.com/clairecadman)) - \(FM-7712\) - Remove Gentoo 1.0 testing/support for Firewall module [\#808](https://github.com/puppetlabs/puppetlabs-firewall/pull/808) ([david22swan](https://github.com/david22swan)) - \(MODULES-8360\) Fix IPv6 bug relating to Bugzilla 1015 [\#804](https://github.com/puppetlabs/puppetlabs-firewall/pull/804) ([alexharv074](https://github.com/alexharv074)) ## [1.15.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.0) (2019-01-18) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.14.0...1.15.0) ### Added - \(MODULES-8143\) - Add SLES 15 support [\#798](https://github.com/puppetlabs/puppetlabs-firewall/pull/798) 
([eimlav](https://github.com/eimlav)) - Add nftables wrapper support for RHEL8 [\#794](https://github.com/puppetlabs/puppetlabs-firewall/pull/794) ([mwhahaha](https://github.com/mwhahaha)) - Changed regex for iniface and outiface to allow '@' in interface names [\#791](https://github.com/puppetlabs/puppetlabs-firewall/pull/791) ([GeorgeCox](https://github.com/GeorgeCox)) - \(MODULES-8214\) Handle src_type and dst_type as array [\#790](https://github.com/puppetlabs/puppetlabs-firewall/pull/790) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - \(MODULES-7990\) Merge multiple comments into one while parsing rules [\#789](https://github.com/puppetlabs/puppetlabs-firewall/pull/789) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic)) - add -g flag handling in ip6tables.rb provider [\#788](https://github.com/puppetlabs/puppetlabs-firewall/pull/788) ([cestith](https://github.com/cestith)) - \(MODULES-7681\) Add support for bytecode property [\#771](https://github.com/puppetlabs/puppetlabs-firewall/pull/771) ([baurmatt](https://github.com/baurmatt)) ### Fixed - pdksync - \(FM-7655\) Fix rubygems-update for ruby \< 2.3 [\#801](https://github.com/puppetlabs/puppetlabs-firewall/pull/801) ([tphoney](https://github.com/tphoney)) - \(MODULES-6340\) - Address failure when name begins with 9XXX [\#796](https://github.com/puppetlabs/puppetlabs-firewall/pull/796) ([eimlav](https://github.com/eimlav)) - Amazon linux 2 changed its major version to 2 with the last update... 
[\#793](https://github.com/puppetlabs/puppetlabs-firewall/pull/793) ([erik-frontify](https://github.com/erik-frontify)) ## [1.14.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.14.0) (2018-09-27) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.13.0...1.14.0) ### Added - pdksync - \(MODULES-6805\) metadata.json shows support for puppet 6 [\#782](https://github.com/puppetlabs/puppetlabs-firewall/pull/782) ([tphoney](https://github.com/tphoney)) - \(FM-7399\) - Prepare for changelog generator [\#780](https://github.com/puppetlabs/puppetlabs-firewall/pull/780) ([pmcmaw](https://github.com/pmcmaw)) ## 1.13.0 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.12.0...1.13.0) ### Added - pdksync - \(MODULES-7705\) - Bumping stdlib dependency from \< 5.0.0 to \< 6.0.0 [\#775](https://github.com/puppetlabs/puppetlabs-firewall/pull/775) ([pmcmaw](https://github.com/pmcmaw)) - Add support for Amazon Linux 2 [\#768](https://github.com/puppetlabs/puppetlabs-firewall/pull/768) ([erik-frontify](https://github.com/erik-frontify)) - \(FM-7232\) - Update firewall to support Ubuntu 18.04 [\#767](https://github.com/puppetlabs/puppetlabs-firewall/pull/767) ([david22swan](https://github.com/david22swan)) - \[FM-7044\] Addition of Debian 9 support to firewall [\#765](https://github.com/puppetlabs/puppetlabs-firewall/pull/765) ([david22swan](https://github.com/david22swan)) - \[FM-6961\] Removal of unsupported OS from firewall [\#764](https://github.com/puppetlabs/puppetlabs-firewall/pull/764) ([david22swan](https://github.com/david22swan)) ### Fixed - \(MODULES-7627\) - Update README Limitations section [\#769](https://github.com/puppetlabs/puppetlabs-firewall/pull/769) ([eimlav](https://github.com/eimlav)) - Corrections to readme [\#766](https://github.com/puppetlabs/puppetlabs-firewall/pull/766) ([alexharv074](https://github.com/alexharv074)) - \(MODULES-6129\) negated option with address mask bugfix 
[\#756](https://github.com/puppetlabs/puppetlabs-firewall/pull/756) ([mirekys](https://github.com/mirekys)) - \(MODULES-2119\) iptables delete -p all exception [\#749](https://github.com/puppetlabs/puppetlabs-firewall/pull/749) ([mikkergimenez](https://github.com/mikkergimenez)) ## 1.12.0 ### Summary This release uses the PDK convert functionality which in turn makes the module PDK compliant. It also includes a roll up of maintenance changes. #### Added - PDK convert firewall ([MODULES-6455](https://tickets.puppet.com/browse/MODULES-6455)). - Modulesync updates. ### Fixed - Set correct `seluser` for CentOS/RHEL 5.x ([MODULES-6092](https://tickets.puppet.com/browse/MODULES-6092)). - Fix error parsing rules with dashes in the chain name ([MODULES-6261](https://tickets.puppet.com/browse/MODULES-6261)). - Changes to address additional Rubocop failures. - (maint) Addressing puppet-lint doc warnings. ## Supported Release 1.11.0 ### Summary This release is to implement Rubocop changes within the module. #### Added - Rubocop has been implemented in the module. ### Changed - Module sync was updated. - Unparsable rules are now skipped with a warning. ## Supported Release 1.10.0 ### Summary This is a clean release prior to the module being run through rubocop. #### Added - Hashlimit module added. - Firewall multi notes added. - Gidd lookup now added. - Simple sanity check added to hash parser rule. ### Changed - Version requirement has been updated. - An array is no longer accepted for icmp types. - UNTRACKED is now considered to be a valid state. - Modulesync updates. - ip6tables can be disabled. - Readme format has been fixed. - Fixes made to accommodate Puppet lint. - Fix to regex in 'connlimit_spec.rb' and 'firewall_spec.rb'. - General test fixes. - Negated match sets now properly dealt with. - Correct IP version for hostname resolution now chosen. - Unmanaged rule regex regarding iptable has been fixed. ### Removed - Ubuntu 10.04 and 12.04 removed. 
## Supported Release 1.9.0 ### Summary This release includes several bugfixes and NFLOG support. #### Added - Support for NFLOG including the `NFLOG` jump target and four commandline options ([FM-4896](https://tickets.puppetlabs.com/browse/FM-4896)) - Support for the geoip module ([MODULES-4279](https://tickets.puppetlabs.com/browse/MODULES-4279)) - Management of the ebtables package #### Fixed - iptables parser fails with "Invalid address from IPAddr.new: -m" ([MODULES-4234](https://tickets.puppetlabs.com/browse/MODULES-4234)) - selinux context for iptables configuration - Replace Puppet.version.to_f with Puppet::Util::Package.versioncmp ([MODULES-4528](https://tickets.puppetlabs.com/browse/MODULES-4528)) ## Supported Release 1.8.2 ### Summary This release includes numerous features and bugfixes, See below. #### Bugfixes - Fixing issue with double quotes being removed when part of the rule comment - Add the --wait flag to the insert/update/delete iptables actions to prevent failures from occurring when iptables is running outside of puppet for iptables >= 1.4.20 - Fix iptables_version and ip6tables_version facts not returning the version #### Features - Support for multiple IP sets in a single rule - Implement queue_bypass and queue_num parameters for NFQUEUE jump target - Tighten SELinux permissions on persistent files - RHEL7 SELinux support for puppet 3 - Manage ip6tables service for Redhat Family ## Supported Release 1.8.1 ### Summary This release documents an important issue with mcollective that may impact users of the firewall module. Workarounds are suggested as part of this advisory until mcollective can be patched. #### Bugfixes - Add mcollective rule-reversal known limitation ## Supported Release 1.8.0 ### Summary This release includes numerous features, bugfixes and other improvements including better handling when trying to delete already absent rules. #### Features - Added new 'pkg_ensure' parameter to allow the updating of the iptables package. 
- Added new 'log_uid' property. - Added 'sctp' to the 'proto' property. - Added support for IPv6 NAT in Linux kernels >= 3.7. - Added support for the security table. #### Bugfixes - (MODULES-2783) Replaced hardcoded iptables service references with $service_name variable. - (MODULES-1341) Recover when deleting absent rules. - (MODULES-3032) Facter flush is called to clear Facter cache get up to date value for ':iptables_persistent_version'. - (MODULES-2159) Fixed idempotency issue when using connlimit. - Fixed the handling of chain names that contain '-f'. #### Improvements - Numerous unit and acceptance test improvements. - Improved handling/use of the '$::iptables_persistent_version' custom fact. - Better handling of operating systems that use SELinux. ## Supported Release 1.7.2 ### Summary Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. ## 2015-08-25 - Supported Release 1.7.1 ### Summary This is a bugfix release to deprecate the port parameter. Using the unspecific 'port' parameter can lead to firewall rules that are unexpectedly too lax. It is recommended to always use the specific dport and sport parameters to avoid this ambiguity. #### Bugfixes - Deprecate the port parameter ## 2015-07-28 - Supported Release 1.7.0 ### Summary This release includes numerous features, bugfixes and other improvements including Puppet 4 & PE 2015.2 support as well as ClusterIP and DSCP jump target support. #### Features - Puppet 4 and PE 2015.2 official support - ClusterIP jump target (including options) now supported - DSCP jump target (including options) now supported - SLES 10 now compatible (but not supported) #### Bugfixes - (MODULES-1967) Parse escape sequences from iptables - (MODULES-1592) Allow src_type and dst_type prefixed with '!' 
to pass validation - (MODULES-2186) - iptables rules with -A in comment now supported - (MODULES-1976) Revise rule name validation for ruby 1.9 - Fix installation hang on Debian Jessie - Fix for physdev idempotency on EL5 #### Improvements - Documentation improvements - Enforce the seluser on selinux systems - All the relevant services are now autorequired by the firewall and firewallchain types - Replace Facter.fact().value() calls with Facter.value() to support Facter 3 ## 2015-05-19 - Supported Release 1.6.0 ### Summary This release includes support for TEE, MSS, the time ipt module, Debian 8 support, and a number of test fixes and other improvements. #### Features - Add TEE support - Add MSS support (including clamp-mss-to-pmtu support) - Add support for the time ipt module (-m time) - Add support for Debian 8 - Add support for ICMPv6 types 'neighbour-{solicitation,advertisement}' - Add support for ICMPv6 type 'too-big' - Add support for new 'match_mark' property - Added 'ipv4' and 'ipv6' options to 'proto' property #### Bugfixes - Fix for Systemd-based OSes where systemd needs to be restarted before being able to pick up new services (MODULES-1984) - Arch Linux package management fix ## 2015-03-31 - Supported Release 1.5.0 ### Summary This release includes physdev_is_bridged support, checksum_fill support, basic Gentoo compatibility, and a number of test fixes and improvements. 
#### Features - Add `physdev_is_bridged` support - Add `checksum_fill` support - Add basic Gentoo compatibility (unsupported) #### Bugfixes - Implementation for resource map munging to allow a single ipt module to be used multiple times in a single rule on older versions of iptables (MODULES-1808) - Test fixes ## 2015-01-27 - Supported Release 1.4.0 ### Summary This release includes physdev support, the ability to look up usernames from uuid, and a number of bugfixes #### Features - Add `netmap` feature - Add `physdev` support - Add ability to look up username from uuid (MODULES-753, MODULES-1688) #### Bugfixes - Sync iptables/ip6tables providers (MODULES-1612) - Fix package names for Amazon and Ubuntu 14.10 (MODULES-1029) - Fix overly aggressive gsub when `ensure => absent` (MODULES-1453) - Unable to parse `-m (tcp|udp)` rules (MODULES-1552) - Fix ip6tables provider when `iptables-ipv6` package isn't installed for EL6 (MODULES-633) - Test fixes ## 2014-12-16 - Supported Release 1.3.0 ### Summary This release includes a number of bugfixes and features, including fixing `tcp_flags` support, and added support for interface aliases, negation for iniface and outiface, and extra configurability for packages and service names. #### Features - Add support for interface aliases (eth0:0) (MODULES-1469) - Add negation for iniface, outiface (MODULES-1470) - Make package and service names configurable (MODULES-1309) #### Bugfixes - Fix test regexes for EL5 (MODULES-1565) - Fix `tcp_flags` support for ip6tables (MODULES-556) - Don't arbitrarily limit `set_mark` for certain chains ## 2014-11-04 - Supported Release 1.2.0 ### Summary This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules. #### Features - Documentation updates! - Test updates! 
- Add ipset support - Enable rule inversion - Future parser support - Improved support for EL7 - Support netfilter-persistent - Add support for statistics module - Add support for mac address source rules - Add cbt protocol #### Bugfixes - Incorrect use of `source => :iptables` in the ip6tables provider was making it impossible to purge ip6tables rules (MODULES-41) - Don't require `toports` when `jump => 'REDIRECT'` (MODULES-1086) - Don't limit which chains iniface and outiface parameters can be used in - Don't fail on rules added with ipsec/strongswan (MODULES-796) ## 2014-07-08 - Supported Release 1.1.3 ### Summary This is a supported release with test coverage enhancements. #### Bugfixes - Confine to supported kernels ## 2014-06-04 - Release 1.1.2 ### Summary This is a release of the code previously released as 1.1.1, with updated metadata. ## 2014-05-16 Release 1.1.1 ### Summary This release reverts the alphabetical ordering of 1.1.0. We found this caused a regression in the Openstack modules so in the interest of safety we have removed this for now. ## 2014-05-13 Release 1.1.0 ### Summary This release has a significant change from previous releases; we now apply the firewall resources alphabetically by default, removing the need to create pre and post classes just to enforce ordering. It only affects default ordering and further information can be found in the README about this. Please test this in development before rolling into production out of an abundance of caution. We've also added `mask` which is required for --recent in recent (no pun intended) versions of iptables, as well as connlimit and connmark. This release has been validated against Ubuntu 14.04 and RHEL7 and should be fully working on those platforms. #### Features - Apply firewall resources alphabetically. - Add support for connlimit and connmark. - Add `mask` as a parameter. (Used exclusively with the recent parameter). #### Bugfixes - Add systemd support for RHEL7. 
- Replace &&'s with the correct and in manifests. - Fix tests on Trusty and RHEL7 - Fix for Fedora Rawhide. - Fix boolean flag tests. - Fix DNAT->SNAT typo in an error message. #### Known Bugs - For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. ## 2014-03-04 Supported Release 1.0.2 ### Summary This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a separate filesystem from the modulepath. #### Features #### Bugfixes #### Known Bugs - For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. ### Supported release - 2014-03-04 1.0.1 #### Summary An important bugfix was made to the offset calculation for unmanaged rules to handle rules with 9000+ in the name. #### Features #### Bugfixes - Offset calculations assumed unmanaged rules were numbered 9000+. - Gracefully fail to manage ip6tables on iptables 1.3.x #### Known Bugs - For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. --- ### 1.0.0 - 2014-02-11 No changes, just renumbering to 1.0.0. --- ### 0.5.0 - 2014-02-10 ##### Summary: This is a bigger release that brings in "recent" connection limiting (think "port knocking"), firewall chain purging on a per-chain/per-table basis, and support for a few other use cases. This release also fixes a major bug which could cause modifications to the wrong rules when unmanaged rules are present. 
##### New Features: - Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`, `rname`, `rseconds`, `rsource`, and `rttl` - Add negation support for source and destination - Add per-chain/table purging support to `firewallchain` - IPv4 specific - Add random port forwarding support - Add ipsec policy matching via `ipsec_dir` and `ipsec_policy` - IPv6 specific - Add support for hop limiting via `hop_limit` parameter - Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag` - Add support for conntrack stateful firewall matching via `ctstate` ##### Bugfixes: - Boolean fixups allowing false values - Better detection of unmanaged rules - Fix multiport rule detection - Fix sport/dport rule detection - Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter - Allow INPUT with the nat table - Fix `src_range` & `dst_range` order detection - Documentation clarifications - Fixes to spec tests --- ### 0.4.2 - 2013-09-10 Another attempt to fix the packaging issue. We think we understand exactly what is failing and this should work properly for the first time. --- ### 0.4.1 - 2013-08-09 Bugfix release to fix a packaging issue that may have caused puppet module install commands to fail. --- ### 0.4.0 - 2013-07-11 This release adds support for address type, src/dest ip ranges, and adds additional testing and bugfixes. #### Features - Add `src_type` and `dst_type` attributes (Nick Stenning) - Add `src_range` and `dst_range` attributes (Lei Zhang) - Add SL and SLC operatingsystems as supported (Steve Traylen) #### Bugfixes - Fix parser for bursts other than 5 (Chris Rutter) - Fix parser for -f in --comment (Georg Koester) - Add doc headers to class files (Dan Carley) - Fix lint warnings/errors (Wolf Noble) --- ### 0.3.1 - 2013/6/10 This minor release provides some bugfixes and additional tests. 
#### Changes - Update tests for rspec-system-puppet 2 (Ken Barber) - Update rspec-system tests for rspec-system-puppet 1.5 (Ken Barber) - Ensure all services have 'hasstatus => true' for Puppet 2.6 (Ken Barber) - Accept pre-existing rule with invalid name (Joe Julian) - Swap log_prefix and log_level order to match the way it's saved (Ken Barber) - Fix log test to replicate bug #182 (Ken Barber) - Split arguments while maintaining quoted strings (Joe Julian) - Add more log param tests (Ken Barber) - Add extra tests for logging parameters (Ken Barber) - Clarify OS support (Ken Barber) --- ### 0.3.0 - 2013/4/25 This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions. ##### Changes - Fix error reporting for insane hostnames (Tomas Doran) - Support systemd on Fedora 15 and up (Eduardo Gutierrez) - Move examples to docs (Ken Barber) - Add support for Arch Linux platform (Ingmar Steen) - Add match rule for fragments (Georg Koester) - Fix boolean rules being recognized as changed (Georg Koester) - Same rules now get deleted (Anastasis Andronidis) - Socket params test (Ken Barber) - Ensure parameter can disable firewall (Marc Tardif) --- ### 0.2.1 - 2012/3/13 This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version. ##### Changes - (GH-139) Throw away STDERR from dpkg-query in Fact - Update README to be consistent with module documentation template - Fix failing spec tests due to dpkg change in iptables_persistent_version --- ### 0.2.0 - 2012/3/3 This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persisting the running rules to the OS persistence file. Previously you would have required the following in your site.pp (or some other global location): # Always persist firewall rules exec { 'persist-firewall': command => $operatingsystem ? 
{ 'debian' => '/sbin/iptables-save > /etc/iptables/rules.v4', /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables', }, refreshonly => true, } Firewall { notify => Exec['persist-firewall'], before => Class['my_fw::post'], require => Class['my_fw::pre'], } Firewallchain { notify => Exec['persist-firewall'], } resources { "firewall": purge => true } You only need: class { 'firewall': } Firewall { before => Class['my_fw::post'], require => Class['my_fw::pre'], } To install pre-requisites and to create dependencies on your pre & post rules. Consult the README for more information. ##### Changes - Firewall class manifests (Dan Carley) - Firewall and firewallchain persistence (Dan Carley) - (GH-134) Autorequire iptables related packages (Dan Carley) - Typo in #persist_iptables OS normalisation (Dan Carley) - Tests for #persist_iptables (Dan Carley) - (GH-129) Replace errant return in autoreq block (Dan Carley) --- ### 0.1.1 - 2012/2/28 This release primarily fixes changing parameters in 3.x ##### Changes - (GH-128) Change method_missing usage to define_method for 3.x compatibility - Update travis.yml gem specifications to actually test 2.6 - Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility --- ### 0.1.0 - 2012/2/24 This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-). 
##### Changes - Add support for MARK target and set-mark property (Johan Huysmans) - Fix broken call to super for ruby-1.9.2 in munge (Ken Barber) - simple fix of the error message for allowed values of the jump property (Daniel Black) - Adding OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer) - Display multi-value: port, sport, dport and state command separated (Daniel Black) - Require jump=>LOG for log params (Daniel Black) - Reject and document icmp => "any" (Dan Carley) - add firewallchain type and iptables_chain provider (Daniel Black) - Various fixes for firewallchain resource (Ken Barber) - Modify firewallchain name to be chain:table:protocol (Ken Barber) - Fix allvalidchain iteration (Ken Barber) - Firewall autorequire Firewallchains (Dan Carley) - Tests and docstring for chain autorequire (Dan Carley) - Fix README so setup instructions actually work (Ken Barber) - Support vlan interfaces (interface containing ".") (Johan Huysmans) - Add tests for VLAN support for iniface/outiface (Ken Barber) - Add the table when deleting rules (Johan Huysmans) - Fix tests since we are now prefixing -t) - Changed 'jump' to 'action', commands to lower case (Jason Short) - Support interface names containing "+" (Simon Deziel) - Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar) - Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu) - Document Util::Firewall.host_to_ip (Dan Carley) - Nullify addresses with zero prefixlen (Dan Carley) - Add support for --tcp-flags (Thomas Vander Stichele) - Make tcp_flags support a feature (Ken Barber) - OUTPUT is a valid chain for the mangle table (Adam Gibbins) - Enable travis-ci support (Ken Barber) - Convert an existing test to CIDR (Dan Carley) - Normalise iptables-save to CIDR (Dan Carley) - be clearer about what distributions we support (Ken Barber) - add gre protocol to list of acceptable protocols (Jason Hancock) - Added pkttype property (Ashley Penney) - Fix mark to not repeat rules 
with iptables 1.4.1+ (Sharif Nassar) - Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber) - Stub iptables facts for set_mark tests (Dan Carley) - Update formatting of README to meet Puppet Labs best practices (Will Hopper) - Support for ICMP6 type code resolutions (Dan Carley) - Insert order hash included chains from different tables (Ken Barber) - rspec 2.11 compatibility (Jonathan Boyett) - Add missing class declaration in README (sfozz) - array_matching is contraindicated (Sharif Nassar) - Convert port Fixnum into strings (Sharif Nassar) - Update test framework to the modern age (Ken Barber) - working with ip6tables support (wuwx) - Remove gemfile.lock and add to gitignore (William Van Hevelingen) - Update travis and gemfile to be like stdlib travis files (William Van Hevelingen) - Add support for -m socket option (Ken Barber) - Add support for single --sport and --dport parsing (Ken Barber) - Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley) - Mock Resolv.getaddress in #host_to_ip (Dan Carley) - Update docs for source and dest - they are not arrays (Ken Barber) --- ### 0.0.4 - 2011/12/05 This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group for a match: firewall { '497 match uid': port => '123', proto => 'mangle', chain => 'OUTPUT', action => 'drop' uid => '123' } This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. 
The 'source' and 'destination' now support hostnames: firewall { '498 accept from puppetlabs.com': port => '123', proto => 'tcp', source => 'puppetlabs.com', action => 'accept' } The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic': firewall { '499 logging': port => '123', proto => 'udp', log_level => 'debug', action => 'drop' } Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests. ##### Changes - (#10957) add iptables_version and ip6tables_version facts - (#11093) Improve log_level property so it converts names to numbers - (#10723) Munge hostnames and IPs to IPs with CIDR - (#10718) Add owner-match support - (#10997) Add fixtures for ipencap - (#11034) Whitespace cleanup - (#10690) add port property support to ip6tables --- ### 0.0.3 - 2011/11/12 This release introduces a new parameter 'port' which allows you to set both source and destination ports for a match: firewall { "500 allow NTP requests": port => "123", proto => "udp", action => "accept", } We also have the limit parameter finally working: firewall { "500 limit HTTP requests": dport => 80, proto => tcp, limit => "60/sec", burst => 30, action => accept, } State ordering has been fixed now, and more characters are allowed in the namevar: - Alphabetical - Numbers - Punctuation - Whitespace ##### Changes - (#10693) Ensure -m limit is added for iptables when using 'limit' param - (#10690) Create new port property - (#10700) allow additional characters in comment string - (#9082) Sort iptables --state option values internally to keep it consistent across runs - (#10324) Remove extraneous whitespace from iptables rule line in spec tests --- ### 0.0.2 - 2011/10/26 This is largely a maintenance and cleanup release, but includes the ability to specify ranges of ports in the sport/dport parameter: firewall { "500 allow port range": dport => ["3000-3030","5000-5050"], sport => ["1024-65535"], 
action => "accept", } ##### Changes - (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppet server - (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port - (#10263) Fix tests on Puppet 2.6.x - (#10163) Cleanup some of the inline documentation and README file to align with general forge usage --- ### 0.0.1 - 2011/10/18 Initial release. ##### Changes - (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter - (#10088) Provide a customised version of CONTRIBUTING.md - (#10026) Re-arrange provider and type spec files to align with Puppet - (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default - (#9439) fix parsing and deleting existing rules - (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider - (#9576) Stub provider so it works properly outside of Linux - (#9576) Align spec framework with Puppet core - and lots of other earlier development tasks ... puppetlabs-firewall-8.0.0/LICENSE0100644000175100001770000002613614561126655013515 0ustar00 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. 
For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. 
You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. puppetlabs-firewall-8.0.0/NOTICE0100644000175100001770000000146714561126655013414 0ustar00Puppet Module - puppetlabs-firewall Copyright 2018 Puppet, Inc. Copyright 2011 Jonathan Boyett Copyright 2011 Media Temple, Inc. Some of the iptables code was taken from puppet-iptables which was: Copyright 2011 Bob.sh Limited Copyright 2008 Camptocamp Association Copyright 2007 Dmitri Priimak Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. puppetlabs-firewall-8.0.0/README.md0100644000175100001770000005570714561126655013775 0ustar00# firewall [![PR Testing](https://github.com/puppetlabs/puppetlabs-firewall/actions/workflows/pr_test.yml/badge.svg)](https://github.com/puppetlabs/puppetlabs-firewall/actions/workflows/pr_test.yml) #### Table of Contents 1. [Overview - What is the firewall module?](#overview) 2. [Module description - What does the module do?](#module-description) 3. 
[Setup - The basics of getting started with firewall](#setup) * [What firewall affects](#what-firewall-affects) * [Setup requirements](#setup-requirements) * [Beginning with firewall](#beginning-with-firewall) * [Upgrading](#upgrading) 4. [Usage - Configuration and customization options](#usage) * [Default rules - Setting up general configurations for all firewalls](#default-rules) * [Application-specific rules - Options for configuring and managing firewalls across applications](#application-specific-rules) * [Rule inversion](#rule-inversion) * [Additional uses for the firewall module](#additional-uses-for-the-firewal-module) * [Duplicate rule behaviour](#duplicate-rule-behaviour) * [Additional information](#additional-information) 5. [Reference - An under-the-hood peek at what the module is doing](#reference) 6. [Limitations - OS compatibility, etc.](#limitations) 7. [License](#license) 7. [Firewall_multi - Arrays for certain parameters](#firewall_multi) 8. [Development - Guide for contributing to the module](#development) * [Tests - Testing your configuration](#tests) ## Overview The firewall module lets you manage firewall rules with Puppet. ## Module description PuppetLabs' firewall module introduces the `firewall` resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the `firewallchain` resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported. The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining `pre` and `post` rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs. 
## Setup ### What firewall affects * Every node running a firewall * Firewall settings in your system * Connection settings for managed nodes * Unmanaged resources (get purged) ### Setup requirements Firewall uses Ruby-based providers, so you must enable [pluginsync](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync). ### Beginning with firewall In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them. If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server. The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section. #### Create the `my_fw::pre` and `my_fw::post` Classes This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed. The code in this section does the following: * The 'require' parameter in `firewall {}` ensures `my_fw::pre` is run before any other rules. * In the `my_fw::post` class declaration, the 'before' parameter ensures `my_fw::post` is run after any other rules. The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. 
The rules you define in your manifests are likely to be specific to the applications you run. 1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run. ```puppet class my_fw::pre { Firewall { require => undef, } # Default firewall rules firewall { '000 accept all icmp': proto => 'icmp', jump => 'accept', } -> firewall { '001 accept all to lo interface': proto => 'all', iniface => 'lo', jump => 'accept', } -> firewall { '002 reject local traffic not on loopback interface': iniface => '! lo', proto => 'all', destination => '127.0.0.1/8', jump => 'reject', } -> firewall { '003 accept related established rules': proto => 'all', state => ['RELATED', 'ESTABLISHED'], jump => 'accept', } } ``` The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed. 2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last. ```puppet class my_fw::post { firewall { '999 drop all': proto => 'all', jump => 'drop', before => undef, } } ``` Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy: ```puppet firewallchain { 'INPUT:filter:IPv4': ensure => present, policy => drop, before => undef, } ``` #### Create firewall rules The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box. Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables. 1. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run. 
```puppet Firewall { before => Class['my_fw::post'], require => Class['my_fw::pre'], } ``` 2. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code: ```puppet class { ['my_fw::pre', 'my_fw::post']: } ``` 3. Include the `firewall` class to ensure the correct packages are installed: ```puppet class { 'firewall': } ``` 4. If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine. ```puppet resources { 'firewall': purge => true, } ``` To purge unmanaged firewall chains, add: ```puppet resources { 'firewallchain': purge => true, } ``` Internal chains can not be deleted. In order to avoid all the confusing Warning/Notice messages when using `purge => true`, like these ones: Warning: Inbuilt Chains may not be deleted. Chain `POSTROUTING:mangle:IPv6` will be flushed and have it's policy reverted to default. Please create firewallchains for every internal chain. Here is an example: ```puppet firewallchain { 'POSTROUTING:mangle:IPv6': ensure => present, } resources { 'firewallchain': purge => true, } ``` > **Note:** If you need more fine-grained control about which unmananged rules get removed, investigate the `purge` and `ignore_foreign` parameters available in `firewallchain`. > **Note:** `ignore_foreign` of `firewallchain` does not work as expected with a resources purge of `firewall`. ### Upgrading Use these steps if you already have a version of the firewall module installed. #### From version 0.2.0 and more recent Upgrade the module with the puppet module tool as normal: puppet module upgrade puppetlabs/firewall ## Usage There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. 
Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc. All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last. **Note:** The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range. ### Default rules You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last. In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'. #### Examples of default rules Basic accept ICMP request example: ```puppet firewall { '000 accept all icmp requests': proto => 'icmp', jump => 'accept', } ``` Drop all: ```puppet firewall { '999 drop all other requests': jump => 'drop', } ``` #### Example of an IPv6 rule IPv6 rules can be specified using the _ip6tables_ provider: ```puppet firewall { '006 Allow inbound SSH (v6)': dport => 22, proto => 'tcp', jump => 'accept', protocol => 'ip6tables', } ``` ### Application-specific rules Puppet doesn't care where you define rules, and this means that you can place your firewall resources as close to the applications and services that you manage as you wish. If you use the [roles and profiles pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it makes sense to create your firewall rules in the profiles, so they remain close to the services managed by the profile. 
This is an example of firewall rules in a profile: ```puppet class profile::apache { include apache apache::vhost { 'mysite': ensure => present, } firewall { '100 allow http and https access': dport => [80, 443], proto => 'tcp', jump => 'accept', } } ``` ### Rule inversion Firewall rules may be inverted by prefixing the value of a parameter by "! ". Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range and src\_type. If the value is an array, then either the first value of the array, or all of its values must be prefixed in order to invert them all. For most array attributes it is not possible to invert only one passed value. Examples: ```puppet firewall { '001 disallow esp protocol': jump => 'accept', proto => '! esp', } firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset': chain => 'INPUT', state => 'NEW', jump => 'drop', proto => 'tcp', sport => ['! http', '443'], source => '! 10.0.0.0/8', tcp_flags => '! FIN,SYN,RST,ACK SYN', } ``` There are exceptions to this however, with attributes such as src\_type, dst\_type and ipset allowing the user to negate each passed values seperately. Examples: ```puppet firewall { '001 allow local disallow anycast': jump => 'accept', src_type => ['LOCAL', '! ANYCAST'], } ``` ### Additional uses for the firewall module You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows: ```puppet node 'some.node.com' { firewall { '111 open port 111': dport => 111, } } ``` You can also do more complex things with the `firewall` resource. 
This example sets up static NAT for the source network 10.1.2.0/24: ```puppet firewall { '100 snat for network foo2': chain => 'POSTROUTING', jump => 'MASQUERADE', proto => 'all', outiface => 'eth0', source => '10.1.2.0/24', table => 'nat', } ``` You can also change the TCP MSS value for VPN client traffic: ```puppet firewall { '110 TCPMSS for VPN clients': chain => 'FORWARD', table => 'mangle', source => '10.0.2.0/24', proto => 'tcp', tcp_flags => 'SYN,RST SYN', mss => '1361:1541', set_mss => '1360', jump => 'TCPMSS', } ``` The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target: ```puppet firewall { '503 Mirror traffic to IDS': proto => 'all', jump => 'TEE', gateway => '10.0.0.2', chain => 'PREROUTING', table => 'mangle', } ``` The following example creates a new chain and forwards any port 5000 access to it. ```puppet firewall { '100 forward to MY_CHAIN': chain => 'INPUT', jump => 'MY_CHAIN', } # The namevar here is in the format chain_name:table:protocol firewallchain { 'MY_CHAIN:filter:IPv4': ensure => present, } firewall { '100 my rule': chain => 'MY_CHAIN', jump => 'accept', proto => 'tcp', dport => 5000, } ``` Setup NFLOG for a rule. ```puppet firewall {'666 for NFLOG': proto => 'all', jump => 'NFLOG', nflog_group => 3, nflog_prefix => 'nflog-test', nflog_size => 256, nflog_threshold => 1, } ``` ### Duplicate rule behaviour It is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This configuration is not supported by the firewall module. In the event of a duplicate rule, the module will throw an error message notifying the user that it has found a duplicate and halt in it's update. This behaviour was previously configurable via the `onduplicaterulebehaviour` parameter. 
However the implementation of this resulted in a massive slowdown of the module and so this has been removed in favour of a simple error being thrown whenever a duplicate is detected. ### Additional information Access the inline documentation: puppet describe firewall Or puppet doc -r type (and search for firewall) ## Reference For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob/main/REFERENCE.md). For information on the facts, see below. Facts: * [ip6tables_version](#fact-ip6tablesversion) * [iptables_version](#fact-iptablesversion) * [iptables_persistent_version](#fact-iptablespersistentversion) ### Fact: ip6tables_version A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution. ### Fact: iptables_version A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution. ### Fact: iptables_persistent_version Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact. ## Limitations For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/main/metadata.json) ### SLES The `socket` parameter is not supported on SLES. In this release it will cause the catalog to fail with iptables failures, rather than correctly warn you that the features are unusable. ### Oracle Enterprise Linux The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux when the "Unbreakable" kernel is used. These may function correctly when using the stock RedHat kernel instead. Declaring either of these parameters on an unsupported system will result in iptable rules failing to apply. 
## Passing firewall parameter values as arrays with `firewall_multi` module You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays. A community module, [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi), provides a defined type wrapper to spawn firewall resources for arrays of certain inputs. For example: ```puppet firewall_multi { '100 allow http and https access': source => [ '10.0.10.0/24', '10.0.12.0/24', '10.1.1.128', ], dport => [80, 443], proto => 'tcp', jump => 'accept', } ``` For more information see the documentation at [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi). ### Known issues #### MCollective causes PE to reverse firewall rule order Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x. If you use MCollective to kick off Puppet runs (`mco puppet runonce -I agent.example.com`) while also using the [`puppetlabs/firewall`](https://forge.puppet.com/puppetlabs/firewall) module, your firewall rules might be listed in reverse order. In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails. To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead: * Run `puppet agent -t` on the command line. * Use a cron job. * Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console. ### condition parameter The `condition` parameter requires `xtables-addons` to be installed locally. 
On Ubuntu distributions, the `xtables-addons-common` package can be installed by running the command:
If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support). If you submit a change to this module, be sure to regenerate the reference documentation as follows: ```bash puppet strings generate --format markdown --out REFERENCE.md ``` ### Testing Make sure you have: * rake * bundler Install the necessary gems: ```text bundle install ``` And run the tests from the root of the source code: ```text bundle exec rake parallel_spec ``` See the Github Action runs for information on running the acceptance and other tests. ### Migration path to v7.0.0 As of `v7.0.0` of this module a major rework has been done to adopt the [puppet-resource_api](https://github.com/puppetlabs/puppet-resource_api) into the module and use it style of code in place of the original form of Puppet Type and Providers. This was done in the most part to increase the ease with with the module could be maintained and updated in the future, the changes helping to structure the module in such a way as to be more easily understood and altered going forward. As part of this process several breaking changes where made to the code that will need to be accounted for whenever you update to this new version of the module, with these changes including: * The `provider` attibute within the `firewall` type has been renamed to `protocol`, both to bring it in line with the matching attribute within the `firewallchain` type and due to the resource_api forbidding the use of `provider` as a attribute name. As part of this the attribute has also been updated to accept `IPv4` and `IPv6` in place of `iptables` or `ip6tables`, though they are still valid as input. * The `action` attribute within the `firewall` type has been removed as it was merely a restricted version of the `jump` attribute, both of them managing the same function, this being reasoned as a way to enforce the use of generic parameters. 
From this point the parameters formerly unique to `action` should now be passed to `jump`. * Strict types have now been implemented for all attributes, while this should not require changes on the user end in most cases, there may be some instances where manifests will require updated to match the new expected form of input. * Attributes that allow both arrays and negated values have now been updated. * For attributes that require that all passed values be negated as one, you now merely have to negate the first value within the array, rather than all of them, though negating all is still accepted. * For attributes that allow passed values to be negated seperately this is not the case. All attributes in this situation are noted within their description. * The `sport` and `dport` attributes have been updated so that they will now accept with `:` or `-` as a separator when passing ranges, with `:` being preferred as it matchs what is passed to iptables. Two pairs of manifest taken from the tests can be seen below, illustrating the changes that may be required, the first applying a hoplimit on `ip6tables`: ```Puppet firewall { '571 - hop_limit': ensure => present, proto => 'tcp', dport => '571', action => 'ACCEPT', hop_limit => '5', provider => 'ip6tables', } ``` ```Puppet firewall { '571 - hop_limit': ensure => present, proto => 'tcp', dport => '571', jump => 'accept', hop_limit => '5', protocol => 'IPv6', } ``` And the second negating access to a range of ports on `iptables`: ```puppet firewall { '560 - negated ports': proto => `tcp`, sport => ['! 560-570','! 580'], action => `accept`, } ``` ```puppet firewall { '560 - negated ports': proto => `tcp`, sport => '! 560:570','580', jump => `accept`, } ``` puppetlabs-firewall-8.0.0/REFERENCE.md0100644000175100001770000016260314561126655014330 0ustar00# Reference ## Table of Contents ### Classes #### Public Classes * [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. 
At the moment this takes care of: iptables-persistent package ins #### Private Classes * `firewall::linux`: Main linux class, includes all other classes * `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems. * `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot. * `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems. * `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems. * `firewall::params`: Provides defaults for the Apt module parameters ### Resource types * [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet via iptables. **Autorequires:** If Puppet is managing the iptables * [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls. Currently this supports only iptables, ip6tables and ebtables on Linu ## Classes ### `firewall` Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package installation Include the firewall class for nodes that need to use the resources in this module: #### Examples ##### ```puppet class { 'firewall': } ``` #### Parameters The following parameters are available in the `firewall` class: * [`ensure`](#-firewall--ensure) * [`ensure_v6`](#-firewall--ensure_v6) * [`pkg_ensure`](#-firewall--pkg_ensure) * [`service_name`](#-firewall--service_name) * [`service_name_v6`](#-firewall--service_name_v6) * [`package_name`](#-firewall--package_name) * [`ebtables_manage`](#-firewall--ebtables_manage) ##### `ensure` Data type: `Enum[running, stopped, 'running', 'stopped']` Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. 
Default value: `running` ##### `ensure_v6` Data type: `Optional[Enum[running, stopped, 'running', 'stopped']]` Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. Default value: `undef` ##### `pkg_ensure` Data type: `Enum[present, installed, latest, 'present', 'installed', 'latest']` Controls the state of the iptables package on your system. Valid options: 'present', 'installed' or 'latest'. Default value: `present` ##### `service_name` Data type: `Variant[String[1], Array[String[1]]]` Specify the name of the IPv4 iptables service. Default value: `$firewall::params::service_name` ##### `service_name_v6` Data type: `Optional[String[1]]` Specify the name of the IPv6 iptables service. Default value: `$firewall::params::service_name_v6` ##### `package_name` Data type: `Optional[Variant[String[1], Array[String[1]]]]` Specify the platform-specific package(s) to install. Default value: `$firewall::params::package_name` ##### `ebtables_manage` Data type: `Boolean` Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure. Default value: `false` ## Resource types ### `firewall` This type provides the capability to manage firewall rules within puppet via iptables. **Autorequires:** If Puppet is managing the iptables chains specified in the `chain` or `jump` parameters, the firewall resource will autorequire those firewallchain resources. If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, the firewall resource will autorequire those packages to ensure that any required binaries are installed. #### Providers * Required binaries: iptables-save, iptables. * Default for kernel == linux. 
* Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. #### Features * address_type: The ability to match on source or destination address type. * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. * condition: Match if a specific condition variable is (un)set (requires xtables-addons) * connection_limiting: Connection limiting features. * conntrack: Connection tracking features. * dnat: Destination NATing. * hop_limiting: Hop limiting features. * icmp_match: The ability to match ICMP types. * interface_match: Interface matching. * iprange: The ability to match on source or destination IP range. * ipsec_dir: The ability to match IPsec policy direction. * ipsec_policy: The ability to match IPsec policy. * iptables: The provider provides iptables features. * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet. * isfragment: The ability to match fragments. * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet. * islastfrag: The ability to match the last fragment of an ipv6 packet. * length: The ability to match the length of the layer-3 payload. * log_level: The ability to control the log level. * log_prefix: The ability to add prefixes to log messages. * log_uid: The ability to log the userid of the process which generated the packet. * log_tcp_sequence: The ability to log TCP sequence numbers. * log_tcp_options: The ability to log TCP packet header. 
* log_ip_options: The ability to log IP/IPv6 packet header. * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask. * nflog_group: The ability to set the group number for NFLOG. * nflog_prefix: The ability to set a prefix for nflog messages. * nflog_size: Set the max size of a message to send to nflog. * nflog_threshold: The ability to set nflog_threshold. * owner: The ability to match owners. * pkttype: The ability to match a packet type. * rate_limiting: Rate limiting features. * recent_limiting: The netfilter recent module. * reject_type: The ability to control reject messages. * set_mss: Set the TCP MSS of a packet. * snat: Source NATing. * socket: The ability to match open sockets. * state_match: The ability to match stateful firewall states. * string_matching: The ability to match a given string by using some pattern matching strategy. * tcp_flags: The ability to match on particular TCP flag settings. * netmap: The ability to map entire subnets via source or destination nat rules. * hashlimit: The ability to use the hashlimit-module. * bpf: The ability to use Berkeley Paket Filter rules. * ipvs: The ability to match IP Virtual Server packets. * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. * random_fully: The ability to use --random-fully flag. #### Properties The following properties are available in the `firewall` type. ##### `burst` Data type: `Optional[Integer[1]]` Rate limiting burst value (per second) before limit checks apply. ##### `bytecode` Data type: `Optional[String[1]]` Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility. ##### `cgroup` Data type: `Optional[String[1]]` Matches against the net_cls cgroup ID of the packet. 
To negate add a space separated `!` to the beginning of the string ##### `chain` Data type: `String[1]` Name of the chain the rule will be a part of, ensure the chain you choose exists within your set table. Can be one of the built-in chains: * INPUT * FORWARD * OUTPUT * PREROUTING * POSTROUTING Or you can provide a user-based chain. Defaults to 'INPUT' Default value: `INPUT` ##### `checksum_fill` Data type: `Optional[Boolean]` Compute and fill missing packet checksums. ##### `clamp_mss_to_pmtu` Data type: `Optional[Boolean]` Sets the clamp mss to pmtu flag. ##### `clusterip_clustermac` Data type: `Optional[Pattern[/^([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address. This is IPv4 specific. ##### `clusterip_hash_init` Data type: `Optional[String[1]]` Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. This is IPv4 specific. ##### `clusterip_hashmode` Data type: `Optional[Enum['sourceip', 'sourceip-sourceport', 'sourceip-sourceport-destport']]` Used with the CLUSTERIP jump target. Specify the hashing mode. This is IPv4 specific. ##### `clusterip_local_node` Data type: `Optional[Integer[1]]` Used with the CLUSTERIP jump target. Specify the local node number within this cluster. This is IPv4 specific. ##### `clusterip_new` Data type: `Optional[Boolean]` Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. This is IPv4 specific. ##### `clusterip_total_nodes` Data type: `Optional[Integer[1]]` Used with the CLUSTERIP jump target. Number of total nodes within this cluster. This is IPv4 specific. ##### `condition` Data type: `Optional[String[1]]` Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
##### `connlimit_above` Data type: `Optional[Integer]` Connection limiting value for matched connections above n. ##### `connlimit_mask` Data type: `Optional[Integer[0,128]]` Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128 ##### `connlimit_upto` Data type: `Optional[Integer]` Connection limiting value for matched connections below or equal to n. ##### `connmark` Data type: `Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match the Netfilter mark value associated with the packet, accepts a mark. This value will be converted to hex if it is not already. This value can be negated by adding a space separated `!` to the beginning. ##### `ctdir` Data type: `Optional[Enum['REPLY', 'ORIGINAL']]` Matches a packet that is flowing in the specified direction using the conntrack module. If this flag is not specified at all, matches packets in both directions. Values can be: * REPLY * ORIGINAL ##### `ctexpire` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Matches a packet based on lifetime remaining in seconds or range of seconds using the conntrack module. For example: ctexpire => '100' ctexpire => '100:150' ##### `ctorigdst` Data type: `Optional[String[1]]` The original destination address using the conntrack module. For example: ctorigdst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigdst => '! 192.168.2.0/24' The ctorigdst can also be an IPv6 address if your provider supports it. ##### `ctorigdstport` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The original destination port to match for this filter using the conntrack module.
For example: ctorigdstport => '80' You can also specify a port range: For example: ctorigdstport => '80:81' You can also negate a port by putting ! in front. For example: ctorigdstport => '! 80' ##### `ctorigsrc` Data type: `Optional[String[1]]` The original source address using the conntrack module. For example: ctorigsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigsrc => '! 192.168.2.0/24' The ctorigsrc can also be an IPv6 address if your provider supports it. ##### `ctorigsrcport` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The original source port to match for this filter using the conntrack module. For example: ctorigsrcport => '80' You can also specify a port range: For example: ctorigsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctorigsrcport => '! 80' ##### `ctproto` Data type: `Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The specific layer-4 protocol number to match for this rule using the conntrack module. ##### `ctrepldst` Data type: `Optional[String[1]]` The reply destination address using the conntrack module. For example: ctrepldst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctrepldst => '! 192.168.2.0/24' The ctrepldst can also be an IPv6 address if your provider supports it. ##### `ctrepldstport` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The reply destination port to match for this filter using the conntrack module. For example: ctrepldstport => '80' You can also specify a port range: For example: ctrepldstport => '80:81' You can also negate a port by putting ! in front. 
For example: ctrepldstport => '! 80' ##### `ctreplsrc` Data type: `Optional[String[1]]` The reply source address using the conntrack module. For example: ctreplsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctreplsrc => '! 192.168.2.0/24' The ctreplsrc can also be an IPv6 address if your provider supports it. ##### `ctreplsrcport` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The reply source port to match for this filter using the conntrack module. For example: ctreplsrcport => '80' You can also specify a port range: For example: ctreplsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctreplsrcport => '! 80' ##### `ctstate` Data type: `Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/]]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED * SNAT * DNAT Can be passed either as a single String or as an Array, if passed as an array values should be passed in order: ctstate => 'INVALID' ctstate => ['INVALID', 'ESTABLISHED'] Values can be negated by adding a '!'. If you wish to negate multiple states at once, then place a ! at the start of the first array variable. For example: ctstate => ['! INVALID', 'ESTABLISHED'] Note: This will negate all passed states, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. 
##### `ctstatus` Data type: `Optional[Variant[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/], Array[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/]]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Matches a packet based on its status using the conntrack module. Values can be: * EXPECTED * SEEN_REPLY * ASSURED * CONFIRMED * NONE Can be passed either as a single String or as an Array: ctstatus => 'EXPECTED' ctstatus => ['EXPECTED', 'CONFIRMED'] Values can be negated by adding a '!'. If you wish to negate multiple states at once, then place a ! at the start of the first array variable. For example: ctstatus => ['! EXPECTED', 'CONFIRMED'] Note: This will negate all passed states, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. ##### `date_start` Data type: `Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 ##### `date_stop` Data type: `Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 ##### `destination` Data type: `Optional[String[1]]` The destination address to match. For example: destination => '192.168.1.0/24' You can also negate a mask by putting ! in front. For example: destination => '! 
192.168.2.0/24' The destination can also be an IPv6 address if your provider supports it. ##### `dport` Data type: `Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: dport => '1:1024' This would cover ports 1 to 1024. You can also negate a port by putting ! in front. For example: dport => '! 54' If you wish to negate multiple ports at once, then place a ! at the start of the first array variable. For example: dport => ['! 54','23'] Note: This will negate all passed ports, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. ##### `dst_cc` Data type: `Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ dst attribute for the module geoip ##### `dst_range` Data type: `Optional[String[1]]` The destination IP range. For example: dst_range => '192.168.1.1-192.168.1.10' You can also negate the range by putting ! in front. For example: dst_range => '! 192.168.1.1-192.168.1.10' The destination IP range must be in 'IP1-IP2' format.
##### `dst_type` Data type: `Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The destination address type. For example: dst_type => ['LOCAL'] Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: dst_type => ['LOCAL --limit-iface-in'] Each value can be negated separately using '!': dst_type => ['! UNICAST', '! LOCAL'] Will accept a single element or an array. ##### `ensure` Data type: `Enum[present, absent, 'present', 'absent']` Whether this rule should be present or absent on the target system. Default value: `present` ##### `gateway` Data type: `Optional[Pattern[/^(\d+.\d+.\d+.\d+|\w+:\w+::\w+)$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The TEE target will clone a packet and redirect this clone to another machine on the local network segment. Gateway is the target host's IP. ##### `gid` Data type: `Optional[Variant[String[1], Integer]]` GID or Group owner matching rule. Accepts a single argument only, as iptables does not accept multiple gid in a single statement. To negate add a space separated '!' in front of the value.
##### `goto` Data type: `Optional[String[1]]` The value for the iptables --goto parameter. Normal values are: * QUEUE * RETURN * DNAT * SNAT * LOG * MASQUERADE * REDIRECT * MARK But any valid chain name is allowed. ##### `hashlimit_above` Data type: `Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match if the rate is above amount/quantum. This parameter or `hashlimit_upto` and `hashlimit_name` are required when setting any other hashlimit values. Allowed forms are '40','40/sec','40/min','40/hour','40/day'. ##### `hashlimit_burst` Data type: `Optional[Integer[1]]` Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. ##### `hashlimit_dstmask` Data type: `Optional[Integer[0,32]]` When --hashlimit-mode srcip is used, all destination addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. Prefix must be between (inclusive) 0 and 32. Note that --hashlimit-dstmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. ##### `hashlimit_htable_expire` Data type: `Optional[Integer]` After how many milliseconds do hash entries expire. ##### `hashlimit_htable_gcinterval` Data type: `Optional[Integer]` How many milliseconds between garbage collection intervals. ##### `hashlimit_htable_max` Data type: `Optional[Integer]` Maximum entries in the hash. 
##### `hashlimit_htable_size` Data type: `Optional[Integer]` The number of buckets of the hash table ##### `hashlimit_mode` Data type: `Optional[Pattern[/^(?:srcip|srcport|dstip|dstport)(?:\,(?:srcip|srcport|dstip|dstport))*$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expense of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport ##### `hashlimit_name` Data type: `Optional[String[1]]` The name for the /proc/net/ipt_hashlimit/foo entry. This parameter and either `hashlimit_upto` or `hashlimit_above` are required when setting any other hashlimit values. ##### `hashlimit_srcmask` Data type: `Optional[Integer[0,32]]` When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. Prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. ##### `hashlimit_upto` Data type: `Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or `hashlimit_above` and `hashlimit_name` are required when setting any other hashlimit values. Allowed forms are '40','40/sec','40/min','40/hour','40/day'. ##### `helper` Data type: `Optional[String[1]]` Invoke the nf_conntrack_xxx helper module for this packet.
##### `hop_limit` Data type: `Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Hop limiting value for matched packets. To negate add a space separated `!` to the beginning of the value This is IPv6 specific. ##### `icmp` Data type: `Optional[Variant[String[1],Integer]]` When matching ICMP packets, this is the type of ICMP packet to match. A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type. ##### `iniface` Data type: `Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this: iniface => '! lo', ##### `ipsec_dir` Data type: `Optional[Enum['in', 'out']]` Sets the ipsec policy direction ##### `ipsec_policy` Data type: `Optional[Enum['none', 'ipsec']]` Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. ##### `ipset` Data type: `Optional[Variant[Pattern[/^(?:!\s)?\w+\s(?:src|dst)(?:,src|,dst)?$/], Array[Pattern[/^(?:!\s)?\w+\s(?:src|dst)(?:,src|,dst)?$/]]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the denylist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'denylist src,dst' To negate simply place a space separated `!` at the beginning of a value. Values can be negated independently.
##### `ipvs` Data type: `Optional[Boolean]` Matches IP Virtual Server (IPVS) packets. ##### `isfirstfrag` Data type: `Optional[Boolean]` Matches if the packet is the first fragment. Specific to IPv6. ##### `isfragment` Data type: `Optional[Boolean]` Set to true to match tcp fragments (requires proto to be set to tcp) ##### `ishasmorefrags` Data type: `Optional[Boolean]` Matches if the packet has its 'more fragments' bit set. Specific to IPv6. ##### `islastfrag` Data type: `Optional[Boolean]` Matches if the packet is the last fragment. Specific to IPv6. ##### `jump` Data type: `Optional[String[1]]` The value for the iptables --jump parameter and the action to perform on a match. Common values are: * ACCEPT - the packet is accepted * REJECT - the packet is rejected with a suitable ICMP response * DROP - the packet is dropped But can also be one of the following: * QUEUE * RETURN * DNAT * SNAT * LOG * NFLOG * NETMAP * MASQUERADE * REDIRECT * MARK * CT And any valid chain name is also allowed. If you specify no value it will simply match the rule but perform no action. ##### `kernel_timezone` Data type: `Optional[Boolean]` Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. ##### `length` Data type: `Optional[Pattern[/^([0-9]+)(:)?([0-9]+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Sets the length of layer-3 payload to match. Example values are: '500', '5:400' ##### `limit` Data type: `Optional[Pattern[/^\d+\/(?:sec(?:ond)?|min(?:ute)?|hour|day)$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Rate limiting value for matched packets. The format is: rate/[second|minute|hour|day] Example values are: '50/sec', '40/min', '30/hour', '10/day'.
##### `line` Data type: `Optional[String[1]]` A read only attribute containing the full rule, used when deleting and when applying firewallchain purge attributes. ##### `log_ip_options` Data type: `Optional[Boolean]` When combined with jump => "LOG" enables logging of the IP/IPv6 packet header. ##### `log_level` Data type: `Optional[Variant[Integer[0,7],String[1]]]` When combined with jump => "LOG" specifies the system log level to log to. Note: log level 4/warn is the default setting and as such it is not returned by iptables-save. As a result, explicitly setting `log_level` to this can result in idempotency errors. ##### `log_prefix` Data type: `Optional[String[1]]` When combined with jump => "LOG" specifies the log prefix to use when logging. ##### `log_tcp_options` Data type: `Optional[Boolean]` When combined with jump => "LOG" enables logging of the TCP packet header. ##### `log_tcp_sequence` Data type: `Optional[Boolean]` When combined with jump => "LOG" enables logging of the TCP sequence numbers. ##### `log_uid` Data type: `Optional[Boolean]` When combined with jump => "LOG" enables logging of the uid of the process making the connection. ##### `mac_source` Data type: `Optional[Pattern[/^(?:!\s)?([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ MAC Source ##### `mask` Data type: `Optional[Pattern[/^\d+\.\d+\.\d+\.\d+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Recent module; sets the mask to use when `recent` is enabled. The recent module defaults this to `255.255.255.255` when recent is set ##### `match_mark` Data type: `Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match the Netfilter mark value associated with the packet, accepts a mark. This value will be converted to hex if it is not already.
This value can be negated by adding a space separated `!` to the beginning. ##### `month_days` Data type: `Optional[Variant[Integer[0,31], Array[Integer[0,31]]]]` Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28-day or 29-day February. Can be passed either as a single value or an array of values: month_days => 5, month_days => [5, 9, 23], ##### `mss` Data type: `Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match a given TCP MSS value or range. This value can be negated by adding a space separated `!` to the beginning. ##### `nflog_group` Data type: `Optional[Integer[1, 65535]]` Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are sent (only applicable for nfnetlink_log). Defaults to 0. ##### `nflog_prefix` Data type: `Optional[String]` Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs. ##### `nflog_range` Data type: `Optional[Integer[1]]` Used with the jump target NFLOG. This has never worked, use nflog_size instead. ##### `nflog_size` Data type: `Optional[Integer[1]]` Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own size, this option overrides it. ##### `nflog_threshold` Data type: `Optional[Integer[1]]` Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1. ##### `notrack` Data type: `Optional[Boolean]` Disable connection tracking for this packet.
This parameter can be used with iptables version >= 1.8.3 ##### `outiface` Data type: `Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this: outiface => '! lo', ##### `physdev_in` Data type: `Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match if the packet is entering a bridge from the given interface. To negate the match try this: physdev_in => '! lo', ##### `physdev_is_bridged` Data type: `Optional[Boolean]` Match if the packet is traversing a bridge. ##### `physdev_is_in` Data type: `Optional[Boolean]` Matches if the packet has entered through a bridge interface. ##### `physdev_is_out` Data type: `Optional[Boolean]` Matches if the packet will leave through a bridge interface. ##### `physdev_out` Data type: `Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match if the packet is leaving a bridge via the given interface. To negate the match try this: physdev_out => '! lo', ##### `pkttype` Data type: `Optional[Enum['unicast', 'broadcast', 'multicast']]` Sets the packet type to match. ##### `proto` Data type: `Optional[Pattern[/^(?:!\s)?(?:ip(?:encap)?|tcp|udp|icmp|esp|ah|vrrp|carp|igmp|ipv4|ospf|gre|cbt|sctp|pim|all)/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The specific protocol to match for this rule. Default value: `tcp` ##### `protocol` Data type: `Enum['iptables', 'ip6tables', 'IPv4', 'IPv6']` The protocol used to set the rule; its allowed values have been expanded to bring it closer to its `firewallchain` counterpart.
Defaults to `IPv4` Note: this was previously defined as `provider`, however the resource_api does not allow this to be used as an attribute title. Default value: `IPv4` ##### `queue_bypass` Data type: `Optional[Boolean]` Allow packets to bypass `queue_num` if the userspace process is not listening ##### `queue_num` Data type: `Optional[Integer[1]]` Used with NFQUEUE jump target. What queue number to send packets to ##### `random` Data type: `Optional[Boolean]` When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping. ##### `random_fully` Data type: `Optional[Boolean]` When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping. ##### `rdest` Data type: `Optional[Boolean]` Recent module; add the destination IP address to the list. Mutually exclusive with `rsource` Must be boolean true. ##### `reap` Data type: `Optional[Boolean]` Recent module; can only be used in conjunction with the `rseconds` attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true. ##### `recent` Data type: `Optional[Enum['set', 'update', 'rcheck', 'remove', '! set', '! update', '! rcheck', '! remove']]` Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example: ``` # If anyone's appeared on the 'badguy' blacklist within # the last 60 seconds, drop their traffic, and update the timestamp. 
firewall { '100 Drop badguy traffic': recent => 'update', rseconds => 60, rsource => true, rname => 'badguy', jump => 'DROP', chain => 'FORWARD', } ``` ``` # No-one should be sending us traffic on eth0 from the # localhost, Blacklist them firewall { '101 blacklist strange traffic': recent => 'set', rsource => true, rname => 'badguy', destination => '127.0.0.0/8', iniface => 'eth0', jump => 'DROP', chain => 'FORWARD', } ``` ##### `reject` Data type: `Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route', 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]` When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. Valid values differ depending on if the protocol is `IPv4` or `IPv6`. IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited. IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable. ##### `rhitcount` Data type: `Optional[Integer[1]]` Recent module; used in conjunction with `recent => 'update'` or `recent => 'rcheck'`. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. ##### `rname` Data type: `Optional[String[1]]` Recent module; The name of the list. The recent module defaults this to `DEFAULT` when recent is set ##### `rpfilter` Data type: `Optional[Variant[Enum['loose', 'validmark', 'accept-local', 'invert'], Array[Enum['loose', 'validmark', 'accept-local', 'invert']]]]` Enable the rpfilter module.
##### `rseconds` Data type: `Optional[Integer[1]]` Recent module; used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. ##### `rsource` Data type: `Optional[Boolean]` Recent module; add the source IP address to the list. Mutually exclusive with `rdest` The recent module defaults this behaviour to true when recent is set. ##### `rttl` Data type: `Optional[Boolean]` Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the `recent => 'set'` rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true. ##### `set_dscp` Data type: `Optional[String[1]]` Set DSCP Markings. ##### `set_dscp_class` Data type: `Optional[Enum['af11', 'af12', 'af13', 'af21', 'af22', 'af23', 'af31', 'af32', 'af33', 'af41', 'af42', 'af43', 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'cs6', 'cs7', 'ef']]` This sets the DSCP field according to a predefined DiffServ class. ##### `set_mark` Data type: `Optional[Pattern[/^[a-fA-F0-9x]+(?:\/[a-fA-F0-9x]+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Set the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark. These will be converted to hex if they are not already. ##### `set_mss` Data type: `Optional[Integer[1]]` Sets the TCP MSS value for packets. ##### `socket` Data type: `Optional[Boolean]` If true, matches if an open socket can be found by doing a socket lookup on the packet. ##### `source` Data type: `Optional[String[1]]` The source address.
For example: source => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: source => '! 192.168.2.0/24' The source can also be an IPv6 address if your provider supports it. ##### `sport` Data type: `Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: sport => '1:1024' This would cover ports 1 to 1024. You can also negate a port by putting ! in front. For example: sport => '! 54' If you wish to negate multiple ports at once, then place a ! at the start of the first array element. For example: sport => ['! 54','23'] Note: This will negate all passed ports; it is not possible to negate a single element of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. ##### `src_cc` Data type: `Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ src attribute for the module geoip ##### `src_range` Data type: `Optional[String[1]]` The source IP range. For example: src_range => '192.168.1.1-192.168.1.10' You can also negate the range by appending a `!` to the front. For example: src_range => '! 192.168.1.1-192.168.1.10' The source IP range must be in 'IP1-IP2' format. 
##### `src_type` Data type: `Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The source address type. For example: src_type => 'LOCAL' Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: src_type => ['LOCAL --limit-iface-in'] It can also be negated using '!': src_type => ['! LOCAL'] Will accept a single element or an array. Each element of the array should be negated separately. ##### `stat_every` Data type: `Optional[Integer[1]]` Match one packet every nth packet. Requires `stat_mode => 'nth'` ##### `stat_mode` Data type: `Optional[Enum[nth, random]]` Set the matching mode for statistic matching. ##### `stat_packet` Data type: `Optional[Integer]` Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` ##### `stat_probability` Data type: `Optional[Variant[Integer[0,1], Float[0.0,1.0]]]` Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. 
##### `state` Data type: `Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/]]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Matches a packet based on its state in the firewall stateful inspection table. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED * SNAT * DNAT Can be passed either as a single String or as an Array: state => 'INVALID' state => ['INVALID', 'ESTABLISHED'] Values can be negated by adding a '!'. If you wish to negate multiple states at once, then place a ! at the start of the first array element. For example: state => ['! INVALID', 'ESTABLISHED'] Note: This will negate all passed states; it is not possible to negate a single element of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. ##### `string` Data type: `Optional[String[1]]` String matching feature. Matches the packet against the pattern given as an argument. To negate, add a space separated `!` to the beginning of the string. ##### `string_algo` Data type: `Optional[Enum['bm', 'kmp']]` String matching feature, pattern matching strategy. ##### `string_from` Data type: `Optional[Integer[1]]` String matching feature, offset from which we start looking for any match. ##### `string_hex` Data type: `Optional[Pattern[/^(?:!\s)?\|[a-zA-Z0-9\s]+\|$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ String matching feature. Matches the packet against the pattern given as an argument. To negate, add a space separated `!` to the beginning of the string. ##### `string_to` Data type: `Optional[Integer[1]]` String matching feature, offset up to which we should scan. 
##### `table` Data type: `Enum['nat', 'mangle', 'filter', 'raw', 'rawpost', 'broute', 'security']` The table the rule will exist in. Valid options are: * nat * mangle * filter * raw * rawpost Defaults to 'filter' Default value: `filter` ##### `tcp_flags` Data type: `Optional[Pattern[/^(?:!\s)?((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+\s((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: FIN SYN RST PSH ACK URG ALL NONE Note that you specify them in the order that iptables --list-rules would list them to avoid having puppet think you changed the flags. Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation. Can be negated by placing ! in front, i.e. ! FIN,SYN,RST,ACK SYN ##### `tcp_option` Data type: `Optional[Variant[Pattern[/^(?:!\s)?(?:[0-1][0-9]{0,2}|2[0-4][0-9]|25[0-5])$/], Integer[0,255]]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Match when the TCP option is present or absent. Given as a single TCP option, optionally prefixed with '! ' to match on absence instead. Only one TCP option can be matched in a given rule. TCP option numbers are an eight-bit field, so valid option numbers range from 0-255. ##### `time_contiguous` Data type: `Optional[Boolean]` When time_stop is smaller than time_start value, match this as a single time period instead of distinct intervals. ##### `time_start` Data type: `Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Only match during the given daytime. 
The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. ##### `time_stop` Data type: `Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. ##### `to` Data type: `Optional[String[1]]` For NETMAP this will replace the destination IP ##### `todest` Data type: `Optional[String[1]]` When using jump => "DNAT" you can specify the new destination address using this parameter. Can specify a single new destination IP address or an inclusive range of IP addresses. Optionally a port or a port range with a possible follow up baseport can be provided. Input structure: [ipaddr[-ipaddr]][:port[-port[/baseport]]] ##### `toports` Data type: `Optional[Pattern[/^\d+(?:-\d+)?$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ For REDIRECT/MASQUERADE this is the port that will replace the destination/source port. Can specify a single new port or an inclusive range of ports. ##### `tosource` Data type: `Optional[String[1]]` When using jump => "SNAT" you can specify the new source address using this parameter. Can specify a single new destination IP address or an inclusive range of IP addresses. Input structure: [ipaddr[-ipaddr]][:port[-port]] ##### `u32` Data type: `Optional[Pattern[/^0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?(?:&&0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?)*$/]]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ Enable the u32 module. Takes as an argument one of set, update, rcheck or remove. 
For example: firewall { '032 u32 test': ensure => present, table => 'mangle', chain => 'PREROUTING', u32 => '0x4&0x1fff=0x0&&0x0&0xf000000=0x5000000', jump => 'DROP', } ##### `uid` Data type: `Optional[Variant[String[1], Integer]]` UID or Username owner matching rule. Accepts a single argument only, as iptables does not accept multiple uids in a single statement. To negate add a space separated '!' in front of the value. ##### `week_days` Data type: `Optional[Variant[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun'], Array[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun']]]]` Only match on the given weekdays. Can be passed either as a single value or an array of values: week_days => 'Mon', week_days => ['Mon', 'Tue', 'Wed'], ##### `zone` Data type: `Optional[Integer]` Assign this packet to the given zone id and only have lookups done in that zone. #### Parameters The following parameters are available in the `firewall` type. * [`name`](#-firewall--name) ##### `name` namevar Data type: `Pattern[/(^\d+(?:[ \t-]\S+)+$)/]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number: 000 this runs first 999 this runs last Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. ### `firewallchain` This type provides the capability to manage rule chains for firewalls. Currently this supports only iptables, ip6tables and ebtables on Linux. It also provides support for setting the default policy on chains and tables that allow it. #### Providers * iptables_chain is the only provider that supports firewallchain. #### Features * iptables_chain: The provider provides iptables chain features. * policy: Default policy (inbuilt chains only). #### Properties The following properties are available in the `firewallchain` type. 
##### `ensure` Data type: `Enum[present, absent]` Whether this chain should be present or absent on the target system. Setting this to absent will first remove all rules associated with this chain and then delete the chain itself. Inbuilt chains however will merely have any added rules removed and, if it has been changed, their policy returned to the default. Default value: `present` ##### `ignore` Data type: `Optional[Variant[String[1], Array[String[1]]]]` Regex to perform on firewall rules to exempt unmanaged rules from purging. This is matched against the output of `iptables-save`. This can be a single regex, or an array of them. To support flags, use the ruby inline flag mechanism. Meaning a regex such as /foo/i can be written as '(?i)foo' or '(?i:foo)' Full example: ``` firewallchain { 'INPUT:filter:IPv4': purge => true, ignore => [ '-j fail2ban-ssh', # ignore the fail2ban jump rule '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule ], } ``` ##### `ignore_foreign` Data type: `Boolean` Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain. This can be used to ignore rules that were not put in by puppet. Beware that nothing keeps other systems from configuring firewall rules with a comment that starts with digits, which would then be indistinguishable from puppet-configured rules. ##### `policy` Data type: `Optional[Enum['accept', 'drop', 'queue', 'return']]` The action to take when the end of the chain is reached. This can only be set on inbuilt chains (i.e. 
INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of: * accept - the packet is accepted * drop - the packet is dropped * queue - the packet is passed to userspace * return - the packet is returned to the calling (jump) queue or the default of inbuilt chains ##### `purge` Data type: `Boolean` Whether or not to purge unmanaged rules in this chain #### Parameters The following parameters are available in the `firewallchain` type. * [`name`](#-firewallchain--name) ##### `name` namevar Data type: `Pattern[/^(?:\S+):(?:nat|mangle|filter|raw|rawpost|broute|security):(?:IP(?:v[46])?|ethernet)$/]` _*this data type contains a regex that may not be accurately reflected in generated documentation_ The canonical name of the chain with the required format being `{chain}:{table}:{protocol}`. puppetlabs-firewall-8.0.0/data0040755000000000000000000000000014561126655013300 5ustar00puppetlabs-firewall-8.0.0/data/common.yaml0100644000175100001770000000000714561126655015562 0ustar00--- {} puppetlabs-firewall-8.0.0/hiera.yaml0100644000175100001770000000125514561126655014457 0ustar00--- version: 5 defaults: # Used for any hierarchy level that omits these keys. datadir: data # This path is relative to hiera.yaml's directory. data_hash: yaml_data # Use the built-in YAML backend. 
hierarchy: - name: "osfamily/major release" paths: # Used to distinguish between Debian and Ubuntu - "os/%{facts.os.name}/%{facts.os.release.major}.yaml" - "os/%{facts.os.family}/%{facts.os.release.major}.yaml" # Used for Solaris - "os/%{facts.os.family}/%{facts.kernelrelease}.yaml" - name: "osfamily" paths: - "os/%{facts.os.name}.yaml" - "os/%{facts.os.family}.yaml" - name: 'common' path: 'common.yaml' puppetlabs-firewall-8.0.0/lib0040755000000000000000000000000014561126655013135 5ustar00puppetlabs-firewall-8.0.0/lib/facter0040755000000000000000000000000014561126655014401 5ustar00puppetlabs-firewall-8.0.0/lib/facter/ip6tables_version.rb0100644000175100001770000000046614561126655020503 0ustar00# frozen_string_literal: true Facter.add(:ip6tables_version) do confine kernel: :Linux confine { Facter::Core::Execution.which('ip6tables') } setcode do version = Facter::Core::Execution.execute('ip6tables --version', { on_fail: nil }) version.match(%r{\d+\.\d+\.\d+}).to_s if version end end puppetlabs-firewall-8.0.0/lib/facter/iptables_persistent_version.rb0100644000175100001770000000076214561126655022674 0ustar00# frozen_string_literal: true Facter.add(:iptables_persistent_version) do confine operatingsystem: ['Debian', 'Ubuntu'] setcode do # Throw away STDERR because dpkg >= 1.16.7 will make some noise if the # package isn't currently installed. cmd = "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null" version = Facter::Core::Execution.execute(cmd, { on_fail: nil }) if version.nil? 
|| !version.match(%r{\d+\.\d+}) nil else version end end end puppetlabs-firewall-8.0.0/lib/facter/iptables_version.rb0100644000175100001770000000046314561126655020412 0ustar00# frozen_string_literal: true Facter.add(:iptables_version) do confine kernel: :Linux confine { Facter::Core::Execution.which('iptables') } setcode do version = Facter::Core::Execution.execute('iptables --version', { on_fail: nil }) version.match(%r{\d+\.\d+\.\d+}).to_s if version end end puppetlabs-firewall-8.0.0/lib/puppet0040755000000000000000000000000014561126655014452 5ustar00puppetlabs-firewall-8.0.0/lib/puppet/provider0040755000000000000000000000000014561126655016304 5ustar00puppetlabs-firewall-8.0.0/lib/puppet/provider/firewall0040755000000000000000000000000014561126655020111 5ustar00puppetlabs-firewall-8.0.0/lib/puppet/provider/firewall/firewall.rb0100644000175100001770000015373214561126655022367 0ustar00# frozen_string_literal: true require_relative '../../../puppet_x/puppetlabs/firewall/utility' # Implementation for the iptables type using the Resource API. 
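class Puppet::Provider::Firewall::Firewall
  ###### GLOBAL VARIABLES ######

  # Command used to list every chain and rule, keyed by the value a resource's
  # `protocol` attribute may carry. The `iptables`/`ip6tables` spellings are
  # accepted as aliases of `IPv4`/`IPv6` and resolve to the same binary.
  $list_command = {
    'IPv4' => 'iptables-save',
    'iptables' => 'iptables-save',
    'IPv6' => 'ip6tables-save',
    'ip6tables' => 'ip6tables-save'
  }

  # Regex used to divide the output of $list_command between tables
  $table_regex = %r{(\*(?:nat|mangle|filter|raw|rawpost|broute|security)[^*]+)}
  # Regex used to retrieve the table name from one such table block
  $table_name_regex = %r{^\*(nat|mangle|filter|raw|rawpost|broute|security)}
  # Regex used to retrieve the append (`-A`) rule lines from a table block
  $rules_regex = %r{(-A.*)\n}

  # Base command for modifying rules, keyed the same way as $list_command.
  # The table name is appended right after `-t`.
  $base_command = {
    'IPv4' => 'iptables -t',
    'iptables' => 'iptables -t',
    'IPv6' => 'ip6tables -t',
    'ip6tables' => 'ip6tables -t'
  }

  # Command to add a rule to a chain
  $rule_create_command = '-I' # chain_name rule_num
  # Command to update (replace) a rule within a chain
  $rule_update_command = '-R' # chain_name rule_num
  # Command to delete a rule from a chain
  $rule_delete_command = '-D' # chain_name rule_num

  # Number range 9000-9999 is reserved for unmanaged rules
  $unmanaged_rule_regex = %r{^9[0-9]{3}\s.*$}

  # Attribute resource map: resource attribute => iptables argument.
  # The map is ordered as the attributes appear in the iptables-save/ip6tables-save output.
  # Entries whose value is an Array list alternative spellings of the argument.
  $resource_map = {
    chain: '-A',
    source: '-s',
    destination: '-d',
    iniface: '-i',
    outiface: '-o',
    physdev_in: '--physdev-in',
    physdev_out: '--physdev-out',
    physdev_is_bridged: '--physdev-is-bridged',
    physdev_is_in: '--physdev-is-in',
    physdev_is_out: '--physdev-is-out',
    proto: '-p',
    isfragment: '-f',
    isfirstfrag: '-m frag --fragid 0 --fragfirst',
    ishasmorefrags: '-m frag --fragid 0 --fragmore',
    islastfrag: '-m frag --fragid 0 --fraglast',
    stat_mode: '-m statistic --mode',
    stat_every: '--every',
    stat_packet: '--packet',
    stat_probability: '--probability',
    src_range: '--src-range',
    dst_range: '--dst-range',
    tcp_option: '--tcp-option',
    tcp_flags: '--tcp-flags',
    uid: '--uid-owner',
    gid: '--gid-owner',
    mac_source: '--mac-source',
    sport: ['-m multiport --sports', '--sport'],
    dport: ['-m multiport --dports', '--dport'],
    src_type: '-m addrtype --src-type',
    dst_type: '-m addrtype --dst-type',
    socket: '-m socket',
    pkttype: '--pkt-type',
    ipsec_dir: '--dir',
    ipsec_policy: '--pol',
    state: '--state',
    ctstate: '--ctstate',
    ctproto: '--ctproto',
    ctorigsrc: '--ctorigsrc',
    ctorigdst: '--ctorigdst',
    ctreplsrc: '--ctreplsrc',
    ctrepldst: '--ctrepldst',
    ctorigsrcport: '--ctorigsrcport',
    ctorigdstport: '--ctorigdstport',
    ctreplsrcport: '--ctreplsrcport',
    ctrepldstport: '--ctrepldstport',
    ctstatus: '--ctstatus',
    ctexpire: '--ctexpire',
    ctdir: '--ctdir',
    hop_limit: '--hl-eq',
    icmp: ['-m icmp --icmp-type', '-m icmp6 --icmpv6-type'],
    limit: '--limit',
    burst: '--limit-burst',
    length: '-m length --length',
    recent: '-m recent',
    rseconds: '--seconds',
    reap: '--reap',
    rhitcount: '--hitcount',
    rttl: '--rttl',
    rname: '--name',
    mask: '--mask',
    rsource: '--rsource',
    rdest: '--rdest',
    ipset: '-m set --match-set',
    string: '--string',
    string_hex: '--hex-string',
    string_algo: '--algo',
    string_from: '--from',
    string_to: '--to',
    jump: '-j',
    goto: '-g',
    clusterip_new: '--new',
    clusterip_hashmode: '--hashmode',
    clusterip_clustermac: '--clustermac',
    clusterip_total_nodes: '--total-nodes',
    clusterip_local_node: '--local-node',
    clusterip_hash_init: '--hash-init',
    queue_num: '--queue-num',
    queue_bypass: '--queue-bypass',
    nflog_group: '--nflog-group',
    nflog_prefix: '--nflog-prefix',
    nflog_range: '--nflog-range',
    nflog_size: '--nflog-size',
    nflog_threshold: '--nflog-threshold',
    gateway: '--gateway',
    clamp_mss_to_pmtu: '--clamp-mss-to-pmtu',
    set_mss: '--set-mss',
    set_dscp: '--set-dscp',
    set_dscp_class: '--set-dscp-class',
    todest: '--to-destination',
    tosource: '--to-source',
    toports: '--to-ports',
    to: '--to',
    checksum_fill: '--checksum-fill',
    random_fully: '--random-fully',
    random: '--random',
    log_prefix: '--log-prefix',
    log_level: '--log-level',
    log_uid: '--log-uid',
    log_tcp_sequence: '--log-tcp-sequence',
    log_tcp_options: '--log-tcp-options',
    log_ip_options: '--log-ip-options',
    reject: '--reject-with',
    set_mark: '--set-xmark',
    match_mark: '-m mark --mark',
    mss: '-m tcpmss --mss',
    connlimit_upto: '--connlimit-upto',
    connlimit_above: '--connlimit-above',
    connlimit_mask: '--connlimit-mask',
    connmark: '-m connmark --mark',
    time_start: '--timestart',
    time_stop: '--timestop',
    month_days: '--monthdays',
    week_days: '--weekdays',
    date_start: '--datestart',
    date_stop: '--datestop',
    time_contiguous: '--contiguous',
    kernel_timezone: '--kerneltz',
    u32: '--u32',
    src_cc: '--source-country',
    dst_cc: '--destination-country',
    hashlimit_upto: '--hashlimit-upto',
    hashlimit_above: '--hashlimit-above',
    hashlimit_name: '--hashlimit-name',
    hashlimit_burst: '--hashlimit-burst',
    hashlimit_mode: '--hashlimit-mode',
    hashlimit_srcmask: '--hashlimit-srcmask',
    hashlimit_dstmask: '--hashlimit-dstmask',
    hashlimit_htable_size: '--hashlimit-htable-size',
    hashlimit_htable_max: '--hashlimit-htable-max',
    hashlimit_htable_expire: '--hashlimit-htable-expire',
    hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
    bytecode: '-m bpf --bytecode',
    ipvs: '--ipvs',
    cgroup: '--cgroup',
    rpfilter: '-m rpfilter',
    condition: '--condition',
    name: '-m comment --comment',
    notrack: '--notrack',
    helper: '--helper',
    zone: '--zone'
  }

  # These are known booleans that do not take a value.
  $known_booleans = [
    :checksum_fill, :clamp_mss_to_pmtu, :isfragment, :ishasmorefrags, :islastfrag, :isfirstfrag,
    :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :random_fully, :random,
    :rdest, :reap, :rsource, :rttl, :socket, :physdev_is_bridged, :physdev_is_in, :physdev_is_out,
    :time_contiguous, :kernel_timezone, :clusterip_new, :queue_bypass, :ipvs, :notrack
  ]

  # Properties that use "-m " (with the potential to have multiple
  # arguments against the same IPT module) must be in this hash. The keys in this
  # hash are the IPT module names, with the values being an array of the respective
  # supported arguments for this IPT module.
  #
  # ** IPT Module arguments must be in order as they would appear in iptables-save **
  #
  # Exceptions:
  #   => multiport: (For some reason, the multiport arguments can't be)
  #      specified within the same "-m multiport", but works in separate
  #      ones.
  #   => addrtype: Each instance of src_type/dst_type requires its own preface
  #
  # NOTE(review): this is a class-level instance variable, so it is not visible
  # from instance methods via `@module_to_argument_mapping`; nothing in the
  # visible part of the class reads it.
  @module_to_argument_mapping = {
    physdev: [:physdev_in, :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out],
    iprange: [:src_range, :dst_range],
    tcp: [:tcp_option, :tcp_flags],
    owner: [:uid, :gid],
    mac: [:mac_source],
    policy: [:ipsec_dir, :ipsec_policy],
    condition: [:condition],
    pkttype: [:pkttype],
    state: [:state],
    conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport,
               :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
    hl: [:hop_limit],
    limit: [:limit, :burst],
    string: [:string, :string_hex, :string_algo, :string_from, :string_to],
    connlimit: [:connlimit_upto, :connlimit_above, :connlimit_mask],
    time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
    u32: [:u32],
    geoip: [:src_cc, :dst_cc],
    hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask,
                :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire,
                :hashlimit_htable_gcinterval],
    ipvs: [:ipvs],
    cgroup: [:cgroup]
  }

  # This is the order of resources as they appear in ip(6)tables-save output,
  # it is used in order to ensure that the rules are applied in the correct order.
  # This order can be determined by going through iptables source code or just tweaking and trying manually
  $resource_list = [
    :source, :destination, :iniface, :outiface, :physdev_in, :physdev_out, :physdev_is_bridged, :physdev_is_in,
    :physdev_is_out, :proto, :isfragment, :ishasmorefrags, :islastfrag, :isfirstfrag, :stat_mode, :stat_every,
    :stat_packet, :stat_probability, :src_range, :dst_range, :tcp_option, :tcp_flags, :uid, :gid, :mac_source,
    :sport, :dport, :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state, :ctstate, :ctproto,
    :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport,
    :ctstatus, :ctexpire, :ctdir, :hop_limit, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount,
    :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo, :string_from, :string_to,
    :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes,
    :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass, :nflog_group, :nflog_prefix,
    :nflog_range, :nflog_size, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp,
    :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
    :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mark, :match_mark,
    :mss, :connlimit_upto, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days,
    :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :u32, :src_cc, :dst_cc,
    :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask,
    :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire,
    :hashlimit_htable_gcinterval, :bytecode, :ipvs, :helper, :zone, :cgroup, :rpfilter, :condition, :name, :notrack
  ]

  ###### PUBLIC METHODS ######

  # Retrieve every rule currently loaded on the system, for both protocols.
  #
  # @param context [Puppet::ResourceApi::BaseContext] the Resource API context
  # @return [Array<Hash>] one hash per rule, as produced by `rule_to_hash`
  #   and post-processed by `process_get`; validated by `validate_get` first
  def get(context)
    # get_rules is a class method rather than inline here because the
    # create/update path re-uses it (in `basic` mode) to determine positions.
    rules = Puppet::Provider::Firewall::Firewall.get_rules(context, false)
    # Verify the returned data
    Puppet::Provider::Firewall::Firewall.validate_get(context, rules)
    rules
  end

  # Apply a batch of changes.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param changes [Hash{String => Hash}] rule name => { is: Hash, should: Hash };
  #   either side may be nil, which is treated as `ensure => absent`
  # @return [void]
  def set(context, changes)
    changes.each do |name, change|
      is = change[:is]
      should = change[:should]
      is = PuppetX::Firewall::Utility.create_absent(:name, name) if is.nil?
      should = PuppetX::Firewall::Utility.create_absent(:name, name) if should.nil?

      # Run static verification against both sets of values
      Puppet::Provider::Firewall::Firewall.validate_input(is, should)
      # Process the intended values so that they are inputted as they should be
      should = Puppet::Provider::Firewall::Firewall.process_input(should)

      is_ensure = is[:ensure].to_s
      should_ensure = should[:ensure].to_s

      if is_ensure == 'absent' && should_ensure == 'present'
        context.creating(name) { create(context, name, should) }
      elsif is_ensure == 'present' && should_ensure == 'absent'
        context.deleting(name) { delete(context, name, is) }
      elsif is_ensure == 'present'
        # present -> present: re-apply the rule in place
        context.updating(name) { update(context, name, should) }
      end
      # absent -> absent needs no action
    end
  end

  # Insert a new rule at the position dictated by its name ordering.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param name [String] the rule title
  # @param should [Hash] the processed desired state
  # @return [void]
  def create(context, name, should)
    context.notice("Creating Rule '#{name}' with #{should.inspect}")
    apply_rule(context, name, should, $rule_create_command)
  end

  # Replace an existing rule with its desired state.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param name [String] the rule title
  # @param should [Hash] the processed desired state
  # @return [void]
  def update(context, name, should)
    context.notice("Updating Rule '#{name}' with #{should.inspect}")
    apply_rule(context, name, should, $rule_update_command)
  end

  # Remove an existing rule.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param name [String] the rule title
  # @param is [Hash] the current state; `is[:line]` holds the raw `-A ...`
  #   line as read back from iptables-save
  # @return [void]
  def delete(context, name, is)
    context.notice("Deleting Rule '#{name}'")
    # When deleting we use the retrieved iptables-save append command as a base.
    # We do this to ensure accuracy when removing non-standard (i.e. uncommented)
    # rules via the firewallchain purge function.
    arguments = is[:line].gsub(%r{^-A}, $rule_delete_command)
    Puppet::Provider.execute([$base_command[is[:protocol]], is[:table], arguments].join(' '))
    PuppetX::Firewall::Utility.persist_iptables(context, name, is[:protocol])
  end

  # Custom insync method.
  # Needed because a number of properties are normalised by iptables when read
  # back (names vs. numbers, case, hex marks, zero-padded times, ...) and would
  # otherwise never compare equal to what the manifest declares.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param _name [String] the rule title (unused)
  # @param property_name [Symbol] the property being compared
  # @param is_hash [Hash] the current state of the whole rule
  # @param should_hash [Hash] the desired state of the whole rule
  # @return [Boolean, nil] true/false when custom logic applies, nil to fall
  #   back to the Resource API's default comparison
  def insync?(context, _name, property_name, is_hash, should_hash)
    context.debug("Checking whether '#{property_name}' is out of sync")

    is = is_hash[property_name]
    should = should_hash[property_name]
    # If either value is nil, no custom logic is required
    return nil if is.nil? || should.nil?

    case property_name
    when :protocol
      # Ensure the should value accurately matches the is (legacy aliases)
      is == { 'iptables' => 'IPv4', 'ip6tables' => 'IPv6' }.fetch(should, should)
    when :source, :destination
      # Ensure source/destination has its valid mask before you compare it
      is == PuppetX::Firewall::Utility.host_to_mask(should, should_hash[:protocol])
    when :tcp_option, :ctproto, :hop_limit
      # Ensure that the values are compared as strings
      is == should.to_s
    when :tcp_flags
      # Account for `ALL` being returned as `FIN,SYN,RST,PSH,ACK,URG`
      tcp_flags_normalised(is) == tcp_flags_normalised(should)
    when :uid, :gid
      owner_in_sync?(property_name, is, should)
    when :mac_source, :jump
      # Value of mac_source/jump may be downcased or upcased when returned depending on the OS
      is.casecmp(should).zero?
    when :icmp
      # Ensure that the values are compared to each other as icmp code numbers
      PuppetX::Firewall::Utility.icmp_name_to_number(is, is_hash[:protocol]) ==
        PuppetX::Firewall::Utility.icmp_name_to_number(should, should_hash[:protocol])
    when :log_level
      # Ensure that the values are compared to each other as log level numbers
      PuppetX::Firewall::Utility.log_level_name_to_number(is) ==
        PuppetX::Firewall::Utility.log_level_name_to_number(should)
    when :set_mark
      # Ensure that the values are compared to each other in hexadecimal format
      PuppetX::Firewall::Utility.mark_mask_to_hex(is) == PuppetX::Firewall::Utility.mark_mask_to_hex(should)
    when :match_mark, :connmark
      # Ensure that the values are compared to each other in hexadecimal format
      PuppetX::Firewall::Utility.mark_to_hex(is) == PuppetX::Firewall::Utility.mark_to_hex(should)
    when :time_start, :time_stop
      # Ensure the values are compared in full `00:00:00` format; only the
      # declared value needs padding, iptables always reads back the full form
      should = "0#{should}" if %r{^([0-9]):}.match?(should)
      should = "#{should}:00" if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(should)
      is == should
    when :dport, :sport, :state, :ctstate, :ctstatus
      # Unique logic is only needed when both values are arrays
      return nil unless is.is_a?(Array) && should.is_a?(Array)

      # Port ranges may be declared with `-` but are always set/returned with `:`;
      # the read-back side never needs that translation
      port_property = [:dport, :sport].include?(property_name)
      list_normalised(is) == list_normalised(should, translate_ranges: port_property)
    when :string_hex
      # Compare the values with any whitespace removed
      is.to_s.gsub(%r{\s+}, '') == should.to_s.gsub(%r{\s+}, '')
    else
      # Ensure that if both values are arrays, that they are sorted prior to comparison
      return nil unless is.is_a?(Array) && should.is_a?(Array)

      is.sort == should.sort
    end
  end

  ###### INSTANCE HELPERS ######

  # Execute the create/update command for a rule and persist the result.
  # `command` is one of $rule_create_command / $rule_update_command; both take
  # `chain_name rule_num` followed by the rule arguments.
  #
  # NOTE(review): the command is handed to Puppet::Provider.execute as one
  # joined String, so quoting of attribute values (e.g. the comment carrying the
  # rule name) is entirely the responsibility of hash_to_rule, which is not
  # visible here — confirm it quotes/escapes values it did not generate itself.
  def apply_rule(context, name, should, command)
    position = Puppet::Provider::Firewall::Firewall.insert_order(context, name, should[:chain], should[:table], should[:protocol])
    arguments = Puppet::Provider::Firewall::Firewall.hash_to_rule(context, name, should)
    Puppet::Provider.execute([$base_command[should[:protocol]], should[:table], command, should[:chain], position, arguments].join(' '))
    PuppetX::Firewall::Utility.persist_iptables(context, name, should[:protocol])
  end

  # Canonicalise a tcp_flags value (`"MASK COMP"`) so that the expanded form of
  # `ALL` compares equal to the keyword.
  def tcp_flags_normalised(value)
    value.split.map { |flag| (flag == 'FIN,SYN,RST,PSH,ACK,URG') ? 'ALL' : flag }.join(' ')
  end

  # Compare uid/gid values, taking into account unix mappings between names and
  # numeric ids. Whitespace is irrelevant with respect to rule sync and is ignored.
  def owner_in_sync?(property_name, is, should)
    require 'etc'

    is_negate, is_owner = owner_split_negation(is)
    should_negate, should_owner = owner_split_negation(should)

    is_id = owner_to_id(property_name, is_owner)
    should_id = owner_to_id(property_name, should_owner)

    "#{is_negate}#{is_id}" == "#{should_negate}#{should_id}"
  end

  # Strip whitespace from an owner value and separate a leading `!`.
  # Returns [negation_prefix, owner] where negation_prefix is '!' or ''.
  def owner_split_negation(value)
    owner = value.to_s.gsub(%r{\s+}, '')
    return ['', owner] unless owner.start_with?('!')

    ['!', owner.gsub(%r{^!}, '')]
  end

  # Resolve an owner to its numeric id. Values that are already a number or a
  # numeric range are returned untouched; anything else is treated as a name.
  # Fix: gid values were previously looked up with getpwnam (the *user*
  # database), which fails or returns the wrong id for group names such as
  # `wheel`; groups now go through the group database.
  def owner_to_id(property_name, owner)
    return owner if owner[%r{[0-9]+(-[0-9]+)?}] == owner

    property_name == :gid ? Etc.getgrnam(owner).gid : Etc.getpwnam(owner).uid
  end

  # Canonicalise an array property for comparison: strip negation markers and
  # whitespace from every element, sort, and re-attach a single leading `! ` if
  # the first declared element was negated (negation applies to the whole list).
  # With translate_ranges, `-` in port ranges is rewritten to `:`.
  def list_normalised(values, translate_ranges: false)
    negated = %r{^!\s}.match?(values[0].to_s)
    result = values.map { |value| value.to_s.tr('! ', '') }.sort
    result = result.map { |value| value.tr('-', ':') }.sort if translate_ranges
    result[0] = ['!', result[0]].join(' ') if negated
    result
  end

  private :apply_rule, :tcp_flags_normalised, :owner_in_sync?, :owner_split_negation, :owner_to_id, :list_normalised

  ###### PRIVATE METHODS ######

  ###### GET ######

  # Retrieve the rules
  # Optional values lets you return a simplified set of data, used for determining order when adding/updating/deleting rules,
  # while also allowing for the protocols used to retrieve the rules to be limited.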
# @api private def self.get_rules(context, basic, protocols = ['IPv4', 'IPv6']) # Create empty return array rules = [] counter = 1 # For each protocol protocols.each do |protocol| # Retrieve String containing all information iptables_list = Puppet::Provider.execute($list_command[protocol]) # Scan String to retrieve all Rules iptables_list.scan($table_regex).each do |table| table_name = table[0].scan($table_name_regex)[0][0] table[0].scan($rules_regex).each do |rule| raw_rules = if basic Puppet::Provider::Firewall::Firewall.rule_to_name(context, rule[0], table_name, protocol) else Puppet::Provider::Firewall::Firewall.rule_to_hash(context, rule[0], table_name, protocol) end # Process the returned values so that it is correct for our purposes rules << Puppet::Provider::Firewall::Firewall.process_get(context, raw_rules, rule[0], counter) counter += 1 end end # Return array end rules end # Simplified version of 'self.rules_to_hash' meant to return name, chain and table only # @api private def self.rule_to_name(_context, rule, table_name, protocol) rule_hash = {} rule_hash[:ensure] = 'present' rule_hash[:table] = table_name rule_hash[:protocol] = protocol name_regex = Regexp.new("#{$resource_map[:name]}\\s(?:\"([^\"]*)|([^\"\\s]*))") name_value = rule.scan(name_regex)[0] # Combine the returned values and remove and trailing or leading whitespace rule_hash[:name] = [name_value[0], name_value[1]].join(' ').strip if name_value chain_regex = Regexp.new("#{$resource_map[:chain]}\\s(\\S+)") rule_hash[:chain] = rule.scan(chain_regex)[0][0] rule_hash end # Converts a given rule to a hash value # @api private def self.rule_to_hash(_context, rule, table_name, protocol) # loop through resource map rule_hash = {} rule_hash[:ensure] = 'present' rule_hash[:table] = table_name rule_hash[:protocol] = protocol rule_hash[:line] = rule # Add the ensure parameter first $resource_map.each do |key, value| if $known_booleans.include?(key) # check for flag with regex, add a space/line end to 
ensure accuracy with the more simplistic flags; i.e. `-f`, `--random` rule_hash[key] = if rule.match(Regexp.new("#{value}(\\s|$)")) true else false end next end case key when :name, :string, :string_hex, :bytecode, :u32, :nflog_prefix, :log_prefix # When :name/:string/:string_hex/:bytecode, return everything inside the double quote pair following the key value # When only a single word comment is returned no quotes are given, so we must check for this as well # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!\\s))?#{value}\\s(?:\"([^\"]*)|([^\"\\s]*))") key_value = rule.scan(value_regex)[0] # Combine the returned values and remove and trailing or leading whitespace key_value[1] = [key_value[0], key_value[1], key_value[2]].join rule_hash[key] = key_value[1] if key_value[1] end when :sport, :dport split_value_regex = value[0].split(%r{ }) negated_multi_regex = [split_value_regex[0], split_value_regex[1], '!', split_value_regex[2]].join(' ') if rule.match(value[0]) # First check against the multiport value, if found split and return as an array value_regex = Regexp.new("#{value[0]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] rule_hash[key] = key_value[0].split(%r{,}) elsif rule.match(negated_multi_regex) # Next check against a negated multiport value, if found split and return as an array with the first value negated value_regex = Regexp.new("#{negated_multi_regex}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # Add '!' to the beginning of the first value to show it as negated split_value = key_value[0].split(%r{,}) split_value[0] = "! #{split_value[0]}" rule_hash[key] = split_value elsif rule.match(value[1]) # If no multi value matches, check against the regular value instead value_regex = Regexp.new("(?:(!)\\s)?#{value[1]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If it is negated, combine the retrieved '!' 
with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = key_value[1] end when :tcp_flags # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If a negation is found combine it with the first retrieved value, then combine both values key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = [key_value[1], key_value[2]].join(' ') end when :src_type, :dst_type, :ipset, :match_mark, :mss, :connmark split_regex = value.split(%r{ }) if rule.match(Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s")) # The exact information retrieved changes dependeing on the key type_attr = [:src_type, :dst_type] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+)\\s?(--limit-iface-(?:in|out))?") if type_attr.include?(key) ip_attr = [:ipset] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+\\s\\S+)") if ip_attr.include?(key) mark_attr = [:match_mark, :mss, :connmark] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+)") if mark_attr.include?(key) # Since multiple values can be recovered, we must loop through each instance type_value = [] key_value = rule.scan(value_regex) key_value.length.times do |i| type_value.append(key_value[i].join(' ').strip) if key_value[i] end # If only a single value was found return as a string rule_hash[key] = type_value[0] if type_value.length == 1 rule_hash[key] = type_value if type_value.length > 1 end when :state, :ctstate, :ctstatus, :month_days, :week_days if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)") key_value = rule.scan(value_regex) split_value = key_value[0][1].split(%r{,}) # If 
negated add to first value split_value[0] = [key_value[0][0], split_value[0]].join(' ') unless key_value[0][0].nil? # If value is meant to be Int, return as such int_attr = [:month_days] split_value = split_value.map(&:to_i) if int_attr.include?(key) # If only a single value is found, strip the Array wrapping split_value = split_value[0] if split_value.length == 1 rule_hash[key] = split_value end when :icmp case protocol when 'IPv4', 'iptables' proto = 0 when 'IPv6', 'ip6tables' proto = 1 end if rule.match(Regexp.new("#{value[proto]}\\s")) value_regex = Regexp.new("#{value[proto]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] rule_hash[key] = key_value[0] end when :recent if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("#{value}\\s(!\\s)?--(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join unless key_value[0].nil? rule_hash[key] = key_value[1] if key_value end when :rpfilter if rule.match(Regexp.new("#{value}\\s--")) # Since the values are their own flags we can simply look for them directly value_regex = Regexp.new("(?:\s--(invert|validmark|loose|accept-local))") key_value = rule.scan(value_regex) return_value = [] key_value.each do |val| return_value << val[0] end rule_hash[key] = return_value[0] if return_value.length == 1 rule_hash[key] = return_value if return_value.length > 1 end when :proto, :source, :destination, :iniface, :outiface, :physdev_in, :physdev_out, :src_range, :dst_range, :tcp_option, :uid, :gid, :mac_source, :pkttype, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctexpire, :cgroup, :hop_limit # Values where negation is prior to the flag # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. 
`-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = key_value[1] if key_value end else # stat_mode, stat_every, stat_packet, stat_probability, socket, ipsec_dir, ipsec_policy, :ctdir, # :limit, :burst, :length, :rseconds, :rhitcount, :rname, :mask, :string_algo, :string_from, :string_to, # :jump, :goto, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, # :clusterip_hash_init, :queue_num, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, # :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :log_level, # :reject, :set_mark, :connlimit_upto, :connlimit_above, :connlimit_mask, :time_start, :time_stop, :date_start, # :date_stop, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, # :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, # :hashlimit_htable_gcinterval, :zone, :helper, :condition # Default return, retrieve first complete block following the key value # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-j`, `--to` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("#{value}(?:\\s(!)\\s|\\s{1,2})(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? 
# If value is meant to return as an integer/float ensure it does int_attr = [:stat_every, :stat_packet, :burst, :rseconds, :rhitcount, :string_from, :string_to, :clusterip_total_nodes, :clusterip_local_nodes, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, :set_mss, :connlimit_upto, :connlimit_above, :connlimit_mask, :hashlimit_burst, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :zone] key_value[1] = key_value[1].to_i if int_attr.include?(key) if key == :stat_probability && key_value[1].include?('.') key_value[1] = key_value[1].to_f elsif key == :stat_probability key_value[1] = key_value[1].to_i end rule_hash[key] = key_value[1] if key_value end end end rule_hash end # Verify that the information being retrieved is correct # @api private def self.validate_get(_context, rules) # Verify that names are unique names = [] rules.each do |rule| names << rule[:name] end raise ArgumentError, 'Duplicate names have been found within your Firewalls. This prevents the module from working correctly and must be manually resolved.' if names.length != names.uniq.length # Verify that the current order of the retrieved puppet rules is correct end # Certain attributes need custom logic to ensure that they are returning the correct information # @api private def self.process_get(_context, rule_hash, rule, counter) # Puppet-firewall requires that all rules have structured comments (resource names) and will fail if a # rule in iptables does not have a matching comment. 
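if !rule_hash.key?(:name)
  # Unnamed rule: synthesise a name in the reserved 9000-9999 range from its position
  # and a SHA256 digest of the raw rule text so it is stable across runs.
  num = 9000 + counter
  rule_hash[:name] = "#{num} #{Digest::SHA256.hexdigest(rule)}"
elsif !rule_hash[:name].match(%r{(^\d+(?:[ \t-]\S+)+$)})
  # Comment present but not in `NNN name` form: prefix it with a reserved number.
  num = 9000 + counter
  rule_hash[:name] = "#{num} #{rule_hash[:name]}"
end
# If no specific proto has been set we treat it as having `all` set
rule_hash[:proto] = 'all' unless rule_hash[:proto]
# Certain OS can return the proto as its equivalent number and we make sure to convert it in that case
rule_hash[:proto] = PuppetX::Firewall::Utility.proto_number_to_name(rule_hash[:proto])
# If a dscp number is found, also return it as its valid class name
rule_hash[:set_dscp_class] = PuppetX::Firewall::Utility.dscp_number_to_class(rule_hash[:set_dscp]) if rule_hash[:set_dscp]
rule_hash
end

# Build the hash that represents an absent resource.
#
# @param namevar [Symbol] key under which the title is stored when `title` is not already a hash
# @param title [Hash, String] either a full attribute hash (copied) or the bare resource title
# @return [Hash] a copy of `title` (or `{ namevar => title }`) with `:ensure => 'absent'` set
# @api private
def self.create_absent(namevar, title)
  result = if title.is_a? Hash
             title.dup
           else
             { namevar => title }
           end
  result[:ensure] = 'absent'
  result
end

###### SET ######

# Static verification of the desired (`should`) state before any iptables command is built.
#
# Every check raises ArgumentError with a message naming the offending parameter(s); nothing is
# mutated here (see `process_input` for normalisation). `_is` is accepted for signature
# compatibility only and is not consulted.
#
# @param _is [Hash] current state (unused)
# @param should [Hash] desired state
# @raise [ArgumentError] on any invalid or mutually inconsistent combination of attributes
# @api private
def self.validate_input(_is, should)
  # Names starting with 9000-9999 are reserved for unmanaged rules (see `process_get`).
  # The check is skipped when deleting so that an unmanaged rule can still be purged by name.
  raise ArgumentError, 'Rule name cannot start with 9000-9999, as this range is reserved for unmanaged rules.' if should[:name].to_s.match($unmanaged_rule_regex) && should[:ensure].to_s == 'present'

  # `hash_to_rule` wraps these values in single quotes when it builds the iptables command
  # line, so an embedded single quote cannot be represented: it would terminate the quoting
  # early and, if the command string is run through a shell, let the remainder be interpreted.
  # Reject it up front rather than producing a broken (or dangerous) command.
  [:name, :string, :string_hex, :bytecode, :u32, :nflog_prefix, :log_prefix].each do |key|
    raise ArgumentError, "Parameter `#{key}` may not contain a single quote (')" if should[key].to_s.include?("'") && should[:ensure].to_s == 'present'
  end

  # `isfragment` can only be set when `proto` is `tcp`
  raise ArgumentError, '`proto` must be set to `tcp` for `isfragment` to be true.' if should[:isfragment] && should[:proto] != 'tcp'

  # `stat_mode` must be set to `nth` for `stat_every` and `stat_packet` to be set
  raise ArgumentError, '`stat_mode` must be set to `nth` for `stat_every` to be set.' if should[:stat_every] && should[:stat_mode] != 'nth'
  raise ArgumentError, '`stat_mode` must be set to `nth` for `stat_packet` to be set.' if should[:stat_packet] && should[:stat_mode] != 'nth'
  # `stat_mode` must be set to `random` for `stat_probability` to be set
  raise ArgumentError, '`stat_mode` must be set to `random` for `stat_probability` to be set.' if should[:stat_probability] && should[:stat_mode] != 'random'

  # When dport/sport/state/ctstate/ctstatus is an array, a negation must apply either to the
  # first value only (iptables negates the whole list) or to every value; anything else is
  # ambiguous and rejected.
  [:dport, :sport, :state, :ctstate, :ctstatus].each do |key|
    next unless should[key].is_a?(Array)

    negated_values = should[key].count { |value| %r{^!\s}.match?(value.to_s) }
    first_negated = should[key][0].to_s.match?(%r{^!\s})
    next unless (negated_values == 1 && !first_negated) || (negated_values >= 2 && negated_values != should[key].length)

    raise ArgumentError, "When negating a `#{key}` array, you must negate either the first given value only or all the given values."
  end

  raise ArgumentError, 'Value `any` is not valid. This behaviour should be achieved by omitting or undefining the ICMP parameter.' if should[:icmp] && should[:icmp] == 'any'

  raise ArgumentError, '`burst` cannot be set without `limit`.' if should[:burst] && !(should[:limit])

  # `length` is either a single value or a `low:high` range, both within 0..65535.
  # A value that does not match the pattern at all used to fall through to a NoMethodError on
  # `nil[1]`; report it as an ArgumentError like every other bad input.
  if should[:length]
    match = should[:length].to_s.match(%r{^([0-9]+)(?::)?([0-9]+)?$})
    raise ArgumentError, '`length` must be a number or a `low:high` range between 0 and 65535' unless match

    low = match[1].to_i
    high = match[2].to_i if match[2]
    raise ArgumentError, '`length` values must be between 0 and 65535' if low > 65_535 || (!high.nil? && (high > 65_535 || high < low))
  end

  # Recent module
  recent_update_or_rcheck = ['update', 'rcheck'].include?(should[:recent])
  raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rseconds` to be set.' if should[:rseconds] && !recent_update_or_rcheck
  raise ArgumentError, '`rseconds` must be set for `reap` to be set.' if should[:reap] && !should[:rseconds]
  raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rhitcount` to be set.' if should[:rhitcount] && !recent_update_or_rcheck
  raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rttl` to be set.' if should[:rttl] && !recent_update_or_rcheck
  raise ArgumentError, '`recent` must be set for `rname` to be set.' if should[:rname] && !should[:recent]
  raise ArgumentError, '`recent` must be set for `rsource` to be set.' if should[:rsource] && !should[:recent]
  raise ArgumentError, '`recent` must be set for `rdest` to be set.' if should[:rdest] && !should[:recent]
  raise ArgumentError, '`rdest` and `rsource` are mutually exclusive, only one may be set at a time.' if should[:rsource] && should[:rdest]

  # String module
  raise ArgumentError, '`string_algo` must be set for `string` or `string_hex` to be set.' if (should[:string] || should[:string_hex]) && !(should[:string_algo])

  # NFQUEUE
  raise ArgumentError, '`queue_num` must be between 0 and 65535' if should[:queue_num] && (should[:queue_num].to_i > 65_535 || should[:queue_num].to_i.negative?)

  # Jump
  # `2^16-1` is equal to `65_535`. The lower bound previously tested `queue_num` instead of
  # `nflog_group`, so a negative group number was never rejected.
  raise ArgumentError, '`nflog_group` must be between 0 and 2^16-1' if should[:nflog_group] && (should[:nflog_group].to_i > 65_535 || should[:nflog_group].to_i.negative?)

  raise ArgumentError, 'When setting `jump => TEE`, the gateway property is required' if should[:jump] == 'TEE' && !should[:gateway]
  raise ArgumentError, 'When setting `jump => TCPMSS`, the `set_mss` or `clamp_mss_to_pmtu` property is required' if should[:jump] == 'TCPMSS' && !(should[:set_mss] || should[:clamp_mss_to_pmtu])
  raise ArgumentError, 'When setting `jump => DSCP`, the `set_dscp` or `set_dscp_class` property is required' if should[:jump] == 'DSCP' && !(should[:set_dscp] || should[:set_dscp_class])

  raise ArgumentError, 'Parameter `jump => DNAT` only applies to `table => nat`' if should[:jump] == 'DNAT' && should[:table] != 'nat'
  raise ArgumentError, 'Parameter `jump => DNAT` must have `todest` parameter' if (should[:jump] == 'DNAT' && !should[:todest]) || (should[:jump] != 'DNAT' && should[:todest])
  raise ArgumentError, 'Parameter `jump => SNAT` only applies to `table => nat`' if should[:jump] == 'SNAT' && should[:table] != 'nat'
  raise ArgumentError, 'Parameter `jump => SNAT` must have `tosource` parameter' if (should[:jump] == 'SNAT' && !should[:tosource]) || (should[:jump] != 'SNAT' && should[:tosource])

  raise ArgumentError, 'Parameter `checksum_fill` requires `jump => CHECKSUM` and `table => mangle`' if should[:checksum_fill] && !(should[:jump] == 'CHECKSUM' && should[:table] == 'mangle')

  [:log_prefix, :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options].each do |log|
    raise ArgumentError, "Parameter `#{log}` requires `jump => LOG`" if should[log] && should[:jump] != 'LOG'
  end

  raise ArgumentError, 'Parameter `jump => CT` only applies to `table => raw`' if should[:jump] == 'CT' && should[:table] != 'raw'
  raise ArgumentError, 'Parameter `zone` requires `jump => CT`' if should[:zone] && should[:jump] != 'CT'
  raise ArgumentError, 'Parameter `helper` requires `jump => CT`' if should[:helper] && should[:jump] != 'CT'
  raise ArgumentError, 'Parameter `notrack` requires `jump => CT`' if should[:notrack] && should[:jump] != 'CT'

  # Connlimit
  raise ArgumentError, 'Parameter `connlimit_mask` requires either `connlimit_upto` or `connlimit_above`' if should[:connlimit_mask] && !(should[:connlimit_upto] || should[:connlimit_above])

  # Hashlimit: any hashlimit attribute requires a name plus exactly one of upto/above.
  [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask,
   :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval].each do |hash|
    next unless should[hash] && (!should[:hashlimit_name] || !(should[:hashlimit_upto] || should[:hashlimit_above]))

    raise ArgumentError, 'Parameter `hashlimit_name` and either `hashlimit_upto` or `hashlimit_above` are required when setting any `hashlimit` attribute.'
  end
  raise ArgumentError, '`hashlimit_upto` and `hashlimit_above` are mutually exclusive, only one may be set at a time.' if should[:hashlimit_upto] && should[:hashlimit_above]

  # Protocol-specific attributes
  ipv4_only = [:clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init]
  ipv4_only.each do |ipv4|
    raise ArgumentError, "Parameter `#{ipv4}` is specific to the `IPv4` protocol" if should[ipv4] && !(should[:protocol] == 'IPv4' || should[:protocol] == 'iptables')
  end
  ipv6_only = [:hop_limit, :ishasmorefrags, :islastfrag, :isfirstfrag]
  ipv6_only.each do |ipv6|
    raise ArgumentError, "Parameter `#{ipv6}` is specific to the `IPv6` protocol" if should[ipv6] && !(should[:protocol] == 'IPv6' || should[:protocol] == 'ip6tables')
  end

  ## Array elements must be unique (ignoring any --limit-iface-in/out suffix)
  [:dst_type, :src_type].each do |key|
    next unless should[key].is_a?(Array)

    raise ArgumentError, "`#{key}` elements must be unique" if should[key].map { |type| type.to_s.gsub(%r{--limit-iface-(in|out)}, '') }.uniq.length != should[key].length
  end

  # Log prefix size is limited; 64 characters is accepted, 65 is not.
  raise ArgumentError, 'Parameter `nflog_prefix` must be at most 64 characters' if should[:nflog_prefix] && should[:nflog_prefix].length > 64

  # IP ranges must be `IP1-IP2` with both ends parseable for the resource's protocol
  [:dst_range, :src_range].each do |key|
    next unless should[key]

    matches = %r{^([^\-/]+)-([^\-/]+)$}.match(should[key])
    raise(ArgumentError, 'The IP range must be in `IP1-IP2` format.') unless matches

    [matches[1], matches[2]].each do |addr|
      PuppetX::Firewall::Utility.host_to_ip(addr, should[:protocol])
    rescue StandardError
      raise(ArgumentError, "Invalid IP address `#{addr}` in range `#{should[key]}`")
    end
  end
end

# Normalise the desired state so that it compares cleanly with what `iptables-save` returns.
# Some of this processing differs between IPv4 and IPv6 (masks, ICMP names).
#
# `should` is modified in place and also returned.
#
# @param should [Hash] desired state
# @return [Hash] the same hash, normalised
# @api private
def self.process_input(should)
  # `dport`, `sport`, `state`, `ctstate` and `ctstatus` arrays should only have the first value negated.
  # Every '!' and space is stripped from each element, then a single '! ' is restored on the
  # first element when the original first element was negated.
  [:dport, :sport, :state, :ctstate, :ctstatus].each do |key|
    next unless should[key].is_a?(Array)

    negated = %r{^!\s}.match?(should[key][0].to_s)
    should[key] = should[key].map { |value| value.to_s.tr('! ', '') }
    should[key][0] = ['!', should[key][0]].join(' ') if negated
  end

  # `jump` common values should always be uppercase
  # NOTE(review): this list previously contained 'netmp', which is not an iptables target;
  # it is read here as a typo for 'netmap' (NETMAP) — confirm against the type's allowed values.
  jump_common_values = ['accept', 'reject', 'drop', 'queue', 'return', 'dnat', 'snat', 'log', 'nflog', 'netmap', 'masquerade', 'redirect', 'mark', 'ct']
  should[:jump] = should[:jump].upcase if should[:jump] && jump_common_values.include?(should[:jump].downcase)

  # `source` and `destination` must be put through host_to_mask
  should[:source] = PuppetX::Firewall::Utility.host_to_mask(should[:source], should[:protocol]) if should[:source]
  should[:destination] = PuppetX::Firewall::Utility.host_to_mask(should[:destination], should[:protocol]) if should[:destination]

  # ct attributes must be put through host_to_mask with the host-only mask then being removed.
  # Each attribute is independent, so an unset one is skipped rather than ending the loop
  # (the previous `break` left every later ct attribute unnormalised).
  ct = [:ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst]
  ct.each do |c|
    next unless should[c]

    value = PuppetX::Firewall::Utility.host_to_mask(should[c], should[:protocol])
    should[c] = if should[:protocol] == 'IPv4'
                  value.chomp('/32')
                else
                  value.chomp('/128')
                end
  end

  # `icmp` needs to be converted to a number if passed as a string
  should[:icmp] = PuppetX::Firewall::Utility.icmp_name_to_number(should[:icmp], should[:protocol]) if should[:icmp]

  # `log_level` needs to be converted to a number if passed as a string
  should[:log_level] = PuppetX::Firewall::Utility.log_level_name_to_number(should[:log_level]) if should[:log_level]

  # `set_mark`, `match_mark` and `connmark` must be applied in hexadecimal format
  should[:set_mark] = PuppetX::Firewall::Utility.mark_mask_to_hex(should[:set_mark]) if should[:set_mark]
  should[:match_mark] = PuppetX::Firewall::Utility.mark_to_hex(should[:match_mark]) if should[:match_mark]
  should[:connmark] = PuppetX::Firewall::Utility.mark_to_hex(should[:connmark]) if should[:connmark]

  # `time_start` and `time_stop` must be applied in full HH:MM:SS format
  [:time_start, :time_stop].each do |t|
    should[t] = "0#{should[t]}" if %r{^([0-9]):}.match?(should[t])
    should[t] = "#{should[t]}:00" if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(should[t])
  end

  # If a `sport`/`dport` range has been passed with `-`, replace with `:`
  [:sport, :dport].each do |port_key|
    case should[port_key]
    when String
      should[port_key] = should[port_key].tr('-', ':')
    when Array
      should[port_key] = should[port_key].map { |port| port.to_s.tr('-', ':') }
    end
  end

  should
end

# Converts a given hash value to a command line argument
# @api private
def self.hash_to_rule(_context, _name, rule)
  arguments = ''
  # We loop through an ordered list of all flags as the order that they are added is important
  $resource_list.each do |key|
    next unless rule[key]

    value = rule[key]
    # Ensure that the necessary module (`-m`) arguments are added when needed
    # addrtype and ipset are exceptions as they need to preface each instance
    @module_to_argument_mapping.each do |modules|
      # Skip unless the key is part of the module
      next unless modules[1].include?(key)
      # Skip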
if the module flag has already been added next if arguments.match(Regexp.new("-m #{modules[0]}")) # Add the module flag arguments += " -m #{modules[0]}" end # if resource is known_boolean if $known_booleans.include?(key) # If value is true, append command to arguments arguments += " #{$resource_map[key]}" if value next end # check for existence, retrieve string that follows if it is # certain resources may need special rules case key when :name, :string, :string_hex, :bytecode, :u32, :nflog_prefix, :log_prefix arguments += " #{[$resource_map[key], "'#{rule[key]}'"].join(' ')}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], "'#{rule[key].gsub(%r{^!\s?}, '')}'"].join(' ')}" if rule[key].match?(%r{^!}) # if negated when :sport, :dport if rule[key].is_a?(Array) && rule[key][0].to_s.match(%r{^!}) # Negated Multiport split_comannd = $resource_map[key][0].split(%r{ }) negated_command = [split_comannd[0], split_comannd[1], '!', split_comannd[2]].join(' ') value = rule[key].join(',').gsub(%r{^!\s?}, '') arguments += " #{[negated_command, value].join(' ')}" elsif rule[key].is_a?(Array) # Standard Multiport arguments += " #{[$resource_map[key][0], rule[key].join(',')].join(' ')}" elsif rule[key].to_s.match?(%r{^!}) # Negated Standard arguments += " #{['!', $resource_map[key][1], rule[key].gsub(%r{^!\s?}, '')].join(' ')}" else # Standard arguments += " #{[$resource_map[key][1], rule[key]].join(' ')}" end when :src_type, :dst_type, :ipset, :match_mark, :mss, :connmark # Code for if value requires it's own flag each time it is applied split_command = $resource_map[key].split(%r{ }) negated_command = [split_command[0], split_command[1], '!', split_command[2]].join(' ') # If a string, wrap as an array to simplify the code rule[key] = [rule[key]] if rule[key].is_a?(String) rule[key].each do |ru| arguments += " #{$resource_map[key]} #{ru}" unless ru.match?(%r{^!}) arguments += " #{negated_command} #{ru.gsub(%r{^!\s?}, '')}" if 
ru.match?(%r{^!}) end when :state, :ctstate, :ctstatus, :month_days, :week_days # Code for if value is an array and all values are joined together and passed as part of a single flag # If not an array, wrap as an array to simplify the code rule[key] = [rule[key]] unless rule[key].is_a?(Array) int_attr = [:month_days] arguments += " #{[$resource_map[key], rule[key].join(',')].join(' ')}" if int_attr.include?(key) || rule[key][0].match(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], rule[key].join(',').gsub(%r{^!\s?}, '')].join(' ')}" if !int_attr.include?(key) && rule[key][0].match(%r{^!}) # if negated when :icmp case rule[:protocol] when 'IPv4', 'iptables' proto = 0 when 'IPv6', 'ip6tables' proto = 1 end # Retrieve the correct command for the protocol # A command is generated to be used for negation split_comannd = $resource_map[key][proto].split(%r{ }) negated_command = [split_comannd[0], split_comannd[1], '!', split_comannd[2]].join(' ') arguments += " #{[$resource_map[key][proto], rule[key]].join(' ')}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{[negated_command, rule[key].gsub(%r{^!\s?}, '')].join(' ')}" if rule[key].match?(%r{^!}) # if negated when :recent # Add value after command, if negated add negation before command # Preface the value of recent with `--` arguments += " #{$resource_map[key]} --#{rule[key]}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{$resource_map[key]} ! 
--#{rule[key].gsub(%r{^!\s?}, '')}" if rule[key].match?(%r{^!}) # if negated when :rpfilter # Add value after command # Preface the value of recent with `--` # If a string, wrap as an array to simplify the code rule[key] = [rule[key]] if rule[key].is_a?(String) arguments += " #{$resource_map[key]} --#{rule[key].join(' --')}" when :proto, :source, :destination, :iniface, :outiface, :physdev_in, :physdev_out, :src_range, :dst_range, :tcp_option, :tcp_flags, :uid, :gid, :mac_source, :pkttype, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctexpire, :cgroup, :hop_limit # Add value after command, if negated add negation before command arguments += " #{[$resource_map[key], rule[key]].join(' ')}" if rule[key].is_a?(Integer) || rule[key].match?(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], rule[key].gsub(%r{^!\s?}, '')].join(' ')}" if rule[key].is_a?(String) && rule[key].match?(%r{^!}) # if negated else # :chain, stat_mode, stat_every, stat_packet, stat_probability, socket, ipsec_dir, ipsec_policy, :ctdir, # :limit, :burst, :length, :rseconds, :rhitcount, :rname, :mask, :string_algo, :string_from, :string_to, # :jump, :goto, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, # :clusterip_hash_init, :queue_num, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, # :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :log_level, # :reject, :set_mark, :connlimit_upto, :connlimit_above, :connlimit_mask, :time_start, :time_stop, :date_start, # :date_stop, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, # :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, # :hashlimit_htable_gcinterval, :zone, :helper, :condition # Add value after command arguments += " #{[$resource_map[key], 
rule[key]].join(' ')}" end end arguments end # Find the correct position for our new rule in its chain # This has been lifted from the previous provider in order to maintain the logic between them # @api private def self.insert_order(context, name, chain, table, protocol) rules = [] # Find any rules that match the given chain and table pairing Puppet::Provider::Firewall::Firewall.get_rules(context, true, [protocol]).each do |rule| rules << rule[:name] if rule[:chain] == chain && rule[:table] == table end # If no rules found, return 1 return 1 if rules.empty? # Find if this is a new or eisting rule if rules.include? name # If the rule already exists, use it as the offset offset_rule = name else # If it doesn't add it to the list and find it's ordered location rules << name new_rule_location = rules.sort.uniq.index(name) offset_rule = if new_rule_location.zero? # First and only rule rules[0] else # This rule will come after other managed rules, so find the rule # immediately preceeding it. rules.sort.uniq[new_rule_location - 1] end end # Count how many unmanaged rules are ahead of the target rule so we know # how much to add to the insert order unnamed_offset = rules[0..rules.index(offset_rule)].reduce(0) do |sum, rule| # This regex matches the names given to unmanaged rules (a number # 9000-9999 followed by an MD5 hash). sum + (rule.match($unmanaged_rule_regex) ? 1 : 0) end # We want our rule to come before unmanaged rules if it's not a 9-rule unnamed_offset -= 1 if offset_rule.match($unmanaged_rule_regex) && !name.match(%r{^9}) # Insert our new or updated rule in the correct order of named rules, but # offset for unnamed rules. 
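sorted_rules = rules.reject { |r| r.match($unmanaged_rule_regex) }.sort
sorted_rules.index(name) + 1 + unnamed_offset
end
end
puppetlabs-firewall-8.0.0/lib/puppet/provider/firewallchain0040755000000000000000000000000014561126655021114 5ustar00puppetlabs-firewall-8.0.0/lib/puppet/provider/firewallchain/firewallchain.rb0100644000175100001770000002521114561126655024363 0ustar00# frozen_string_literal: true

require_relative '../../../puppet_x/puppetlabs/firewall/utility'

# Implementation for the firewallchain type using the Resource API.
#
# A chain is identified by the composite title `CHAIN:TABLE:PROTOCOL` (split apart in
# `process_input`). Built-in chains (those matching `$built_in_regex`) are never created
# or deleted: the only thing that can change on them is their policy, and "deleting" one
# flushes it and resets its policy to ACCEPT.
class Puppet::Provider::Firewallchain::Firewallchain
  ###### GLOBAL VARIABLES ######

  # Command to list all chains and rules
  $list_command = {
    'IPv4' => 'iptables-save',
    'IPv6' => 'ip6tables-save'
  }
  # Regex used to divide output of $list_command between tables
  $table_regex = %r{(\*(?:nat|mangle|filter|raw|rawpost|broute|security)[^*]+)}
  # Regex used to retrieve table name
  $table_name_regex = %r{^\*(nat|mangle|filter|raw|rawpost|broute|security)}
  # Regex used to retrieve Chains and, optionally, the policy that follows the chain name.
  # NOTE(review): `QEUE` looks like a typo for `QUEUE` and so can never match; left unchanged
  # here because the set of policy values accepted by the type is not visible in this file.
  $chain_regex = %r{\n:(INPUT|FORWARD|OUTPUT|(?:\S+))(?:\s(ACCEPT|DROP|QEUE|RETURN|PREROUTING|POSTROUTING))?}
  # Base commands for the protocols, including table affixes
  $base_command = {
    'IPv4' => 'iptables -t',
    'IPv6' => 'ip6tables -t'
  }
  # Command to create a chain
  $chain_create_command = '-N'
  # Command to flush all rules from a chain, must be used before deleting
  $chain_flush_command = '-F'
  # Command to delete a chain, cannot be used on inbuilt
  $chain_delete_command = '-X'
  # Command to set chain policy, works on inbuilt chains only
  $chain_policy_command = '-P'
  # Check if the given chain name references a built in one
  $built_in_regex = %r{^(?:INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$}

  ###### PUBLIC METHODS ######

  # Raw data is retrieved via `iptables-save` / `ip6tables-save` and then regexed to retrieve
  # the different Chains and whether they have a set Policy.
  #
  # @param _context [Puppet::ResourceApi::BaseContext] unused
  # @return [Array<Hash>] one hash per chain, with :name in `CHAIN:TABLE:PROTOCOL` form,
  #   :ensure 'present', :purge and :ignore_foreign false, and :policy (downcased) only when
  #   the save output carried one of the policies listed in `$chain_regex`
  def get(_context)
    chains = []

    ['IPv4', 'IPv6'].each do |protocol|
      # Retrieve the complete save output for this protocol, then split it per table
      iptables_list = Puppet::Provider.execute($list_command[protocol])
      iptables_list.scan($table_regex).each do |table|
        table_name = table[0].scan($table_name_regex)[0][0]
        table[0].scan($chain_regex).each do |chain|
          chain_hash = {
            name: "#{chain[0]}:#{table_name}:#{protocol}",
            purge: false,
            ignore_foreign: false,
            ensure: 'present'
          }
          # The policy group of the regex is optional; only add the key when it captured
          chain_hash[:policy] = chain[1].downcase if chain[1]
          chains << chain_hash
        end
      end
    end

    chains
  end

  # Apply every change requested by the Resource API.
  #
  # @param context [Puppet::ResourceApi::BaseContext]
  # @param changes [Hash{String => Hash}] name => { is: Hash|nil, should: Hash|nil }
  def set(context, changes)
    changes.each do |name, change|
      is = change[:is]
      should = change[:should]
      # A missing side is modelled as an absent resource of the same name
      is = PuppetX::Firewall::Utility.create_absent(:name, name) if is.nil?
      should = PuppetX::Firewall::Utility.create_absent(:name, name) if should.nil?

      # Process the input and divide the name into its relevant parts
      is, should = Puppet::Provider::Firewallchain::Firewallchain.process_input(is, should)
      # Run static verification against both sets of values
      Puppet::Provider::Firewallchain::Firewallchain.verify(is, should)

      if is[:ensure].to_s == 'absent' && should[:ensure].to_s == 'present'
        context.creating(name) do
          create(context, name, should)
        end
      elsif is[:ensure].to_s == 'present' && should[:ensure].to_s == 'absent'
        context.deleting(name) do
          delete(context, name, is)
        end
      elsif is[:ensure].to_s == 'present' && should[:ensure].to_s == 'present'
        context.updating(name) do
          update(context, name, should, is)
        end
      end
    end
  end

  # Create a user-defined chain and persist the ruleset.
  #
  # @param should [Hash] desired state as returned by `process_input`
  def create(context, name, should)
    context.notice("Creating Chain '#{name}' with #{should.inspect}")
    execute_chain_command(should[:protocol], should[:table], $chain_create_command, should[:chain])
    PuppetX::Firewall::Utility.persist_iptables(context, name, should[:protocol])
  end

  # Update the policy of a built-in chain. Nothing else on a chain is updatable.
  #
  # @param should [Hash] desired state
  # @param is [Hash] current state
  def update(context, name, should, is)
    # Skip the update if not an inbuilt chain or if the policy has not changed
    return if !$built_in_regex.match(should[:chain]) || is[:policy] == should[:policy]

    context.notice("Updating Chain '#{name}' with #{should.inspect}")
    execute_chain_command(should[:protocol], should[:table], $chain_policy_command, should[:chain], should[:policy].upcase)
    PuppetX::Firewall::Utility.persist_iptables(context, name, should[:protocol])
  end

  # Flush a chain and then either delete it (user chains) or reset its policy (built-in chains).
  #
  # @param is [Hash] current state as returned by `process_input`
  def delete(context, name, is)
    # Before we can delete a chain we must first flush it of any active rules
    context.notice("Flushing Chain '#{name}'")
    execute_chain_command(is[:protocol], is[:table], $chain_flush_command, is[:chain])

    if $built_in_regex.match(is[:chain])
      # Inbuilt chains cannot be deleted, so they are reverted to the default policy instead.
      # After this step the chain is empty with policy ACCEPT, i.e. it no longer filters anything;
      # `verify` warns about this before the change is applied.
      context.notice("Reverting Internal Chain '#{name}' to its default")
      execute_chain_command(is[:protocol], is[:table], $chain_policy_command, is[:chain], 'ACCEPT')
    else
      context.notice("Deleting Chain '#{name}'")
      execute_chain_command(is[:protocol], is[:table], $chain_delete_command, is[:chain])
    end

    PuppetX::Firewall::Utility.persist_iptables(context, name, is[:protocol])
  end

  # Custom insync method.
  #
  # Returns true for the bookkeeping attributes so they never report as changes; returning
  # nil for every other property hands the comparison back to the Resource API default.
  def insync?(context, _name, property_name, _is_hash, _should_hash)
    context.debug("Checking whether '#{property_name}' is out of sync")
    case property_name
    when :purge, :ignore, :ignore_foreign
      # Suppress any update notifications for the purge/ignore(_foreign) values.
      # They are consumed by `generate`, which runs prior to this point, and have no
      # bearing on the chain's actual state.
      true
    end
  end

  ###### PRIVATE METHODS ######

  # Process the information so that it can be correctly applied.
  #
  # Splits the `CHAIN:TABLE:PROTOCOL` name of both hashes into :chain, :table and :protocol,
  # and normalises built-in chains to 'present' with an 'accept' policy when none is known.
  #
  # @param is [Hash] current state (mutated in place)
  # @param should [Hash] desired state (mutated in place)
  # @return [Array(Hash, Hash)] the same two hashes
  # @api private
  def self.process_input(is, should)
    is[:name] = is[:title] if is[:name].nil?
    is[:chain], is[:table], is[:protocol] = is[:name].split(':')
    should[:name] = should[:title] if should[:name].nil?
    should[:chain], should[:table], should[:protocol] = should[:name].split(':')

    # If an in-built chain, always treat it as being present and ensure it is assigned a policy.
    # The retrieval of in-built chains may get confused by `iptables-save` tendency to not return
    # table information for tables that have not yet been interacted with.
    if $built_in_regex.match(is[:chain])
      is[:ensure] = 'present'
      is[:policy] = 'accept' if is[:policy].nil?
    end
    # For the same reason assign it the default policy as an intended state if it does not have one
    should[:policy] = 'accept' if $built_in_regex.match(should[:chain]) && should[:policy].nil?

    [is, should]
  end

  # Verify that the information is correct.
  #
  # @param _is [Hash] unused
  # @param should [Hash] desired state as returned by `process_input`
  # @raise [ArgumentError] when the chain name is not valid for the chosen table, or when a
  #   policy is given for a chain that is not built in
  # @api private
  def self.verify(_is, should)
    # Verify that no incorrect chain names are passed
    case should[:table]
    when 'filter'
      raise ArgumentError, 'INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table \'filter\'' if %r{^(PREROUTING|POSTROUTING|BROUTING)$}.match?(should[:chain])
    when 'mangle'
      raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table \'mangle\'' if %r{^(BROUTING)$}.match?(should[:chain])
    when 'nat'
      raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table \'nat\'' if %r{^(BROUTING|FORWARD)$}.match?(should[:chain])
      raise ArgumentError, 'table nat isn\'t valid in IPv6. You must specify \':IPv4\' as the name suffix' if %r{^(IP(v6)?)?$}.match?(should[:protocol])
    when 'raw'
      raise ArgumentError, 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\'' if %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}.match?(should[:chain])
    when 'broute'
      raise ArgumentError, 'BROUTE is only valid with protocol \'ethernet\'' if should[:protocol] != 'ethernet'
      # The alternation is grouped so that both anchors apply to every name. Without the group
      # only `^PREROUTING` and `OUTPUT$` were anchored, so any user chain merely containing
      # INPUT, FORWARD or POSTROUTING in its name was rejected as well.
      raise ArgumentError, 'BROUTING is the only inbuilt chain allowed on on table \'broute\'' if %r{^(PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT)$}.match?(should[:chain])
    when 'security'
      raise ArgumentError, 'INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table \'security\'' if %r{^(PREROUTING|POSTROUTING|BROUTING)$}.match?(should[:chain])
    end

    # Verify that Policy is only passed for the inbuilt chains
    raise ArgumentError, "'policy' can only be set on Internal Chains. Setting for '#{should[:name]}' is invalid" if !$built_in_regex.match(should[:chain]) && should.key?(:policy)

    # Warn that inbuilt chains will be flushed, not deleted
    warn "Warning: Inbuilt Chains may not be deleted. Chain `#{should[:name]}` will be flushed and have it's policy reverted to default." if $built_in_regex.match(should[:chain]) && should[:ensure] == 'absent'
  end

  # Custom generate method called by the resource_api.
  # Finds and returns all unmanaged rules on the chain that are not set to be ignored.
  #
  # @param title [String] `CHAIN:TABLE:PROTOCOL`
  # @param should [Hash] desired state; honours :purge, :ignore and :ignore_foreign
  # @return [Array<Puppet::Type>] firewall resources set to ensure => absent; empty unless :purge
  def generate(_context, title, _is, should)
    # Unless purge is true, return an empty array
    return [] unless should[:purge]

    # gather a list of all rules present on the system
    rules_resources = Puppet::Type.type(:firewall).instances

    # Retrieve information from the title
    name, table, protocol = title.split(':')

    # Keep only rules in this chain
    rules_resources.delete_if do |resource|
      state = resource.rsapi_current_state
      state[:chain] != name || state[:table] != table || state[:protocol] != protocol
    end

    # Remove rules which match our ignore filter
    if should[:ignore]
      # Ensure ignore value is wrapped as an array to simplify the code
      should[:ignore] = [should[:ignore]] if should[:ignore].is_a?(String)
      rules_resources.delete_if do |resource|
        should[:ignore].find_index { |ignore| resource.rsapi_current_state[:line].match(ignore) }
      end
    end

    # Remove rules that were (presumably) not put in by puppet. Unmanaged rules carry a numeric
    # prefix of 9000 or above; a name with no numeric prefix at all cannot be classified, so it is
    # treated as foreign as well rather than being purged (the bare `match(...)[1]` used to raise
    # NoMethodError on such a name).
    if should[:ignore_foreign]
      rules_resources.delete_if do |resource|
        prefix = resource.rsapi_current_state[:name].match(%r{^(\d+)[[:graph:][:space:]]})
        prefix.nil? || prefix[1].to_i >= 9000
      end
    end

    # We mark all remaining rules for deletion, and then let the catalog override us on rules which should be present.
    # We also ensure that the generated rules have the correct protocol to avoid issues with our validation.
    rules_resources.each do |resource|
      resource[:ensure] = :absent
      resource[:protocol] = protocol
    end

    rules_resources
  end

  private

  # Build and run one iptables/ip6tables invocation against a single table.
  #
  # The command is handed to Puppet::Provider.execute as one space-joined String, exactly as the
  # create/update/delete call sites did before this helper existed.
  # NOTE(review): Puppet's execute is documented to pass a String command through the shell, so a
  # chain or table value containing shell metacharacters would be interpreted by it. These values
  # come from the catalog rather than from the network, but an Array form
  # (executable and each argument as separate elements) would avoid the shell entirely — confirm
  # before changing, since `$base_command` is a single string with an embedded space.
  #
  # @param protocol [String] 'IPv4' or 'IPv6', key into `$base_command`
  # @param table [String] iptables table name
  # @param args [Array<String>] remaining arguments, e.g. `-N chain`
  def execute_chain_command(protocol, table, *args)
    Puppet::Provider.execute([$base_command[protocol], table, *args].join(' '))
  end
end
puppetlabs-firewall-8.0.0/lib/puppet/type0040755000000000000000000000000014561126655015433 5ustar00puppetlabs-firewall-8.0.0/lib/puppet/type/firewall.rb0100644000175100001770000014660414561126655017705 0ustar00# frozen_string_literal: true

# lib/puppet/type/iptables.rb
require 'puppet/resource_api'

Puppet::ResourceApi.register_type(
  name: 'firewall',
  docs: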
<<-DESC, This type provides the capability to manage firewall rules within puppet via iptables. **Autorequires:** If Puppet is managing the iptables chains specified in the `chain` or `jump` parameters, the firewall resource will autorequire those firewallchain resources. If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, the firewall resource will autorequire those packages to ensure that any required binaries are installed. #### Providers * Required binaries: iptables-save, iptables. * Default for kernel == linux. * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. #### Features * address_type: The ability to match on source or destination address type. * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. * condition: Match if a specific condition variable is (un)set (requires xtables-addons) * connection_limiting: Connection limiting features. * conntrack: Connection tracking features. * dnat: Destination NATing. * hop_limiting: Hop limiting features. * icmp_match: The ability to match ICMP types. * interface_match: Interface matching. * iprange: The ability to match on source or destination IP range. * ipsec_dir: The ability to match IPsec policy direction. * ipsec_policy: The ability to match IPsec policy. * iptables: The provider provides iptables features. * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet. * isfragment: The ability to match fragments. 
* ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet. * islastfrag: The ability to match the last fragment of an ipv6 packet. * length: The ability to match the length of the layer-3 payload. * log_level: The ability to control the log level. * log_prefix: The ability to add prefixes to log messages. * log_uid: The ability to log the userid of the process which generated the packet. * log_tcp_sequence: The ability to log TCP sequence numbers. * log_tcp_options: The ability to log TCP packet header. * log_ip_options: The ability to log IP/IPv6 packet header. * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask. * nflog_group: The ability to set the group number for NFLOG. * nflog_prefix: The ability to set a prefix for nflog messages. * nflog_size: Set the max size of a message to send to nflog. * nflog_threshold: The ability to set nflog_threshold. * owner: The ability to match owners. * pkttype: The ability to match a packet type. * rate_limiting: Rate limiting features. * recent_limiting: The netfilter recent module. * reject_type: The ability to control reject messages. * set_mss: Set the TCP MSS of a packet. * snat: Source NATing. * socket: The ability to match open sockets. * state_match: The ability to match stateful firewall states. * string_matching: The ability to match a given string by using some pattern matching strategy. * tcp_flags: The ability to match on particular TCP flag settings. * netmap: The ability to map entire subnets via source or destination nat rules. * hashlimit: The ability to use the hashlimit-module. * bpf: The ability to use Berkeley Packet Filter rules. * ipvs: The ability to match IP Virtual Server packets. * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. * random_fully: The ability to use --random-fully flag. 
DESC features: ['custom_insync'], attributes: { ensure: { type: "Enum[present, absent, 'present', 'absent']", default: 'present', desc: <<-DESC Whether this rule should be present or absent on the target system. DESC }, name: { type: 'Pattern[/(^\d+(?:[ \t-]\S+)+$)/]', behaviour: :namevar, desc: <<-DESC The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number: 000 this runs first 999 this runs last Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. DESC }, line: { type: 'Optional[String[1]]', behaviour: :read_only, desc: <<-DESC A read only attribute containing the full rule, used when deleting and when applying firewallchain purge attributes. DESC }, protocol: { type: "Enum['iptables', 'ip6tables', 'IPv4', 'IPv6']", default: 'IPv4', desc: <<-DESC The protocol used to set the rule, it's allowed values have been expanded to bring it closer to its `firewallchain` counterpart. Defaults to `IPv4` Noted: this was previously defined as `provider`, however the resource_api does not allow this to be used as an attribute title. DESC }, table: { type: "Enum['nat', 'mangle', 'filter', 'raw', 'rawpost', 'broute', 'security']", default: 'filter', desc: <<-DESC The table the rule will exist in. Valid options are: * nat * mangle * filter * raw * rawpost Defaults to 'filter' DESC }, chain: { type: 'String[1]', default: 'INPUT', desc: <<-DESC Name of the chain the rule will be a part of, ensure the chain you choose exists within your set table. Can be one of the built-in chains: * INPUT * FORWARD * OUTPUT * PREROUTING * POSTROUTING Or you can provide a user-based chain. Defaults to 'INPUT' DESC }, source: { type: 'Optional[String[1]]', desc: <<-DESC The source address. For example: source => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: source => '! 
192.168.2.0/24' The source can also be an IPv6 address if your provider supports it. DESC }, destination: { type: 'Optional[String[1]]', desc: <<-DESC The destination address to match. For example: destination => '192.168.1.0/24' You can also negate a mask by putting ! in front. For example: destination => '! 192.168.2.0/24' The destination can also be an IPv6 address if your provider supports it. DESC }, iniface: { type: 'Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]', desc: <<-DESC Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this: iniface => '! lo', DESC }, outiface: { type: 'Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]', desc: <<-DESC Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this: outiface => '! lo', DESC }, physdev_in: { type: 'Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]', desc: <<-DESC Match if the packet is entering a bridge from the given interface. To negate the match try this: physdev_in => '! lo', DESC }, physdev_out: { type: 'Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]', desc: <<-DESC Match if the packet is leaving a bridge via the given interface. To negate the match try this: physdev_out => '! lo', DESC }, physdev_is_bridged: { type: 'Optional[Boolean]', desc: <<-DESC Match if the packet is transversing a bridge. DESC }, physdev_is_in: { type: 'Optional[Boolean]', desc: <<-DESC Matches if the packet has entered through a bridge interface. DESC }, physdev_is_out: { type: 'Optional[Boolean]', desc: <<-DESC Matches if the packet will leave through a bridge interface. DESC }, proto: { type: 'Optional[Pattern[/^(?:!\s)?(?:ip(?:encap)?|tcp|udp|icmp|esp|ah|vrrp|carp|igmp|ipv4|ospf|gre|cbt|sctp|pim|all)/]]', default: 'tcp', desc: <<-DESC The specific protocol to match for this rule. 
DESC }, isfragment: { type: 'Optional[Boolean]', desc: <<-DESC Set to true to match tcp fragments (requires proto to be set to tcp) DESC }, isfirstfrag: { type: 'Optional[Boolean]', desc: <<-DESC Matches if the packet is the first fragment. Specific to IPv6. DESC }, ishasmorefrags: { type: 'Optional[Boolean]', desc: <<-DESC Matches if the packet has it's 'more fragments' bit set. Specific to IPv6. DESC }, islastfrag: { type: 'Optional[Boolean]', desc: <<-DESC Matches if the packet is the last fragment. Specific to IPv6. DESC }, stat_mode: { type: 'Optional[Enum[nth, random]]', desc: <<-DESC Set the matching mode for statistic matching. DESC }, stat_every: { type: 'Optional[Integer[1]]', desc: <<-DESC Match one packet every nth packet. Requires `stat_mode => 'nth'` DESC }, stat_packet: { type: 'Optional[Integer]', desc: <<-DESC Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` DESC }, stat_probability: { type: 'Optional[Variant[Integer[0,1], Float[0.0,1.0]]]', desc: <<-DESC Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. DESC }, src_range: { type: 'Optional[String[1]]', desc: <<-DESC The source IP range. For example: src_range => '192.168.1.1-192.168.1.10' You can also negate the range by apending a `!`` to the front. For example: src_range => '! 192.168.1.1-192.168.1.10' The source IP range must be in 'IP1-IP2' format. DESC }, dst_range: { type: 'Optional[String[1]]', desc: <<-DESC The destination IP range. For example: dst_range => '192.168.1.1-192.168.1.10' You can also negate the range by putting ! in front. For example: dst_range => '! 192.168.1.1-192.168.1.10' The destination IP range must be in 'IP1-IP2' format. DESC }, tcp_option: { type: 'Optional[Variant[Pattern[/^(?:!\s)?(?:[0-1][0-9]{0,2}|2[0-4][0-9]|25[0-5])$/], Integer[0,255]]]', desc: <<-DESC Match when the TCP option is present or absent. 
Given as a single TCP option, optionally prefixed with '! ' to match on absence instead. Only one TCP option can be matched in a given rule. TCP option numbers are an eight-bit field, so valid option numbers range from 0-255. DESC }, tcp_flags: { type: 'Optional[Pattern[/^(?:!\s)?((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+\s((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+$/]]', desc: <<-DESC Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: FIN SYN RST PSH ACK URG ALL NONE Note that you specify them in the order that iptables --list-rules would list them to avoid having puppet think you changed the flags. Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation. Can be negated by placing ! in front, i.e. ! FIN,SYN,RST,ACK SYN DESC }, uid: { type: 'Optional[Variant[String[1], Integer]]', desc: <<-DESC UID or Username owner matching rule. Accepts a single argument only, as iptables does not accept multiple uid in a single statement. To negate add a space seperated '!' in front of the value. DESC }, gid: { type: 'Optional[Variant[String[1], Integer]]', desc: <<-DESC GID or Group owner matching rule. Accepts a single argument only, as iptables does not accept multiple gid in a single statement. To negate add a space seperated '!' in front of the value. DESC }, mac_source: { type: 'Optional[Pattern[/^(?:!\s)?([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]', desc: <<-DESC MAC Source DESC }, sport: { type: 'Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]', desc: <<-DESC The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. 
For some firewall providers you can pass a range of ports in the format: sport => '1:1024' This would cover ports 1 to 1024. You can also negate a port by putting ! in front. For example: sport => '! 54' If you wish to negate multiple ports at once, then place a ! at the start of the first array variable. For example: sport => ['! 54','23'] Note: This will negate all passed ports, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. DESC }, dport: { type: 'Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]', desc: <<-DESC The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: dport => '1:1024' This would cover ports 1 to 1024. You can also negate a port by putting ! in front. For example: dport => '! 54' If you wish to negate multiple ports at once, then place a ! at the start of the first array variable. For example: dport => ['! 54','23'] Note: This will negate all passed ports, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. DESC }, src_type: { type: 'Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]', desc: <<-DESC The source address type. 
For example: src_type => 'LOCAL' Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: src_type => ['LOCAL --limit-iface-in'] It can also be negated using '!': src_type => ['! LOCAL'] Will accept a single element or an array. Each element of the array should be negated seperately. DESC }, dst_type: { type: 'Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]', desc: <<-DESC The destination address type. For example: dst_type => ['LOCAL'] Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: dst_type => ['LOCAL --limit-iface-in'] Each value can be negated seperately using '!': dst_type => ['! UNICAST', '! LOCAL'] Will accept a single element or an array. DESC }, socket: { type: 'Optional[Boolean]', desc: <<-DESC If true, matches if an open socket can be found by doing a coket lookup on the packet. 
DESC }, pkttype: { type: "Optional[Enum['unicast', 'broadcast', 'multicast']]", desc: <<-DESC Sets the packet type to match. DESC }, ipsec_dir: { type: "Optional[Enum['in', 'out']]", desc: <<-DESC Sets the ipsec policy direction DESC }, ipsec_policy: { type: "Optional[Enum['none', 'ipsec']]", desc: <<-DESC Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. DESC }, state: { type: 'Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/]]]]', desc: <<-DESC Matches a packet based on its state in the firewall stateful inspection table. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED * SNAT * DNAT Can be passed either as a single String or as an Array: state => 'INVALID' state => ['INVALID', 'ESTABLISHED'] Values can be negated by adding a '!'. If you wish to negate multiple states at once, then place a ! at the start of the first array variable. For example: state => ['! INVALID', 'ESTABLISHED'] Note: This will negate all passed states, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. DESC }, ctstate: { type: 'Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/]]]]', desc: <<-DESC Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED * SNAT * DNAT Can be passed either as a single String or as an Array, if passed as an array values should be passed in order: ctstate => 'INVALID' ctstate => ['INVALID', 'ESTABLISHED'] Values can be negated by adding a '!'. 
If you wish to negate multiple states at once, then place a ! at the start of the first array variable. For example: ctstate => ['! INVALID', 'ESTABLISHED'] Note: This will negate all passed states, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. DESC }, ctproto: { type: 'Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]', desc: <<-DESC The specific layer-4 protocol number to match for this rule using the conntrack module. DESC }, ctorigsrc: { type: 'Optional[String[1]]', desc: <<-DESC The original source address using the conntrack module. For example: ctorigsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigsrc => '! 192.168.2.0/24' The ctorigsrc can also be an IPv6 address if your provider supports it. DESC }, ctorigdst: { type: 'Optional[String[1]]', desc: <<-DESC The original destination address using the conntrack module. For example: ctorigdst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigdst => '! 192.168.2.0/24' The ctorigdst can also be an IPv6 address if your provider supports it. DESC }, ctreplsrc: { type: 'Optional[String[1]]', desc: <<-DESC The reply source address using the conntrack module. For example: ctreplsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctreplsrc => '! 192.168.2.0/24' The ctreplsrc can also be an IPv6 address if your provider supports it. DESC }, ctrepldst: { type: 'Optional[String[1]]', desc: <<-DESC The reply destination address using the conntrack module. For example: ctrepldst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctrepldst => '! 192.168.2.0/24' The ctrepldst can also be an IPv6 address if your provider supports it. 
DESC }, ctorigsrcport: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC The original source port to match for this filter using the conntrack module. For example: ctorigsrcport => '80' You can also specify a port range: For example: ctorigsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctorigsrcport => '! 80' DESC }, ctorigdstport: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC The original destination port to match for this filter using the conntrack module. For example: ctorigdstport => '80' You can also specify a port range: For example: ctorigdstport => '80:81' You can also negate a port by putting ! in front. For example: ctorigdstport => '! 80' DESC }, ctreplsrcport: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC The reply source port to match for this filter using the conntrack module. For example: ctreplsrcport => '80' You can also specify a port range: For example: ctreplsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctreplsrcport => '! 80' DESC }, ctrepldstport: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC The reply destination port to match for this filter using the conntrack module. For example: ctrepldstport => '80' You can also specify a port range: For example: ctrepldstport => '80:81' You can also negate a port by putting ! in front. For example: ctrepldstport => '! 80' DESC }, ctstatus: { type: 'Optional[Variant[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/], Array[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/]]]]', desc: <<-DESC Matches a packet based on its status using the conntrack module. Values can be: * EXPECTED * SEEN_REPLY * ASSURED * CONFIRMED * NONE Can be passed either as a single String or as an Array: ctstatus => 'EXPECTED' ctstatus => ['EXPECTED', 'CONFIRMED'] Values can be negated by adding a '!'. 
If you wish to negate multiple states at once, then place a ! at the start of the first array variable. For example: ctstatus => ['! EXPECTED', 'CONFIRMED'] Note:#{' '} This will negate all passed states, it is not possible to negate a single one of the array. In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour. DESC }, ctexpire: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC Matches a packet based on lifetime remaining in seconds or range of seconds using the conntrack module. For example: ctexpire => '100' ctexpire => '100:150' DESC }, ctdir: { type: "Optional[Enum['REPLY', 'ORIGINAL']]", desc: <<-DESC Matches a packet that is flowing in the specified direction using the conntrack module. If this flag is not specified at all, matches packets in both directions. Values can be: * REPLY * ORIGINAL DESC }, hop_limit: { type: 'Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]', desc: <<-DESC Hop limiting value for matched packets. To negate add a space seperated `!` the the beginning of the value This is IPv6 specific. DESC }, icmp: { type: 'Optional[Variant[String[1],Integer]]', desc: <<-DESC When matching ICMP packets, this is the type of ICMP packet to match. A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type. DESC }, limit: { type: 'Optional[Pattern[/^\d+\/(?:sec(?:ond)?|min(?:ute)?|hour|day)$/]]', desc: <<-DESC Rate limiting value for matched packets. The format is: rate/[/second/|/minute|/hour|/day] Example values are: '50/sec', '40/min', '30/hour', '10/day'." DESC }, burst: { type: 'Optional[Integer[1]]', desc: <<-DESC Rate limiting burst value (per second) before limit checks apply. 
DESC }, length: { type: 'Optional[Pattern[/^([0-9]+)(:)?([0-9]+)?$/]]', desc: <<-DESC Sets the length of layer-3 payload to match. Example values are: '500', '5:400' DESC }, recent: { type: "Optional[Enum['set', 'update', 'rcheck', 'remove', '! set', '! update', '! rcheck', '! remove']]", desc: <<-DESC Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example: ``` # If anyone's appeared on the 'badguy' blacklist within # the last 60 seconds, drop their traffic, and update the timestamp. firewall { '100 Drop badguy traffic': recent => 'update', rseconds => 60, rsource => true, rname => 'badguy', jump => 'DROP', chain => 'FORWARD', } ``` ``` # No-one should be sending us traffic on eth0 from the # localhost, Blacklist them firewall { '101 blacklist strange traffic': recent => 'set', rsource => true, rname => 'badguy', destination => '127.0.0.0/8', iniface => 'eth0', jump => 'DROP', chain => 'FORWARD', } ``` DESC }, rseconds: { type: 'Optional[Integer[1]]', desc: <<-DESC Recent module; used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. DESC }, reap: { type: 'Optional[Boolean]', desc: <<-DESC Recent module; can only be used in conjunction with the `rseconds` attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true. DESC }, rhitcount: { type: 'Optional[Integer[1]]', desc: <<-DESC Recent module; used in conjunction with `recent => 'update'` or `recent => 'rcheck'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. DESC }, rttl: { type: 'Optional[Boolean]', desc: <<-DESC Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. 
When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the `recent => 'set'` rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true. DESC }, rname: { type: 'Optional[String[1]]', desc: <<-DESC Recent module; The name of the list. The recent module defaults this to `DEFAULT` when recent is set DESC }, mask: { type: 'Optional[Pattern[/^\d+\.\d+\.\d+\.\d+$/]]', desc: <<-DESC Recent module; sets the mask to use when `recent` is enabled. The recent module defaults this to `255.255.255.255` when recent is set DESC }, rsource: { type: 'Optional[Boolean]', desc: <<-DESC Recent module; add the source IP address to the list. Mutually exclusive with `rdest` The recent module defaults this behaviour to true when recent is set. DESC }, rdest: { type: 'Optional[Boolean]', desc: <<-DESC Recent module; add the destination IP address to the list. Mutually exclusive with `rsource` Must be boolean true. DESC }, ipset: { type: 'Optional[Variant[Pattern[/^(?:!\s)?\w+\s(?:src|dst)(?:,src|,dst)?$/], Array[Pattern[/^(?:!\s)?\w+\s(?:src|dst)(?:,src|,dst)?$/]]]]', desc: <<-DESC Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the denylist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'denylist src,dst' To negate simply place a space seperated `!` at the beginning of a value. Values can de negated independently. DESC }, string: { type: 'Optional[String[1]]', desc: <<-DESC String matching feature. Matches the packet against the pattern given as an argument. To negate, add a space seperated `!` to the beginning of the string. 
DESC }, string_hex: { type: 'Optional[Pattern[/^(?:!\s)?\|[a-zA-Z0-9\s]+\|$/]]', desc: <<-DESC String matching feature. Matches the packet against the pattern given as an argument. To negate, add a space seperated `!` to the beginning of the string. DESC }, string_algo: { type: "Optional[Enum['bm', 'kmp']]", desc: <<-DESC String matching feature, pattern matching strategy. DESC }, string_from: { type: 'Optional[Integer[1]]', desc: <<-DESC String matching feature, offset from which we start looking for any matching. DESC }, string_to: { type: 'Optional[Integer[1]]', desc: <<-DESC String matching feature, offset up to which we should scan. DESC }, jump: { type: 'Optional[String[1]]', desc: <<-DESC This value for the iptables --jump parameter and the action to perform on a match. Common values are: * ACCEPT - the packet is accepted * REJECT - the packet is rejected with a suitable ICMP response * DROP - the packet is dropped But can also be on of the following: * QUEUE * RETURN * DNAT * SNAT * LOG * NFLOG * NETMAP * MASQUERADE * REDIRECT * MARK * CT And any valid chain name is also allowed. If you specify no value it will simply match the rule but perform no action. DESC }, goto: { type: 'Optional[String[1]]', desc: <<-DESC The value for the iptables --goto parameter. Normal values are: * QUEUE * RETURN * DNAT * SNAT * LOG * MASQUERADE * REDIRECT * MARK But any valid chain name is allowed. DESC }, clusterip_new: { type: 'Optional[Boolean]', desc: <<-DESC Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. This is IPv4 specific. DESC }, clusterip_hashmode: { type: "Optional[Enum['sourceip', 'sourceip-sourceport', 'sourceip-sourceport-destport']]", desc: <<-DESC Used with the CLUSTERIP jump target. Specify the hashing mode. This is IPv4 specific. 
DESC }, clusterip_clustermac: { type: 'Optional[Pattern[/^([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]', desc: <<-DESC Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address. This is IPv4 specific. DESC }, clusterip_total_nodes: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with the CLUSTERIP jump target. Number of total nodes within this cluster. This is IPv4 specific. DESC }, clusterip_local_node: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. This is IPv4 specific. DESC }, clusterip_hash_init: { type: 'Optional[String[1]]', desc: <<-DESC Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. This is IPv4 specific. DESC }, queue_num: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with NFQUEUE jump target. What queue number to send packets to DESC }, queue_bypass: { type: 'Optional[Boolean]', desc: <<-DESC Allow packets to bypass :queue_num if userspace process is not listening DESC }, nflog_group: { type: 'Optional[Integer[1, 65535]]', desc: <<-DESC Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). Defaults to 0. DESC }, nflog_prefix: { type: 'Optional[String]', desc: <<-DESC Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs. DESC }, nflog_range: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with the jump target NFLOG. This has never worked, use nflog_size instead. DESC }, nflog_size: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own size, this option overrides it. 
DESC }, nflog_threshold: { type: 'Optional[Integer[1]]', desc: <<-DESC Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1. DESC }, gateway: { type: 'Optional[Pattern[/^(\d+.\d+.\d+.\d+|\w+:\w+::\w+)$/]]', desc: <<-DESC The TEE target will clone a packet and redirect this clone to another machine on the local network segment. Gateway is the target host's IP. DESC }, clamp_mss_to_pmtu: { type: 'Optional[Boolean]', desc: <<-DESC Sets the clamp mss to pmtu flag. DESC }, set_mss: { type: 'Optional[Integer[1]]', desc: <<-DESC Sets the TCP MSS value for packets. DESC }, set_dscp: { type: 'Optional[String[1]]', desc: <<-DESC Set DSCP Markings. DESC }, set_dscp_class: { type: "Optional[Enum['af11', 'af12', 'af13', 'af21', 'af22', 'af23', 'af31', 'af32', 'af33', 'af41', 'af42', 'af43', 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'cs6', 'cs7', 'ef']]", desc: <<-DESC This sets the DSCP field according to a predefined DiffServ class. DESC }, todest: { type: 'Optional[String[1]]', desc: <<-DESC When using jump => "DNAT" you can specify the new destination address using this paramter. Can specify a single new destination IP address or an inclusive range of IP addresses. Optionally a port or a port range with a possible follow up baseport can be provided. Input structure: [ipaddr[-ipaddr]][:port[-port[/baseport]]] DESC }, tosource: { type: 'Optional[String[1]]', desc: <<-DESC When using jump => "SNAT" you can specify the new source address using this paramter. Can specify a single new destination IP address or an inclusive range of IP addresses. Input structure: [ipaddr[-ipaddr]][:port[-port]] DESC }, toports: { type: 'Optional[Pattern[/^\d+(?:-\d+)?$/]]', desc: <<-DESC For REDIRECT/MASQUERADE this is the port that will replace the destination/source port. 
Can specify a single new port or an inclusive range of ports. DESC }, to: { type: 'Optional[String[1]]', desc: <<-DESC For NETMAP this will replace the destination IP DESC }, checksum_fill: { type: 'Optional[Boolean]', desc: <<-DESC Compute and fill missing packet checksums. DESC }, random_fully: { type: 'Optional[Boolean]', desc: <<-DESC When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping. DESC }, random: { type: 'Optional[Boolean]', desc: <<-DESC When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping. DESC }, log_prefix: { type: 'Optional[String[1]]', desc: <<-DESC When combined with jump => "LOG" specifies the log prefix to use when logging. DESC }, log_level: { type: 'Optional[Variant[Integer[0,7],String[1]]]', desc: <<-DESC When combined with jump => "LOG" specifies the system log level to log to. Note: log level 4/warn is the default setting and as such it is not returned by iptables-save. As a result, explicitly setting `log_level` to this can result in idempotency errors. DESC }, log_uid: { type: 'Optional[Boolean]', desc: <<-DESC When combined with jump => "LOG" specifies the uid of the process making the connection. DESC }, log_tcp_sequence: { type: 'Optional[Boolean]', desc: <<-DESC When combined with jump => "LOG" enables logging of the TCP sequence numbers. DESC }, log_tcp_options: { type: 'Optional[Boolean]', desc: <<-DESC When combined with jump => "LOG" logging of the TCP packet header. DESC }, log_ip_options: { type: 'Optional[Boolean]', desc: <<-DESC When combined with jump => "LOG" logging of the TCP IP/IPv6 packet header. 
DESC }, reject: { type: "Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route', 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]", desc: <<-DESC When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. Valid values differ depending on if the protocol is `IPv4` or `IPv6`. IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited. IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable. DESC }, set_mark: { type: 'Optional[Pattern[/^[a-fA-F0-9x]+(?:\/[a-fA-F0-9x]+)?$/]]', desc: <<-DESC Set the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark. These will be converted to hex if they are not already. DESC }, match_mark: { type: 'Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+$/]]', desc: <<-DESC Match the Netfilter mark value associated with the packet, accepts a mark. This value will be converted to hex if it is not already. This value can be negated by adding a space seperated `!` to the beginning. DESC }, mss: { type: 'Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]', desc: <<-DESC Match a given TCP MSS value or range. This value can be negated by adding a space seperated `!` to the beginning. DESC }, connlimit_upto: { type: 'Optional[Integer]', desc: <<-DESC Connection limiting value for matched connections below or equal to n. DESC }, connlimit_above: { type: 'Optional[Integer]', desc: <<-DESC Connection limiting value for matched connections above n. 
DESC }, connlimit_mask: { type: 'Optional[Integer[0,128]]', desc: <<-DESC Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128 DESC }, connmark: { type: 'Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+$/]]', desc: <<-DESC Match the Netfilter mark value associated with the packet, accepts a mark. This value will be converted to hex if it is not already. This value can be negated by adding a space seperated `!` to the beginning. DESC }, time_start: { type: 'Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]', desc: <<-DESC Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. DESC }, time_stop: { type: 'Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]', desc: <<-DESC Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. DESC }, month_days: { type: 'Optional[Variant[Integer[0,31], Array[Integer[0,31]]]]', desc: <<-DESC Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28-day or 29-day February. Can be passed either as a single value or an array of values: month_days => 5, month_days => [5, 9, 23], DESC }, week_days: { type: "Optional[Variant[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun'], Array[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun']]]]", desc: <<-DESC Only match on the given weekdays. Can be passed either as a single value or an array of values: week_days => 'Mon', week_days => ['Mon', 'Tue', 'Wed'], DESC }, date_start: { type: 'Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]', desc: <<-DESC Only match during the given time, which must be in ISO 8601 "T" notation. 
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 DESC }, date_stop: { type: 'Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]', desc: <<-DESC Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 DESC }, time_contiguous: { type: 'Optional[Boolean]', desc: <<-DESC When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. DESC }, kernel_timezone: { type: 'Optional[Boolean]', desc: <<-DESC Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. DESC }, u32: { type: 'Optional[Pattern[/^0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?(?:&&0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?)*$/]]', desc: <<-DESC Enable the u32 module. Takes as an argument one of set, update, rcheck or remove. For example: firewall { '032 u32 test': ensure => present, table => 'mangle', chain => 'PREROUTING', u32 => '0x4&0x1fff=0x0&&0x0&0xf000000=0x5000000', jump => 'DROP', } DESC }, src_cc: { type: 'Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]', desc: <<-DESC src attribute for the module geoip DESC }, dst_cc: { type: 'Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]', desc: <<-DESC dst attribute for the module geoip DESC }, hashlimit_upto: { type: 'Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]', desc: <<-DESC Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or `hashlimit_above` and `hashlimit_name` are required when setting any other hashlimit values. Allowed forms are '40','40/sec','40/min','40/hour','40/day'. 
DESC }, hashlimit_above: { type: 'Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]', desc: <<-DESC Match if the rate is above amount/quantum. This parameter or `hashlimit_upto` and `hashlimit_name` are required when setting any other hashlimit values. Allowed forms are '40','40/sec','40/min','40/hour','40/day'. DESC }, hashlimit_name: { type: 'Optional[String[1]]', desc: <<-DESC The name for the /proc/net/ipt_hashlimit/foo entry. This parameter and either `hashlimit_upto` or `hashlimit_above` are required when setting any other hashlimit values. DESC }, hashlimit_burst: { type: 'Optional[Integer[1]]', desc: <<-DESC Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. DESC }, hashlimit_mode: { type: 'Optional[Pattern[/^(?:srcip|srcport|dstip|dstport)(?:\,(?:srcip|srcport|dstip|dstport))*$/]]', desc: <<-DESC A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport DESC }, hashlimit_srcmask: { type: 'Optional[Integer[0,32]]', desc: <<-DESC When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. Prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. 
DESC }, hashlimit_dstmask: { type: 'Optional[Integer[0,32]]', desc: <<-DESC When --hashlimit-mode srcip is used, all destination addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. Prefix must be between (inclusive) 0 and 32. Note that --hashlimit-dstmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. DESC }, hashlimit_htable_size: { type: 'Optional[Integer]', desc: <<-DESC The number of buckets of the hash table DESC }, hashlimit_htable_max: { type: 'Optional[Integer]', desc: <<-DESC Maximum entries in the hash. DESC }, hashlimit_htable_expire: { type: 'Optional[Integer]', desc: <<-DESC After how many milliseconds do hash entries expire. DESC }, hashlimit_htable_gcinterval: { type: 'Optional[Integer]', desc: <<-DESC How many milliseconds between garbage collection intervals. DESC }, bytecode: { type: 'Optional[String[1]]', desc: <<-DESC Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility. DESC }, ipvs: { type: 'Optional[Boolean]', desc: <<-DESC Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility. DESC }, zone: { type: 'Optional[Integer]', desc: <<-DESC Assign this packet to zone id and only have lookups done in that zone. DESC }, helper: { type: 'Optional[String[1]]', desc: <<-DESC Invoke the nf_conntrack_xxx helper module for this packet. DESC }, cgroup: { type: 'Optional[String[1]]', desc: <<-DESC Matches against the net_cls cgroup ID of the packet. To negate add a space seperate `!` to the beginning of the string DESC }, rpfilter: { type: "Optional[Variant[Enum['loose', 'validmark', 'accept-local', 'invert'], Array[Enum['loose', 'validmark', 'accept-local', 'invert']]]]", desc: <<-DESC Enable the rpfilter module. 
DESC }, condition: { type: 'Optional[String[1]]', desc: <<-DESC Match on boolean value (0/1) stored in /proc/net/nf_condition/name. DESC }, notrack: { type: 'Optional[Boolean]', desc: <<-DESC Invoke the disable connection tracking for this packet. This parameter can be used with iptables version >= 1.8.3 DESC } }, ) puppetlabs-firewall-8.0.0/lib/puppet/type/firewallchain.rb0100644000175100001770000000650314561126655020705 0ustar00# frozen_string_literal: true # lib/puppet/type/firewallchain.rb require 'puppet/resource_api' Puppet::ResourceApi.register_type( name: 'firewallchain', features: ['custom_generate', 'custom_insync'], docs: <<-DESC, This type provides the capability to manage rule chains for firewalls. Currently this supports only iptables, ip6tables and ebtables on Linux. And provides support for setting the default policy on chains and tables that allow it. #### Providers * iptables_chain is the only provider that supports firewallchain. #### Features * iptables_chain: The provider provides iptables chain features. * policy: Default policy (inbuilt chains only). DESC attributes: { ensure: { type: 'Enum[present, absent]', default: 'present', desc: <<-DESC Whether this chain should be present or absent on the target system. Setting this to absent will first remove all rules associated with this chain and then delete the chain itself. Inbuilt chains however will merely remove any added rules and, if it has been changed, return their policy to the default. DESC }, name: { type: 'Pattern[/^(?:\S+):(?:nat|mangle|filter|raw|rawpost|broute|security):(?:IP(?:v[46])?|ethernet)$/]', desc: 'The canonical name of the chain with the required format being `{chain}:{table}:{protocol}`.', behaviour: :namevar }, policy: { type: "Optional[Enum['accept', 'drop', 'queue', 'return']]", desc: <<-DESC This action to take when the end of the chain is reached. This can only be set on inbuilt chains (i.e. 
INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of: * accept - the packet is accepted * drop - the packet is dropped * queue - the packet is passed userspace * return - the packet is returned to calling (jump) queue or the default of inbuilt chains DESC }, purge: { type: 'Boolean', default: false, desc: 'Whether or not to purge unmanaged rules in this chain' }, ignore: { type: 'Optional[Variant[String[1], Array[String[1]]]]', desc: <<-DESC Regex to perform on firewall rules to exempt unmanaged rules from purging. This is matched against the output of `iptables-save`. This can be a single regex, or an array of them. To support flags, use the ruby inline flag mechanism. Meaning a regex such as /foo/i can be written as '(?i)foo' or '(?i:foo)' Full example: ``` firewallchain { 'INPUT:filter:IPv4': purge => true, ignore => [ '-j fail2ban-ssh', # ignore the fail2ban jump rule '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule ], } ``` DESC }, ignore_foreign: { type: 'Boolean', default: false, desc: <<-DESC Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain. This can be used to ignore rules that were not put in by puppet. Beware that nothing keeps other systems from configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured rules. 
DESC } }, ) puppetlabs-firewall-8.0.0/lib/puppet_x0040755000000000000000000000000014561126655015001 5ustar00puppetlabs-firewall-8.0.0/lib/puppet_x/puppetlabs0040755000000000000000000000000014561126655017160 5ustar00puppetlabs-firewall-8.0.0/lib/puppet_x/puppetlabs/firewall0040755000000000000000000000000014561126655020765 5ustar00puppetlabs-firewall-8.0.0/lib/puppet_x/puppetlabs/firewall/ipcidr.rb0100644000175100001770000000162714561126655022703 0ustar00# frozen_string_literal: true require 'puppet_x' require 'ipaddr' module PuppetX::Firewall # rubocop:disable Style/ClassAndModuleChildren # IPCidr object wrapper for IPAddr class IPCidr < IPAddr def initialize(ipaddr, family = Socket::AF_UNSPEC) super(ipaddr, family) rescue ArgumentError => e raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}" if e.message.include?('invalid address') raise e end def netmask _to_string(@mask_addr) end def prefixlen m = case @family when Socket::AF_INET IN4MASK when Socket::AF_INET6 IN6MASK else raise 'unsupported address family' end return Regexp.last_match(1).length if %r{\A(1*)(0*)\z} =~ (@mask_addr & m).to_s(2) raise 'bad addr_mask format' end def cidr "#{self}/#{prefixlen}" end end end puppetlabs-firewall-8.0.0/lib/puppet_x/puppetlabs/firewall/utility.rb0100644000175100001770000002344514561126655023136 0ustar00# frozen_string_literal: true require 'puppet_x' require 'socket' require 'resolv' require 'puppet_x/puppetlabs/firewall/ipcidr' module PuppetX::Firewall # rubocop:disable Style/ClassAndModuleChildren # A utility class meant to contain re-usable code class Utility # Save any current iptables changes so they are retained upon restart def self.persist_iptables(context, name, protocol) os_key = Facter.value('os')['family'] cmd = case os_key when 'RedHat' case protocol when 'IPv4', 'iptables' ['/usr/libexec/iptables/iptables.init', 'save'] when 'IPv6', 'ip6tables' ['/usr/libexec/iptables/ip6tables.init', 'save'] end when 'Debian' fact = 
Facter.fact(:iptables_persistent_version) fact.flush if fact.respond_to?(:flush) persist_ver = fact.value case protocol when 'IPv4', 'IPv6', 'iptables', 'ip6tables' if persist_ver && Puppet::Util::Package.versioncmp(persist_ver, '1.0').positive? ['/usr/sbin/service', 'netfilter-persistent', 'save'] else ['/usr/sbin/service', 'iptables-persistent', 'save'] end end when 'Archlinux' case protocol when 'IPv4', 'iptables' ['/bin/sh', '-c', '/usr/sbin/iptables-save > /etc/iptables/iptables.rules'] when 'IPv6', 'ip6tables' ['/bin/sh', '-c', '/usr/sbin/ip6tables-save > /etc/iptables/ip6tables.rules'] end when 'Suse' case protocol when 'IPv4', 'iptables' ['/bin/sh', '-c', '/usr/sbin/iptables-save > /etc/sysconfig/iptables'] end else # Catch unsupported OSs debug('firewall: Rule persistence is not supported for this type/OS') return end # Run the persist command within a rescue block begin context.notice("Ensuring changes to '#{name}' persist") Puppet::Provider.execute(cmd) rescue Puppet::ExecutionFailure => e warn "Unable to persist firewall rules: #{e}" end end # @api private def self.create_absent(namevar, title) result = if title.is_a? Hash title.dup else { namevar => title } end result[:ensure] = 'absent' result end # Takes an address and protocol and returns the address in CIDR notation. # # The protocol is only used when the address is a hostname. 
# # If the address is: # # - A hostname: # It will be resolved # - An IPv4 address: # It will be qualified with a /32 CIDR notation # - An IPv6 address: # It will be qualified with a /128 CIDR notation # - An IP address with a CIDR notation: # It will be normalised # - An IP address with a dotted-quad netmask: # It will be converted to CIDR notation # - Any address with a resulting prefix length of zero: # It will return nil which is equivilent to not specifying an address # def self.host_to_ip(value, proto = nil) begin value = PuppetX::Firewall::IPCidr.new(value) rescue StandardError family = case proto when 'IPv4', 'iptables' Socket::AF_INET when 'IPv6', 'ip6tables' Socket::AF_INET6 when nil raise ArgumentError, 'Proto must be specified for a hostname' else raise ArgumentError, "Unsupported address family: #{proto}" end new_value = nil Resolv.each_address(value) do |addr| begin # rubocop:disable Style/RedundantBegin new_value = PuppetX::Firewall::IPCidr.new(addr, family) break rescue StandardError # looking for the one that works # rubocop:disable Lint/SuppressedException end end raise "Failed to resolve hostname #{value}" if new_value.nil? value = new_value end return nil if value.prefixlen.zero? value.cidr end # Takes an address mask and protocol and converts the host portion to CIDR # notation. # # This takes into account you can negate a mask but follows all rules # defined in host_to_ip for the host/address part. # def self.host_to_mask(value, proto) match = value.match %r{(!)\s?(.*)$} return PuppetX::Firewall::Utility.host_to_ip(value, proto) unless match cidr = PuppetX::Firewall::Utility.host_to_ip(match[2], proto) return nil if cidr.nil? 
"#{match[1]} #{cidr}" end # Translate the symbolic names for icmp packet types to integers def self.icmp_name_to_number(value_icmp, protocol) if value_icmp.to_s.match?(%r{^\d+$}) value_icmp.to_s elsif ['IPv4', 'iptables'].include?(protocol) # https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml case value_icmp when 'echo-reply' then '0' when 'destination-unreachable' then '3' when 'source-quench' then '4' when 'redirect' then '6' when 'echo-request' then '8' when 'router-advertisement' then '9' when 'router-solicitation' then '10' when 'time-exceeded' then '11' when 'parameter-problem' then '12' when 'timestamp-request' then '13' when 'timestamp-reply' then '14' when 'address-mask-request' then '17' when 'address-mask-reply' then '18' else nil end elsif ['IPv6', 'ip6tables'].include?(protocol) # https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml case value_icmp when 'destination-unreachable' then '1' when 'too-big' then '2' when 'time-exceeded' then '3' when 'parameter-problem' then '4' when 'echo-request' then '128' when 'echo-reply' then '129' when 'router-solicitation' then '133' when 'router-advertisement' then '134' when 'neighbour-solicitation' then '135' when 'neighbour-advertisement' then '136' when 'redirect' then '137' else nil end else raise ArgumentError, "unsupported protocol family '#{protocol}'" end end # Convert log_level names to their respective numbers # https://www.iana.org/assignments/syslog-parameters/syslog-parameters.xhtml def self.log_level_name_to_number(value) if value.to_s.match?(%r{^[0-7]$}) value.to_s else case value when 'panic' then '0' when 'alert' then '1' when 'crit' then '2' when 'err', 'error' then '3' when 'warn', 'warning' then '4' when 'not', 'notice' then '5' when 'info' then '6' when 'debug' then '7' else nil end end end # Validates the argument is int or hex, and returns valid hex # conversion of the value or nil otherwise. 
def self.to_hex32(value)
  begin
    # NOTE(review): Integer() honours Ruby literal prefixes, so "010" parses as
    # octal 8 and "0x1f" as 31; a nil value raises TypeError, which is not
    # rescued here.
    value = Integer(value)
    # Only values that fit an unsigned 32-bit mark are accepted.
    return "0x#{value.to_s(16)}" if value.between?(0, 0xffffffff)
  rescue ArgumentError
    # pass
  end
  nil
end

# Accepts a valid mark or mark/mask and returns them in the valid
# hexadecimal format. A missing mask defaults to 0xffffffff.
# Used for set_mark
#
# NOTE(review): the pattern is unanchored and `match` is not nil-checked, so a
# value containing no hex-like character at all raises NoMethodError, and a
# part that to_hex32 rejects comes back as nil and is interpolated as an empty
# string (e.g. "/0xffffffff") rather than being reported.
def self.mark_mask_to_hex(value)
  match = value.to_s.match(%r{([a-fA-F0-9x]+)/?([a-fA-F0-9x]+)?})
  mark = PuppetX::Firewall::Utility.to_hex32(match[1])
  return "#{mark}/0xffffffff" if match[2].nil?

  mask = PuppetX::Firewall::Utility.to_hex32(match[2])
  "#{mark}/#{mask}"
end

# Accepts a valid mark and returns them in the valid hexadecimal format.
# Accounts for negation.
# Used for match_mark / connmark
#
# NOTE(review): same caveat as mark_mask_to_hex — a value that does not begin
# with an optional "! " followed by a hex-like character raises NoMethodError,
# and a mark that to_hex32 rejects yields nil (or "! " when negated).
def self.mark_to_hex(value)
  match = value.to_s.match(%r{^(!\s)?([a-fA-F0-9x]+)})
  mask = PuppetX::Firewall::Utility.to_hex32(match[2])
  return mask if match[1].nil?

  "! #{mask}"
end

# Converts a given number to its protocol keyword
# https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
#
# A value that already starts with a letter (optionally after "! ") is returned
# unchanged; an optional "! " negation prefix is preserved on the result.
# NOTE(review): the first match? call expects a String — an Integer argument
# appears to raise TypeError before the to_s below is reached; confirm with callers.
#
# @raise [ArgumentError] for a number outside the table below
def self.proto_number_to_name(value)
  return value if %r{^(?:!\s)?([a-z])}.match?(value)

  match = value.to_s.match(%r{^(!\s)?(.*)})
  keyword = case match[2]
            when '1' then 'icmp'
            when '2' then 'igmp'
            when '4' then 'ipencap'
            when '6' then 'tcp'
            when '7' then 'cbt'
            when '17' then 'udp'
            when '47' then 'gre'
            when '50' then 'esp'
            when '51' then 'ah'
            when '89' then 'ospf'
            when '103' then 'pim'
            when '112' then 'vrrp'
            when '132' then 'sctp'
            else raise ArgumentError, "Unsupported proto number: #{value}"
            end
  "#{match[1]}#{keyword}"
end

# Converts a given number to its dscp class name
# https://www.iana.org/assignments/dscp-registry/dscp-registry.xhtml
# Keys are lowercase two-digit hex strings ('0x0a'); anything else yields nil.
def self.dscp_number_to_class(value)
  case value
  when '0x0a' then 'af11'
  when '0x0c' then 'af12'
  when '0x0e' then 'af13'
  when '0x12' then 'af21'
  when '0x14' then 'af22'
  when '0x16' then 'af23'
  when '0x1a' then 'af31'
  when '0x1c' then 'af32'
  when '0x1e' then 'af33'
  when '0x22' then 'af41'
  when '0x24' then 'af42'
  when '0x26' then 'af43'
  when '0x08' then 'cs1'
  when '0x10' then
'cs2' when '0x18' then 'cs3' when '0x20' then 'cs4' when '0x28' then 'cs5' when '0x30' then 'cs6' when '0x38' then 'cs7' when '0x2e' then 'ef' else nil end end end end puppetlabs-firewall-8.0.0/manifests0040755000000000000000000000000014561126655014360 5ustar00puppetlabs-firewall-8.0.0/manifests/init.pp0100644000175100001770000000543714561126655016006 0ustar00# @summary # Performs the basic setup tasks required for using the firewall resources. # # At the moment this takes care of: # # iptables-persistent package installation # Include the firewall class for nodes that need to use the resources in this module: # # @example # class { 'firewall': } # # @param ensure # Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. # # @param ensure_v6 # Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. # # @param pkg_ensure # Controls the state of the iptables package on your system. Valid options: 'present', 'installed' or 'latest'. # # @param service_name # Specify the name of the IPv4 iptables service. # # @param service_name_v6 # Specify the name of the IPv6 iptables service. # # @param package_name # Specify the platform-specific package(s) to install. # # @param ebtables_manage # Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure. 
#
class firewall (
  Enum[running, stopped, 'running', 'stopped'] $ensure = running,
  Optional[Enum[running, stopped, 'running', 'stopped']] $ensure_v6 = undef,
  Enum[present, installed, latest, 'present', 'installed', 'latest'] $pkg_ensure = present,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[String[1]] $service_name_v6 = $firewall::params::service_name_v6,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Boolean $ebtables_manage = false,
) inherits firewall::params {
  # The IPv6 service follows the IPv4 state unless overridden explicitly.
  $_ensure_v6 = pick($ensure_v6, $ensure)

  # The Enum types above already restrict these values; the checks are kept so
  # that a caller bypassing the types still gets the same failure message.
  unless $ensure =~ /^(running|stopped)$/ {
    fail("${title}: Ensure value '${ensure}' is not supported")
  }
  if $ensure_v6 and $ensure_v6 !~ /^(running|stopped)$/ {
    fail("${title}: ensure_v6 value '${ensure_v6}' is not supported")
  }

  case $facts['kernel'] {
    'Linux': {
      # Package/service handling is delegated to the per-distro classes.
      class { "${title}::linux":
        ensure          => $ensure,
        ensure_v6       => $_ensure_v6,
        pkg_ensure      => $pkg_ensure,
        service_name    => $service_name,
        service_name_v6 => $service_name_v6,
        package_name    => $package_name,
        ebtables_manage => $ebtables_manage,
      }
      contain "${title}::linux"
    }
    # No setup is performed for these kernels.
    'FreeBSD', 'OpenBSD', 'windows': {}
    default: {
      fail("${title}: Kernel '${facts['kernel']}' is not currently supported")
    }
  }
}
puppetlabs-firewall-8.0.0/manifests/linux0040755000000000000000000000000014561126655015517 5ustar00puppetlabs-firewall-8.0.0/manifests/linux/archlinux.pp0100644000175100001770000000321714561126655020171 0ustar00
# @summary
#   Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
#
# @param ensure
#   Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# @param enable
#   Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# @param service_name
#   Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param package_name
#   Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
#   Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults defined in firewall::params.
#
# @api private
#
class firewall::linux::archlinux (
  Enum[running, stopped, 'running', 'stopped'] $ensure = 'running',
  Variant[Boolean, String[1]] $enable = true,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Enum[present, latest, 'present', 'latest'] $package_ensure = $firewall::params::package_ensure,
) inherits firewall::params {
  # params.pp sets no package for Archlinux, so this is normally skipped.
  if $package_name {
    package { $package_name:
      ensure => $package_ensure,
    }
  }

  service { $service_name:
    ensure    => $ensure,
    enable    => $enable,
    hasstatus => true,
  }

  # Both persistence files must exist before the services try to load them.
  # NOTE(review): they are created with default ownership and mode, unlike the
  # 0600 root-owned sysconfig files in firewall::linux::redhat; a saved ruleset
  # discloses the host's policy to any local user able to read it.
  $rules_files = ['/etc/iptables/iptables.rules', '/etc/iptables/ip6tables.rules']
  file { $rules_files:
    ensure => file,
    before => Service[$service_name],
  }
}
puppetlabs-firewall-8.0.0/manifests/linux/debian.pp0100644000175100001770000000317714561126655017423 0ustar00
# @summary
#   Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
#
# @param ensure
#   Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# @param enable
#   Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# @param service_name
#   Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param package_name
#   Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
#   Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults defined in firewall::params.
#
# @api private
#
class firewall::linux::debian (
  Enum[running, stopped, 'running', 'stopped'] $ensure = running,
  Variant[Boolean, String[1]] $enable = true,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Enum[present, latest, 'present', 'latest'] $package_ensure = $firewall::params::package_ensure,
) inherits firewall::params {
  if $package_name {
    stdlib::ensure_packages([$package_name], { ensure => $package_ensure })
  }

  # This isn't a real service/daemon. The start action loads rules, so just
  # needs to be called on system boot.
  # NOTE(review): Package[$package_name] is referenced outside the guard above,
  # so an undef $package_name would fail here; every Debian-family branch of
  # params.pp sets it, so this is only reachable through an explicit override.
  service { $service_name:
    ensure    => $ensure,
    enable    => $enable,
    hasstatus => true,
    require   => Package[$package_name],
  }
}
puppetlabs-firewall-8.0.0/manifests/linux/gentoo.pp0100644000175100001770000000321314561126655017463 0ustar00
# @summary
#   Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
#
# @param ensure
#   Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# @param enable
#   Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# @param service_name
#   Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param package_name
#   Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
#   Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults defined in firewall::params.
#
# @api private
#
class firewall::linux::gentoo (
  Enum[running, stopped, 'running', 'stopped'] $ensure = running,
  Variant[Boolean, String[1]] $enable = true,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Enum[present, latest, 'present', 'latest'] $package_ensure = $firewall::params::package_ensure,
) inherits firewall::params {
  if $package_name {
    package { $package_name:
      ensure => $package_ensure,
    }
  }

  service { $service_name:
    ensure    => $ensure,
    enable    => $enable,
    hasstatus => true,
  }

  # Both saved-rules files must exist before the services try to load them.
  # NOTE(review): created with default ownership and mode, unlike the 0600
  # root-owned sysconfig files in firewall::linux::redhat; a saved ruleset
  # discloses the host's policy to any local user able to read it.
  $saved_rules = ['/var/lib/iptables/rules-save', '/var/lib/iptables/rules-save6']
  file { $saved_rules:
    ensure => file,
    before => Service[$service_name],
  }
}
puppetlabs-firewall-8.0.0/manifests/linux/redhat.pp0100644000175100001770000001600014561126655017436 0ustar00
# @summary
#   Manages the `iptables` service on RedHat-alike systems.
#
# @param ensure
#   Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# @param ensure_v6
#   Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'undef'.
#
# @param enable
#   Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# @param enable_v6
#   Enable parameter passed onto Service[] resources. Defaults to 'undef'.
#
# @param service_name
#   Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param service_name_v6
#   Specify the name of the IPv6 iptables service. Defaults defined in firewall::params.
#
# @param package_name
#   Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
#   Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults defined in firewall::params.
#
# @param sysconfig_manage
#   Enable sysconfig configuration for iptables/ip6tables files. Defaults defined in firewall::params.
#   This is disabled for RedHat/CentOS 8+.
#
# @param firewalld_manage
#   When true (and the OS is not Amazon), the firewalld service is stopped and disabled
#   before the iptables package and service are managed. Defaults defined in firewall::params.
#
# @api private
#
class firewall::linux::redhat (
  Enum[running, stopped, 'running', 'stopped'] $ensure = running,
  Optional[Enum[running, stopped, 'running', 'stopped']] $ensure_v6 = undef,
  Variant[Boolean, String[1]] $enable = true,
  Optional[Variant[Boolean, String[1]]] $enable_v6 = undef,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[String[1]] $service_name_v6 = $firewall::params::service_name_v6,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Enum[present, latest, 'present', 'latest'] $package_ensure = $firewall::params::package_ensure,
  Boolean $sysconfig_manage = $firewall::params::sysconfig_manage,
  Boolean $firewalld_manage = $firewall::params::firewalld_manage,
) inherits firewall::params {
  # The v6 service inherits the v4 state/enable unless given explicitly.
  $_ensure_v6 = pick($ensure_v6, $ensure)
  $_enable_v6 = pick($enable_v6, $enable)

  # RHEL 7 / CentOS 7 and later and Fedora 15 and later require the iptables-services
  # package, which provides the /usr/libexec/iptables/iptables.init used by
  # lib/puppet/util/firewall.rb.
  if ($facts['os']['name'] != 'Amazon') {
    if $firewalld_manage {
      # NOTE(review): firewalld is stopped before Service[$service_name] is started,
      # so within one run a host that relied on firewalld may have no ruleset
      # loaded until the iptables service comes up. Package[$package_name] is also
      # referenced unconditionally here although $package_name is Optional.
      service { 'firewalld':
        ensure => stopped,
        enable => false,
        before => [Package[$package_name], Service[$service_name]],
      }
    }
  }

  # in RHEL 8 / CentOS 8 nftables provides a replacement iptables cli
  # but there is no nftables specific for ipv6 so throw a warning
  if !$service_name_v6 and ($ensure_v6 or $enable_v6) {
    warning('No v6 service available, $ensure_v6 and $enable_v6 are ignored')
  }

  if $package_name {
    stdlib::ensure_packages($package_name, { 'ensure' => $package_ensure, 'before' => Service[$service_name] })
  }

  if ($facts['os']['name'] != 'Amazon') {
    if $ensure == 'running' {
      # Reload unit files after the package install so the service can be
      # started in the same run; refreshonly keeps it idempotent.
      # NOTE(review): Package[$package_name] is referenced unconditionally here
      # too; params.pp leaves $package_name undef for Fedora < 34.
      $running_command = ['/usr/bin/systemctl', 'daemon-reload']
      exec { '/usr/bin/systemctl daemon-reload':
        command     => $running_command,
        require     => Package[$package_name],
        before      => Service[$service_name, $service_name_v6],
        subscribe   => Package[$package_name],
        refreshonly => true,
      }
    }
  }

  # NOTE(review): the first disjunct (major >= 4) is subsumed by the second
  # (major >= 2); the whole condition reduces to "Amazon with major >= 2".
  if ($facts['os']['name'] == 'Amazon') and (versioncmp($facts['os']['release']['major'], '4') >= 0) or ($facts['os']['name'] == 'Amazon') and (versioncmp($facts['os']['release']['major'], '2') >= 0) {
    service { $service_name:
      ensure    => $ensure,
      enable    => $enable,
      hasstatus => true,
      provider  => systemd,
    }
    if $service_name_v6 {
      service { $service_name_v6:
        ensure    => $_ensure_v6,
        enable    => $_enable_v6,
        hasstatus => true,
        provider  => systemd,
      }
    }
  } else {
    service { $service_name:
      ensure    => $ensure,
      enable    => $enable,
      hasstatus => true,
    }
    if $service_name_v6 {
      service { $service_name_v6:
        ensure    => $_ensure_v6,
        enable    => $_enable_v6,
        hasstatus => true,
      }
    }
  }

  if $sysconfig_manage {
    # The saved ruleset is root-only (0600): it describes the host's policy.
    # NOTE(review): interpolating $service_name assumes a single String; params.pp
    # only enables $sysconfig_manage on branches where it is a String, so the
    # Array case is currently unreachable here.
    file { "/etc/sysconfig/${service_name}":
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0600',
    }
    if $service_name_v6 {
      file { "/etc/sysconfig/${service_name_v6}":
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0600',
      }
    }

    # Per-distro SELinux contexts for the sysconfig files; the collectors below
    # override the file resources declared above. The user/type chosen for each
    # release is in the branches themselves (RedHat 7 gets unconfined_u here).
    case $facts['os']['selinux']['enabled'] { #lint:ignore:quoted_booleans
      'true',true: {
        case $facts['os']['name'] {
          'RedHat': {
            case $facts['os']['release']['full'] {
              /^7\..*/: {
                $seluser = 'unconfined_u'
                $seltype = 'system_conf_t'
              }
              default : {
                $seluser = 'system_u'
                $seltype = 'system_conf_t'
              }
            }
            File<| title == "/etc/sysconfig/${service_name}" |> { seluser => $seluser, seltype => $seltype }
            File<| title == "/etc/sysconfig/${service_name_v6}" |> { seluser => $seluser, seltype => $seltype }
          }
          'CentOS': {
            case $facts['os']['release']['full'] {
              /^6\..*/: {
                $seluser = 'unconfined_u'
                $seltype = 'system_conf_t'
              }
              /^7\..*/: {
                $seluser = 'system_u'
                $seltype = 'system_conf_t'
              }
              /^8\..*/: {
                $seluser = 'system_u'
                $seltype = 'etc_t'
              }
              /^9\..*/: {
                $seluser = 'system_u'
                $seltype = 'etc_t'
              }
              default : {
                $seluser = 'unconfined_u'
                $seltype = 'etc_t'
              }
            }
            File<| title == "/etc/sysconfig/${service_name}" |> { seluser => $seluser, seltype => $seltype }
            File<| title == "/etc/sysconfig/${service_name_v6}" |> { seluser => $seluser, seltype => $seltype }
          }
          # Fedora uses the same SELinux context as Redhat
          'Fedora': {
            $seluser = 'system_u'
            $seltype = 'system_conf_t'
            File<| title == "/etc/sysconfig/${service_name}" |> { seluser => $seluser, seltype => $seltype }
            File<| title == "/etc/sysconfig/${service_name_v6}" |> { seluser => $seluser, seltype => $seltype }
          }
          default: {}
        }
      }
      default: {} #lint:endignore
    }
  }
}
puppetlabs-firewall-8.0.0/manifests/linux.pp0100644000175100001770000000723214561126655016175 0ustar00
# @summary Main linux class, includes all other classes
#
# @param ensure
#   Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# @param ensure_v6
#   Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to undef, which follows $ensure.
#
# @param pkg_ensure
#   Controls the state of the iptables package on your system.
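#   Valid options: 'present', 'installed' or 'latest'. Defaults to 'installed'.
#
# @param service_name
#   Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param service_name_v6
#   Specify the name of the IPv6 iptables service. Defaults defined in firewall::params.
#
# @param package_name
#   Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param ebtables_manage
#   Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
#
# @param iptables_name
#   Name of the package managed as Package['iptables']. Defaults defined in firewall::params.
#
# @api private
#
class firewall::linux (
  Enum[running, stopped, 'running', 'stopped'] $ensure = running,
  Optional[Enum[running, stopped, 'running', 'stopped']] $ensure_v6 = undef,
  Enum[present, installed, latest, 'present', 'installed', 'latest'] $pkg_ensure = installed,
  Variant[String[1], Array[String[1]]] $service_name = $firewall::params::service_name,
  Optional[String[1]] $service_name_v6 = $firewall::params::service_name_v6,
  Optional[Variant[String[1], Array[String[1]]]] $package_name = $firewall::params::package_name,
  Boolean $ebtables_manage = false,
  String[1] $iptables_name = $firewall::params::iptables_name,
) inherits firewall::params {
  # A running service is also enabled at boot, and vice versa.
  $enable = $ensure ? {
    'running' => true,
    'stopped' => false,
  }

  # The v6 service follows the v4 state unless overridden.
  $_ensure_v6 = pick($ensure_v6, $ensure)
  $_enable_v6 = $_ensure_v6 ? {
    'running' => true,
    'stopped' => false,
  }

  # $pkg_ensure only governs this resource (and ebtables below); the per-distro
  # classes manage their own persistence packages from firewall::params.
  package { 'iptables':
    ensure => $pkg_ensure,
    name   => $iptables_name,
  }

  if $ebtables_manage {
    package { 'ebtables':
      ensure => $pkg_ensure,
    }
  }

  case $facts['os']['name'] {
    'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos', 'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer', 'VirtuozzoLinux', 'Rocky', 'AlmaLinux': {
      class { "${title}::redhat":
        ensure          => $ensure,
        ensure_v6       => $_ensure_v6,
        enable          => $enable,
        enable_v6       => $_enable_v6,
        package_name    => $package_name,
        service_name    => $service_name,
        service_name_v6 => $service_name_v6,
        require         => Package['iptables'],
      }
    }
    'Debian', 'Ubuntu': {
      class { "${title}::debian":
        ensure       => $ensure,
        enable       => $enable,
        package_name => $package_name,
        service_name => $service_name,
        require      => Package['iptables'],
      }
    }
    'Archlinux': {
      class { "${title}::archlinux":
        ensure       => $ensure,
        enable       => $enable,
        package_name => $package_name,
        service_name => $service_name,
        require      => Package['iptables'],
      }
    }
    'Gentoo': {
      class { "${title}::gentoo":
        ensure       => $ensure,
        enable       => $enable,
        package_name => $package_name,
        service_name => $service_name,
        require      => Package['iptables'],
      }
    }
    # Other Linux distributions only get Package['iptables'] managed.
    default: {}
  }
}
puppetlabs-firewall-8.0.0/manifests/params.pp0100644000175100001770000000742714561126655016323 0ustar00
# @summary Provides defaults for the firewall module parameters
#
# Every branch below must set $service_name, $service_name_v6, $package_name
# and $iptables_name, because firewall::linux reads them as typed defaults;
# $sysconfig_manage and $firewalld_manage are only read by firewall::linux::redhat.
#
# @api private
#
class firewall::params {
  $package_ensure = 'present'

  case $facts['os']['family'] {
    'RedHat': {
      case $facts['os']['name'] {
        'Amazon': {
          $service_name = 'iptables'
          $service_name_v6 = 'ip6tables'
          $package_name = undef
          $iptables_name = 'iptables'
          $sysconfig_manage = true
          $firewalld_manage = true
        }
        'Fedora': {
          $service_name = 'iptables'
          $service_name_v6 = 'ip6tables'
          if versioncmp($facts['os']['release']['full'], '34') >= 0 {
            $package_name = 'iptables-services'
            $iptables_name = 'iptables-compat'
          } else {
            $iptables_name = 'iptables'
            $package_name = undef
          }
          $sysconfig_manage = true
          $firewalld_manage = true
        }
        default: {
          # sysconfig files are not managed on 8+, where iptables is the nft shim.
          if versioncmp($facts['os']['release']['full'], '9') >= 0 {
            $service_name = ['nftables','iptables']
            $service_name_v6 = 'ip6tables'
            $package_name = ['iptables-services', 'nftables', 'iptables-nft-services']
            $iptables_name = 'iptables-nft'
            $sysconfig_manage = false
            $firewalld_manage = true
          } elsif versioncmp($facts['os']['release']['full'], '8.0') >= 0 {
            $service_name = ['iptables', 'nftables']
            $service_name_v6 = 'ip6tables'
            $package_name = ['iptables-services', 'nftables']
            $iptables_name = 'iptables'
            $sysconfig_manage = false
            $firewalld_manage = true
          } elsif versioncmp($facts['os']['release']['full'], '7.0') >= 0 {
            $service_name = 'iptables'
            $service_name_v6 = 'ip6tables'
            $package_name = 'iptables-services'
            $iptables_name = 'iptables'
            $sysconfig_manage = true
            $firewalld_manage = true
          } else {
            $service_name = 'iptables'
            $service_name_v6 = 'ip6tables'
            $package_name = 'iptables-ipv6'
            $iptables_name = 'iptables'
            $sysconfig_manage = true
            $firewalld_manage = true
          }
        }
      }
    }
    'Debian': {
      $service_name_v6 = undef
      $iptables_name = 'iptables'
      case $facts['os']['name'] {
        'Debian': {
          if versioncmp($facts['os']['release']['full'], 'unstable') >= 0 {
            $service_name = 'netfilter-persistent'
            $package_name = 'netfilter-persistent'
          } elsif versioncmp($facts['os']['release']['full'], '8.0') >= 0 {
            $service_name = 'netfilter-persistent'
            $package_name = 'iptables-persistent'
          } else {
            $service_name = 'iptables-persistent'
            $package_name = 'iptables-persistent'
          }
        }
        'Ubuntu': {
          if versioncmp($facts['os']['release']['full'], '14.10') >= 0 {
            $service_name = 'netfilter-persistent'
            $package_name = 'iptables-persistent'
          } else {
            $service_name = 'iptables-persistent'
            $package_name = 'iptables-persistent'
          }
        }
        default: {
          $service_name = 'iptables-persistent'
          $package_name = 'iptables-persistent'
        }
      }
    }
    'Gentoo': {
      $service_name = ['iptables','ip6tables']
      $service_name_v6 = undef
      $package_name = 'net-firewall/iptables'
      # Previously unset on this branch: firewall::linux declares
      # `String[1] $iptables_name = $firewall::params::iptables_name`, so the
      # undef default failed type checking and the module could not be
      # included on Gentoo. The plain name mirrors the other families;
      # NOTE(review): confirm portage resolves it alongside the
      # net-firewall/iptables package declared by firewall::linux::gentoo.
      $iptables_name = 'iptables'
    }
    default: {
      # Everything else, including SLES (listed in metadata.json), lands here:
      # only the iptables package is managed and no persistence package is set.
      $iptables_name = 'iptables'
      $service_name_v6 = undef
      case $facts['os']['name'] {
        'Archlinux': {
          $service_name = ['iptables','ip6tables']
          $package_name = undef
        }
        default: {
          $service_name = 'iptables'
          $package_name = undef
        }
      }
    }
  }
}
puppetlabs-firewall-8.0.0/metadata.json0100644000175100001770000000342714561126655015161 0ustar00
{
  "name": "puppetlabs-firewall",
  "version": "8.0.0",
  "author": "puppetlabs",
  "summary": "Manages Firewalls such as iptables",
  "license": "Apache-2.0",
  "source": "https://github.com/puppetlabs/puppetlabs-firewall",
  "project_page": "http://github.com/puppetlabs/puppetlabs-firewall",
  "issues_url": "https://github.com/puppetlabs/puppetlabs-firewall/issues",
  "dependencies": [
    {
      "name": "puppetlabs/stdlib",
      "version_requirement": ">= 9.0.0 < 10.0.0"
    }
  ],
  "operatingsystem_support": [
    {
      "operatingsystem": "RedHat",
      "operatingsystemrelease": [
        "7",
        "8",
        "9"
      ]
    },
    {
      "operatingsystem": "CentOS",
      "operatingsystemrelease": [
        "7",
        "8"
      ]
    },
    {
      "operatingsystem": "OracleLinux",
      "operatingsystemrelease": [
        "7"
      ]
    },
    {
      "operatingsystem": "Scientific",
      "operatingsystemrelease": [
        "7"
      ]
    },
    {
      "operatingsystem": "SLES",
      "operatingsystemrelease": [
        "12",
        "15"
      ]
    },
    {
      "operatingsystem": "Debian",
      "operatingsystemrelease": [
        "10",
        "11"
      ]
    },
    {
      "operatingsystem": "Ubuntu",
      "operatingsystemrelease": [
        "18.04",
        "20.04",
        "22.04"
      ]
    },
    {
      "operatingsystem": "Rocky",
      "operatingsystemrelease": [
        "8"
      ]
    },
    {
      "operatingsystem": "AlmaLinux",
      "operatingsystemrelease": [
        "8"
      ]
    }
  ],
  "requirements": [
    {
      "name": "puppet",
      "version_requirement": ">= 7.0.0 < 9.0.0"
    }
  ],
  "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
  "template-ref": "heads/main-0-g79a2f93",
  "pdk-version": "3.0.0"
}
puppetlabs-firewall-8.0.0/pdk.yaml0100644000175100001770000000001714561126655014140 0ustar00
---
ignore: []
puppetlabs-firewall-8.0.0/provision.yaml0100644000175100001770000000232214561126655015413 0ustar00
---
default:
  provisioner: docker
  images:
    - litmusimage/centos:7
vagrant:
  provisioner: vagrant
  images:
    - centos/7
    - generic/ubuntu1804
docker_deb: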
provisioner: docker images: - litmusimage/debian:8 - litmusimage/debian:9 docker_ub_6: provisioner: docker images: - litmusimage/ubuntu:16.04 - litmusimage/ubuntu:18.04 - litmusimage/ubuntu:20.04 docker_el7: provisioner: docker images: - litmusimage/centos:7 docker_el8: provisioner: docker images: - litmusimage/centos:8 release_checks_6: provisioner: abs images: - redhat-6-x86_64 - redhat-7-x86_64 - redhat-8-x86_64 - centos-6-x86_64 - centos-7-x86_64 - centos-8-x86_64 - oracle-6-x86_64 - scientific-6-x86_64 - scientific-7-x86_64 - debian-8-x86_64 - debian-9-x86_64 - debian-10-x86_64 - sles-12-x86_64 - sles-15-x86_64 - ubuntu-1404-x86_64 - ubuntu-1604-x86_64 - ubuntu-1804-x86_64 - ubuntu-2004-x86_64 release_checks_7: provisioner: abs images: - redhat-7-x86_64 - redhat-8-x86_64 - centos-7-x86_64 - centos-8-x86_64 - oracle-7-x86_64 - scientific-7-x86_64 - sles-12-x86_64 - sles-15-x86_64 - debian-9-x86_64 - debian-10-x86_64 - ubuntu-1804-x86_64 - ubuntu-2004-x86_64