Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 8.0.0
- , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'karimchaouch-firewall', '3.5.1'
Learn more about managing modules with a PuppetfileDocumentation
firewall
Table of Contents
- Overview - What is the firewall module?
- Module description - What does the module do?
- Setup - The basics of getting started with firewall
- Usage - Configuration and customization options
- Reference - An under-the-hood peek at what the module is doing
- Limitations - OS compatibility, etc.
- Firewall_multi - Arrays for certain parameters
- Development - Guide for contributing to the module
Overview
The firewall module lets you manage firewall rules with Puppet.
Module description
PuppetLabs' firewall module introduces the firewall
resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the firewallchain
resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.
The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining pre
and post
rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.
Setup
What firewall affects
- Every node running a firewall
- Firewall settings in your system
- Connection settings for managed nodes
- Unmanaged resources (get purged)
Setup requirements
Firewall uses Ruby-based providers, so you must enable pluginsync.
Beginning with firewall
In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.
The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the pre
and post
classes described in the first section, then you also need to create the rules described in the second section.
Create the my_fw::pre
and my_fw::post
Classes
This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
The code in this section does the following:
- The 'require' parameter in
firewall {}
ensuresmy_fw::pre
is run before any other rules. - In the
my_fw::post
class declaration, the 'before' parameter ensuresmy_fw::post
is run after any other rules.
The rules in the pre
and post
classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.
- Add the
pre
class tomy_fw/manifests/pre.pp
, and any default rules to your pre.pp file first — in the order you want them to run.
class my_fw::pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}
-> firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}
-> firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}
-> firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
The rules in pre
allow basic networking (such as ICMP and TCP) and ensure that
existing connections are not closed.
- Add the
post
class tomy_fw/manifests/post.pp
and include any default rules — apply these last.
class my_fw::post {
firewall { '999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
Alternatively, the firewallchain type can be used to set the default policy:
firewallchain { 'INPUT:filter:IPv4':
ensure => present,
policy => drop,
before => undef,
}
Create firewall rules
The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
- Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the
pre
andpost
classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
Firewall {
before => Class['my_fw::post'],
require => Class['my_fw::pre'],
}
- Declare the
my_fw::pre
andmy_fw::post
classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
class { ['my_fw::pre', 'my_fw::post']: }
- Include the
firewall
class to ensure the correct packages are installed:
class { 'firewall': }
- If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
resources { 'firewall':
purge => true,
}
To purge unmanaged firewall chains, add:
resources { 'firewallchain':
purge => true,
}
Internal chains can not be deleted. In order to avoid all the confusing
Warning/Notice messages when using purge => true
, like these ones:
Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds
Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[INPUT:mangle:IPv4]/ensure: removed
Warning: Firewallchain[FORWARD:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain FORWARD:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[FORWARD:mangle:IPv4]/ensure: removed
Warning: Firewallchain[OUTPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain OUTPUT:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[OUTPUT:mangle:IPv4]/ensure: removed
Warning: Firewallchain[POSTROUTING:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain POSTROUTING:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[POSTROUTING:mangle:IPv4]/ensure: removed
Please create firewallchains for every internal chain. Here is an example:
firewallchain { 'POSTROUTING:mangle:IPv6':
ensure => present,
}
resources { 'firewallchain':
purge => true,
}
Note: If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.
Note: If you need more fine-grained control about which unmananged rules get removed, investigate the
purge
andignore_foreign
parameters available infirewallchain
.
Upgrading
Use these steps if you already have a version of the firewall module installed.
From version 0.2.0 and more recent
Upgrade the module with the puppet module tool as normal:
puppet module upgrade puppetlabs/firewall
Usage
There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.
All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. 000 runs first, 999 runs last.
Note: The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range.
Default rules
You can place default rules in either my_fw::pre
or my_fw::post
, depending on when you would like them to run. Rules placed in the pre
class will run first, and rules in the post
class, last.
In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
Examples of default rules
Basic accept ICMP request example:
firewall { '000 accept all icmp requests':
proto => 'icmp',
action => 'accept',
}
Drop all:
firewall { '999 drop all other requests':
action => 'drop',
}
Example of an IPv6 rule
IPv6 rules can be specified using the ip6tables provider:
firewall { '006 Allow inbound SSH (v6)':
dport => 22,
proto => 'tcp',
action => 'accept',
provider => 'ip6tables',
}
Application-specific rules
Puppet doesn't care where you define rules, and this means that you can place your firewall resources as close to the applications and services that you manage as you wish. If you use the roles and profiles pattern then it makes sense to create your firewall rules in the profiles, so they remain close to the services managed by the profile.
This is an example of firewall rules in a profile:
class profile::apache {
include apache
apache::vhost { 'mysite':
ensure => present,
}
firewall { '100 allow http and https access':
dport => [80, 443],
proto => 'tcp',
action => 'accept',
}
}
Rule inversion
Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.
Parameters that understand inversion are: connmark, ctstate, destination, dport, dst_range, dst_type, iniface, outiface, port, proto, source, sport, src_range and src_type.
Examples:
firewall { '001 disallow esp protocol':
action => 'accept',
proto => '! esp',
}
firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
chain => 'INPUT',
state => 'NEW',
action => 'drop',
proto => 'tcp',
sport => ['! http', '! 443'],
source => '! 10.0.0.0/8',
tcp_flags => '! FIN,SYN,RST,ACK SYN',
}
Additional uses for the firewall module
You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:
node 'some.node.com' {
firewall { '111 open port 111':
dport => 111,
}
}
You can also do more complex things with the firewall
resource. This example sets up static NAT for the source network 10.1.2.0/24:
firewall { '100 snat for network foo2':
chain => 'POSTROUTING',
jump => 'MASQUERADE',
proto => 'all',
outiface => 'eth0',
source => '10.1.2.0/24',
table => 'nat',
}
You can also change the TCP MSS value for VPN client traffic:
firewall { '110 TCPMSS for VPN clients':
chain => 'FORWARD',
table => 'mangle',
source => '10.0.2.0/24',
proto => 'tcp',
tcp_flags => 'SYN,RST SYN',
mss => '1361:1541',
set_mss => '1360',
jump => 'TCPMSS',
}
The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:
firewall { '503 Mirror traffic to IDS':
proto => 'all',
jump => 'TEE',
gateway => '10.0.0.2',
chain => 'PREROUTING',
table => 'mangle',
}
The following example creates a new chain and forwards any port 5000 access to it.
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => present,
}
firewall { '100 my rule':
chain => 'MY_CHAIN',
action => 'accept',
proto => 'tcp',
dport => 5000,
}
Setup NFLOG for a rule.
firewall {'666 for NFLOG':
proto => 'all',
jump => 'NFLOG',
nflog_group => 3,
nflog_prefix => 'nflog-test',
nflog_range => 256,
nflog_threshold => 1,
}
Duplicate rule behaviour
It is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This configuration is not supported by the firewall module.
In the event of a duplicate rule, the module will by default display a warning message notifying the user that it has found a duplicate but will continue to update the resource.
This behaviour is configurable via the onduplicaterulebehaviour
parameter. Users can choose from the following behaviours:
ignore
- The duplicate rule is ignored and any updates to the resource will continue unaffected.warn
- The duplicate rule is logged as a warning and any updates to the resource will continue unaffected.error
- The duplicate rule is logged as an error and any updates to the resource will be skipped.
With either the ignore
or warn
(default) behaviour, Puppet may create another duplicate rule.
To prevent this behavior and report the resource as failing during the Puppet run, specify the error
behaviour.
Additional information
Access the inline documentation:
puppet describe firewall
Or
puppet doc -r type
(and search for firewall)
Reference
For information on the classes and types, see the REFERENCE.md. For information on the facts, see below.
Facts:
Fact: ip6tables_version
A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
Fact: iptables_version
A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.
Fact: iptables_persistent_version
Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
Limitations
For an extensive list of supported operating systems, see metadata.json
SLES
The socket
parameter is not supported on SLES. In this release it will cause
the catalog to fail with iptables failures, rather than correctly warn you that
the features are unusable.
Oracle Enterprise Linux
The socket
and owner
parameters are unsupported on Oracle Enterprise Linux
when the "Unbreakable" kernel is used. These may function correctly when using
the stock RedHat kernel instead. Declaring either of these parameters on an
unsupported system will result in iptable rules failing to apply.
Passing firewall parameter values as arrays with firewall_multi
module
You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.
A community module, alexharvey-firewall_multi, provides a defined type wrapper to spawn firewall resources for arrays of certain inputs.
For example:
firewall_multi { '100 allow http and https access':
source => [
'10.0.10.0/24',
'10.0.12.0/24',
'10.1.1.128',
],
dport => [80, 443],
proto => 'tcp',
action => 'accept',
}
For more information see the documentation at alexharvey-firewall_multi.
Known issues
MCollective causes PE to reverse firewall rule order
Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x.
If you use MCollective to kick off Puppet runs (mco puppet runonce -I agent.example.com
) while also using the puppetlabs/firewall
module, your firewall rules might be listed in reverse order.
In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails.
To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead:
- Run
puppet agent -t
on the command line. - Use a cron job.
- Click Run Puppet in the console.
condition parameter
The condition
parameter requires xtables-addons
to be installed locally.
For ubuntu distributions xtables-addons-common
package can be installed by running command: apt-get install xtables-addons-common
or
running a manifest:
package { 'xtables-addons-common':
ensure => 'latest',
}
For other distributions (RedHat, Debian, Centos etc) manual installation of the xtables-addons
package is required.
Reporting Issues
Please report any bugs in the Puppetlabs JIRA issue tracker:
https://tickets.puppetlabs.com/projects/MODULES/issues
Development
Acceptance tests for this module leverage puppet_litmus. To run the acceptance tests follow the instructions here. You can also find a tutorial and walkthrough of using Litmus and the PDK on YouTube.
If you run into an issue with this module, or if you would like to request a feature, please file a ticket. Every Monday the Puppet IA Content Team has office hours in the Puppet Community Slack, alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC).
If you have problems getting this module up and running, please contact Support.
If you submit a change to this module, be sure to regenerate the reference documentation as follows:
puppet strings generate --format markdown --out REFERENCE.md
Testing
Make sure you have:
- rake
- bundler
Install the necessary gems:
bundle install
And run the tests from the root of the source code:
bundle exec rake parallel_spec
See also .travis.yml
for information on running the acceptance and other tests.
Reference
Table of Contents
Classes
Public Classes
firewall
: Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins
Private Classes
firewall::linux
: Main linux class, includes all other classesfirewall::linux::archlinux
: Managesiptables
andip6tables
services, and creates files used for persistence, on Arch Linux systems.firewall::linux::debian
: Installs theiptables-persistent
package for Debian-alike systems. This allows rules to be stored to file and restored on boot.firewall::linux::gentoo
: Managesiptables
andip6tables
services, and creates files used for persistence, on Gentoo Linux systems.firewall::linux::redhat
: Manages theiptables
service on RedHat-alike systems.firewall::params
: Provides defaults for the Apt module parameters.
Resource types
firewall
: This type provides the capability to manage firewall rules within puppet.firewallchain
: This type provides the capability to manage rule chains for firewalls.
Classes
firewall
Performs the basic setup tasks required for using the firewall resources.
At the moment this takes care of:
iptables-persistent package installation Include the firewall class for nodes that need to use the resources in this module:
Examples
class { 'firewall': }
Parameters
The following parameters are available in the firewall
class:
ensure
Data type: Any
Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
Default value: running
ensure_v6
Data type: Any
Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
Default value: undef
pkg_ensure
Data type: Any
Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
Default value: present
service_name
Data type: Any
Specify the name of the IPv4 iptables service.
Default value: $firewall::params::service_name
service_name_v6
Data type: Any
Specify the name of the IPv6 iptables service.
Default value: $firewall::params::service_name_v6
package_name
Data type: Any
Specify the platform-specific package(s) to install.
Default value: $firewall::params::package_name
ebtables_manage
Data type: Any
Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
Default value: false
Resource types
firewall
Autorequires:
If Puppet is managing the iptables or ip6tables chains specified in the
chain
or jump
parameters, the firewall resource will autorequire
those firewallchain resources.
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
Providers
Note: Not all features are available with all providers.
-
ip6tables: Ip6tables type provider
- Required binaries: ip6tables-save, ip6tables.
- Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
-
iptables: Iptables type provider
- Required binaries: iptables-save, iptables.
- Default for kernel == linux.
- Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
Features
-
address_type: The ability to match on source or destination address type.
-
clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
-
condition: Match if a specific condition variable is (un)set (requires xtables-addons)
-
connection_limiting: Connection limiting features.
-
conntrack: Connection tracking features.
-
dnat: Destination NATing.
-
hop_limiting: Hop limiting features.
-
icmp_match: The ability to match ICMP types.
-
interface_match: Interface matching.
-
iprange: The ability to match on source or destination IP range.
-
ipsec_dir: The ability to match IPsec policy direction.
-
ipsec_policy: The ability to match IPsec policy.
-
iptables: The provider provides iptables features.
-
isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
-
isfragment: The ability to match fragments.
-
ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
-
islastfrag: The ability to match the last fragment of an ipv6 packet.
-
length: The ability to match the length of the layer-3 payload.
-
log_level: The ability to control the log level.
-
log_prefix: The ability to add prefixes to log messages.
-
log_uid: The ability to log the userid of the process which generated the packet.
-
log_tcp_sequence: The ability to log TCP sequence numbers.
-
log_tcp_options: The ability to log TCP packet header.
-
log_ip_options: The ability to log IP/IPv6 packet header.
-
mark: The ability to match or set the netfilter mark value associated with the packet.
-
mask: The ability to match recent rules based on the ipv4 mask.
-
nflog_group: The ability to set the group number for NFLOG.
-
nflog_prefix: The ability to set a prefix for nflog messages.
-
nflog_range: The ability to set nflog_range.
-
nflog_threshold: The ability to set nflog_threshold.
-
owner: The ability to match owners.
-
pkttype: The ability to match a packet type.
-
rate_limiting: Rate limiting features.
-
recent_limiting: The netfilter recent module.
-
reject_type: The ability to control reject messages.
-
set_mss: Set the TCP MSS of a packet.
-
snat: Source NATing.
-
socket: The ability to match open sockets.
-
state_match: The ability to match stateful firewall states.
-
string_matching: The ability to match a given string by using some pattern matching strategy.
-
tcp_flags: The ability to match on particular TCP flag settings.
-
netmap: The ability to map entire subnets via source or destination nat rules.
-
hashlimit: The ability to use the hashlimit-module.
-
bpf: The ability to use Berkeley Paket Filter rules.
-
ipvs: The ability to match IP Virtual Server packets.
-
ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
-
random_fully: The ability to use --random-fully flag.
Properties
The following properties are available in the firewall
type.
action
Valid values: accept
, reject
, drop
This is the action to perform on a match. Can be one of:
- accept - the packet is accepted
- reject - the packet is rejected with a suitable ICMP response
- drop - the packet is dropped
If you specify no value it will simply match the rule but perform no action unless you provide a provider specific parameter (such as jump).
burst
Valid values: %r{^\d+$}
Rate limiting burst value (per second) before limit checks apply.
bytecode
Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility.
cgroup
Matches against the net_cls cgroup ID of the packet.
chain
Valid values: %r{^[a-zA-Z0-9\-_]+$}
Name of the chain to use. Can be one of the built-ins:
- INPUT
- FORWARD
- OUTPUT
- PREROUTING
- POSTROUTING
Or you can provide a user-based chain.
Default value: INPUT
checksum_fill
Valid values: true
, false
Compute and fill missing packet checksums.
clamp_mss_to_pmtu
Valid values: true
, false
Sets the clamp mss to pmtu flag.
clusterip_clustermac
Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
clusterip_hash_init
Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization.
clusterip_hashmode
Valid values: sourceip
, sourceip-sourceport
, sourceip-sourceport-destport
Used with the CLUSTERIP jump target. Specify the hashing mode.
clusterip_local_node
Valid values: %r{\d+}
Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization.
clusterip_new
Valid values: true
, false
Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
clusterip_total_nodes
Valid values: %r{\d+}
Used with the CLUSTERIP jump target. Number of total nodes within this cluster.
condition
Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
connlimit_above
Valid values: %r{^\d+$}
Connection limiting value for matched connections above n.
connlimit_mask
Valid values: %r{^\d+$}
Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128
connmark
Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.
ctdir
Valid values: REPLY
, ORIGINAL
Matches a packet that is flowing in the specified direction using the conntrack module. If this flag is not specified at all, matches packets in both directions. Values can be:
- REPLY
- ORIGINAL
ctexpire
Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
Matches a packet based on lifetime remaining in seconds or range of values using the conntrack module. For example:
ctexpire => '100:150'
ctorigdst
The original destination address using the conntrack module. For example:
ctorigdst => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctorigdst => '! 192.168.2.0/24'
The ctorigdst can also be an IPv6 address if your provider supports it.
ctorigdstport
Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
The original destination port to match for this filter using the conntrack module. For example:
ctorigdstport => '80'
You can also specify a port range: For example:
ctorigdstport => '80:81'
You can also negate a port by putting ! in front. For example:
ctorigdstport => '! 80'
ctorigsrc
The original source address using the conntrack module. For example:
ctorigsrc => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctorigsrc => '! 192.168.2.0/24'
The ctorigsrc can also be an IPv6 address if your provider supports it.
ctorigsrcport
Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
The original source port to match for this filter using the conntrack module. For example:
ctorigsrcport => '80'
You can also specify a port range: For example:
ctorigsrcport => '80:81'
You can also negate a port by putting ! in front. For example:
ctorigsrcport => '! 80'
ctproto
Valid values: %r{^!?\s?\d+$}
The specific layer-4 protocol number to match for this rule using the conntrack module.
ctrepldst
The reply destination address using the conntrack module. For example:
ctrepldst => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctrepldst => '! 192.168.2.0/24'
The ctrepldst can also be an IPv6 address if your provider supports it.
ctrepldstport
Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
The reply destination port to match for this filter using the conntrack module. For example:
ctrepldstport => '80'
You can also specify a port range: For example:
ctrepldstport => '80:81'
You can also negate a port by putting ! in front. For example:
ctrepldstport => '! 80'
ctreplsrc
The reply source address using the conntrack module. For example:
ctreplsrc => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctreplsrc => '! 192.168.2.0/24'
The ctreplsrc can also be an IPv6 address if your provider supports it.
ctreplsrcport
Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
The reply source port to match for this filter using the conntrack module. For example:
ctreplsrcport => '80'
You can also specify a port range: For example:
ctreplsrcport => '80:81'
You can also negate a port by putting ! in front. For example:
ctreplsrcport => '! 80'
ctstate
Valid values: INVALID
, ESTABLISHED
, NEW
, RELATED
, UNTRACKED
, SNAT
, DNAT
Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be:
- INVALID
- ESTABLISHED
- NEW
- RELATED
- UNTRACKED
- SNAT
- DNAT
ctstatus
Valid values: NONE
, EXPECTED
, SEEN_REPLY
, ASSURED
, CONFIRMED
Matches a packet based on its status using the conntrack module. Values can be:
- EXPECTED
- SEEN_REPLY
- ASSURED
- CONFIRMED
date_start
Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
date_stop
Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
destination
The destination address to match. For example:
destination => '192.168.1.0/24'
You can also negate a mask by putting ! in front. For example:
destination => '! 192.168.2.0/24'
The destination can also be an IPv6 address if your provider supports it.
dport
The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
<start_number>-<ending_number>
For example:
1-1024
This would cover ports 1 to 1024.
dst_cc
Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
dst attribute for the module geoip
dst_range
The destination IP range. For example:
dst_range => '192.168.1.1-192.168.1.10'
The destination IP range must be in 'IP1-IP2' format.
dst_type
Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten
The destination address type. For example:
dst_type => ['LOCAL']
Can be one of:
- UNSPEC - an unspecified address
- UNICAST - a unicast address
- LOCAL - a local address
- BROADCAST - a broadcast address
- ANYCAST - an anycast packet
- MULTICAST - a multicast address
- BLACKHOLE - a blackhole address
- UNREACHABLE - an unreachable address
- PROHIBIT - a prohibited address
- THROW - undocumented
- NAT - undocumented
- XRESOLVE - undocumented
In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
dst_type => ['LOCAL --limit-iface-in']
It can also be negated using '!':
dst_type => ['! LOCAL']
Will accept a single element or an array.
ensure
Valid values: present
, absent
Manage the state of this rule.
Default value: present
gateway
The TEE target will clone a packet and redirect this clone to another machine on the local network segment. gateway is the target host's IP.
gid
GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement.
goto
The value for the iptables --goto parameter. Normal values are:
- QUEUE
- RETURN
- DNAT
- SNAT
- LOG
- MASQUERADE
- REDIRECT
- MARK
But any valid chain name is allowed.
hashlimit_above
Match if the rate is above amount/quantum. This parameter or hashlimit_upto is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
hashlimit_burst
Valid values: %r{^\d+$}
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
hashlimit_dstmask
Like --hashlimit-srcmask, but for destination addresses.
hashlimit_htable_expire
After how many milliseconds do hash entries expire.
hashlimit_htable_gcinterval
How many milliseconds between garbage collection intervals.
hashlimit_htable_max
Maximum entries in the hash.
hashlimit_htable_size
The number of buckets of the hash table
hashlimit_mode
A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport
hashlimit_name
The name for the /proc/net/ipt_hashlimit/foo entry. This parameter is required.
hashlimit_srcmask
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
hashlimit_upto
Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or hashlimit_above is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
helper
Invoke the nf_conntrack_xxx helper module for this packet.
hop_limit
Valid values: %r{^\d+$}
Hop limiting value for matched packets.
icmp
When matching ICMP packets, this is the type of ICMP packet to match.
A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type.
iniface
Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this:
iniface => '! lo',
ipsec_dir
Valid values: in
, out
Sets the ipsec policy direction
ipsec_policy
Valid values: none
, ipsec
Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to --pol ipsec
such as: --strict
, --reqid 100
, --next
, --proto esp
, etc.
ipset
Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the blacklist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'blacklist src,dst'
ipvs
Valid values: true
, false
Indicates that the current packet belongs to an IPVS connection.
isfirstfrag
Valid values: true
, false
If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6.
isfragment
Valid values: true
, false
Set to true to match tcp fragments (requires type to be set to tcp)
ishasmorefrags
Valid values: true
, false
If true, matches if the packet has it's 'more fragments' bit set. ipv6.
islastfrag
Valid values: true
, false
If true, matches if the packet is the last fragment. ipv6.
jump
The value for the iptables --jump parameter. Normal values are:
- QUEUE
- RETURN
- DNAT
- SNAT
- LOG
- NFLOG
- MASQUERADE
- REDIRECT
- MARK
- CT
But any valid chain name is allowed.
For the values ACCEPT, DROP, and REJECT, you must use the generic 'action' parameter. This is to enfore the use of generic parameters where possible for maximum cross-platform modelling.
If you set both 'accept' and 'jump' parameters, you will get an error as only one of the options should be set.
kernel_timezone
Valid values: true
, false
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
length
Sets the length of layer-3 payload to match.
limit
Rate limiting value for matched packets. The format is: rate/[/second/|/minute|/hour|/day].
Example values are: '50/sec', '40/min', '30/hour', '10/day'."
log_ip_options
Valid values: true
, false
When combined with jump => "LOG" logging of the TCP IP/IPv6 packet header.
log_level
When combined with jump => "LOG" specifies the system log level to log to.
log_prefix
When combined with jump => "LOG" specifies the log prefix to use when logging.
log_tcp_options
Valid values: true
, false
When combined with jump => "LOG" logging of the TCP packet header.
log_tcp_sequence
Valid values: true
, false
When combined with jump => "LOG" enables logging of the TCP sequence numbers.
log_uid
Valid values: true
, false
When combined with jump => "LOG" specifies the uid of the process making the connection.
mac_source
Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
MAC Source
mask
Sets the mask to use when recent
is enabled.
match_mark
Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.
month_days
Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.
mss
Match a given TCP MSS value or range.
nflog_group
Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). Defaults to 0.
nflog_prefix
Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs.
nflog_range
Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it.
nflog_threshold
Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1.
notrack
Valid values: true
, false
Invoke the disable connection tracking for this packet. This parameter can be used with iptables version >= 1.8.3
outiface
Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this:
outiface => '! lo',
physdev_in
Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
Match if the packet is entering a bridge from the given interface.
physdev_is_bridged
Valid values: true
, false
Match if the packet is transversing a bridge.
physdev_is_in
Valid values: true
, false
Matches if the packet has entered through a bridge interface.
physdev_is_out
Valid values: true
, false
Matches if the packet will leave through a bridge interface.
physdev_out
Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
Match if the packet is leaving a bridge via the given interface.
pkttype
Valid values: unicast
, broadcast
, multicast
Sets the packet type to match.
port
note This property has been DEPRECATED
The destination or source port to match for this filter (if the protocol supports ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
<start_number>-<ending_number>
For example:
1-1024
This would cover ports 1 to 1024.
proto
Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| [proto, "! #{proto}".to_sym] }.flatten
The specific protocol to match for this rule.
Default value: tcp
queue_bypass
Valid values: true
, false
Used with NFQUEUE jump target Allow packets to bypass :queue_num if userspace process is not listening
queue_num
Used with NFQUEUE jump target. What queue number to send packets to
random
Valid values: true
, false
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping.
random_fully
Valid values: true
, false
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping.
NOTE Requires Kernel >= 3.13 and iptables >= 1.6.2
rdest
Valid values: true
, false
Recent module; add the destination IP address to the list. Must be boolean true.
reap
Valid values: true
, false
Recent module; can only be used in conjunction with the rseconds
attribute. When used, this will cause entries older than 'seconds' to be
purged. Must be boolean true.
recent
Valid values: set
, update
, rcheck
, remove
Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example:
# If anyone's appeared on the 'badguy' blacklist within
# the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
recent => 'update',
rseconds => 60,
rsource => true,
rname => 'badguy',
action => 'DROP',
chain => 'FORWARD',
}
# No-one should be sending us traffic on eth0 from the
# localhost, Blacklist them
firewall { '101 blacklist strange traffic':
recent => 'set',
rsource => true,
rname => 'badguy',
destination => '127.0.0.0/8',
iniface => 'eth0',
action => 'DROP',
chain => 'FORWARD',
}
reject
When combined with action => "REJECT" you can specify a different icmp response to be sent back to the packet sender.
rhitcount
Recent module; used in conjunction with recent => 'update'
or `recent
=> 'rcheck'. When used, this will narrow the match to only happen when
the address is in the list and packets had been received greater than or
equal to the given value.
rname
Recent module; The name of the list. Takes a string argument.
rpfilter
Valid values: loose
, validmark
, accept-local
, invert
Enable the rpfilter module.
rseconds
Recent module; used in conjunction with one of recent => 'rcheck'
or
recent => 'update'
. When used, this will narrow the match to only
happen when the address is in the list and was seen within the last given
number of seconds.
rsource
Valid values: true
, false
Recent module; add the source IP address to the list. Must be boolean true.
rttl
Valid values: true
, false
Recent module; may only be used in conjunction with one of recent => 'rcheck'
or recent => 'update'
. When used, this will narrow the match
to only happen when the address is in the list and the TTL of the current
packet matches that of the packet which hit the recent => 'set'
rule.
This may be useful if you have problems with people faking their source
address in order to DoS you via this module by disallowing others access
to your site by sending bogus packets to you. Must be boolean true.
set_dscp
Set DSCP Markings.
set_dscp_class
This sets the DSCP field according to a predefined DiffServ class.
set_mark
Set the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.
set_mss
Sets the TCP MSS value for packets.
socket
Valid values: true
, false
If true, matches if an open socket can be found by doing a coket lookup on the packet.
source
The source address. For example:
source => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
source => '! 192.168.2.0/24'
The source can also be an IPv6 address if your provider supports it.
sport
The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
<start_number>-<ending_number>
For example:
1-1024
This would cover ports 1 to 1024.
src_cc
Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
src attribute for the module geoip
src_range
The source IP range. For example:
src_range => '192.168.1.1-192.168.1.10'
The source IP range must be in 'IP1-IP2' format.
src_type
Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten
The source address type. For example:
src_type => ['LOCAL']
Can be one of:
- UNSPEC - an unspecified address
- UNICAST - a unicast address
- LOCAL - a local address
- BROADCAST - a broadcast address
- ANYCAST - an anycast packet
- MULTICAST - a multicast address
- BLACKHOLE - a blackhole address
- UNREACHABLE - an unreachable address
- PROHIBIT - a prohibited address
- THROW - undocumented
- NAT - undocumented
- XRESOLVE - undocumented
In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
src_type => ['LOCAL --limit-iface-in']
It can also be negated using '!':
src_type => ['! LOCAL']
Will accept a single element or an array.
stat_every
Match one packet every nth packet. Requires stat_mode => 'nth'
stat_mode
Valid values: nth
, random
Set the matching mode for statistic matching.
stat_packet
Valid values: %r{^\d+$}
Set the initial counter value for the nth mode. Must be between 0 and the value of stat_every
. Defaults to 0. Requires stat_mode => 'nth'
stat_probability
Set the probability from 0 to 1 for a packet to be randomly matched. It works only with stat_mode => 'random'
.
state
Valid values: INVALID
, ESTABLISHED
, NEW
, RELATED
, UNTRACKED
Matches a packet based on its state in the firewall stateful inspection table. Values can be:
- INVALID
- ESTABLISHED
- NEW
- RELATED
- UNTRACKED
string
String matching feature. Matches the packet against the pattern given as an argument.
string_algo
Valid values: bm
, kmp
String matching feature, pattern matching strategy.
string_from
String matching feature, offset from which we start looking for any matching.
string_hex
String matching feature. Matches the package against the hex pattern given as an argument.
string_to
String matching feature, offset up to which we should scan.
table
Valid values: nat
, mangle
, filter
, raw
, rawpost
Table to use. Can be one of:
- nat
- mangle
- filter
- raw
- rawpost
Default value: filter
tcp_flags
Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE Note that you specify them in the order that iptables --list-rules would list them to avoid having puppet think you changed the flags. Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation.
time_contiguous
Valid values: true
, false
When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
time_start
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
time_stop
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
to
For NETMAP this will replace the destination IP
todest
When using jump => "DNAT" you can specify the new destination address using this paramter.
toports
For DNAT this is the port that will replace the destination port.
tosource
When using jump => "SNAT" you can specify the new source address using this parameter.
uid
UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement.
week_days
Valid values: Mon
, Tue
, Wed
, Thu
, Fri
, Sat
, Sun
Only match on the given weekdays.
zone
Assign this packet to zone id and only have lookups done in that zone.
Parameters
The following parameters are available in the firewall
type.
line
Read-only property for caching the rule line.
name
Valid values: %r{^\d+[[:graph:][:space:]]+$}
namevar
The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number:
000 this runs first
999 this runs last
Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem.
provider
The specific backend to use for this firewall
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
firewallchain
Currently this supports only iptables, ip6tables and ebtables on Linux. And provides support for setting the default policy on chains and tables that allow it.
Autorequires: If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
Providers
- iptables_chain is the only provider that supports firewallchain.
Features
- iptables_chain: The provider provides iptables chain features.
- policy: Default policy (inbuilt chains only).
Properties
The following properties are available in the firewallchain
type.
ensure
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
policy
Valid values: accept
, drop
, queue
, return
This is the action to when the end of the chain is reached. It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of:
- accept - the packet is accepted
- drop - the packet is dropped
- queue - the packet is passed userspace
- return - the packet is returned to calling (jump) queue or the default of inbuilt chains
Parameters
The following parameters are available in the firewallchain
type.
ignore
Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
This is matched against the output of iptables-save
.
This can be a single regex, or an array of them. To support flags, use the ruby inline flag mechanism. Meaning a regex such as /foo/i can be written as '(?i)foo' or '(?i:foo)'
Full example:
firewallchain { 'INPUT:filter:IPv4':
purge => true,
ignore => [
'-j fail2ban-ssh', # ignore the fail2ban jump rule
'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
],
}
ignore_foreign
Valid values: false
, true
Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain. This can be used to ignore rules that were not put in by puppet. Beware that nothing keeps other systems from configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured rules.
Default value: false
name
namevar
The canonical name of the chain.
For iptables the format must be {chain}:{table}:{protocol}.
provider
The specific backend to use for this firewallchain
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
purge
Valid values: false
, true
Purge unmanaged firewall rules in this chain
Default value: false
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v3.5.0 - 2022-05-17
Added
Fixed
-
pdksync - (GH-iac-334) Remove Support for Ubuntu 14.04/16.04 #1038 (david22swan)
-
Fix rpfilter parameter #1013 (onyxmaster)
v3.4.0 (2022-02-28)
Added
Fixed
- pdksync - (IAC-1787) - Remove Support for CentOS 6 #1027 (david22swan)
v3.3.0 (2021-12-15)
Added
- pdksync - (IAC-1753) - Add Support for AlmaLinux 8 #1020 (david22swan)
- pdksync - (IAC-1751) - Add Support for Rocky 8 #1017 (david22swan)
Fixed
- Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range #1019 (cmd-ntrf)
- Fedora 34 and iptables-compat fix; properly utilising iptables param. #1018 (adamboutcher)
- pdksync - (IAC-1598) - Remove Support for Debian 8 #1015 (david22swan)
- Add carp protocol to :proto property #1014 (adrianiurca)
- (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing #981 (tskirvin)
v3.2.0 (2021-09-06)
Added
- pdksync - (IAC-1709) - Add Support for Debian 11 #1005 (david22swan)
Fixed
- Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present #1010 (onyxmaster)
v3.1.0 (2021-07-26)
Added
Fixed
- (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 #1002 (adrianiurca)
v3.0.2 (2021-07-19)
Fixed
- sles-15: mac_source is downcased by iptables #997 (adrianiurca)
- fix: parsing random_fully in ip6tables #996 (scoiatael)
v3.0.1 (2021-06-21)
Fixed
v3.0.0 (2021-03-01)
Changed
- pdksync - (MAINT) Remove SLES 11 support #977 (sanfrancrisko)
- pdksync - (MAINT) Remove RHEL 5 family support #976 (sanfrancrisko)
- pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 #972 (carabasdaniel)
v2.8.1 (2021-02-09)
Fixed
- [MODULES-10907] Do not remove spaces from hex string with ! #967 (adrianiurca)
v2.8.0 (2020-12-14)
Added
- pdksync - (feat) - Add support for Puppet 7 #959 (daianamezdrea)
- (IAC-966) - MODULES-10522: Add support for the --condition parameter #941 (adrianiurca)
Fixed
v2.7.0 (2020-10-15)
Added
v2.6.0 (2020-10-01)
Fixed
- Fix extra quotes in firewall string matching #944 (IBBoard)
- (IAC-987) - Removal of inappropriate terminology #942 (david22swan)
v2.5.0 (2020-07-28)
Added
- Add acceptance and unit test #931 (adrianiurca)
- [IAC-899] - Add acceptance test for string_hex parameter #930 (adrianiurca)
- Add support for NFLOG options to ip6tables #921 (frh)
v2.4.0 (2020-05-13)
Added
- pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #933 (david22swan)
- Add support for u32 module in iptables #917 (sanfrancrisko)
- Add support for cgroup arg #916 (akerl-unpriv)
- Extend LOG options #914 (martialblog)
Fixed
v2.3.0 (2020-03-26)
Added
- Add iptables --hex-string support to firewall resource #907 (alexconrey)
- Add random_fully and rpfilter support #892 (treydock)
- (MODULES-7800) Add the ability to specify iptables connection tracking helpers. #890 (jimmyt86)
- Support conntrack module #872 (haught)
Fixed
- (maint) Use fact.flush only when available #906 (Filipovici-Andrei)
- (MODULES-10358) - Clarification added to Boolean validation checks #886 (david22swan)
- Merge and remove duplicate README file, lint code snippets #878 (runejuhl)
v2.2.0 (2019-12-09)
Added
- Add support for Debian Unstable #876 (martialblog)
- (FM-8673) - Support added for CentOS 8 #873 (david22swan)
- FM-8400 - add debian10 support #862 (lionce)
- FM-8219 - Convert to litmus #855 (lionce)
Fixed
- Change - Avoid puppet failures on windows nodes #874 (blackknight36)
- Fix parsing iptables rules with hyphen in comments #861 (Hexta)
v2.1.0 (2019-09-24)
Added
- (MODULES-6136) Add zone property of CT target. #852 (rwf14f)
- (FM-8025) Add RedHat 8 support #847 (eimlav)
Fixed
v2.0.0 (2019-05-14)
Changed
- pdksync - (MODULES-8444) - Raise lower Puppet bound #841 (david22swan)
Added
- (FM-7903) - Implement Puppet Strings #838 (david22swan)
Fixed
1.15.3 (2019-04-04)
Fixed
- (MODULES-8855) Move ipvs test to exception spec #834 (eimlav)
- (MODULES-8842) Fix ipvs not idempotent #833 (eimlav)
1.15.2 (2019-03-26)
Fixed
- (MODULES-8615) Fix rules with ipvs not parsing #828 (eimlav)
- (MODULES-7333) - Change hashing method from MD5 to SHA256 #827 (david22swan)
- (MODULES-6547) Fix existing rules with --dport not parsing #826 (eimlav)
- (MODULES-8648) - Fix for failures on SLES 11 #816 (david22swan)
- (MODULES-8584) Handle multiple escaped quotes in comments properly #815 (mateusz-gozdek-sociomantic)
- External control for iptables-persistent #795 (identw)
1.15.1 (2019-02-01)
Fixed
- (DOC-3056) Remove mention of rules ordering #809 (clairecadman)
- (FM-7712) - Remove Gentoo 1.0 testing/support for Firewall module #808 (david22swan)
- (MODULES-8360) Fix IPv6 bug relating to Bugzilla 1015 #804 (alexharv074)
1.15.0 (2019-01-18)
Added
- (MODULES-8143) - Add SLES 15 support #798 (eimlav)
- Add nftables wrapper support for RHEL8 #794 (mwhahaha)
- Changed regex for iniface and outiface to allow '@' in interface names #791 (GeorgeCox)
- (MODULES-8214) Handle src_type and dst_type as array #790 (mateusz-gozdek-sociomantic)
- (MODULES-7990) Merge multiple comments into one while parsing rules #789 (mateusz-gozdek-sociomantic)
- add -g flag handling in ip6tables.rb provider #788 (cestith)
- (MODULES-7681) Add support for bytecode property #771 (baurmatt)
Fixed
- pdksync - (FM-7655) Fix rubygems-update for ruby \< 2.3 #801 (tphoney)
- (MODULES-6340) - Address failure when name begins with 9XXX #796 (eimlav)
- Amazon linux 2 changed its major version to 2 with the last update... #793 (erik-frontify)
1.14.0 (2018-09-27)
Added
- pdksync - (MODULES-6805) metadata.json shows support for puppet 6 #782 (tphoney)
- (FM-7399) - Prepare for changelog generator #780 (pmcmaw)
1.13.0
Added
- pdksync - (MODULES-7705) - Bumping stdlib dependency from \< 5.0.0 to \< 6.0.0 #775 (pmcmaw)
- Add support for Amazon Linux 2 #768 (erik-frontify)
- (FM-7232) - Update firewall to support Ubuntu 18.04 #767 (david22swan)
- [FM-7044] Addition of Debian 9 support to firewall #765 (david22swan)
- [FM-6961] Removal of unsupported OS from firewall #764 (david22swan)
Fixed
- (MODULES-7627) - Update README Limitations section #769 (eimlav)
- Corrections to readme #766 (alexharv074)
- (MODULES-6129) negated option with address mask bugfix #756 (mirekys)
- (MODULES-2119) iptables delete -p all exception #749 (mikkergimenez)
1.12.0
Summary
This release uses the PDK convert functionality which in return makes the module PDK compliant. It also includes a roll up of maintenance changes.
Added
- PDK convert firewall (MODULES-6455).
- Modulesync updates.
Fixed
- Set correct
seluser
for CentOS/RHEL 5.x (MODULES-6092). - Fix error parsing rules with dashes in the chain name (MODULES-6261).
- Changes to address additional Rubocop failures.
- (maint) Addressing puppet-lint doc warnings.
Supported Release 1.11.0
Summary
This release is to implement Rubocop changes within the module.
Added
- Rubocop has been implemented in the module.
Changed
- Module sync was updated.
- Unparsable rules are now skipped with a warning.
Supported Release 1.10.0
Summary
This is a clean release prior to the module being run through rubocop.
Added
- Hashlimit module added.
- Firewall multi notes added.
- Gidd lookup now added.
- Simple sanity check added to hash parser rule.
Changed
- Version requirement has been updated.
- An array is no lnger accepted for icmp types.
- UNTRACKED is now considered to be a valid state.
- Modulesync updates.
- ip6tables can be disabled.
- Readme format has been fixed.
- Fixes made to accomodate Puppet lint.
- Fix to regex i 'connlimit_spec.rb' and 'firewall_spec.rb'.
- General test fixes.
- Negated match sets know properly dealt with.
- Correct IP version for hostname resolution now chosen.
- Unmanaged rule regex regarding iptable has been fixed.
Removed
- Ubuntu 10.04 and 12.04 removed.
Supported Release 1.9.0
Summary
This release includes several bugfixes and NFLOG support.
Added
- Support for NFLOG including the
NFLOG
jump target and four commandline options (FM-4896) - Support for the geoip module (MODULES-4279)
- Management of the ebtables package
Fixed
- iptables parser fails with "Invalid address from IPAddr.new: -m" (MODULES-4234)
- selinux context for iptables configuration
- Replace Puppet.version.to_f with Puppet::Util::Package.versioncmp ( MODULES-4528)
Supported Release 1.8.2
Summary
This release includes numerous features and bugfixes, See below.
Bugfixes
- Fixing issue with double quotes being removed when part of the rule comment
- Add the --wait flag to the insert/update/delete iptables actions to prevent failures from occuring when iptables is running outside of puppet for iptables >= 1.4.20
- Fix iptables_version and ip6tables_version facts not returning the version
Features
- Support for multiple IP sets in a single rule
- Implement queue_bypass and queue_num parameters for NFQUEUE jump target
- Tighten SELinux permissions on persistent files
- RHEL7 SELinux support for puppet 3
- Manage ip6tables service for Redhat Family
Supported Release 1.8.1
Summary
This release documents an important issue with mcollective that may impact users of the firewall module. Workarounds are suggested as part of this advisory until mcollective can be patched.
Bugfixes
- Add mcollective rule-reversal known limitation
Supported Release 1.8.0
Summary
This release includes numerous features, bugfixes and other improvements including better handling when trying to delete already absent rules.
Features
- Added new 'pkg_ensure' parameter to allow the updating of the iptables package.
- Added new 'log_uid' property.
- Added 'sctp' to the 'proto' property.
- Added support for IPv6 NAT in Linux kernels >= 3.7.
- Added support for the security table.
Bugfixes
- (MODULES-2783) Replaced hardcoded iptables service references with $service_name variable.
- (MODULES-1341) Recover when deleting absent rules.
- (MODULES-3032) Facter flush is called to clear Facter cache get up to date value for ':iptables_persistent_version'.
- (MODULES-2159) Fixed idempotency issue when using connlimit.
- Fixed the handling of chain names that contain '-f'.
Improvements
- Numerous unit and acceptance test improvements.
- Improved handling/use of the '$::iptables_persistent_version' custom fact.
- Better handling of operating systems that use SELinux.
Supported Release 1.7.2
Summary
Small release for support of newer PE versions. This increments the version of PE in the metadata.json file.
2015-08-25 - Supported Release 1.7.1
Summary
This is a bugfix release to deprecate the port parameter. Using the unspecific 'port' parameter can lead to firewall rules that are unexpectedly too lax. It is recommended to always use the specific dport and sport parameters to avoid this ambiguity.
Bugfixes
- Deprecate the port parameter
2015-07-28 - Supported Release 1.7.0
Summary
This release includes numerous features, bugfixes and other improvements including Puppet 4 & PE 2015.2 support as well as ClusterIP and DSCP jump target support.
Features
- Puppet 4 and PE 2015.2 official support
- ClusterIP jump target (including options) now supported
- DSCP jump target (including options) now supported
- SLES 10 now compatible (but not supported)
Bugfixes
- (MODULES-1967) Parse escape sequences from iptables
- (MODULES-1592) Allow src_type and dst_type prefixed with '!' to pass validation
- (MODULES-2186) - iptables rules with -A in comment now supported
- (MODULES-1976) Revise rule name validation for ruby 1.9
- Fix installation hang on Debian Jessie
- Fix for physdev idempotency on EL5
Improvements
- Documentation improvements
- Enforce the seluser on selinux systems
- All the relevent services are now autorequired by the firewall and firewallchain types
- Replace Facter.fact().value() calls with Facter.value() to support Facter 3
2015-05-19 - Supported Release 1.6.0
Summary
This release includes support for TEE, MSS, the time ipt module, Debian 8 support, and a number of test fixes and other improvements.
Features
- Add TEE support
- Add MSS support (including clamp-mss-to-pmtu support)
- Add support for the time ipt module (-m time)
- Add support for Debian 8
- Add support for ICMPv6 types 'neighbour-{solicitation,advertisement}'
- Add support for ICMPv6 type 'too-big'
- Add support for new 'match_mark' property
- Added 'ipv4' and 'ipv6' options to 'proto' property
Bugfixes
- Fix for Systemd-based OSes where systemd needs restarted before being able to pick up new services (MODULES-1984)
- Arch Linux package management fix
2015-03-31 - Supported Release 1.5.0
Summary
This release includes physdev_is_bridged support, checksum_fill support, basic Gentoo compatibility, and a number of test fixes and improvements.
Features
- Add
physdev_is_bridged
support - Add
checksum_fill
support - Add basic Gentoo compatibility (unsupported)
Bugfixes
- Implementation for resource map munging to allow a single ipt module to be used multiple times in a single rule on older versions of iptables (MODULES-1808)
- Test fixes
2015-01-27 - Supported Release 1.4.0
Summary
This release includes physdev support, the ability to look up usernames from uuid, and a number of bugfixes
Features
- Add
netmap
feature - Add
physdev
support - Add ability to look up username from uuid (MODULES-753, MODULES-1688)
Bugfixes
- Sync iptables/ip6tables providers (MODULES-1612)
- Fix package names for Amazon and Ubuntu 14.10 (MODULES-1029)
- Fix overly aggressive gsub when
ensure => absent
(MODULES-1453) - Unable to parse
-m (tcp|udp)
rules (MODULES-1552) - Fix ip6tables provider when
iptables-ipv6
package isn't installed for EL6 (MODULES-633) - Test fixes
2014-12-16 - Supported Release 1.3.0
Summary
This release includes a number of bugfixes and features, including fixing tcp_flags
support, and added support for interface aliases, negation for iniface and outiface, and extra configurability for packages and service names.
Features
- Add support for interface aliases (eth0:0) (MODULES-1469)
- Add negation for iniface, outiface (MODULES-1470)
- Make package and service names configurable (MODULES-1309)
Bugfixes
- Fix test regexes for EL5 (MODULES-1565)
- Fix
tcp_flags
support for ip6tables (MODULES-556) - Don't arbitrarily limit
set_mark
for certain chains
2014-11-04 - Supported Release 1.2.0
Summary
This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules.
Features
- Documentation updates!
- Test updates!
- Add ipset support
- Enable rule inversion
- Future parser support
- Improved support for EL7
- Support netfilter-persistent
- Add support for statistics module
- Add support for mac address source rules
- Add cbt protocol
Bugfixes
- Incorrect use of
source => :iptables
in the ip6tables provider was making it impossible to purge ip6tables rules (MODULES-41) - Don't require
toports
whenjump => 'REDIRECT'
(MODULES-1086) - Don't limit which chains iniface and outiface parameters can be used in
- Don't fail on rules added with ipsec/strongswan (MODULES-796)
2014-07-08 - Supported Release 1.1.3
Summary
This is a supported release with test coverage enhancements.
Bugfixes
- Confine to supported kernels
2014-06-04 - Release 1.1.2
Summary
This is a release of the code previously released as 1.1.1, with updated metadata.
2014-05-16 Release 1.1.1
Summary
This release reverts the alphabetical ordering of 1.1.0. We found this caused a regression in the Openstack modules so in the interest of safety we have removed this for now.
2014-05-13 Release 1.1.0
Summary
This release has a significant change from previous releases; we now apply the firewall resources alphabetically by default, removing the need to create pre and post classes just to enforce ordering. It only effects default ordering and further information can be found in the README about this. Please test this in development before rolling into production out of an abundance of caution.
We've also added mask
which is required for --recent in recent (no pun
intended) versions of iptables, as well as connlimit and connmark. This
release has been validated against Ubuntu 14.04 and RHEL7 and should be fully
working on those platforms.
Features
- Apply firewall resources alphabetically.
- Add support for connlimit and connmark.
- Add
mask
as a parameter. (Used exclusively with the recent parameter).
Bugfixes
- Add systemd support for RHEL7.
- Replace &&'s with the correct and in manifests.
- Fix tests on Trusty and RHEL7
- Fix for Fedora Rawhide.
- Fix boolean flag tests.
- Fix DNAT->SNAT typo in an error message.
Known Bugs
- For Oracle, the
owner
andsocket
parameters require a workaround to function. Please see the Limitations section of the README.
2014-03-04 Supported Release 1.0.2
Summary
This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath.
Features
Bugfixes
Known Bugs
- For Oracle, the
owner
andsocket
parameters require a workaround to function. Please see the Limitations section of the README.
Supported release - 2014-03-04 1.0.1
Summary
An important bugfix was made to the offset calculation for unmanaged rules to handle rules with 9000+ in the name.
Features
Bugfixes
- Offset calculations assumed unmanaged rules were numbered 9000+.
- Gracefully fail to manage ip6tables on iptables 1.3.x
Known Bugs
- For Oracle, the
owner
andsocket
parameters require a workaround to function. Please see the Limitations section of the README.
1.0.0 - 2014-02-11
No changes, just renumbering to 1.0.0.
0.5.0 - 2014-02-10
Summary:
This is a bigger release that brings in "recent" connection limiting (think "port knocking"), firewall chain purging on a per-chain/per-table basis, and support for a few other use cases. This release also fixes a major bug which could cause modifications to the wrong rules when unmanaged rules are present.
New Features:
- Add "recent" limiting via parameters
rdest
,reap
,recent
,rhitcount
,rname
,rseconds
,rsource
, andrttl
- Add negation support for source and destination
- Add per-chain/table purging support to
firewallchain
- IPv4 specific
- Add random port forwarding support
- Add ipsec policy matching via
ipsec_dir
andipsec_policy
- IPv6 specific
- Add support for hop limiting via
hop_limit
parameter - Add fragmentation matchers via
ishasmorefrags
,islastfrag
, andisfirstfrag
- Add support for conntrack stateful firewall matching via
ctstate
- Add support for hop limiting via
Bugfixes:
- Boolean fixups allowing false values
- Better detection of unmanaged rules
- Fix multiport rule detection
- Fix sport/dport rule detection
- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
- Allow INPUT with the nat table
- Fix
src_range
&dst_range
order detection - Documentation clarifications
- Fixes to spec tests
0.4.2 - 2013-09-10
Another attempt to fix the packaging issue. We think we understand exactly what is failing and this should work properly for the first time.
0.4.1 - 2013-08-09
Bugfix release to fix a packaging issue that may have caused puppet module install commands to fail.
0.4.0 - 2013-07-11
This release adds support for address type, src/dest ip ranges, and adds additional testing and bugfixes.
Features
- Add
src_type
anddst_type
attributes (Nick Stenning) - Add
src_range
anddst_range
attributes (Lei Zhang) - Add SL and SLC operatingsystems as supported (Steve Traylen)
Bugfixes
- Fix parser for bursts other than 5 (Chris Rutter)
- Fix parser for -f in --comment (Georg Koester)
- Add doc headers to class files (Dan Carley)
- Fix lint warnings/errors (Wolf Noble)
0.3.1 - 2013/6/10
This minor release provides some bugfixes and additional tests.
Changes
- Update tests for rspec-system-puppet 2 (Ken Barber)
- Update rspec-system tests for rspec-system-puppet 1.5 (Ken Barber)
- Ensure all services have 'hasstatus => true' for Puppet 2.6 (Ken Barber)
- Accept pre-existing rule with invalid name (Joe Julian)
- Swap log_prefix and log_level order to match the way it's saved (Ken Barber)
- Fix log test to replicate bug #182 (Ken Barber)
- Split argments while maintaining quoted strings (Joe Julian)
- Add more log param tests (Ken Barber)
- Add extra tests for logging parameters (Ken Barber)
- Clarify OS support (Ken Barber)
0.3.0 - 2013/4/25
This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions.
Changes
- Fix error reporting for insane hostnames (Tomas Doran)
- Support systemd on Fedora 15 and up (Eduardo Gutierrez)
- Move examples to docs (Ken Barber)
- Add support for Arch Linux platform (Ingmar Steen)
- Add match rule for fragments (Georg Koester)
- Fix boolean rules being recognized as changed (Georg Koester)
- Same rules now get deleted (Anastasis Andronidis)
- Socket params test (Ken Barber)
- Ensure parameter can disable firewall (Marc Tardif)
0.2.1 - 2012/3/13
This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.
Changes
- (GH-139) Throw away STDERR from dpkg-query in Fact
- Update README to be consistent with module documentation template
- Fix failing spec tests due to dpkg change in iptables_persistent_version
0.2.0 - 2012/3/3
This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persistent the running rules to the OS persistence file.
Previously you would have required the following in your site.pp (or some other global location):
# Always persist firewall rules
exec { 'persist-firewall':
command => $operatingsystem ? {
'debian' => '/sbin/iptables-save > /etc/iptables/rules.v4',
/(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
},
refreshonly => true,
}
Firewall {
notify => Exec['persist-firewall'],
before => Class['my_fw::post'],
require => Class['my_fw::pre'],
}
Firewallchain {
notify => Exec['persist-firewall'],
}
resources { "firewall":
purge => true
}
You only need:
class { 'firewall': }
Firewall {
before => Class['my_fw::post'],
require => Class['my_fw::pre'],
}
To install pre-requisites and to create dependencies on your pre & post rules. Consult the README for more information.
Changes
- Firewall class manifests (Dan Carley)
- Firewall and firewallchain persistence (Dan Carley)
- (GH-134) Autorequire iptables related packages (Dan Carley)
- Typo in #persist_iptables OS normalisation (Dan Carley)
- Tests for #persist_iptables (Dan Carley)
- (GH-129) Replace errant return in autoreq block (Dan Carley)
0.1.1 - 2012/2/28
This release primarily fixes changing parameters in 3.x
Changes
- (GH-128) Change method_missing usage to define_method for 3.x compatibility
- Update travis.yml gem specifications to actually test 2.6
- Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility
0.1.0 - 2012/2/24
This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).
Changes
- Add support for MARK target and set-mark property (Johan Huysmans)
- Fix broken call to super for ruby-1.9.2 in munge (Ken Barber)
- simple fix of the error message for allowed values of the jump property (Daniel Black)
- Adding OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer)
- Display multi-value: port, sport, dport and state command seperated (Daniel Black)
- Require jump=>LOG for log params (Daniel Black)
- Reject and document icmp => "any" (Dan Carley)
- add firewallchain type and iptables_chain provider (Daniel Black)
- Various fixes for firewallchain resource (Ken Barber)
- Modify firewallchain name to be chain:table:protocol (Ken Barber)
- Fix allvalidchain iteration (Ken Barber)
- Firewall autorequire Firewallchains (Dan Carley)
- Tests and docstring for chain autorequire (Dan Carley)
- Fix README so setup instructions actually work (Ken Barber)
- Support vlan interfaces (interface containing ".") (Johan Huysmans)
- Add tests for VLAN support for iniface/outiface (Ken Barber)
- Add the table when deleting rules (Johan Huysmans)
- Fix tests since we are now prefixing -t)
- Changed 'jump' to 'action', commands to lower case (Jason Short)
- Support interface names containing "+" (Simon Deziel)
- Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar)
- Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu)
- Document Util::Firewall.host_to_ip (Dan Carley)
- Nullify addresses with zero prefixlen (Dan Carley)
- Add support for --tcp-flags (Thomas Vander Stichele)
- Make tcp_flags support a feature (Ken Barber)
- OUTPUT is a valid chain for the mangle table (Adam Gibbins)
- Enable travis-ci support (Ken Barber)
- Convert an existing test to CIDR (Dan Carley)
- Normalise iptables-save to CIDR (Dan Carley)
- be clearer about what distributions we support (Ken Barber)
- add gre protocol to list of acceptable protocols (Jason Hancock)
- Added pkttype property (Ashley Penney)
- Fix mark to not repeat rules with iptables 1.4.1+ (Sharif Nassar)
- Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber)
- Stub iptables facts for set_mark tests (Dan Carley)
- Update formatting of README to meet Puppet Labs best practices (Will Hopper)
- Support for ICMP6 type code resolutions (Dan Carley)
- Insert order hash included chains from different tables (Ken Barber)
- rspec 2.11 compatibility (Jonathan Boyett)
- Add missing class declaration in README (sfozz)
- array_matching is contraindicated (Sharif Nassar)
- Convert port Fixnum into strings (Sharif Nassar)
- Update test framework to the modern age (Ken Barber)
- working with ip6tables support (wuwx)
- Remove gemfile.lock and add to gitignore (William Van Hevelingen)
- Update travis and gemfile to be like stdlib travis files (William Van Hevelingen)
- Add support for -m socket option (Ken Barber)
- Add support for single --sport and --dport parsing (Ken Barber)
- Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley)
- Mock Resolv.getaddress in #host_to_ip (Dan Carley)
- Update docs for source and dest - they are not arrays (Ken Barber)
0.0.4 - 2011/12/05
This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group got a match:
firewall { '497 match uid':
port => '123',
proto => 'mangle',
chain => 'OUTPUT',
action => 'drop'
uid => '123'
}
This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' now support hostnames:
firewall { '498 accept from puppetlabs.com':
port => '123',
proto => 'tcp',
source => 'puppetlabs.com',
action => 'accept'
}
The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':
firewall { '499 logging':
port => '123',
proto => 'udp',
log_level => 'debug',
action => 'drop'
}
Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.
Changes
- (#10957) add iptables_version and ip6tables_version facts
- (#11093) Improve log_level property so it converts names to numbers
- (#10723) Munge hostnames and IPs to IPs with CIDR
- (#10718) Add owner-match support
- (#10997) Add fixtures for ipencap
- (#11034) Whitespace cleanup
- (#10690) add port property support to ip6tables
0.0.3 - 2011/11/12
This release introduces a new parameter 'port' which allows you to set both source and destination ports for a match:
firewall { "500 allow NTP requests":
port => "123",
proto => "udp",
action => "accept",
}
We also have the limit parameter finally working:
firewall { "500 limit HTTP requests":
dport => 80,
proto => tcp,
limit => "60/sec",
burst => 30,
action => accept,
}
State ordering has been fixed now, and more characters are allowed in the namevar:
- Alphabetical
- Numbers
- Punctuation
- Whitespace
Changes
- (#10693) Ensure -m limit is added for iptables when using 'limit' param
- (#10690) Create new port property
- (#10700) allow additional characters in comment string
- (#9082) Sort iptables --state option values internally to keep it consistent across runs
- (#10324) Remove extraneous whitespace from iptables rule line in spec tests
0.0.2 - 2011/10/26
This is largely a maintanence and cleanup release, but includes the ability to specify ranges of ports in the sport/dport parameter:
firewall { "500 allow port range":
dport => ["3000-3030","5000-5050"],
sport => ["1024-65535"],
action => "accept",
}
Changes
- (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppet server
- (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
- (#10263) Fix tests on Puppet 2.6.x
- (#10163) Cleanup some of the inline documentation and README file to align with general forge usage
0.0.1 - 2011/10/18
Initial release.
Changes
- (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter
- (#10088) Provide a customised version of CONTRIBUTING.md
- (#10026) Re-arrange provider and type spec files to align with Puppet
- (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default
- (#9439) fix parsing and deleting existing rules
- (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider
- (#9576) Stub provider so it works properly outside of Linux
- (#9576) Align spec framework with Puppet core
- and lots of other earlier development tasks ...
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.0.0 < 9.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.