firewall

Table of Contents

1. Overview - What is the firewall module?
2. Module description - What does the module do?
3. Setup - The basics of getting started with firewall
   • What firewall affects
   • Setup requirements
   • Beginning with firewall
   • Upgrading
4. Usage - Configuration and customization options
   • Default rules - Setting up general configurations for all firewalls
   • Application-specific rules - Options for configuring and managing firewalls across applications
   • Rule inversion
   • Additional uses for the firewall module
   • Duplicate rule behaviour
   • Additional information
5. Reference - An under-the-hood peek at what the module is doing
6. Limitations - OS compatibility, etc.
7. Firewall_multi - Arrays for certain parameters
8. Development - Guide for contributing to the module
   • Tests - Testing your configuration

Overview

The firewall module lets you manage firewall rules with Puppet.

Module description

PuppetLabs' firewall module introduces the firewall resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the firewallchain resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.

The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining pre and post rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.

Setup

What firewall affects

• Every node running a firewall
• Firewall settings in your system
• Connection settings for managed nodes
• Unmanaged resources (get purged)

Setup requirements

Firewall uses Ruby-based providers, so you must enable pluginsync.

Beginning with firewall

In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.

If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.

The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the pre and post classes described in the first section, then you also need to create the rules described in the second section.

Create the my_fw::pre and my_fw::post Classes

This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.

The code in this section does the following:

• The 'require' parameter in firewall {} ensures my_fw::pre is run before any other rules.
• In the my_fw::post class declaration, the 'before' parameter ensures my_fw::post is run after any other rules.

The rules in the pre and post classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.

1. Add the pre class to my_fw/manifests/pre.pp, and any default rules to your pre.pp file first — in the order you want them to run.

class my_fw::pre {
  Firewall {
    require => undef,
  }

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  -> firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  -> firewall { '002 reject local traffic not on loopback interface':
    iniface     => '! lo',
    proto       => 'all',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }
  -> firewall { '003 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

The rules in pre allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed.

2. Add the post class to my_fw/manifests/post.pp and include any default rules — apply these last.

class my_fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

Alternatively, the firewallchain type can be used to set the default policy:

firewallchain { 'INPUT:filter:IPv4':
  ensure => present,
  policy => drop,
  before => undef,
}

Create firewall rules

The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.

Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.

1. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the pre and post classes are run in the correct order and avoid locking you out of your box during the first Puppet run.

Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

2. Declare the my_fw::pre and my_fw::post classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:

class { ['my_fw::pre', 'my_fw::post']: }

3. Include the firewall class to ensure the correct packages are installed:

class { 'firewall': }

4. If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.

resources { 'firewall':
  purge => true,
}

To purge unmanaged firewall chains, add:

resources { 'firewallchain':
  purge => true,
}

Internal chains can not be deleted. In order to avoid all the confusing Warning/Notice messages when using purge => true, like these ones:

Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds
Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[INPUT:mangle:IPv4]/ensure: removed
Warning: Firewallchain[FORWARD:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain FORWARD:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[FORWARD:mangle:IPv4]/ensure: removed
Warning: Firewallchain[OUTPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain OUTPUT:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[OUTPUT:mangle:IPv4]/ensure: removed
Warning: Firewallchain[POSTROUTING:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain POSTROUTING:mangle:IPv4
Notice: /Stage[main]/Main/Firewallchain[POSTROUTING:mangle:IPv4]/ensure: removed

Please create firewallchains for every internal chain. Here is an example:

firewallchain { 'POSTROUTING:mangle:IPv6':
  ensure  => present,
}

resources { 'firewallchain':
  purge => true,
}

Note: If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.

Note: If you need more fine-grained control about which unmananged rules get removed, investigate the purge and ignore_foreign parameters available in firewallchain.

Upgrading

Use these steps if you already have a version of the firewall module installed.

From version 0.2.0 and more recent

Upgrade the module with the puppet module tool as normal:

puppet module upgrade puppetlabs/firewall

Usage

There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.

All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. 000 runs first, 999 runs last.

Note: The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range.

Default rules

You can place default rules in either my_fw::pre or my_fw::post, depending on when you would like them to run. Rules placed in the pre class will run first, and rules in the post class, last.

In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.

Examples of default rules

Basic accept ICMP request example:

firewall { '000 accept all icmp requests':
  proto  => 'icmp',
  action => 'accept',
}

Drop all:

firewall { '999 drop all other requests':
  action => 'drop',
}

Example of an IPv6 rule

IPv6 rules can be specified using the ip6tables provider:

firewall { '006 Allow inbound SSH (v6)':
  dport    => 22,
  proto    => 'tcp',
  action   => 'accept',
  provider => 'ip6tables',
}

Application-specific rules

Puppet doesn't care where you define rules, and this means that you can place your firewall resources as close to the applications and services that you manage as you wish. If you use the roles and profiles pattern then it makes sense to create your firewall rules in the profiles, so they remain close to the services managed by the profile.

This is an example of firewall rules in a profile:

class profile::apache {
  include apache
  apache::vhost { 'mysite':
    ensure => present,
  }

  firewall { '100 allow http and https access':
    dport  => [80, 443],
    proto  => 'tcp',
    action => 'accept',
  }
}

Rule inversion

Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.

Parameters that understand inversion are: connmark, ctstate, destination, dport, dst_range, dst_type, iniface, outiface, port, proto, source, sport, src_range and src_type.

Examples:

firewall { '001 disallow esp protocol':
  action => 'accept',
  proto  => '! esp',
}

firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
  chain     => 'INPUT',
  state     => 'NEW',
  action    => 'drop',
  proto     => 'tcp',
  sport     => ['! http', '! 443'],
  source    => '! 10.0.0.0/8',
  tcp_flags => '! FIN,SYN,RST,ACK SYN',
}

Additional uses for the firewall module

You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:

node 'some.node.com' {
  firewall { '111 open port 111':
    dport => 111,
  }
}

You can also do more complex things with the firewall resource. This example sets up static NAT for the source network 10.1.2.0/24:

firewall { '100 snat for network foo2':
  chain    => 'POSTROUTING',
  jump     => 'MASQUERADE',
  proto    => 'all',
  outiface => 'eth0',
  source   => '10.1.2.0/24',
  table    => 'nat',
}

You can also change the TCP MSS value for VPN client traffic:

firewall { '110 TCPMSS for VPN clients':
  chain     => 'FORWARD',
  table     => 'mangle',
  source    => '10.0.2.0/24',
  proto     => 'tcp',
  tcp_flags => 'SYN,RST SYN',
  mss       => '1361:1541',
  set_mss   => '1360',
  jump      => 'TCPMSS',
}

The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:

firewall { '503 Mirror traffic to IDS':
  proto   => 'all',
  jump    => 'TEE',
  gateway => '10.0.0.2',
  chain   => 'PREROUTING',
  table   => 'mangle',
}

The following example creates a new chain and forwards any port 5000 access to it.

firewall { '100 forward to MY_CHAIN':
  chain   => 'INPUT',
  jump    => 'MY_CHAIN',
}

# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
  ensure  => present,
}

firewall { '100 my rule':
  chain   => 'MY_CHAIN',
  action  => 'accept',
  proto   => 'tcp',
  dport   => 5000,
}

Setup NFLOG for a rule.

firewall {'666 for NFLOG':
  proto           => 'all',
  jump            => 'NFLOG',
  nflog_group     => 3,
  nflog_prefix    => 'nflog-test',
  nflog_range     => 256,
  nflog_threshold => 1,
}

Duplicate rule behaviour

It is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This configuration is not supported by the firewall module.

In the event of a duplicate rule, the module will by default display a warning message notifying the user that it has found a duplicate but will continue to update the resource.

This behaviour is configurable via the onduplicaterulebehaviour parameter. Users can choose from the following behaviours:

• ignore - The duplicate rule is ignored and any updates to the resource will continue unaffected.
• warn - The duplicate rule is logged as a warning and any updates to the resource will continue unaffected.
• error - The duplicate rule is logged as an error and any updates to the resource will be skipped.

With either the ignore or warn (default) behaviour, Puppet may create another duplicate rule. To prevent this behavior and report the resource as failing during the Puppet run, specify the error behaviour.

Additional information

Access the inline documentation:

puppet describe firewall

Or

puppet doc -r type
(and search for firewall)

Reference

For information on the classes and types, see the REFERENCE.md. For information on the facts, see below.

Facts:

• ip6tables_version
• iptables_version
• iptables_persistent_version

Fact: ip6tables_version

A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.

Fact: iptables_version

A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.

Fact: iptables_persistent_version

Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.

Limitations

For an extensive list of supported operating systems, see metadata.json

SLES

The socket parameter is not supported on SLES. In this release it will cause the catalog to fail with iptables failures, rather than correctly warn you that the features are unusable.

Oracle Enterprise Linux

The socket and owner parameters are unsupported on Oracle Enterprise Linux when the "Unbreakable" kernel is used. These may function correctly when using the stock RedHat kernel instead. Declaring either of these parameters on an unsupported system will result in iptable rules failing to apply.

Passing firewall parameter values as arrays with firewall_multi module

You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.

A community module, alexharvey-firewall_multi, provides a defined type wrapper to spawn firewall resources for arrays of certain inputs.

For example:

firewall_multi { '100 allow http and https access':
  source => [
    '10.0.10.0/24',
    '10.0.12.0/24',
    '10.1.1.128',
  ],
  dport  => [80, 443],
  proto  => 'tcp',
  action => 'accept',
}

For more information see the documentation at alexharvey-firewall_multi.

Known issues

MCollective causes PE to reverse firewall rule order

Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x.

If you use MCollective to kick off Puppet runs (mco puppet runonce -I agent.example.com) while also using the puppetlabs/firewall module, your firewall rules might be listed in reverse order.

In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails.

To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead:

• Run puppet agent -t on the command line.
• Use a cron job.
• Click Run Puppet in the console.

condition parameter

The condition parameter requires xtables-addons to be installed locally. For ubuntu distributions xtables-addons-common package can be installed by running command: apt-get install xtables-addons-common or running a manifest:

package { 'xtables-addons-common':
  ensure => 'latest',
}

For other distributions (RedHat, Debian, Centos etc) manual installation of the xtables-addons package is required.

Reporting Issues

Please report any bugs in the Puppetlabs JIRA issue tracker:

https://tickets.puppetlabs.com/projects/MODULES/issues

Development

Acceptance tests for this module leverage puppet_litmus. To run the acceptance tests follow the instructions here. You can also find a tutorial and walkthrough of using Litmus and the PDK on YouTube.

If you run into an issue with this module, or if you would like to request a feature, please file a ticket. Every Monday the Puppet IA Content Team has office hours in the Puppet Community Slack, alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC).

If you have problems getting this module up and running, please contact Support.

If you submit a change to this module, be sure to regenerate the reference documentation as follows:

puppet strings generate --format markdown --out REFERENCE.md

Testing

Make sure you have:

• rake
• bundler

Install the necessary gems:

bundle install

And run the tests from the root of the source code:

bundle exec rake parallel_spec

See also .travis.yml for information on running the acceptance and other tests.

Reference

Table of Contents

Classes

Public Classes

• firewall: Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins

Private Classes

• firewall::linux: Main linux class, includes all other classes
• firewall::linux::archlinux: Manages iptables and ip6tables services, and creates files used for persistence, on Arch Linux systems.
• firewall::linux::debian: Installs the iptables-persistent package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
• firewall::linux::gentoo: Manages iptables and ip6tables services, and creates files used for persistence, on Gentoo Linux systems.
• firewall::linux::redhat: Manages the iptables service on RedHat-alike systems.
• firewall::params: Provides defaults for the Apt module parameters.

Resource types

• firewall: This type provides the capability to manage firewall rules within puppet.
• firewallchain: This type provides the capability to manage rule chains for firewalls.

Classes

firewall

Performs the basic setup tasks required for using the firewall resources.

At the moment this takes care of:

iptables-persistent package installation Include the firewall class for nodes that need to use the resources in this module:

Examples

class { 'firewall': }

Parameters

The following parameters are available in the firewall class:

• ensure
• ensure_v6
• pkg_ensure
• service_name
• service_name_v6
• package_name
• ebtables_manage

ensure

Data type: Any

Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.

Default value: running

ensure_v6

Data type: Any

Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.

Default value: undef

pkg_ensure

Data type: Any

Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.

Default value: present

service_name

Data type: Any

Specify the name of the IPv4 iptables service.

Default value: $firewall::params::service_name

service_name_v6

Data type: Any

Specify the name of the IPv6 iptables service.

Default value: $firewall::params::service_name_v6

package_name

Data type: Any

Specify the platform-specific package(s) to install.

Default value: $firewall::params::package_name

ebtables_manage

Data type: Any

Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.

Default value: false

Resource types

firewall

Autorequires:

If Puppet is managing the iptables or ip6tables chains specified in the chain or jump parameters, the firewall resource will autorequire those firewallchain resources.

If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed.

Providers

Note: Not all features are available with all providers.

• ip6tables: Ip6tables type provider

  • Required binaries: ip6tables-save, ip6tables.
  • Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.

• iptables: Iptables type provider

  • Required binaries: iptables-save, iptables.
  • Default for kernel == linux.
  • Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.

Features

• address_type: The ability to match on source or destination address type.

• clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.

• condition: Match if a specific condition variable is (un)set (requires xtables-addons)

• connection_limiting: Connection limiting features.

• conntrack: Connection tracking features.

• dnat: Destination NATing.

• hop_limiting: Hop limiting features.

• icmp_match: The ability to match ICMP types.

• interface_match: Interface matching.

• iprange: The ability to match on source or destination IP range.

• ipsec_dir: The ability to match IPsec policy direction.

• ipsec_policy: The ability to match IPsec policy.

• iptables: The provider provides iptables features.

• isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.

• isfragment: The ability to match fragments.

• ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.

• islastfrag: The ability to match the last fragment of an ipv6 packet.

• length: The ability to match the length of the layer-3 payload.

• log_level: The ability to control the log level.

• log_prefix: The ability to add prefixes to log messages.

• log_uid: The ability to log the userid of the process which generated the packet.

• log_tcp_sequence: The ability to log TCP sequence numbers.

• log_tcp_options: The ability to log TCP packet header.

• log_ip_options: The ability to log IP/IPv6 packet header.

• mark: The ability to match or set the netfilter mark value associated with the packet.

• mask: The ability to match recent rules based on the ipv4 mask.

• nflog_group: The ability to set the group number for NFLOG.

• nflog_prefix: The ability to set a prefix for nflog messages.

• nflog_range: The ability to set nflog_range.

• nflog_threshold: The ability to set nflog_threshold.

• owner: The ability to match owners.

• pkttype: The ability to match a packet type.

• rate_limiting: Rate limiting features.

• recent_limiting: The netfilter recent module.

• reject_type: The ability to control reject messages.

• set_mss: Set the TCP MSS of a packet.

• snat: Source NATing.

• socket: The ability to match open sockets.

• state_match: The ability to match stateful firewall states.

• string_matching: The ability to match a given string by using some pattern matching strategy.

• tcp_flags: The ability to match on particular TCP flag settings.

• netmap: The ability to map entire subnets via source or destination nat rules.

• hashlimit: The ability to use the hashlimit-module.

• bpf: The ability to use Berkeley Paket Filter rules.

• ipvs: The ability to match IP Virtual Server packets.

• ct_target: The ability to set connection tracking parameters for a packet or its associated connection.

• random_fully: The ability to use --random-fully flag.

Properties

The following properties are available in the firewall type.

action

Valid values: accept, reject, drop

This is the action to perform on a match. Can be one of:

• accept - the packet is accepted
• reject - the packet is rejected with a suitable ICMP response
• drop - the packet is dropped

If you specify no value it will simply match the rule but perform no action unless you provide a provider specific parameter (such as jump).

burst

Valid values: %r{^\d+$}

Rate limiting burst value (per second) before limit checks apply.

bytecode

Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility.

cgroup

Matches against the net_cls cgroup ID of the packet.

chain

Valid values: %r{^[a-zA-Z0-9\-_]+$}

Name of the chain to use. Can be one of the built-ins:

• INPUT
• FORWARD
• OUTPUT
• PREROUTING
• POSTROUTING

Or you can provide a user-based chain.

Default value: INPUT

checksum_fill

Valid values: true, false

Compute and fill missing packet checksums.

clamp_mss_to_pmtu

Valid values: true, false

Sets the clamp mss to pmtu flag.

clusterip_clustermac

Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i

Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address.

clusterip_hash_init

Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization.

clusterip_hashmode

Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport

Used with the CLUSTERIP jump target. Specify the hashing mode.

clusterip_local_node

Valid values: %r{\d+}

Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization.

clusterip_new

Valid values: true, false

Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.

clusterip_total_nodes

Valid values: %r{\d+}

Used with the CLUSTERIP jump target. Number of total nodes within this cluster.

condition

Match on boolean value (0/1) stored in /proc/net/nf_condition/name.

connlimit_above

Valid values: %r{^\d+$}

Connection limiting value for matched connections above n.

connlimit_mask

Valid values: %r{^\d+$}

Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128

connmark

Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.

ctdir

Valid values: REPLY, ORIGINAL

Matches a packet that is flowing in the specified direction using the conntrack module. If this flag is not specified at all, matches packets in both directions. Values can be:

• REPLY
• ORIGINAL

ctexpire

Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}

Matches a packet based on lifetime remaining in seconds or range of values using the conntrack module. For example:

ctexpire => '100:150'

ctorigdst

The original destination address using the conntrack module. For example:

ctorigdst => '192.168.2.0/24'

You can also negate a mask by putting ! in front. For example:

ctorigdst => '! 192.168.2.0/24'

The ctorigdst can also be an IPv6 address if your provider supports it.

ctorigdstport

Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}

The original destination port to match for this filter using the conntrack module. For example:

ctorigdstport => '80'

You can also specify a port range: For example:

ctorigdstport => '80:81'

You can also negate a port by putting ! in front. For example:

ctorigdstport => '! 80'

ctorigsrc

The original source address using the conntrack module. For example:

ctorigsrc => '192.168.2.0/24'

You can also negate a mask by putting ! in front. For example:

ctorigsrc => '! 192.168.2.0/24'

The ctorigsrc can also be an IPv6 address if your provider supports it.

ctorigsrcport

Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}

The original source port to match for this filter using the conntrack module. For example:

ctorigsrcport => '80'

You can also specify a port range: For example:

ctorigsrcport => '80:81'

You can also negate a port by putting ! in front. For example:

ctorigsrcport => '! 80'

ctproto

Valid values: %r{^!?\s?\d+$}

The specific layer-4 protocol number to match for this rule using the conntrack module.

ctrepldst

The reply destination address using the conntrack module. For example:

ctrepldst => '192.168.2.0/24'

You can also negate a mask by putting ! in front. For example:

ctrepldst => '! 192.168.2.0/24'

The ctrepldst can also be an IPv6 address if your provider supports it.

ctrepldstport

Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}

The reply destination port to match for this filter using the conntrack module. For example:

ctrepldstport => '80'

You can also specify a port range: For example:

ctrepldstport => '80:81'

You can also negate a port by putting ! in front. For example:

ctrepldstport => '! 80'

ctreplsrc

The reply source address using the conntrack module. For example:

ctreplsrc => '192.168.2.0/24'

You can also negate a mask by putting ! in front. For example:

ctreplsrc => '! 192.168.2.0/24'

The ctreplsrc can also be an IPv6 address if your provider supports it.

ctreplsrcport

Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}

The reply source port to match for this filter using the conntrack module. For example:

ctreplsrcport => '80'

You can also specify a port range: For example:

ctreplsrcport => '80:81'

You can also negate a port by putting ! in front. For example:

ctreplsrcport => '! 80'

ctstate

Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT, DNAT

Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be:

• INVALID
• ESTABLISHED
• NEW
• RELATED
• UNTRACKED
• SNAT
• DNAT

ctstatus

Valid values: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED

Matches a packet based on its status using the conntrack module. Values can be:

• EXPECTED
• SEEN_REPLY
• ASSURED
• CONFIRMED

date_start

Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07

date_stop

Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07

destination

The destination address to match. For example:

destination => '192.168.1.0/24'

You can also negate a mask by putting ! in front. For example:

destination  => '! 192.168.2.0/24'

The destination can also be an IPv6 address if your provider supports it.

dport

The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array.

For some firewall providers you can pass a range of ports in the format:

<start_number>-<ending_number>

For example:

1-1024

This would cover ports 1 to 1024.

dst_cc

Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}

dst attribute for the module geoip

dst_range

The destination IP range. For example:

dst_range => '192.168.1.1-192.168.1.10'

The destination IP range must be in 'IP1-IP2' format.

dst_type

Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten

The destination address type. For example:

dst_type => ['LOCAL']

Can be one of:

• UNSPEC - an unspecified address
• UNICAST - a unicast address
• LOCAL - a local address
• BROADCAST - a broadcast address
• ANYCAST - an anycast packet
• MULTICAST - a multicast address
• BLACKHOLE - a blackhole address
• UNREACHABLE - an unreachable address
• PROHIBIT - a prohibited address
• THROW - undocumented
• NAT - undocumented
• XRESOLVE - undocumented

In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:

dst_type => ['LOCAL --limit-iface-in']

It can also be negated using '!':

dst_type => ['! LOCAL']

Will accept a single element or an array.

ensure

Valid values: present, absent

Manage the state of this rule.

Default value: present

gateway

The TEE target will clone a packet and redirect this clone to another machine on the local network segment. gateway is the target host's IP.

gid

GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement.

goto

The value for the iptables --goto parameter. Normal values are:

• QUEUE
• RETURN
• DNAT
• SNAT
• LOG
• MASQUERADE
• REDIRECT
• MARK

But any valid chain name is allowed.

hashlimit_above

Match if the rate is above amount/quantum. This parameter or hashlimit_upto is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'.

hashlimit_burst

Valid values: %r{^\d+$}

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.

hashlimit_dstmask

Like --hashlimit-srcmask, but for destination addresses.

hashlimit_htable_expire

After how many milliseconds do hash entries expire.

hashlimit_htable_gcinterval

How many milliseconds between garbage collection intervals.

hashlimit_htable_max

Maximum entries in the hash.

hashlimit_htable_size

The number of buckets of the hash table

hashlimit_mode

A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport

hashlimit_name

The name for the /proc/net/ipt_hashlimit/foo entry. This parameter is required.

hashlimit_srcmask

When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.

hashlimit_upto

Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or hashlimit_above is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'.

helper

Invoke the nf_conntrack_xxx helper module for this packet.

hop_limit

Valid values: %r{^\d+$}

Hop limiting value for matched packets.

icmp

When matching ICMP packets, this is the type of ICMP packet to match.

A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type.

iniface

Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}

Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this:

  iniface => '! lo',

ipsec_dir

Valid values: in, out

Sets the ipsec policy direction

ipsec_policy

Valid values: none, ipsec

Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to --pol ipsec such as: --strict, --reqid 100, --next, --proto esp, etc.

ipset

Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the blacklist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'blacklist src,dst'

ipvs

Valid values: true, false

Indicates that the current packet belongs to an IPVS connection.

isfirstfrag

Valid values: true, false

If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6.

isfragment

Valid values: true, false

Set to true to match tcp fragments (requires type to be set to tcp)

ishasmorefrags

Valid values: true, false

If true, matches if the packet has it's 'more fragments' bit set. ipv6.

islastfrag

Valid values: true, false

If true, matches if the packet is the last fragment. ipv6.

jump

The value for the iptables --jump parameter. Normal values are:

• QUEUE
• RETURN
• DNAT
• SNAT
• LOG
• NFLOG
• MASQUERADE
• REDIRECT
• MARK
• CT

But any valid chain name is allowed.

For the values ACCEPT, DROP, and REJECT, you must use the generic 'action' parameter. This is to enfore the use of generic parameters where possible for maximum cross-platform modelling.

If you set both 'accept' and 'jump' parameters, you will get an error as only one of the options should be set.

kernel_timezone

Valid values: true, false

Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.

length

Sets the length of layer-3 payload to match.

limit

Rate limiting value for matched packets. The format is: rate/[/second/|/minute|/hour|/day].

Example values are: '50/sec', '40/min', '30/hour', '10/day'."

log_ip_options

Valid values: true, false

When combined with jump => "LOG" logging of the TCP IP/IPv6 packet header.

log_level

When combined with jump => "LOG" specifies the system log level to log to.

log_prefix

When combined with jump => "LOG" specifies the log prefix to use when logging.

log_tcp_options

Valid values: true, false

When combined with jump => "LOG" logging of the TCP packet header.

log_tcp_sequence

Valid values: true, false

When combined with jump => "LOG" enables logging of the TCP sequence numbers.

log_uid

Valid values: true, false

When combined with jump => "LOG" specifies the uid of the process making the connection.

mac_source

Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i

MAC Source

mask

Sets the mask to use when recent is enabled.

match_mark

Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.

month_days

Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.

mss

Match a given TCP MSS value or range.

nflog_group

Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). Defaults to 0.

nflog_prefix

Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs.

nflog_range

Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it.

nflog_threshold

Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1.

notrack

Valid values: true, false

Invoke the disable connection tracking for this packet. This parameter can be used with iptables version >= 1.8.3

outiface

Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}

Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this:

  outiface => '! lo',

physdev_in

Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}

Match if the packet is entering a bridge from the given interface.

physdev_is_bridged

Valid values: true, false

Match if the packet is transversing a bridge.

physdev_is_in

Valid values: true, false

Matches if the packet has entered through a bridge interface.

physdev_is_out

Valid values: true, false

Matches if the packet will leave through a bridge interface.

physdev_out

Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}

Match if the packet is leaving a bridge via the given interface.

pkttype

Valid values: unicast, broadcast, multicast

Sets the packet type to match.

port

note This property has been DEPRECATED

The destination or source port to match for this filter (if the protocol supports ports). Will accept a single element or an array.

For some firewall providers you can pass a range of ports in the format:

<start_number>-<ending_number>

For example:

1-1024

This would cover ports 1 to 1024.

proto

Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| [proto, "! #{proto}".to_sym] }.flatten

The specific protocol to match for this rule.

Default value: tcp

queue_bypass

Valid values: true, false

Used with NFQUEUE jump target Allow packets to bypass :queue_num if userspace process is not listening

queue_num

Used with NFQUEUE jump target. What queue number to send packets to

random

Valid values: true, false

When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping.

random_fully

Valid values: true, false

When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping.

NOTE Requires Kernel >= 3.13 and iptables >= 1.6.2

rdest

Valid values: true, false

Recent module; add the destination IP address to the list. Must be boolean true.

reap

Valid values: true, false

Recent module; can only be used in conjunction with the rseconds attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true.

recent

Valid values: set, update, rcheck, remove

Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example:

# If anyone's appeared on the 'badguy' blacklist within
#  the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
  recent   => 'update',
  rseconds => 60,
  rsource  => true,
  rname    => 'badguy',
  action   => 'DROP',
  chain    => 'FORWARD',
}

# No-one should be sending us traffic on eth0 from the
#  localhost, Blacklist them
firewall { '101 blacklist strange traffic':
  recent      => 'set',
  rsource     => true,
  rname       => 'badguy',
  destination => '127.0.0.0/8',
  iniface     => 'eth0',
  action      => 'DROP',
  chain       => 'FORWARD',
}

reject

When combined with action => "REJECT" you can specify a different icmp response to be sent back to the packet sender.

rhitcount

Recent module; used in conjunction with recent => 'update' or `recent => 'rcheck'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value.

rname

Recent module; The name of the list. Takes a string argument.

rpfilter

Valid values: loose, validmark, accept-local, invert

Enable the rpfilter module.

rseconds

Recent module; used in conjunction with one of recent => 'rcheck' or recent => 'update'. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.

rsource

Valid values: true, false

Recent module; add the source IP address to the list. Must be boolean true.

rttl

Valid values: true, false

Recent module; may only be used in conjunction with one of recent => 'rcheck' or recent => 'update'. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the recent => 'set' rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true.

set_dscp

Set DSCP Markings.

set_dscp_class

This sets the DSCP field according to a predefined DiffServ class.

set_mark

Set the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already.

set_mss

Sets the TCP MSS value for packets.

socket

Valid values: true, false

If true, matches if an open socket can be found by doing a coket lookup on the packet.

source

The source address. For example:

source => '192.168.2.0/24'

You can also negate a mask by putting ! in front. For example:

source => '! 192.168.2.0/24'

The source can also be an IPv6 address if your provider supports it.

sport

The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array.

For some firewall providers you can pass a range of ports in the format:

<start_number>-<ending_number>

For example:

1-1024

This would cover ports 1 to 1024.

src_cc

Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}

src attribute for the module geoip

src_range

The source IP range. For example:

src_range => '192.168.1.1-192.168.1.10'

The source IP range must be in 'IP1-IP2' format.

src_type

Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten

The source address type. For example:

src_type => ['LOCAL']

Can be one of:

• UNSPEC - an unspecified address
• UNICAST - a unicast address
• LOCAL - a local address
• BROADCAST - a broadcast address
• ANYCAST - an anycast packet
• MULTICAST - a multicast address
• BLACKHOLE - a blackhole address
• UNREACHABLE - an unreachable address
• PROHIBIT - a prohibited address
• THROW - undocumented
• NAT - undocumented
• XRESOLVE - undocumented

In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:

src_type => ['LOCAL --limit-iface-in']

It can also be negated using '!':

src_type => ['! LOCAL']

Will accept a single element or an array.

stat_every

Match one packet every nth packet. Requires stat_mode => 'nth'

stat_mode

Valid values: nth, random

Set the matching mode for statistic matching.

stat_packet

Valid values: %r{^\d+$}

Set the initial counter value for the nth mode. Must be between 0 and the value of stat_every. Defaults to 0. Requires stat_mode => 'nth'

stat_probability

Set the probability from 0 to 1 for a packet to be randomly matched. It works only with stat_mode => 'random'.

state

Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED

Matches a packet based on its state in the firewall stateful inspection table. Values can be:

• INVALID
• ESTABLISHED
• NEW
• RELATED
• UNTRACKED

string

String matching feature. Matches the packet against the pattern given as an argument.

string_algo

Valid values: bm, kmp

String matching feature, pattern matching strategy.

string_from

String matching feature, offset from which we start looking for any matching.

string_hex

String matching feature. Matches the package against the hex pattern given as an argument.

string_to

String matching feature, offset up to which we should scan.

table

Valid values: nat, mangle, filter, raw, rawpost

Table to use. Can be one of:

• nat
• mangle
• filter
• raw
• rawpost

Default value: filter

tcp_flags

Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE Note that you specify them in the order that iptables --list-rules would list them to avoid having puppet think you changed the flags. Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation.

time_contiguous

Valid values: true, false

When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.

time_start

Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.

time_stop

Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.

to

For NETMAP this will replace the destination IP

todest

When using jump => "DNAT" you can specify the new destination address using this paramter.

toports

For DNAT this is the port that will replace the destination port.

tosource

When using jump => "SNAT" you can specify the new source address using this parameter.

uid

UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement.

week_days

Valid values: Mon, Tue, Wed, Thu, Fri, Sat, Sun

Only match on the given weekdays.

zone

Assign this packet to zone id and only have lookups done in that zone.

Parameters

The following parameters are available in the firewall type.

• line
• name
• provider

line

Read-only property for caching the rule line.

name

Valid values: %r{^\d+[[:graph:][:space:]]+$}

namevar

The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number:

000 this runs first
999 this runs last

Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem.

provider

The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

firewallchain

Currently this supports only iptables, ip6tables and ebtables on Linux. And provides support for setting the default policy on chains and tables that allow it.

Autorequires: If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed.

Providers

• iptables_chain is the only provider that supports firewallchain.

Features

• iptables_chain: The provider provides iptables chain features.
• policy: Default policy (inbuilt chains only).

Properties

The following properties are available in the firewallchain type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

policy

Valid values: accept, drop, queue, return

This is the action to when the end of the chain is reached. It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of:

• accept - the packet is accepted
• drop - the packet is dropped
• queue - the packet is passed userspace
• return - the packet is returned to calling (jump) queue or the default of inbuilt chains

Parameters

The following parameters are available in the firewallchain type.

• ignore
• ignore_foreign
• name
• provider
• purge

ignore

Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save.

This can be a single regex, or an array of them. To support flags, use the ruby inline flag mechanism. Meaning a regex such as /foo/i can be written as '(?i)foo' or '(?i:foo)'

Full example:

firewallchain { 'INPUT:filter:IPv4':
  purge => true,
  ignore => [
    '-j fail2ban-ssh', # ignore the fail2ban jump rule
    '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
  ],
}

ignore_foreign

Valid values: false, true

Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain. This can be used to ignore rules that were not put in by puppet. Beware that nothing keeps other systems from configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured rules.

Default value: false

name

namevar

The canonical name of the chain.

For iptables the format must be {chain}:{table}:{protocol}.

provider

The specific backend to use for this firewallchain resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

purge

Valid values: false, true

Purge unmanaged firewall rules in this chain

Default value: false

Change log

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v3.4.0 (2022-02-28)

Full Changelog

Added

• (SEC-944) Handle duplicate system rules #1030 (chelnak)

Fixed

• pdksync - (IAC-1787) - Remove Support for CentOS 6 #1027 (david22swan)

v3.3.0 (2021-12-15)

Full Changelog

Added

• pdksync - (IAC-1753) - Add Support for AlmaLinux 8 #1020 (david22swan)
• pdksync - (IAC-1751) - Add Support for Rocky 8 #1017 (david22swan)

Fixed

• Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range #1019 (cmd-ntrf)
• Fedora 34 and iptables-compat fix; properly utilising iptables param. #1018 (adamboutcher)
• pdksync - (IAC-1598) - Remove Support for Debian 8 #1015 (david22swan)
• Add carp protocol to :proto property #1014 (adrianiurca)
• (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing #981 (tskirvin)

v3.2.0 (2021-09-06)

Full Changelog

Added

• pdksync - (IAC-1709) - Add Support for Debian 11 #1005 (david22swan)

Fixed

• Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present #1010 (onyxmaster)

v3.1.0 (2021-07-26)

Full Changelog

Added

• add compatibility with Rocky Linux #998 (vchepkov)

Fixed

• (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 #1002 (adrianiurca)

v3.0.2 (2021-07-19)

Full Changelog

Fixed

• sles-15: mac_source is downcased by iptables #997 (adrianiurca)
• fix: parsing random_fully in ip6tables #996 (scoiatael)

v3.0.1 (2021-06-21)

Full Changelog

Fixed

• Fixed link to REFERENCE.md #993 (Samgarr)
• Update README.md #986 (arjenz)

v3.0.0 (2021-03-01)

Full Changelog

Changed

• pdksync - (MAINT) Remove SLES 11 support #977 (sanfrancrisko)
• pdksync - (MAINT) Remove RHEL 5 family support #976 (sanfrancrisko)
• pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 #972 (carabasdaniel)

v2.8.1 (2021-02-09)

Full Changelog

Fixed

• [MODULES-10907] Do not remove spaces from hex string with ! #967 (adrianiurca)

v2.8.0 (2020-12-14)

Full Changelog

Added

• pdksync - (feat) - Add support for Puppet 7 #959 (daianamezdrea)
• (IAC-966) - MODULES-10522: Add support for the --condition parameter #941 (adrianiurca)

Fixed

• Restore copyright names #951 (hunner)

v2.7.0 (2020-10-15)

Full Changelog

Added

• (IAC-1190) add ignore_foreign when purging firewallchains #948 (DavidS)

v2.6.0 (2020-10-01)

Full Changelog

Fixed

• Fix extra quotes in firewall string matching #944 (IBBoard)
• (IAC-987) - Removal of inappropriate terminology #942 (david22swan)

v2.5.0 (2020-07-28)

Full Changelog

Added

• Add acceptance and unit test #931 (adrianiurca)
• [IAC-899] - Add acceptance test for string_hex parameter #930 (adrianiurca)
• Add support for NFLOG options to ip6tables #921 (frh)

v2.4.0 (2020-05-13)

Full Changelog

Added

• pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #933 (david22swan)
• Add support for u32 module in iptables #917 (sanfrancrisko)
• Add support for cgroup arg #916 (akerl-unpriv)
• Extend LOG options #914 (martialblog)

Fixed

• (MODULES-8543) Remove nftables' backend warning from iptables_save outtput #911 (NITEMAN)

v2.3.0 (2020-03-26)

Full Changelog

Added

• Add iptables --hex-string support to firewall resource #907 (alexconrey)
• Add random_fully and rpfilter support #892 (treydock)
• (MODULES-7800) Add the ability to specify iptables connection tracking helpers. #890 (jimmyt86)
• Support conntrack module #872 (haught)

Fixed

• (maint) Use fact.flush only when available #906 (Filipovici-Andrei)
• (MODULES-10358) - Clarification added to Boolean validation checks #886 (david22swan)
• Merge and remove duplicate README file, lint code snippets #878 (runejuhl)

v2.2.0 (2019-12-09)

Full Changelog

Added

• Add support for Debian Unstable #876 (martialblog)
• (FM-8673) - Support added for CentOS 8 #873 (david22swan)
• FM-8400 - add debian10 support #862 (lionce)
• FM-8219 - Convert to litmus #855 (lionce)

Fixed

• Change - Avoid puppet failures on windows nodes #874 (blackknight36)
• Fix parsing iptables rules with hyphen in comments #861 (Hexta)

v2.1.0 (2019-09-24)

Full Changelog

Added

• (MODULES-6136) Add zone property of CT target. #852 (rwf14f)
• (FM-8025) Add RedHat 8 support #847 (eimlav)

Fixed

• MODULES-9801 - fix negated physdev #858 (lionce)

v2.0.0 (2019-05-14)

Full Changelog

Changed

• pdksync - (MODULES-8444) - Raise lower Puppet bound #841 (david22swan)

Added

• (FM-7903) - Implement Puppet Strings #838 (david22swan)

Fixed

• (MODULES-8736) IPtables support on RHEL8 #824 (EmilienM)

1.15.3 (2019-04-04)

Full Changelog

Fixed

• (MODULES-8855) Move ipvs test to exception spec #834 (eimlav)
• (MODULES-8842) Fix ipvs not idempotent #833 (eimlav)

1.15.2 (2019-03-26)

Full Changelog

Fixed

• (MODULES-8615) Fix rules with ipvs not parsing #828 (eimlav)
• (MODULES-7333) - Change hashing method from MD5 to SHA256 #827 (david22swan)
• (MODULES-6547) Fix existing rules with --dport not parsing #826 (eimlav)
• (MODULES-8648) - Fix for failures on SLES 11 #816 (david22swan)
• (MODULES-8584) Handle multiple escaped quotes in comments properly #815 (mateusz-gozdek-sociomantic)
• External control for iptables-persistent #795 (identw)

1.15.1 (2019-02-01)

Full Changelog

Fixed

• (DOC-3056) Remove mention of rules ordering #809 (clairecadman)
• (FM-7712) - Remove Gentoo 1.0 testing/support for Firewall module #808 (david22swan)
• (MODULES-8360) Fix IPv6 bug relating to Bugzilla 1015 #804 (alexharv074)

1.15.0 (2019-01-18)

Full Changelog

Added

• (MODULES-8143) - Add SLES 15 support #798 (eimlav)
• Add nftables wrapper support for RHEL8 #794 (mwhahaha)
• Changed regex for iniface and outiface to allow '@' in interface names #791 (GeorgeCox)
• (MODULES-8214) Handle src_type and dst_type as array #790 (mateusz-gozdek-sociomantic)
• (MODULES-7990) Merge multiple comments into one while parsing rules #789 (mateusz-gozdek-sociomantic)
• add -g flag handling in ip6tables.rb provider #788 (cestith)
• (MODULES-7681) Add support for bytecode property #771 (baurmatt)

Fixed

• pdksync - (FM-7655) Fix rubygems-update for ruby \< 2.3 #801 (tphoney)
• (MODULES-6340) - Address failure when name begins with 9XXX #796 (eimlav)
• Amazon linux 2 changed its major version to 2 with the last update... #793 (erik-frontify)

1.14.0 (2018-09-27)

Full Changelog

Added

• pdksync - (MODULES-6805) metadata.json shows support for puppet 6 #782 (tphoney)
• (FM-7399) - Prepare for changelog generator #780 (pmcmaw)

1.13.0

Full Changelog

Added

• pdksync - (MODULES-7705) - Bumping stdlib dependency from \< 5.0.0 to \< 6.0.0 #775 (pmcmaw)
• Add support for Amazon Linux 2 #768 (erik-frontify)
• (FM-7232) - Update firewall to support Ubuntu 18.04 #767 (david22swan)
• [FM-7044] Addition of Debian 9 support to firewall #765 (david22swan)
• [FM-6961] Removal of unsupported OS from firewall #764 (david22swan)

Fixed

• (MODULES-7627) - Update README Limitations section #769 (eimlav)
• Corrections to readme #766 (alexharv074)
• (MODULES-6129) negated option with address mask bugfix #756 (mirekys)
• (MODULES-2119) iptables delete -p all exception #749 (mikkergimenez)

1.12.0

Summary

This release uses the PDK convert functionality which in return makes the module PDK compliant. It also includes a roll up of maintenance changes.

Added

• PDK convert firewall (MODULES-6455).
• Modulesync updates.

Fixed

• Set correct seluser for CentOS/RHEL 5.x (MODULES-6092).
• Fix error parsing rules with dashes in the chain name (MODULES-6261).
• Changes to address additional Rubocop failures.
• (maint) Addressing puppet-lint doc warnings.

Supported Release 1.11.0

Summary

This release is to implement Rubocop changes within the module.

Added

• Rubocop has been implemented in the module.

Changed

• Module sync was updated.
• Unparsable rules are now skipped with a warning.

Supported Release 1.10.0

Summary

This is a clean release prior to the module being run through rubocop.

Added

• Hashlimit module added.
• Firewall multi notes added.
• Gidd lookup now added.
• Simple sanity check added to hash parser rule.

Changed

• Version requirement has been updated.
• An array is no lnger accepted for icmp types.
• UNTRACKED is now considered to be a valid state.
• Modulesync updates.
• ip6tables can be disabled.
• Readme format has been fixed.
• Fixes made to accomodate Puppet lint.
• Fix to regex i 'connlimit_spec.rb' and 'firewall_spec.rb'.
• General test fixes.
• Negated match sets know properly dealt with.
• Correct IP version for hostname resolution now chosen.
• Unmanaged rule regex regarding iptable has been fixed.

Removed

• Ubuntu 10.04 and 12.04 removed.

Supported Release 1.9.0

Summary

This release includes several bugfixes and NFLOG support.

Added

• Support for NFLOG including the NFLOG jump target and four commandline options (FM-4896)
• Support for the geoip module (MODULES-4279)
• Management of the ebtables package

Fixed

• iptables parser fails with "Invalid address from IPAddr.new: -m" (MODULES-4234)
• selinux context for iptables configuration
• Replace Puppet.version.to_f with Puppet::Util::Package.versioncmp ( MODULES-4528)

Supported Release 1.8.2

Summary

This release includes numerous features and bugfixes, See below.

Bugfixes

• Fixing issue with double quotes being removed when part of the rule comment
• Add the --wait flag to the insert/update/delete iptables actions to prevent failures from occuring when iptables is running outside of puppet for iptables >= 1.4.20
• Fix iptables_version and ip6tables_version facts not returning the version

Features

• Support for multiple IP sets in a single rule
• Implement queue_bypass and queue_num parameters for NFQUEUE jump target
• Tighten SELinux permissions on persistent files
• RHEL7 SELinux support for puppet 3
• Manage ip6tables service for Redhat Family

Supported Release 1.8.1

Summary

This release documents an important issue with mcollective that may impact users of the firewall module. Workarounds are suggested as part of this advisory until mcollective can be patched.

Bugfixes

• Add mcollective rule-reversal known limitation

Supported Release 1.8.0

Summary

This release includes numerous features, bugfixes and other improvements including better handling when trying to delete already absent rules.

Features

• Added new 'pkg_ensure' parameter to allow the updating of the iptables package.
• Added new 'log_uid' property.
• Added 'sctp' to the 'proto' property.
• Added support for IPv6 NAT in Linux kernels >= 3.7.
• Added support for the security table.

Bugfixes

• (MODULES-2783) Replaced hardcoded iptables service references with $service_name variable.
• (MODULES-1341) Recover when deleting absent rules.
• (MODULES-3032) Facter flush is called to clear Facter cache get up to date value for ':iptables_persistent_version'.
• (MODULES-2159) Fixed idempotency issue when using connlimit.
• Fixed the handling of chain names that contain '-f'.

Improvements

• Numerous unit and acceptance test improvements.
• Improved handling/use of the '$::iptables_persistent_version' custom fact.
• Better handling of operating systems that use SELinux.

Supported Release 1.7.2

Summary

Small release for support of newer PE versions. This increments the version of PE in the metadata.json file.

2015-08-25 - Supported Release 1.7.1

Summary

This is a bugfix release to deprecate the port parameter. Using the unspecific 'port' parameter can lead to firewall rules that are unexpectedly too lax. It is recommended to always use the specific dport and sport parameters to avoid this ambiguity.

Bugfixes

• Deprecate the port parameter

2015-07-28 - Supported Release 1.7.0

Summary

This release includes numerous features, bugfixes and other improvements including Puppet 4 & PE 2015.2 support as well as ClusterIP and DSCP jump target support.

Features

• Puppet 4 and PE 2015.2 official support
• ClusterIP jump target (including options) now supported
• DSCP jump target (including options) now supported
• SLES 10 now compatible (but not supported)

Bugfixes

• (MODULES-1967) Parse escape sequences from iptables
• (MODULES-1592) Allow src_type and dst_type prefixed with '!' to pass validation
• (MODULES-2186) - iptables rules with -A in comment now supported
• (MODULES-1976) Revise rule name validation for ruby 1.9
• Fix installation hang on Debian Jessie
• Fix for physdev idempotency on EL5

Improvements

• Documentation improvements
• Enforce the seluser on selinux systems
• All the relevent services are now autorequired by the firewall and firewallchain types
• Replace Facter.fact().value() calls with Facter.value() to support Facter 3

2015-05-19 - Supported Release 1.6.0

Summary

This release includes support for TEE, MSS, the time ipt module, Debian 8 support, and a number of test fixes and other improvements.

Features

• Add TEE support
• Add MSS support (including clamp-mss-to-pmtu support)
• Add support for the time ipt module (-m time)
• Add support for Debian 8
• Add support for ICMPv6 types 'neighbour-{solicitation,advertisement}'
• Add support for ICMPv6 type 'too-big'
• Add support for new 'match_mark' property
• Added 'ipv4' and 'ipv6' options to 'proto' property

Bugfixes

• Fix for Systemd-based OSes where systemd needs restarted before being able to pick up new services (MODULES-1984)
• Arch Linux package management fix

2015-03-31 - Supported Release 1.5.0

Summary

This release includes physdev_is_bridged support, checksum_fill support, basic Gentoo compatibility, and a number of test fixes and improvements.

Features

• Add physdev_is_bridged support
• Add checksum_fill support
• Add basic Gentoo compatibility (unsupported)

Bugfixes

• Implementation for resource map munging to allow a single ipt module to be used multiple times in a single rule on older versions of iptables (MODULES-1808)
• Test fixes

2015-01-27 - Supported Release 1.4.0

Summary

This release includes physdev support, the ability to look up usernames from uuid, and a number of bugfixes

Features

• Add netmap feature
• Add physdev support
• Add ability to look up username from uuid (MODULES-753, MODULES-1688)

Bugfixes

• Sync iptables/ip6tables providers (MODULES-1612)
• Fix package names for Amazon and Ubuntu 14.10 (MODULES-1029)
• Fix overly aggressive gsub when ensure => absent (MODULES-1453)
• Unable to parse -m (tcp|udp) rules (MODULES-1552)
• Fix ip6tables provider when iptables-ipv6 package isn't installed for EL6 (MODULES-633)
• Test fixes

2014-12-16 - Supported Release 1.3.0

Summary

This release includes a number of bugfixes and features, including fixing tcp_flags support, and added support for interface aliases, negation for iniface and outiface, and extra configurability for packages and service names.

Features

• Add support for interface aliases (eth0:0) (MODULES-1469)
• Add negation for iniface, outiface (MODULES-1470)
• Make package and service names configurable (MODULES-1309)

Bugfixes

• Fix test regexes for EL5 (MODULES-1565)
• Fix tcp_flags support for ip6tables (MODULES-556)
• Don't arbitrarily limit set_mark for certain chains

2014-11-04 - Supported Release 1.2.0

Summary

This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules.

Features

• Documentation updates!
• Test updates!
• Add ipset support
• Enable rule inversion
• Future parser support
• Improved support for EL7
• Support netfilter-persistent
• Add support for statistics module
• Add support for mac address source rules
• Add cbt protocol

Bugfixes

• Incorrect use of source => :iptables in the ip6tables provider was making it impossible to purge ip6tables rules (MODULES-41)
• Don't require toports when jump => 'REDIRECT' (MODULES-1086)
• Don't limit which chains iniface and outiface parameters can be used in
• Don't fail on rules added with ipsec/strongswan (MODULES-796)

2014-07-08 - Supported Release 1.1.3

Summary

This is a supported release with test coverage enhancements.

Bugfixes

• Confine to supported kernels

2014-06-04 - Release 1.1.2

Summary

This is a release of the code previously released as 1.1.1, with updated metadata.

2014-05-16 Release 1.1.1

Summary

This release reverts the alphabetical ordering of 1.1.0. We found this caused a regression in the Openstack modules so in the interest of safety we have removed this for now.

2014-05-13 Release 1.1.0

Summary

This release has a significant change from previous releases; we now apply the firewall resources alphabetically by default, removing the need to create pre and post classes just to enforce ordering. It only effects default ordering and further information can be found in the README about this. Please test this in development before rolling into production out of an abundance of caution.

We've also added mask which is required for --recent in recent (no pun intended) versions of iptables, as well as connlimit and connmark. This release has been validated against Ubuntu 14.04 and RHEL7 and should be fully working on those platforms.

Features

• Apply firewall resources alphabetically.
• Add support for connlimit and connmark.
• Add mask as a parameter. (Used exclusively with the recent parameter).

Bugfixes

• Add systemd support for RHEL7.
• Replace &&'s with the correct and in manifests.
• Fix tests on Trusty and RHEL7
• Fix for Fedora Rawhide.
• Fix boolean flag tests.
• Fix DNAT->SNAT typo in an error message.

Known Bugs

• For Oracle, the owner and socket parameters require a workaround to function. Please see the Limitations section of the README.

2014-03-04 Supported Release 1.0.2

Summary

This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath.

Features

Bugfixes

Known Bugs

• For Oracle, the owner and socket parameters require a workaround to function. Please see the Limitations section of the README.

Supported release - 2014-03-04 1.0.1

Summary

An important bugfix was made to the offset calculation for unmanaged rules to handle rules with 9000+ in the name.

Features

Bugfixes

• Offset calculations assumed unmanaged rules were numbered 9000+.
• Gracefully fail to manage ip6tables on iptables 1.3.x

Known Bugs

• For Oracle, the owner and socket parameters require a workaround to function. Please see the Limitations section of the README.

---

1.0.0 - 2014-02-11

No changes, just renumbering to 1.0.0.

---

0.5.0 - 2014-02-10

Summary:

This is a bigger release that brings in "recent" connection limiting (think "port knocking"), firewall chain purging on a per-chain/per-table basis, and support for a few other use cases. This release also fixes a major bug which could cause modifications to the wrong rules when unmanaged rules are present.

New Features:

• Add "recent" limiting via parameters rdest, reap, recent, rhitcount, rname, rseconds, rsource, and rttl
• Add negation support for source and destination
• Add per-chain/table purging support to firewallchain
• IPv4 specific
  • Add random port forwarding support
  • Add ipsec policy matching via ipsec_dir and ipsec_policy
• IPv6 specific
  • Add support for hop limiting via hop_limit parameter
  • Add fragmentation matchers via ishasmorefrags, islastfrag, and isfirstfrag
  • Add support for conntrack stateful firewall matching via ctstate

Bugfixes:

• Boolean fixups allowing false values
• Better detection of unmanaged rules
• Fix multiport rule detection
• Fix sport/dport rule detection
• Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
• Allow INPUT with the nat table
• Fix src_range & dst_range order detection
• Documentation clarifications
• Fixes to spec tests

---

0.4.2 - 2013-09-10

Another attempt to fix the packaging issue. We think we understand exactly what is failing and this should work properly for the first time.

---

0.4.1 - 2013-08-09

Bugfix release to fix a packaging issue that may have caused puppet module install commands to fail.

---

0.4.0 - 2013-07-11

This release adds support for address type, src/dest ip ranges, and adds additional testing and bugfixes.

Features

• Add src_type and dst_type attributes (Nick Stenning)
• Add src_range and dst_range attributes (Lei Zhang)
• Add SL and SLC operatingsystems as supported (Steve Traylen)

Bugfixes

• Fix parser for bursts other than 5 (Chris Rutter)
• Fix parser for -f in --comment (Georg Koester)
• Add doc headers to class files (Dan Carley)
• Fix lint warnings/errors (Wolf Noble)

---

0.3.1 - 2013/6/10

This minor release provides some bugfixes and additional tests.

Changes

• Update tests for rspec-system-puppet 2 (Ken Barber)
• Update rspec-system tests for rspec-system-puppet 1.5 (Ken Barber)
• Ensure all services have 'hasstatus => true' for Puppet 2.6 (Ken Barber)
• Accept pre-existing rule with invalid name (Joe Julian)
• Swap log_prefix and log_level order to match the way it's saved (Ken Barber)
• Fix log test to replicate bug #182 (Ken Barber)
• Split argments while maintaining quoted strings (Joe Julian)
• Add more log param tests (Ken Barber)
• Add extra tests for logging parameters (Ken Barber)
• Clarify OS support (Ken Barber)

---

0.3.0 - 2013/4/25

This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions.

Changes

• Fix error reporting for insane hostnames (Tomas Doran)
• Support systemd on Fedora 15 and up (Eduardo Gutierrez)
• Move examples to docs (Ken Barber)
• Add support for Arch Linux platform (Ingmar Steen)
• Add match rule for fragments (Georg Koester)
• Fix boolean rules being recognized as changed (Georg Koester)
• Same rules now get deleted (Anastasis Andronidis)
• Socket params test (Ken Barber)
• Ensure parameter can disable firewall (Marc Tardif)

---

0.2.1 - 2012/3/13

This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.

Changes

• (GH-139) Throw away STDERR from dpkg-query in Fact
• Update README to be consistent with module documentation template
• Fix failing spec tests due to dpkg change in iptables_persistent_version

---

0.2.0 - 2012/3/3

This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persistent the running rules to the OS persistence file.

Previously you would have required the following in your site.pp (or some other global location):

# Always persist firewall rules
exec { 'persist-firewall':
  command     => $operatingsystem ? {
    'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
    /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
  },
  refreshonly => true,
}
Firewall {
  notify  => Exec['persist-firewall'],
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
Firewallchain {
  notify  => Exec['persist-firewall'],
}
resources { "firewall":
  purge => true
}

You only need:

class { 'firewall': }
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

To install pre-requisites and to create dependencies on your pre & post rules. Consult the README for more information.

Changes

• Firewall class manifests (Dan Carley)
• Firewall and firewallchain persistence (Dan Carley)
• (GH-134) Autorequire iptables related packages (Dan Carley)
• Typo in #persist_iptables OS normalisation (Dan Carley)
• Tests for #persist_iptables (Dan Carley)
• (GH-129) Replace errant return in autoreq block (Dan Carley)

---

0.1.1 - 2012/2/28

This release primarily fixes changing parameters in 3.x

Changes

• (GH-128) Change method_missing usage to define_method for 3.x compatibility
• Update travis.yml gem specifications to actually test 2.6
• Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility

---

0.1.0 - 2012/2/24

This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).

Changes

• Add support for MARK target and set-mark property (Johan Huysmans)
• Fix broken call to super for ruby-1.9.2 in munge (Ken Barber)
• simple fix of the error message for allowed values of the jump property (Daniel Black)
• Adding OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer)
• Display multi-value: port, sport, dport and state command seperated (Daniel Black)
• Require jump=>LOG for log params (Daniel Black)
• Reject and document icmp => "any" (Dan Carley)
• add firewallchain type and iptables_chain provider (Daniel Black)
• Various fixes for firewallchain resource (Ken Barber)
• Modify firewallchain name to be chain:table:protocol (Ken Barber)
• Fix allvalidchain iteration (Ken Barber)
• Firewall autorequire Firewallchains (Dan Carley)
• Tests and docstring for chain autorequire (Dan Carley)
• Fix README so setup instructions actually work (Ken Barber)
• Support vlan interfaces (interface containing ".") (Johan Huysmans)
• Add tests for VLAN support for iniface/outiface (Ken Barber)
• Add the table when deleting rules (Johan Huysmans)
• Fix tests since we are now prefixing -t)
• Changed 'jump' to 'action', commands to lower case (Jason Short)
• Support interface names containing "+" (Simon Deziel)
• Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar)
• Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu)
• Document Util::Firewall.host_to_ip (Dan Carley)
• Nullify addresses with zero prefixlen (Dan Carley)
• Add support for --tcp-flags (Thomas Vander Stichele)
• Make tcp_flags support a feature (Ken Barber)
• OUTPUT is a valid chain for the mangle table (Adam Gibbins)
• Enable travis-ci support (Ken Barber)
• Convert an existing test to CIDR (Dan Carley)
• Normalise iptables-save to CIDR (Dan Carley)
• be clearer about what distributions we support (Ken Barber)
• add gre protocol to list of acceptable protocols (Jason Hancock)
• Added pkttype property (Ashley Penney)
• Fix mark to not repeat rules with iptables 1.4.1+ (Sharif Nassar)
• Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber)
• Stub iptables facts for set_mark tests (Dan Carley)
• Update formatting of README to meet Puppet Labs best practices (Will Hopper)
• Support for ICMP6 type code resolutions (Dan Carley)
• Insert order hash included chains from different tables (Ken Barber)
• rspec 2.11 compatibility (Jonathan Boyett)
• Add missing class declaration in README (sfozz)
• array_matching is contraindicated (Sharif Nassar)
• Convert port Fixnum into strings (Sharif Nassar)
• Update test framework to the modern age (Ken Barber)
• working with ip6tables support (wuwx)
• Remove gemfile.lock and add to gitignore (William Van Hevelingen)
• Update travis and gemfile to be like stdlib travis files (William Van Hevelingen)
• Add support for -m socket option (Ken Barber)
• Add support for single --sport and --dport parsing (Ken Barber)
• Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley)
• Mock Resolv.getaddress in #host_to_ip (Dan Carley)
• Update docs for source and dest - they are not arrays (Ken Barber)

---

0.0.4 - 2011/12/05

This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group got a match:

firewall { '497 match uid':
  port => '123',
  proto => 'mangle',
  chain => 'OUTPUT',
  action => 'drop'
  uid => '123'
}

This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' now support hostnames:

firewall { '498 accept from puppetlabs.com':
  port => '123',
  proto => 'tcp',
  source => 'puppetlabs.com',
  action => 'accept'
}

The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':

firewall { '499 logging':
  port => '123',
  proto => 'udp',
  log_level => 'debug',
  action => 'drop'
}

Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.

Changes

• (#10957) add iptables_version and ip6tables_version facts
• (#11093) Improve log_level property so it converts names to numbers
• (#10723) Munge hostnames and IPs to IPs with CIDR
• (#10718) Add owner-match support
• (#10997) Add fixtures for ipencap
• (#11034) Whitespace cleanup
• (#10690) add port property support to ip6tables

---

0.0.3 - 2011/11/12

This release introduces a new parameter 'port' which allows you to set both source and destination ports for a match:

firewall { "500 allow NTP requests":
  port => "123",
  proto => "udp",
  action => "accept",
}

We also have the limit parameter finally working:

firewall { "500 limit HTTP requests":
  dport => 80,
  proto => tcp,
  limit => "60/sec",
  burst => 30,
  action => accept,
}

State ordering has been fixed now, and more characters are allowed in the namevar:

• Alphabetical
• Numbers
• Punctuation
• Whitespace

Changes

• (#10693) Ensure -m limit is added for iptables when using 'limit' param
• (#10690) Create new port property
• (#10700) allow additional characters in comment string
• (#9082) Sort iptables --state option values internally to keep it consistent across runs
• (#10324) Remove extraneous whitespace from iptables rule line in spec tests

---

0.0.2 - 2011/10/26

This is largely a maintanence and cleanup release, but includes the ability to specify ranges of ports in the sport/dport parameter:

firewall { "500 allow port range":
  dport => ["3000-3030","5000-5050"],
  sport => ["1024-65535"],
  action => "accept",
}

Changes

• (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppet server
• (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
• (#10263) Fix tests on Puppet 2.6.x
• (#10163) Cleanup some of the inline documentation and README file to align with general forge usage

---

0.0.1 - 2011/10/18

Initial release.

Changes

• (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter
• (#10088) Provide a customised version of CONTRIBUTING.md
• (#10026) Re-arrange provider and type spec files to align with Puppet
• (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default
• (#9439) fix parsing and deleting existing rules
• (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider
• (#9576) Stub provider so it works properly outside of Linux
• (#9576) Align spec framework with Puppet core
• and lots of other earlier development tasks ...

* This Changelog was automatically generated by github_changelog_generator