modules/firewall/CHANGELOG.md @ 39:d6f2a0ee45c0 puppet-3.6

Commit: Add "Firewall" module

| | |
|---|---|
| author | IBBoard <dev@ibboard.co.uk> |
| date | Sat, 14 Mar 2015 20:58:03 +0000 |
| parents | |
| children | d9352a684e62 |
| comparison | 38:a1960fb961c5 vs 39:d6f2a0ee45c0 |
## 2015-05-19 - Supported Release 1.6.0
### Summary

This release includes support for TEE, MSS, the time ipt module, Debian 8 support, and a number of test fixes and other improvements.

#### Features
- Add TEE support
- Add MSS support (including clamp-mss-to-pmtu support)
- Add support for the time ipt module (-m time)
- Add support for Debian 8
- Add support for ICMPv6 types 'neighbour-{solicitation,advertisement}'
- Add support for ICMPv6 type 'too-big'
- Add support for new 'match_mark' property
- Added 'ipv4' and 'ipv6' options to 'proto' property

#### Bugfixes
- Fix for systemd-based OSes where systemd needs to be restarted before it can pick up new services (MODULES-1984)
- Arch Linux package management fix

## 2015-03-31 - Supported Release 1.5.0
### Summary

This release includes physdev_is_bridged support, checksum_fill support, basic Gentoo compatibility, and a number of test fixes and improvements.

#### Features
- Add `physdev_is_bridged` support
- Add `checksum_fill` support
- Add basic Gentoo compatibility (unsupported)

#### Bugfixes
- Implementation for resource map munging to allow a single ipt module to be used multiple times in a single rule on older versions of iptables (MODULES-1808)
- Test fixes

## 2015-01-27 - Supported Release 1.4.0
### Summary

This release includes physdev support, the ability to look up usernames from uuid, and a number of bugfixes.

#### Features
- Add `netmap` feature
- Add `physdev` support
- Add ability to look up username from uuid (MODULES-753, MODULES-1688)

#### Bugfixes
- Sync iptables/ip6tables providers (MODULES-1612)
- Fix package names for Amazon and Ubuntu 14.10 (MODULES-1029)
- Fix overly aggressive gsub when `ensure => absent` (MODULES-1453)
- Unable to parse `-m (tcp|udp)` rules (MODULES-1552)
- Fix ip6tables provider when `iptables-ipv6` package isn't installed for EL6 (MODULES-633)
- Test fixes

## 2014-12-16 - Supported Release 1.3.0
### Summary

This release includes a number of bugfixes and features, including fixing `tcp_flags` support, and adds support for interface aliases, negation for iniface and outiface, and extra configurability for package and service names.

#### Features
- Add support for interface aliases (eth0:0) (MODULES-1469)
- Add negation for iniface, outiface (MODULES-1470)
- Make package and service names configurable (MODULES-1309)

#### Bugfixes
- Fix test regexes for EL5 (MODULES-1565)
- Fix `tcp_flags` support for ip6tables (MODULES-556)
- Don't arbitrarily limit `set_mark` for certain chains

## 2014-11-04 - Supported Release 1.2.0
### Summary

This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules.

#### Features
- Documentation updates!
- Test updates!
- Add ipset support
- Enable rule inversion
- Future parser support
- Improved support for EL7
- Support netfilter-persistent
- Add support for statistics module
- Add support for mac address source rules
- Add cbt protocol

#### Bugfixes
- Incorrect use of `source => :iptables` in the ip6tables provider was making it impossible to purge ip6tables rules (MODULES-41)
- Don't require `toports` when `jump => 'REDIRECT'` (MODULES-1086)
- Don't limit which chains iniface and outiface parameters can be used in
- Don't fail on rules added with ipsec/strongswan (MODULES-796)

## 2014-07-08 - Supported Release 1.1.3
### Summary
This is a supported release with test coverage enhancements.

#### Bugfixes
- Confine to supported kernels

## 2014-06-04 - Release 1.1.2
### Summary

This is a release of the code previously released as 1.1.1, with updated metadata.

## 2014-05-16 Release 1.1.1
### Summary

This release reverts the alphabetical ordering of 1.1.0. We found this caused
a regression in the OpenStack modules, so in the interest of safety we have
removed it for now.

## 2014-05-13 Release 1.1.0
### Summary

This release has a significant change from previous releases: we now apply the
firewall resources alphabetically by default, removing the need to create pre
and post classes just to enforce ordering. It only affects default ordering;
further information can be found in the README. Please test
this in development before rolling into production, out of an abundance of
caution.

We've also added `mask`, which is required for --recent in recent (no pun
intended) versions of iptables, as well as connlimit and connmark. This
release has been validated against Ubuntu 14.04 and RHEL7 and should be fully
working on those platforms.

#### Features

- Apply firewall resources alphabetically.
- Add support for connlimit and connmark.
- Add `mask` as a parameter (used exclusively with the `recent` parameter).

#### Bugfixes

- Add systemd support for RHEL7.
- Replace `&&`s with the correct `and` in manifests.
- Fix tests on Trusty and RHEL7.
- Fix for Fedora Rawhide.
- Fix boolean flag tests.
- Fix DNAT->SNAT typo in an error message.

#### Known Bugs

* For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README.

## 2014-03-04 Supported Release 1.0.2
### Summary

This is a supported release. This release removes a testing symlink that can
cause trouble on systems where /var is on a separate filesystem from the
modulepath.

#### Features
#### Bugfixes
#### Known Bugs

* For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README.

### Supported release - 2014-03-04 1.0.1

#### Summary

An important bugfix was made to the offset calculation for unmanaged rules
to handle rules with 9000+ in the name.

#### Features

#### Bugfixes
- Offset calculations assumed unmanaged rules were numbered 9000+.
- Gracefully fail to manage ip6tables on iptables 1.3.x

#### Known Bugs

* For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README.

---
### 1.0.0 - 2014-02-11

No changes, just renumbering to 1.0.0.

---
### 0.5.0 - 2014-02-10

##### Summary:
This is a bigger release that brings in "recent" connection limiting (think
"port knocking"), firewall chain purging on a per-chain/per-table basis, and
support for a few other use cases. This release also fixes a major bug which
could cause modifications to the wrong rules when unmanaged rules are present.

##### New Features:
* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
  `rname`, `rseconds`, `rsource`, and `rttl`
* Add negation support for source and destination
* Add per-chain/table purging support to `firewallchain`
* IPv4 specific
  * Add random port forwarding support
  * Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
* IPv6 specific
  * Add support for hop limiting via `hop_limit` parameter
  * Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
  * Add support for conntrack stateful firewall matching via `ctstate`
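As an added example that is not part of the changelog or of the module's own code, the manifest below puts the 0.5.0 features listed above (`recent` and its `r*` parameters, per-chain purging on `firewallchain`, and `ctstate` for ip6tables) together with the `mask` and connlimit parameters described in the 1.1.0 entry to throttle SSH brute-forcing on a host. The rule names, the thresholds, and the use of a dotted netmask for `mask` are assumptions for illustration; check the README of the module version you run.

```puppet
# Added example (not from the changelog or the module). Assumes a module
# version with the 0.5.0 recent/ctstate/purge features and the 1.1.0
# mask/connlimit parameters. Rule names and thresholds are constructed.

# Per-chain purging: every rule in the IPv4 filter INPUT chain that is not in
# the catalog is removed on each run, so hand-added rules do not survive.
# Manage all rules for the chain in Puppet, or leave purge off.
firewallchain { 'INPUT:filter:IPv4':
  ensure => present,
  purge  => true,
}

# Keep established traffic flowing before any limiting rule is evaluated.
firewall { '000 accept related established':
  chain  => 'INPUT',
  proto  => 'all',
  state  => ['RELATED', 'ESTABLISHED'],
  action => 'accept',
}

# recent --set: record the source address of every NEW SSH connection in the
# 'SSH' list. 'mask' narrows what is recorded; a dotted netmask is assumed here.
firewall { '100 ssh record source':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => '22',
  state   => ['NEW'],
  recent  => 'set',
  rname   => 'SSH',
  rsource => true,
  mask    => '255.255.255.255',
}

# recent --update --seconds 60 --hitcount 4: a source that opened four or more
# NEW SSH connections in the last 60 seconds is dropped and its timestamp is
# refreshed, so the block extends for as long as it keeps trying.
firewall { '101 ssh drop brute force':
  chain     => 'INPUT',
  proto     => 'tcp',
  dport     => '22',
  state     => ['NEW'],
  recent    => 'update',
  rname     => 'SSH',
  rseconds  => '60',
  rhitcount => '4',
  rsource   => true,
  mask      => '255.255.255.255',
  action    => 'drop',
}

# connlimit (1.1.0+): cap concurrent SSH connections per source /32 at 10.
firewall { '102 ssh connlimit':
  chain           => 'INPUT',
  proto           => 'tcp',
  dport           => '22',
  connlimit_above => '10',
  connlimit_mask  => '32',
  action          => 'reject',
}

# Whatever survives the checks above is allowed in.
firewall { '103 ssh accept':
  chain  => 'INPUT',
  proto  => 'tcp',
  dport  => '22',
  state  => ['NEW'],
  action => 'accept',
}

# IPv6 counterpart of the established rule, using the conntrack 'ctstate'
# match that 0.5.0 added for the ip6tables provider.
firewall { '000 accept related established ipv6':
  provider => 'ip6tables',
  chain    => 'INPUT',
  proto    => 'all',
  ctstate  => ['RELATED', 'ESTABLISHED'],
  action   => 'accept',
}
```

The numeric prefix of each rule name is what fixes the rule's position within the chain, so the `set` rule must carry a lower number than the `update` rule or the hit counter is checked before the current source has been recorded. The 1.0.1 entry above is a reminder that those prefixes also drive the offset calculation the provider uses when unmanaged rules are present in a chain that is not purged.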

##### Bugfixes:
- Boolean fixups allowing false values
- Better detection of unmanaged rules
- Fix multiport rule detection
- Fix sport/dport rule detection
- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
- Allow INPUT with the nat table
- Fix `src_range` & `dst_range` order detection
- Documentation clarifications
- Fixes to spec tests

---------------------------------------

### 0.4.2 - 2013-09-10

Another attempt to fix the packaging issue. We think we understand exactly
what is failing and this should work properly for the first time.

---------------------------------------

### 0.4.1 - 2013-08-09

Bugfix release to fix a packaging issue that may have caused `puppet module
install` commands to fail.

---------------------------------------

### 0.4.0 - 2013-07-11

This release adds support for address type and src/dest IP ranges, and adds
additional testing and bugfixes.

#### Features
* Add `src_type` and `dst_type` attributes (Nick Stenning)
* Add `src_range` and `dst_range` attributes (Lei Zhang)
* Add SL and SLC operatingsystems as supported (Steve Traylen)

#### Bugfixes
* Fix parser for bursts other than 5 (Chris Rutter)
* Fix parser for -f in --comment (Georg Koester)
* Add doc headers to class files (Dan Carley)
* Fix lint warnings/errors (Wolf Noble)

---------------------------------------

### 0.3.1 - 2013/6/10

This minor release provides some bugfixes and additional tests.

#### Changes

* Update tests for rspec-system-puppet 2 (Ken Barber)
* Update rspec-system tests for rspec-system-puppet 1.5 (Ken Barber)
* Ensure all services have 'hasstatus => true' for Puppet 2.6 (Ken Barber)
* Accept pre-existing rule with invalid name (Joe Julian)
* Swap log_prefix and log_level order to match the way it's saved (Ken Barber)
* Fix log test to replicate bug #182 (Ken Barber)
* Split arguments while maintaining quoted strings (Joe Julian)
* Add more log param tests (Ken Barber)
* Add extra tests for logging parameters (Ken Barber)
* Clarify OS support (Ken Barber)

---------------------------------------

### 0.3.0 - 2013/4/25

This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions.

##### Changes

* Fix error reporting for insane hostnames (Tomas Doran)
* Support systemd on Fedora 15 and up (Eduardo Gutierrez)
* Move examples to docs (Ken Barber)
* Add support for Arch Linux platform (Ingmar Steen)
* Add match rule for fragments (Georg Koester)
* Fix boolean rules being recognized as changed (Georg Koester)
* Same rules now get deleted (Anastasis Andronidis)
* Socket params test (Ken Barber)
* Ensure parameter can disable firewall (Marc Tardif)

---------------------------------------

### 0.2.1 - 2012/3/13

This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.

##### Changes

* (GH-139) Throw away STDERR from dpkg-query in Fact
* Update README to be consistent with module documentation template
* Fix failing spec tests due to dpkg change in iptables_persistent_version

---------------------------------------

### 0.2.0 - 2012/3/3

This release introduces automatic persistence, removing the need for the previous manual dependency for persisting the running rules to the OS persistence file.

Previously you would have required the following in your site.pp (or some other global location):

    # Always persist firewall rules
    exec { 'persist-firewall':
      command => $operatingsystem ? {
        'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
        /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
      },
      refreshonly => true,
    }
    Firewall {
      notify  => Exec['persist-firewall'],
      before  => Class['my_fw::post'],
      require => Class['my_fw::pre'],
    }
    Firewallchain {
      notify => Exec['persist-firewall'],
    }
    resources { "firewall":
      purge => true
    }

You only need:

    class { 'firewall': }
    Firewall {
      before  => Class['my_fw::post'],
      require => Class['my_fw::pre'],
    }

to install prerequisites and to create dependencies on your pre & post rules. Consult the README for more information.
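The `my_fw::pre` and `my_fw::post` classes that the snippet above references are not shown on this page. As an added example that is not the module's own code, here is how they are typically defined so that every `firewall` resource in the catalog lands between a fixed set of opening rules and a final drop, with the 0.2.0 wiring from the snippet above included. The rule names, the SSH port, and the choice of opening rules are assumptions for illustration.

```puppet
# Added example (not from the changelog or the module): pre/post classes for
# the 0.2.0+ pattern above. Rule names and ports are constructed.

class my_fw::pre {
  # The global default 'require => Class["my_fw::pre"]' would otherwise apply
  # to the rules in this class too and create a dependency cycle, so undo it.
  Firewall {
    require => undef,
  }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '003 drop invalid packets':
    proto  => 'all',
    state  => ['INVALID'],
    action => 'drop',
  }
  # Keep a management path open before anything else is evaluated.
  firewall { '010 accept ssh':
    proto  => 'tcp',
    dport  => '22',
    state  => ['NEW'],
    action => 'accept',
  }
}

class my_fw::post {
  # Final catch-all: anything not accepted by a numbered rule above is dropped.
  # 'before => undef' undoes the global default that points at this class.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Site-wide wiring (0.2.0+): the firewall class installs the packages and
# persists the rules; the resource defaults order every other firewall
# resource between pre and post; purging removes rules not in the catalog.
class { 'firewall': }

Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

resources { 'firewall':
  purge => true,
}

class { 'my_fw::pre': }
class { 'my_fw::post': }
```

With `purge => true` any rule not declared in the catalog is removed on the next run, so a rule someone adds by hand on the host is reverted rather than silently kept; the `INVALID` drop and the `RELATED,ESTABLISHED` accept belong in `pre` so they are evaluated before any application-specific rule.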

##### Changes

* Firewall class manifests (Dan Carley)
* Firewall and firewallchain persistence (Dan Carley)
* (GH-134) Autorequire iptables related packages (Dan Carley)
* Typo in #persist_iptables OS normalisation (Dan Carley)
* Tests for #persist_iptables (Dan Carley)
* (GH-129) Replace errant return in autoreq block (Dan Carley)

---------------------------------------

### 0.1.1 - 2012/2/28

This release primarily fixes changing parameters in 3.x.

##### Changes

* (GH-128) Change method_missing usage to define_method for 3.x compatibility
* Update travis.yml gem specifications to actually test 2.6
* Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility

---------------------------------------

### 0.1.0 - 2012/2/24

This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).

##### Changes

* Add support for MARK target and set-mark property (Johan Huysmans)
* Fix broken call to super for ruby-1.9.2 in munge (Ken Barber)
* Simple fix of the error message for allowed values of the jump property (Daniel Black)
* Add OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer)
* Display multi-value: port, sport, dport and state comma-separated (Daniel Black)
* Require jump=>LOG for log params (Daniel Black)
* Reject and document icmp => "any" (Dan Carley)
* Add firewallchain type and iptables_chain provider (Daniel Black)
* Various fixes for firewallchain resource (Ken Barber)
* Modify firewallchain name to be chain:table:protocol (Ken Barber)
* Fix allvalidchain iteration (Ken Barber)
* Firewall autorequire Firewallchains (Dan Carley)
* Tests and docstring for chain autorequire (Dan Carley)
* Fix README so setup instructions actually work (Ken Barber)
* Support vlan interfaces (interface containing ".") (Johan Huysmans)
* Add tests for VLAN support for iniface/outiface (Ken Barber)
* Add the table when deleting rules (Johan Huysmans)
* Fix tests since we are now prefixing -t
* Changed 'jump' to 'action', commands to lower case (Jason Short)
* Support interface names containing "+" (Simon Deziel)
* Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar)
* Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu)
* Document Util::Firewall.host_to_ip (Dan Carley)
* Nullify addresses with zero prefixlen (Dan Carley)
* Add support for --tcp-flags (Thomas Vander Stichele)
* Make tcp_flags support a feature (Ken Barber)
* OUTPUT is a valid chain for the mangle table (Adam Gibbins)
* Enable travis-ci support (Ken Barber)
* Convert an existing test to CIDR (Dan Carley)
* Normalise iptables-save to CIDR (Dan Carley)
* Be clearer about what distributions we support (Ken Barber)
* Add gre protocol to list of acceptable protocols (Jason Hancock)
* Added pkttype property (Ashley Penney)
* Fix mark to not repeat rules with iptables 1.4.1+ (Sharif Nassar)
* Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber)
* Stub iptables facts for set_mark tests (Dan Carley)
* Update formatting of README to meet Puppet Labs best practices (Will Hopper)
* Support for ICMP6 type code resolutions (Dan Carley)
* Insert order hash included chains from different tables (Ken Barber)
* rspec 2.11 compatibility (Jonathan Boyett)
* Add missing class declaration in README (sfozz)
* array_matching is contraindicated (Sharif Nassar)
* Convert port Fixnum into strings (Sharif Nassar)
* Update test framework to the modern age (Ken Barber)
* Working with ip6tables support (wuwx)
* Remove gemfile.lock and add to gitignore (William Van Hevelingen)
* Update travis and gemfile to be like stdlib travis files (William Van Hevelingen)
* Add support for -m socket option (Ken Barber)
* Add support for single --sport and --dport parsing (Ken Barber)
* Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley)
* Mock Resolv.getaddress in #host_to_ip (Dan Carley)
* Update docs for source and dest - they are not arrays (Ken Barber)

---------------------------------------

### 0.0.4 - 2011/12/05

This release adds two new parameters, 'uid' and 'gid'. As part of the owner module, these params allow you to specify a uid, username, gid, or group for a match:

    # owner matching applies to locally generated packets, hence the OUTPUT chain;
    # 'mangle' is a table name, so it goes in 'table' rather than 'proto'
    firewall { '497 match uid':
      port   => '123',
      table  => 'mangle',
      chain  => 'OUTPUT',
      action => 'drop',
      uid    => '123',
    }

This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' parameters now support hostnames:

    firewall { '498 accept from puppetlabs.com':
      port   => '123',
      proto  => 'tcp',
      source => 'puppetlabs.com',
      action => 'accept',
    }

The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':

    firewall { '499 logging':
      port      => '123',
      proto     => 'udp',
      log_level => 'debug',
      action    => 'drop',
    }

Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.
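As an added example that is not from the changelog, the owner match, hostname munging and log-level names described in this release can be combined into an egress policy for a single service account: the `backup` user may open SSH to one host, and any other outbound traffic it generates is logged at a limited rate and then dropped. The user and group names, the destination host, the rule names, and the use of `log_prefix`, `limit` and `burst` (parameters that appear in other entries on this page) are assumptions for illustration.

```puppet
# Added example (not from the changelog or the module): egress control for a
# service account using the owner match (uid/gid), with rate-limited logging
# of what is refused. User, group, destination and rule names are constructed.

# Only the 'backup' user may open SSH to the backup host. A hostname is
# accepted and munged to an address (0.0.4+); prefer an IP if the name
# resolves to several addresses, because a single rule is generated.
firewall { '200 backup user to backup host':
  chain       => 'OUTPUT',
  proto       => 'tcp',
  dport       => '22',
  destination => 'backup.example.com',
  uid         => 'backup',
  action      => 'accept',
}

# Anything else the 'backup' user sends is logged, at most 10 lines per minute
# with a burst of 5, at a log level given by name rather than by number.
# Log parameters require jump => 'LOG' (see the 0.1.0 entry above).
firewall { '201 log backup user egress':
  chain      => 'OUTPUT',
  proto      => 'all',
  uid        => 'backup',
  jump       => 'LOG',
  log_prefix => 'backup-egress-denied: ',
  log_level  => 'warn',
  limit      => '10/min',
  burst      => '5',
}

# ... and then dropped. Return traffic for the accepted SSH session still needs
# a RELATED,ESTABLISHED accept in OUTPUT if that chain's policy is not ACCEPT.
firewall { '202 drop backup user egress':
  chain  => 'OUTPUT',
  proto  => 'all',
  uid    => 'backup',
  action => 'drop',
}

# Members of the 'deploy' group get the same treatment by gid (group-name form).
firewall { '210 drop deploy group egress':
  chain  => 'OUTPUT',
  proto  => 'all',
  gid    => 'deploy',
  action => 'drop',
}
```

The LOG rule sits at 201, between the accept and the drop, so only refused traffic is logged; the `limit`/`burst` pair keeps a misbehaving process from filling the log, which is the same mechanism the 0.0.3 entry below describes for rate-limiting HTTP requests.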

##### Changes

* (#10957) Add iptables_version and ip6tables_version facts
* (#11093) Improve log_level property so it converts names to numbers
* (#10723) Munge hostnames and IPs to IPs with CIDR
* (#10718) Add owner-match support
* (#10997) Add fixtures for ipencap
* (#11034) Whitespace cleanup
* (#10690) Add port property support to ip6tables

---------------------------------------

### 0.0.3 - 2011/11/12

This release introduces a new parameter 'port' which allows you to set both
source and destination ports for a match:

    firewall { "500 allow NTP requests":
      port   => "123",
      proto  => "udp",
      action => "accept",
    }

We also have the limit parameter finally working:

    firewall { "500 limit HTTP requests":
      dport  => 80,
      proto  => tcp,
      limit  => "60/sec",
      burst  => 30,
      action => accept,
    }

State ordering has been fixed now, and more characters are allowed in the
namevar:

* Alphabetical
* Numbers
* Punctuation
* Whitespace

##### Changes

* (#10693) Ensure -m limit is added for iptables when using 'limit' param
* (#10690) Create new port property
* (#10700) Allow additional characters in comment string
* (#9082) Sort iptables --state option values internally to keep it consistent across runs
* (#10324) Remove extraneous whitespace from iptables rule line in spec tests

---------------------------------------

### 0.0.2 - 2011/10/26

This is largely a maintenance and cleanup release, but includes the ability to
specify ranges of ports in the sport/dport parameter:

    firewall { "500 allow port range":
      dport  => ["3000-3030", "5000-5050"],
      sport  => ["1024-65535"],
      action => "accept",
    }

##### Changes

* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
* (#10002) Change dport and sport to handle ranges, and fix handling of name to port
* (#10263) Fix tests on Puppet 2.6.x
* (#10163) Clean up some of the inline documentation and README file to align with general forge usage

---------------------------------------

### 0.0.1 - 2011/10/18

Initial release.

##### Changes

* (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter
* (#10088) Provide a customised version of CONTRIBUTING.md
* (#10026) Re-arrange provider and type spec files to align with Puppet
* (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default
* (#9439) Fix parsing and deleting existing rules
* (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider
* (#9576) Stub provider so it works properly outside of Linux
* (#9576) Align spec framework with Puppet core
* And lots of other earlier development tasks ...