Mercurial > repos > other > Puppet
changeset 348:11d940c9014e
Update Firewall module to try and fix quoting string issue
It doesn't, but being up-to-date is good
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Wed, 23 Sep 2020 20:43:20 +0100 |
parents | 73d7b3ec6263 |
children | 3717200274ce |
files | modules/firewall/.github/workflows/release.yml modules/firewall/.github/workflows/weekly.yml modules/firewall/.sync.yml modules/firewall/CHANGELOG.md modules/firewall/MAINTAINERS.md modules/firewall/README.markdown modules/firewall/README.md modules/firewall/REFERENCE.md modules/firewall/distelli-manifest.yml modules/firewall/lib/puppet/provider/firewall/ip6tables.rb modules/firewall/lib/puppet/provider/firewall/iptables.rb modules/firewall/lib/puppet/type/firewall.rb modules/firewall/lib/puppet/util/firewall.rb modules/firewall/metadata.json modules/firewall/provision.yaml modules/my_fw/manifests/pre.pp |
diffstat | 16 files changed, 1707 insertions(+), 1307 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/firewall/.github/workflows/release.yml Wed Sep 23 20:43:20 2020 +0100 @@ -0,0 +1,65 @@ +name: "release" + +on: + push: + branches: + - 'release' + +jobs: + LitmusAcceptancePuppet5: + env: + HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6 + HONEYCOMB_DATASET: litmus tests + runs-on: self-hosted + strategy: + matrix: + ruby_version: [2.5.x] + puppet_gem_version: [~> 6.0] + platform: [release_checks_5] + agent_family: ['puppet5'] + + steps: + - uses: actions/checkout@v1 + - name: Litmus Parallel + uses: puppetlabs/action-litmus_parallel@master + with: + platform: ${{ matrix.platform }} + agent_family: ${{ matrix.agent_family }} + LitmusAcceptancePuppet6: + env: + HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6 + HONEYCOMB_DATASET: litmus tests + runs-on: self-hosted + strategy: + matrix: + ruby_version: [2.5.x] + puppet_gem_version: [~> 6.0] + platform: [release_checks_6] + agent_family: ['puppet6'] + + steps: + - uses: actions/checkout@v1 + - name: Litmus Parallel + uses: puppetlabs/action-litmus_parallel@master + with: + platform: ${{ matrix.platform }} + agent_family: ${{ matrix.agent_family }} + Spec: + runs-on: self-hosted + strategy: + matrix: + check: [parallel_spec, 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop'] + ruby_version: [2.5.x] + puppet_gem_version: [~> 5.0, ~> 6.0] + exclude: + - puppet_gem_version: ~> 5.0 + check: 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop' + - ruby_version: 2.5.x + puppet_gem_version: ~> 5.0 + steps: + - uses: actions/checkout@v1 + - name: Spec Tests + uses: puppetlabs/action-litmus_spec@master + with: + puppet_gem_version: ${{ matrix.puppet_gem_version }} + check: ${{ matrix.check }}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/modules/firewall/.github/workflows/weekly.yml Wed Sep 23 20:43:20 2020 +0100 @@ -0,0 +1,64 @@ +name: "weekly" + +on: + schedule: + - cron: '0 1 * * 4' + +jobs: + LitmusAcceptancePuppet5: + env: + HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6 + HONEYCOMB_DATASET: litmus tests + runs-on: self-hosted + strategy: + matrix: + ruby_version: [2.5.x] + puppet_gem_version: [~> 6.0] + platform: [release_checks_5] + agent_family: ['puppet5'] + + steps: + - uses: actions/checkout@v1 + - name: Litmus Parallel + uses: puppetlabs/action-litmus_parallel@master + with: + platform: ${{ matrix.platform }} + agent_family: ${{ matrix.agent_family }} + LitmusAcceptancePuppet6: + env: + HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6 + HONEYCOMB_DATASET: litmus tests + runs-on: self-hosted + strategy: + matrix: + ruby_version: [2.5.x] + puppet_gem_version: [~> 6.0] + platform: [release_checks_6] + agent_family: ['puppet6'] + + steps: + - uses: actions/checkout@v1 + - name: Litmus Parallel + uses: puppetlabs/action-litmus_parallel@master + with: + platform: ${{ matrix.platform }} + agent_family: ${{ matrix.agent_family }} + Spec: + runs-on: self-hosted + strategy: + matrix: + check: [parallel_spec, 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop'] + ruby_version: [2.5.x] + puppet_gem_version: [~> 5.0, ~> 6.0] + exclude: + - puppet_gem_version: ~> 5.0 + check: 'syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop' + - ruby_version: 2.5.x + puppet_gem_version: ~> 5.0 + steps: + - uses: actions/checkout@v1 + - name: Spec Tests + uses: puppetlabs/action-litmus_spec@master + with: + puppet_gem_version: ${{ matrix.puppet_gem_version }} + check: ${{ matrix.check }}
--- a/modules/firewall/.sync.yml Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/.sync.yml Wed Sep 23 20:43:20 2020 +0100 @@ -2,53 +2,33 @@ ".gitlab-ci.yml": delete: true ".travis.yml": + global_env: + - HONEYCOMB_WRITEKEY="7f3c63a70eecc61d635917de46bea4e6",HONEYCOMB_DATASET="litmus tests" deploy_to_forge: enabled: false branches: - release - includes: - - bundler_args: - dist: trusty - env: PLATFORM=deb_puppet6 - rvm: 2.5.3 - before_script: - - bundle exec rake 'litmus:provision_list[waffle_el]' - - bundle exec rake 'litmus:install_agent[puppet6]' - - bundle exec rake litmus:install_module - script: - - bundle exec rake litmus:acceptance:parallel - services: docker - sudo: required - stage: acceptance - - bundler_args: - dist: trusty - env: PLATFORMS=deb_puppet6 - rvm: 2.5.3 - before_script: - - bundle exec rake 'litmus:provision_list[waffle_deb]' - - bundle exec bolt command run 'apt-get install wget -y' --inventoryfile inventory.yaml --nodes='*' - - bundle exec rake 'litmus:install_agent[puppet6]' - - bundle exec rake litmus:install_module - script: - - bundle exec rake litmus:acceptance:parallel - services: docker - sudo: required - stage: acceptance - - bundler_args: - dist: trusty - env: PLATFORMS=deb_puppet5 - rvm: 2.5.3 - before_script: - - bundle exec rake 'litmus:provision_list[waffle_deb]' - - bundle exec bolt command run 'apt-get install wget -y' --inventoryfile inventory.yaml --nodes='*' - - bundle exec rake 'litmus:install_agent[puppet5]' - - bundle exec rake litmus:install_module - script: - - bundle exec rake litmus:acceptance:parallel - services: docker - sudo: required - stage: acceptance + use_litmus: true + litmus: + provision_list: + - ---travis_el + - travis_deb + - travis_el7 + complex: + - collection: + puppet_collection: + - puppet6 + provision_list: + - travis_ub_6 + - collection: + puppet_collection: + - puppet5 + provision_list: + - travis_ub_5 simplecov: true + notifications: + slack: + secure: Ohw1KtRtFAeTQNL/8slgJ7lZ8PYCiooE6i9NWR+fCGNcAzU1LGhacnXqgXD6JCX53zdv8mkkd31AsrGWmx+iFueZkSYdAz+pEXduyRI9Rm6cTotlaGAB7NK+KgjEky7gmRao3EuogYbX7qIpzNaZ4rGUrjWSSeSDCSgGCEwblXk= appveyor.yml: delete: true Gemfile:
--- a/modules/firewall/CHANGELOG.md Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/CHANGELOG.md Wed Sep 23 20:43:20 2020 +0100 @@ -2,6 +2,47 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). +## [v2.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.5.0) (2020-07-28) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.4.0...v2.5.0) + +### Added + +- Add acceptance and unit test [\#931](https://github.com/puppetlabs/puppetlabs-firewall/pull/931) ([adrianiurca](https://github.com/adrianiurca)) +- \[IAC-899\] - Add acceptance test for string\_hex parameter [\#930](https://github.com/puppetlabs/puppetlabs-firewall/pull/930) ([adrianiurca](https://github.com/adrianiurca)) +- Add support for NFLOG options to ip6tables [\#921](https://github.com/puppetlabs/puppetlabs-firewall/pull/921) ([frh](https://github.com/frh)) + +## [v2.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.4.0) (2020-05-13) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.3.0...v2.4.0) + +### Added + +- Add support for u32 module in iptables [\#917](https://github.com/puppetlabs/puppetlabs-firewall/pull/917) ([sanfrancrisko](https://github.com/sanfrancrisko)) +- Add support for cgroup arg [\#916](https://github.com/puppetlabs/puppetlabs-firewall/pull/916) ([akerl-unpriv](https://github.com/akerl-unpriv)) +- Extend LOG options [\#914](https://github.com/puppetlabs/puppetlabs-firewall/pull/914) ([martialblog](https://github.com/martialblog)) + +### Fixed + +- \(MODULES-8543\) Remove nftables' backend warning from iptables\_save outtput [\#911](https://github.com/puppetlabs/puppetlabs-firewall/pull/911) ([NITEMAN](https://github.com/NITEMAN)) + +## [v2.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.3.0) (2020-03-26) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.2.0...v2.3.0) + +### Added + +- Add iptables --hex-string support to firewall resource [\#907](https://github.com/puppetlabs/puppetlabs-firewall/pull/907) ([alexconrey](https://github.com/alexconrey)) +- Add random\_fully and rpfilter support [\#892](https://github.com/puppetlabs/puppetlabs-firewall/pull/892) ([treydock](https://github.com/treydock)) +- \(MODULES-7800\) Add the ability to specify iptables connection tracking helpers. [\#890](https://github.com/puppetlabs/puppetlabs-firewall/pull/890) ([jimmyt86](https://github.com/jimmyt86)) +- Support conntrack module [\#872](https://github.com/puppetlabs/puppetlabs-firewall/pull/872) ([haught](https://github.com/haught)) + +### Fixed + +- \(maint\) Use fact.flush only when available [\#906](https://github.com/puppetlabs/puppetlabs-firewall/pull/906) ([Filipovici-Andrei](https://github.com/Filipovici-Andrei)) +- \(MODULES-10358\) - Clarification added to Boolean validation checks [\#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan)) +- Merge and remove duplicate README file, lint code snippets [\#878](https://github.com/puppetlabs/puppetlabs-firewall/pull/878) ([runejuhl](https://github.com/runejuhl)) + ## [v2.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.2.0) (2019-12-09) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.1.0...v2.2.0)
--- a/modules/firewall/MAINTAINERS.md Mon Jul 20 11:19:52 2020 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,6 +0,0 @@ -## Maintenance - -Maintainers: - - Puppet Forge Modules Team `forge-modules |at| puppet |dot| com` - -Tickets: https://tickets.puppet.com/browse/MODULES. Make sure to set component to `firewall`.
--- a/modules/firewall/README.markdown Mon Jul 20 11:19:52 2020 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,485 +0,0 @@ -# firewall - -[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-firewall) - -#### Table of Contents - -1. [Overview - What is the firewall module?](#overview) -2. [Module description - What does the module do?](#module-description) -3. [Setup - The basics of getting started with firewall](#setup) - * [What firewall affects](#what-firewall-affects) - * [Setup requirements](#setup-requirements) - * [Beginning with firewall](#beginning-with-firewall) - * [Upgrading](#upgrading) -4. [Usage - Configuration and customization options](#usage) - * [Default rules - Setting up general configurations for all firewalls](#default-rules) - * [Application-specific rules - Options for configuring and managing firewalls across applications](#application-specific-rules) - * [Additional ses for the firewall module](#other-rules) -5. [Reference - An under-the-hood peek at what the module is doing](#reference) -6. [Limitations - OS compatibility, etc.](#limitations) -7. [Firewall_multi - Arrays for certain parameters](#firewall_multi) -8. [Development - Guide for contributing to the module](#development) - * [Tests - Testing your configuration](#tests) - -## Overview - -The firewall module lets you manage firewall rules with Puppet. - -## Module description - -PuppetLabs' firewall module introduces the `firewall` resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the `firewallchain` resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported. - -The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining `pre` and `post` rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs. - -## Setup - -### What firewall affects - -* Every node running a firewall -* Firewall settings in your system -* Connection settings for managed nodes -* Unmanaged resources (get purged) - - -### Setup requirements - -Firewall uses Ruby-based providers, so you must enable [pluginsync](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync). - -### Beginning with firewall - -In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them. - -If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet master. - -The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet master. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section. - -#### Create the `my_fw::pre` and `my_fw::post` Classes - -This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed. - -The code in this section does the following: - -* The 'require' parameter in `firewall {}` ensures `my_fw::pre` is run before any other rules. -* In the `my_fw::post` class declaration, the 'before' parameter ensures `my_fw::post` is run after any other rules. - -The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run. - -1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run. - - ~~~ puppet - class my_fw::pre { - Firewall { - require => undef, - } - - # Default firewall rules - firewall { '000 accept all icmp': - proto => 'icmp', - action => 'accept', - }-> - firewall { '001 accept all to lo interface': - proto => 'all', - iniface => 'lo', - action => 'accept', - }-> - firewall { '002 reject local traffic not on loopback interface': - iniface => '! lo', - proto => 'all', - destination => '127.0.0.1/8', - action => 'reject', - }-> - firewall { '003 accept related established rules': - proto => 'all', - state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - } - } - ~~~ - - The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed. - -2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last. - - ~~~ puppet - class my_fw::post { - firewall { '999 drop all': - proto => 'all', - action => 'drop', - before => undef, - } - } - ~~~ - -Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy: - - ~~~ puppet - firewallchain { 'INPUT:filter:IPv4': - ensure => present, - policy => drop, - before => undef, - } - ~~~ - -#### Create firewall rules - -The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box. - -Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables. - -1. In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine. - - ~~~ puppet - resources { 'firewall': - purge => true, - } - ~~~ - - To purge unmanaged firewall chains, add: - - ~~~ puppet - resources { 'firewallchain': - purge => true, - } - ~~~ - - **Note** - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs for the firewall chain to be purged. This is different than the `purge` parameter available in `firewallchain`. - -2. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run. - - ~~~ puppet - Firewall { - before => Class['my_fw::post'], - require => Class['my_fw::pre'], - } - ~~~ - -3. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code: - - ~~~ puppet - class { ['my_fw::pre', 'my_fw::post']: } - ~~~ - -4. Include the `firewall` class to ensure the correct packages are installed: - - ~~~ puppet - class { 'firewall': } - ~~~ - -### Upgrading - -Use these steps if you already have a version of the firewall module installed. - -#### From version 0.2.0 and more recent - -Upgrade the module with the puppet module tool as normal: - - puppet module upgrade puppetlabs/firewall - -## Usage - -There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc. - -All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last. - -**Note:** The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range. - -### Default rules - -You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last. - -In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'. - -#### Examples of default rules - -Basic accept ICMP request example: - -~~~ puppet -firewall { '000 accept all icmp requests': - proto => 'icmp', - action => 'accept', -} -~~~ - -Drop all: - -~~~ puppet -firewall { '999 drop all other requests': - action => 'drop', -} -~~~ - -#### Example of an IPv6 rule - -IPv6 rules can be specified using the _ip6tables_ provider: - -~~~ puppet -firewall { '006 Allow inbound SSH (v6)': - dport => 22, - proto => tcp, - action => accept, - provider => 'ip6tables', -} -~~~ - -### Application-specific rules - -Puppet doesn't care where you define rules, and this means that you can place -your firewall resources as close to the applications and services that you -manage as you wish. If you use the [roles and profiles -pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it -makes sense to create your firewall rules in the profiles, so they -remain close to the services managed by the profile. - -This is an example of firewall rules in a profile: - -~~~ puppet -class profile::apache { - include apache - apache::vhost { 'mysite': ensure => present } - - firewall { '100 allow http and https access': - dport => [80, 443], - proto => tcp, - action => accept, - } -} -~~~ - -### Rule inversion - -Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value. - -Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state. - -Examples: - -~~~ puppet -firewall { '001 disallow esp protocol': - action => 'accept', - proto => '! esp', -} -firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset': - chain => 'INPUT', - state => 'NEW', - action => 'drop', - proto => 'tcp', - sport => ['! http', '! 443'], - source => '! 10.0.0.0/8', - tcp_flags => '! FIN,SYN,RST,ACK SYN', -} -~~~ - -### Additional uses for the firewall module - -You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows: - -~~~ puppet -node 'some.node.com' { - firewall { '111 open port 111': - dport => 111, - } -} -~~~ - -You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24: - -~~~ puppet -firewall { '100 snat for network foo2': - chain => 'POSTROUTING', - jump => 'MASQUERADE', - proto => 'all', - outiface => 'eth0', - source => '10.1.2.0/24', - table => 'nat', -} -~~~ - - -You can also change the TCP MSS value for VPN client traffic: - -~~~ puppet -firewall { '110 TCPMSS for VPN clients': - chain => 'FORWARD', - table => 'mangle', - source => '10.0.2.0/24', - proto => tcp, - tcp_flags => 'SYN,RST SYN', - mss => '1361:1541', - set_mss => '1360', - jump => 'TCPMSS', -} -~~~ - -The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target: - -~~~ puppet -firewall { '503 Mirror traffic to IDS': - proto => all, - jump => 'TEE', - gateway => '10.0.0.2', - chain => 'PREROUTING', - table => 'mangle', -} -~~~ - -The following example creates a new chain and forwards any port 5000 access to it. - -~~~ puppet -firewall { '100 forward to MY_CHAIN': - chain => 'INPUT', - jump => 'MY_CHAIN', -} -# The namevar here is in the format chain_name:table:protocol -firewallchain { 'MY_CHAIN:filter:IPv4': - ensure => present, -} -firewall { '100 my rule': - chain => 'MY_CHAIN', - action => 'accept', - proto => 'tcp', - dport => 5000, -} -~~~ - -Setup NFLOG for a rule. - -~~~ puppet -firewall {'666 for NFLOG': - proto => 'all', - jump => 'NFLOG', - nflog_group => 3, - nflog_prefix => "nflog-test", - nflog_range = 256, - nflog_threshold => 1, -} -~~~ - -### Additional information - -Access the inline documentation: - - puppet describe firewall - -Or - - puppet doc -r type - (and search for firewall) - -## Reference - -For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/REFERENCE.md). For information on the facts, see below. - -Facts: - -* [ip6tables_version](#fact-ip6tablesversion) -* [iptables_version](#fact-iptablesversion) -* [iptables_persistent_version](#fact-iptablespersistentversion) - -### Fact: ip6tables_version - -A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution. - -### Fact: iptables_version - -A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution. - -### Fact: iptables_persistent_version - -Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact. - -## Limitations - -For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/metadata.json) - -### SLES - -The `socket` parameter is not supported on SLES. In this release it will cause -the catalog to fail with iptables failures, rather than correctly warn you that -the features are unusable. - -### Oracle Enterprise Linux - -The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux -when the "Unbreakable" kernel is used. These may function correctly when using -the stock RedHat kernel instead. Declaring either of these parameters on an -unsupported system will result in iptable rules failing to apply. - -## Passing firewall parameter values as arrays with `firewall_multi` module - -You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays. - -A community module, [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi), provides a defined type wrapper to spawn firewall resources for arrays of certain inputs. - -For example: - -~~~ puppet -firewall_multi { '100 allow http and https access': - source => [ - '10.0.10.0/24', - '10.0.12.0/24', - '10.1.1.128', - ], - dport => [80, 443], - proto => tcp, - action => accept, -} -~~~ - -For more information see the documentation at [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi). - -### Known issues - -#### MCollective causes PE to reverse firewall rule order - -Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x. - -If you use MCollective to kick off Puppet runs (`mco puppet runonce -I agent.example.com`) while also using the [`puppetlabs/firewall`](https://forge.puppet.com/puppetlabs/firewall) module, your firewall rules might be listed in reverse order. - -In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails. - -To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead: - -* Run `puppet agent -t` on the command line. -* Use a cron job. -* Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console. - -#### Reporting Issues - -Report found bugs in JIRA: - -<http://tickets.puppetlabs.com> - -## Development - -Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve. - -We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things. - -Read the module's CONTRIBUTING.md before contributing. - -This module supports: - -* iptables -* ip6tables -* ebtables (chains only) - -### Testing - -Make sure you have: - -* rake -* bundler - -Install the necessary gems: - -~~~ text -bundle install -~~~ - -And run the tests from the root of the source code: - -~~~ text -bundle exec rake parallel_spec -~~~ - -See also `.travis.yml` for information on running the acceptance and other tests.
--- a/modules/firewall/README.md Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/README.md Wed Sep 23 20:43:20 2020 +0100 @@ -66,59 +66,60 @@ 1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run. - ~~~ puppet - class my_fw::pre { - Firewall { - require => undef, - } +```puppet +class my_fw::pre { + Firewall { + require => undef, + } - # Default firewall rules - firewall { '000 accept all icmp': - proto => 'icmp', - action => 'accept', - }-> - firewall { '001 accept all to lo interface': - proto => 'all', - iniface => 'lo', - action => 'accept', - }-> - firewall { '002 reject local traffic not on loopback interface': - iniface => '! lo', - proto => 'all', - destination => '127.0.0.1/8', - action => 'reject', - }-> - firewall { '003 accept related established rules': - proto => 'all', - state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - } + # Default firewall rules + firewall { '000 accept all icmp': + proto => 'icmp', + action => 'accept', + } + -> firewall { '001 accept all to lo interface': + proto => 'all', + iniface => 'lo', + action => 'accept', } - ~~~ + -> firewall { '002 reject local traffic not on loopback interface': + iniface => '! lo', + proto => 'all', + destination => '127.0.0.1/8', + action => 'reject', + } + -> firewall { '003 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + action => 'accept', + } +} +``` - The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed. +The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that +existing connections are not closed. 2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last. - ~~~ puppet - class my_fw::post { - firewall { '999 drop all': - proto => 'all', - action => 'drop', - before => undef, - } +```puppet +class my_fw::post { + firewall { '999 drop all': + proto => 'all', + action => 'drop', + before => undef, } - ~~~ +} +``` Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy: - ~~~ puppet - firewallchain { 'INPUT:filter:IPv4': - ensure => present, - policy => drop, - before => undef, - } - ~~~ +```puppet +firewallchain { 'INPUT:filter:IPv4': + ensure => present, + policy => drop, + before => undef, +} +``` #### Create firewall rules @@ -128,21 +129,22 @@ 1. In site.pp or another top-scope file, add the following code to set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine. - ~~~ puppet - resources { 'firewall': - purge => true, - } - ~~~ +```puppet +resources { 'firewall': + purge => true, +} +``` To purge unmanaged firewall chains, add: - ~~~ puppet - resources { 'firewallchain': - purge => true, - } - ~~~ +```puppet +resources { 'firewallchain': + purge => true, +} +``` - Internal chains can not be deleted. In order to avoid all the confusing Warning/Notice messages when using purge => true, like these ones: +Internal chains can not be deleted. In order to avoid all the confusing +Warning/Notice messages when using `purge => true`, like these ones: Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4 @@ -156,37 +158,38 @@ Please create firewallchains for every internal chain. Here is an example: - ~~~ puppet - firewallchain { 'POSTROUTING:mangle:IPv6': - ensure => present, - } - resources { 'firewallchain': - purge => true, - } - ~~~ +```puppet +firewallchain { 'POSTROUTING:mangle:IPv6': + ensure => present, +} + +resources { 'firewallchain': + purge => true, +} +``` **Note** - If there are unmanaged rules in unmanaged chains, it will take two Puppet runs for the firewall chain to be purged. This is different than the `purge` parameter available in `firewallchain`. 2. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run. - ~~~ puppet - Firewall { - before => Class['my_fw::post'], - require => Class['my_fw::pre'], - } - ~~~ +```puppet +Firewall { + before => Class['my_fw::post'], + require => Class['my_fw::pre'], +} +``` 3. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code: - ~~~ puppet - class { ['my_fw::pre', 'my_fw::post']: } - ~~~ +```puppet +class { ['my_fw::pre', 'my_fw::post']: } +``` 4. Include the `firewall` class to ensure the correct packages are installed: - ~~~ puppet - class { 'firewall': } - ~~~ +```puppet +class { 'firewall': } +``` ### Upgrading @@ -216,33 +219,33 @@ Basic accept ICMP request example: -~~~ puppet +```puppet firewall { '000 accept all icmp requests': proto => 'icmp', action => 'accept', } -~~~ +``` Drop all: -~~~ puppet +```puppet firewall { '999 drop all other requests': action => 'drop', } -~~~ +``` #### Example of an IPv6 rule IPv6 rules can be specified using the _ip6tables_ provider: -~~~ puppet +```puppet firewall { '006 Allow inbound SSH (v6)': dport => 22, - proto => tcp, - action => accept, + proto => 'tcp', + action => 'accept', provider => 'ip6tables', } -~~~ +``` ### Application-specific rules @@ -255,18 +258,20 @@ This is an example of firewall rules in a profile: -~~~ puppet +```puppet class profile::apache { include apache - apache::vhost { 'mysite': ensure => present } + apache::vhost { 'mysite': + ensure => present, + } firewall { '100 allow http and https access': dport => [80, 443], - proto => tcp, - action => accept, + proto => 'tcp', + action => 'accept', } } -~~~ +``` ### Rule inversion @@ -276,11 +281,12 @@ Examples: -~~~ puppet +```puppet firewall { '001 disallow esp protocol': action => 'accept', proto => '! esp', } + firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset': chain => 'INPUT', state => 'NEW', @@ -290,23 +296,23 @@ source => '! 10.0.0.0/8', tcp_flags => '! FIN,SYN,RST,ACK SYN', } -~~~ +``` ### Additional uses for the firewall module You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows: -~~~ puppet +```puppet node 'some.node.com' { firewall { '111 open port 111': dport => 111, } } -~~~ +``` You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24: -~~~ puppet +```puppet firewall { '100 snat for network foo2': chain => 'POSTROUTING', jump => 'MASQUERADE', @@ -315,67 +321,69 @@ source => '10.1.2.0/24', table => 'nat', } -~~~ +``` You can also change the TCP MSS value for VPN client traffic: -~~~ puppet +```puppet firewall { '110 TCPMSS for VPN clients': chain => 'FORWARD', table => 'mangle', source => '10.0.2.0/24', - proto => tcp, + proto => 'tcp', tcp_flags => 'SYN,RST SYN', mss => '1361:1541', set_mss => '1360', jump => 'TCPMSS', } -~~~ +``` The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target: -~~~ puppet +```puppet firewall { '503 Mirror traffic to IDS': - proto => all, + proto => 'all', jump => 'TEE', gateway => '10.0.0.2', chain => 'PREROUTING', table => 'mangle', } -~~~ +``` The following example creates a new chain and forwards any port 5000 access to it. -~~~ puppet +```puppet firewall { '100 forward to MY_CHAIN': chain => 'INPUT', jump => 'MY_CHAIN', } + # The namevar here is in the format chain_name:table:protocol firewallchain { 'MY_CHAIN:filter:IPv4': ensure => present, } + firewall { '100 my rule': chain => 'MY_CHAIN', action => 'accept', proto => 'tcp', dport => 5000, } -~~~ +``` Setup NFLOG for a rule. -~~~ puppet +```puppet firewall {'666 for NFLOG': - proto => 'all', - jump => 'NFLOG', - nflog_group => 3, - nflog_prefix => "nflog-test", - nflog_range = 256, + proto => 'all', + jump => 'NFLOG', + nflog_group => 3, + nflog_prefix => 'nflog-test', + nflog_range => 256, nflog_threshold => 1, } -~~~ +``` ### Additional information @@ -435,7 +443,7 @@ For example: -~~~ puppet +```puppet firewall_multi { '100 allow http and https access': source => [ '10.0.10.0/24', @@ -443,10 +451,10 @@ '10.1.1.128', ], dport => [80, 443], - proto => tcp, - action => accept, + proto => 'tcp', + action => 'accept', } -~~~ +``` For more information see the documentation at [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi). @@ -468,9 +476,9 @@ #### Reporting Issues -Report found bugs in JIRA: +Please report any bugs in the Puppetlabs JIRA issue tracker: -<http://tickets.puppetlabs.com> +<https://tickets.puppetlabs.com/projects/MODULES/issues> ## Development @@ -498,12 +506,14 @@ Install the necessary gems: -~~~ text +```text bundle install -~~~ +``` And run the tests from the root of the source code: -~~~ text +```text bundle exec rake parallel_spec -~~~ +``` + +See also `.travis.yml` for information on running the acceptance and other tests.
--- a/modules/firewall/REFERENCE.md Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/REFERENCE.md Wed Sep 23 20:43:20 2020 +0100 @@ -1,15 +1,16 @@ # Reference + <!-- DO NOT EDIT: This document was generated by Puppet Strings --> ## Table of Contents -**Classes** +### Classes -_Public Classes_ +#### Public Classes * [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins -_Private Classes_ +#### Private Classes * `firewall::linux`: Main linux class, includes all other classes * `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems. @@ -18,14 +19,14 @@ * `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems. * `firewall::params`: Provides defaults for the Apt module parameters. -**Resource types** +### Resource types * [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet. * [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls. ## Classes -### firewall +### `firewall` Performs the basic setup tasks required for using the firewall resources. @@ -52,7 +53,7 @@ Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. -Default value: running +Default value: `running` ##### `ensure_v6` @@ -60,7 +61,7 @@ Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. -Default value: `undef` +Default value: ``undef`` ##### `pkg_ensure` @@ -68,7 +69,7 @@ Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. -Default value: present +Default value: `present` ##### `service_name` @@ -76,7 +77,7 @@ Specify the name of the IPv4 iptables service. -Default value: $::firewall::params::service_name +Default value: `$::firewall::params::service_name` ##### `service_name_v6` @@ -84,7 +85,7 @@ Specify the name of the IPv6 iptables service. -Default value: $::firewall::params::service_name_v6 +Default value: `$::firewall::params::service_name_v6` ##### `package_name` @@ -92,7 +93,7 @@ Specify the platform-specific package(s) to install. -Default value: $::firewall::params::package_name +Default value: `$::firewall::params::package_name` ##### `ebtables_manage` @@ -100,11 +101,11 @@ Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure. -Default value: `false` +Default value: ``false`` ## Resource types -### firewall +### `firewall` **Autorequires:** @@ -123,9 +124,10 @@ * ip6tables: Ip6tables type provider * Required binaries: ip6tables-save, ip6tables. - * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match, + * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, - ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss, + ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, + log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf. @@ -133,9 +135,10 @@ * Required binaries: iptables-save, iptables. * Default for kernel == linux. - * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match, + * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, - log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix, + log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, + mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. @@ -146,6 +149,8 @@ * connection_limiting: Connection limiting features. + * conntrack: Connection tracking features. + * dnat: Destination NATing. * hop_limiting: Hop limiting features. @@ -178,6 +183,12 @@ * log_uid: The ability to log the userid of the process which generated the packet. + * log_tcp_sequence: The ability to log TCP sequence numbers. + + * log_tcp_options: The ability to log TCP packet header. + + * log_ip_options: The ability to log IP/IPv6 packet header. + * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask. @@ -222,21 +233,15 @@ * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. + * random_fully: The ability to use --random-fully flag. + #### Properties The following properties are available in the `firewall` type. -##### `ensure` - -Valid values: present, absent - -Manage the state of this rule. - -Default value: present - ##### `action` -Valid values: accept, reject, drop +Valid values: `accept`, `reject`, `drop` This is the action to perform on a match. Can be one of: @@ -247,25 +252,286 @@ If you specify no value it will simply match the rule but perform no action unless you provide a provider specific parameter (such as *jump*). -##### `source` +##### `burst` + +Valid values: `%r{^\d+$}` + +Rate limiting burst value (per second) before limit checks apply. + +##### `bytecode` + +Match using Linux Socket Filter. Expects a BPF program in decimal format. +This is the format generated by the nfbpf_compile utility. + +##### `cgroup` + +Matches against the net_cls cgroup ID of the packet. + +##### `chain` + +Valid values: `%r{^[a-zA-Z0-9\-_]+$}` + +Name of the chain to use. Can be one of the built-ins: + +* INPUT +* FORWARD +* OUTPUT +* PREROUTING +* POSTROUTING + +Or you can provide a user-based chain. + +Default value: `INPUT` + +##### `checksum_fill` + +Valid values: ``true``, ``false`` + +Compute and fill missing packet checksums. + +##### `clamp_mss_to_pmtu` + +Valid values: ``true``, ``false`` + +Sets the clamp mss to pmtu flag. + +##### `clusterip_clustermac` + +Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i` + +Used with the CLUSTERIP jump target. +Specify the ClusterIP MAC address. Has to be a link-layer multicast address. + +##### `clusterip_hash_init` + +Used with the CLUSTERIP jump target. +Specify the random seed used for hash initialization. + +##### `clusterip_hashmode` + +Valid values: `sourceip`, `sourceip-sourceport`, `sourceip-sourceport-destport` + +Used with the CLUSTERIP jump target. +Specify the hashing mode. + +##### `clusterip_local_node` -The source address. For example: +Valid values: `%r{\d+}` + +Used with the CLUSTERIP jump target. +Specify the random seed used for hash initialization. + +##### `clusterip_new` + +Valid values: ``true``, ``false`` + +Used with the CLUSTERIP jump target. +Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. + +##### `clusterip_total_nodes` + +Valid values: `%r{\d+}` + +Used with the CLUSTERIP jump target. +Number of total nodes within this cluster. + +##### `connlimit_above` + +Valid values: `%r{^\d+$}` + +Connection limiting value for matched connections above n. + +##### `connlimit_mask` + +Valid values: `%r{^\d+$}` - source => '192.168.2.0/24' +Connection limiting by subnet mask for matched connections. +IPv4: 0-32 +IPv6: 0-128 + +##### `connmark` + +Match the Netfilter mark value associated with the packet. Accepts either of: +mark/mask or mark. These will be converted to hex if they are not already. + +##### `ctdir` + +Valid values: `REPLY`, `ORIGINAL` + +Matches a packet that is flowing in the specified direction using the +conntrack module. If this flag is not specified at all, matches packets +in both directions. Values can be: + +* REPLY +* ORIGINAL + +##### `ctexpire` + +Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` + +Matches a packet based on lifetime remaining in seconds or range of values +using the conntrack module. For example: + + ctexpire => '100:150' + +##### `ctorigdst` + +The original destination address using the conntrack module. For example: + + ctorigdst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: - source => '! 192.168.2.0/24' + ctorigdst => '! 192.168.2.0/24' + +The ctorigdst can also be an IPv6 address if your provider supports it. + +##### `ctorigdstport` + +Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` + +The original destination port to match for this filter using the conntrack module. +For example: + + ctorigdstport => '80' + +You can also specify a port range: For example: + + ctorigdstport => '80:81' + +You can also negate a port by putting ! in front. For example: + + ctorigdstport => '! 80' + +##### `ctorigsrc` + +The original source address using the conntrack module. For example: + + ctorigsrc => '192.168.2.0/24' + +You can also negate a mask by putting ! in front. For example: + + ctorigsrc => '! 192.168.2.0/24' + +The ctorigsrc can also be an IPv6 address if your provider supports it. + +##### `ctorigsrcport` -The source can also be an IPv6 address if your provider supports it. +Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` + +The original source port to match for this filter using the conntrack module. +For example: + + ctorigsrcport => '80' + +You can also specify a port range: For example: + + ctorigsrcport => '80:81' + +You can also negate a port by putting ! in front. For example: + + ctorigsrcport => '! 80' + +##### `ctproto` + +Valid values: `%r{^!?\s?\d+$}` -##### `src_range` +The specific layer-4 protocol number to match for this rule using the +conntrack module. + +##### `ctrepldst` + +The reply destination address using the conntrack module. For example: + + ctrepldst => '192.168.2.0/24' + +You can also negate a mask by putting ! in front. For example: + + ctrepldst => '! 192.168.2.0/24' + +The ctrepldst can also be an IPv6 address if your provider supports it. + +##### `ctrepldstport` + +Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` -The source IP range. For example: +The reply destination port to match for this filter using the conntrack module. +For example: + + ctrepldstport => '80' + +You can also specify a port range: For example: + + ctrepldstport => '80:81' + +You can also negate a port by putting ! in front. For example: + + ctrepldstport => '! 80' + +##### `ctreplsrc` + +The reply source address using the conntrack module. For example: + + ctreplsrc => '192.168.2.0/24' + +You can also negate a mask by putting ! in front. For example: + + ctreplsrc => '! 192.168.2.0/24' + +The ctreplsrc can also be an IPv6 address if your provider supports it. + +##### `ctreplsrcport` + +Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` + +The reply source port to match for this filter using the conntrack module. +For example: + + ctreplsrcport => '80' + +You can also specify a port range: For example: + + ctreplsrcport => '80:81' - src_range => '192.168.1.1-192.168.1.10' +You can also negate a port by putting ! in front. For example: + + ctreplsrcport => '! 80' + +##### `ctstate` + +Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED`, `SNAT`, `DNAT` + +Matches a packet based on its state in the firewall stateful inspection +table, using the conntrack module. Values can be: + +* INVALID +* ESTABLISHED +* NEW +* RELATED +* UNTRACKED +* SNAT +* DNAT -The source IP range must be in 'IP1-IP2' format. +##### `ctstatus` + +Valid values: `NONE`, `EXPECTED`, `SEEN_REPLY`, `ASSURED`, `CONFIRMED` + +Matches a packet based on its status using the conntrack module. Values can be: + +* EXPECTED +* SEEN_REPLY +* ASSURED +* CONFIRMED + +##### `date_start` + +Only match during the given time, which must be in ISO 8601 "T" notation. +The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 + +##### `date_stop` + +Only match during the given time, which must be in ISO 8601 "T" notation. +The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 ##### `destination` @@ -279,29 +545,6 @@ The destination can also be an IPv6 address if your provider supports it. -##### `dst_range` - -The destination IP range. For example: - - dst_range => '192.168.1.1-192.168.1.10' - -The destination IP range must be in 'IP1-IP2' format. - -##### `sport` - -The source port to match for this filter (if the protocol supports -ports). Will accept a single element or an array. - -For some firewall providers you can pass a range of ports in the format: - - <start_number>-<ending_number> - -For example: - - 1-1024 - -This would cover ports 1 to 1024. - ##### `dport` The destination port to match for this filter (if the protocol supports @@ -317,26 +560,23 @@ This would cover ports 1 to 1024. -##### `port` +##### `dst_cc` -*note* This property has been DEPRECATED +Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}` -The destination or source port to match for this filter (if the protocol -supports ports). Will accept a single element or an array. +dst attribute for the module geoip -For some firewall providers you can pass a range of ports in the format: +##### `dst_range` - <start_number>-<ending_number> +The destination IP range. For example: -For example: + dst_range => '192.168.1.1-192.168.1.10' - 1-1024 - -This would cover ports 1 to 1024. +The destination IP range must be in 'IP1-IP2' format. ##### `dst_type` -Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, +Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, @@ -346,7 +586,7 @@ "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] - }.flatten + }.flatten` The destination address type. For example: @@ -377,127 +617,24 @@ Will accept a single element or an array. -##### `src_type` +##### `ensure` -Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, - :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| - [ - address_type, - "! #{address_type}".to_sym, - "#{address_type} --limit-iface-in".to_sym, - "#{address_type} --limit-iface-out".to_sym, - "! #{address_type} --limit-iface-in".to_sym, - "! #{address_type} --limit-iface-out".to_sym, - ] - }.flatten - -The source address type. For example: - - src_type => ['LOCAL'] - -Can be one of: +Valid values: `present`, `absent` -* UNSPEC - an unspecified address -* UNICAST - a unicast address -* LOCAL - a local address -* BROADCAST - a broadcast address -* ANYCAST - an anycast packet -* MULTICAST - a multicast address -* BLACKHOLE - a blackhole address -* UNREACHABLE - an unreachable address -* PROHIBIT - a prohibited address -* THROW - undocumented -* NAT - undocumented -* XRESOLVE - undocumented - -In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: - - src_type => ['LOCAL --limit-iface-in'] - -It can also be negated using '!': +Manage the state of this rule. - src_type => ['! LOCAL'] - -Will accept a single element or an array. - -##### `proto` - -Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| - [proto, "! #{proto}".to_sym] - }.flatten - -The specific protocol to match for this rule. - -Default value: tcp - -##### `mss` - -Match a given TCP MSS value or range. - -##### `tcp_flags` +Default value: `present` -Match when the TCP flags are as specified. -Is a string with a list of comma-separated flag names for the mask, -then a space, then a comma-separated list of flags that should be set. -The flags are: SYN ACK FIN RST URG PSH ALL NONE -Note that you specify them in the order that iptables --list-rules -would list them to avoid having puppet think you changed the flags. -Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the -ACK,RST and FIN bits cleared. Such packets are used to request -TCP connection initiation. - -##### `chain` - -Valid values: %r{^[a-zA-Z0-9\-_]+$} +##### `gateway` -Name of the chain to use. Can be one of the built-ins: - -* INPUT -* FORWARD -* OUTPUT -* PREROUTING -* POSTROUTING - -Or you can provide a user-based chain. - -Default value: INPUT - -##### `table` - -Valid values: nat, mangle, filter, raw, rawpost +The TEE target will clone a packet and redirect this clone to another +machine on the local network segment. gateway is the target host's IP. -Table to use. Can be one of: - -* nat -* mangle -* filter -* raw -* rawpost - -Default value: filter - -##### `jump` - -The value for the iptables --jump parameter. Normal values are: +##### `gid` -* QUEUE -* RETURN -* DNAT -* SNAT -* LOG -* NFLOG -* MASQUERADE -* REDIRECT -* MARK - -But any valid chain name is allowed. - -For the values ACCEPT, DROP, and REJECT, you must use the generic -'action' parameter. This is to enfore the use of generic parameters where -possible for maximum cross-platform modelling. - -If you set both 'accept' and 'jump' parameters, you will get an error as -only one of the options should be set. +GID or Group owner matching rule. Accepts a string argument +only, as iptables does not accept multiple gid in a single +statement. ##### `goto` @@ -514,53 +651,184 @@ But any valid chain name is allowed. +##### `hashlimit_above` + +Match if the rate is above amount/quantum. +This parameter or hashlimit_upto is required. +Allowed forms are '40','40/second','40/minute','40/hour','40/day'. + +##### `hashlimit_burst` + +Valid values: `%r{^\d+$}` + +Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. + +##### `hashlimit_dstmask` + +Like --hashlimit-srcmask, but for destination addresses. + +##### `hashlimit_htable_expire` + +After how many milliseconds do hash entries expire. + +##### `hashlimit_htable_gcinterval` + +How many milliseconds between garbage collection intervals. + +##### `hashlimit_htable_max` + +Maximum entries in the hash. + +##### `hashlimit_htable_size` + +The number of buckets of the hash table + +##### `hashlimit_mode` + +A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. +Allowed values are: srcip, srcport, dstip, dstport + +##### `hashlimit_name` + +The name for the /proc/net/ipt_hashlimit/foo entry. +This parameter is required. + +##### `hashlimit_srcmask` + +When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. + +##### `hashlimit_upto` + +Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). +This parameter or hashlimit_above is required. +Allowed forms are '40','40/second','40/minute','40/hour','40/day'. + +##### `helper` + +Invoke the nf_conntrack_xxx helper module for this packet. + +##### `hop_limit` + +Valid values: `%r{^\d+$}` + +Hop limiting value for matched packets. + +##### `icmp` + +When matching ICMP packets, this is the type of ICMP packet to match. + +A value of "any" is not supported. To achieve this behaviour the +parameter should simply be omitted or undefined. +An array of values is also not supported. To match against multiple ICMP +types, please use separate rules for each ICMP type. + ##### `iniface` -Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$} +Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}` Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this: iniface => '! lo', -##### `outiface` +##### `ipsec_dir` + +Valid values: `in`, `out` + +Sets the ipsec policy direction -Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$} +##### `ipsec_policy` + +Valid values: `none`, `ipsec` + +Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. - Output interface to filter on. Supports interface alias like eth0:0. -To negate the match try this: +##### `ipset` - outiface => '! lo', +Matches against the specified ipset list. +Requires ipset kernel module. Will accept a single element or an array. +The value is the name of the blacklist, followed by a space, and then +'src' and/or 'dst' separated by a comma. +For example: 'blacklist src,dst' + +##### `ipvs` + +Valid values: ``true``, ``false`` -##### `tosource` +Indicates that the current packet belongs to an IPVS connection. + +##### `isfirstfrag` -When using jump => "SNAT" you can specify the new source address using -this parameter. +Valid values: ``true``, ``false`` + +If true, matches if the packet is the first fragment. +Sadly cannot be negated. ipv6. + +##### `isfragment` -##### `todest` +Valid values: ``true``, ``false`` + +Set to true to match tcp fragments (requires type to be set to tcp) + +##### `ishasmorefrags` -When using jump => "DNAT" you can specify the new destination address -using this paramter. +Valid values: ``true``, ``false`` + +If true, matches if the packet has it's 'more fragments' bit set. ipv6. + +##### `islastfrag` + +Valid values: ``true``, ``false`` -##### `toports` +If true, matches if the packet is the last fragment. ipv6. -For DNAT this is the port that will replace the destination port. +##### `jump` + +The value for the iptables --jump parameter. Normal values are: -##### `to` +* QUEUE +* RETURN +* DNAT +* SNAT +* LOG +* NFLOG +* MASQUERADE +* REDIRECT +* MARK +* CT -For NETMAP this will replace the destination IP +But any valid chain name is allowed. -##### `random` +For the values ACCEPT, DROP, and REJECT, you must use the generic +'action' parameter. This is to enfore the use of generic parameters where +possible for maximum cross-platform modelling. -Valid values: `true`, `false` +If you set both 'accept' and 'jump' parameters, you will get an error as +only one of the options should be set. + +##### `kernel_timezone` -When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" -this boolean will enable randomized port mapping. +Valid values: ``true``, ``false`` + +Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. + +##### `length` + +Sets the length of layer-3 payload to match. -##### `reject` +##### `limit` + +Rate limiting value for matched packets. The format is: +rate/[/second/|/minute|/hour|/day]. + +Example values are: '50/sec', '40/min', '30/hour', '10/day'." -When combined with action => "REJECT" you can specify a different icmp -response to be sent back to the packet sender. +##### `log_ip_options` + +Valid values: ``true``, ``false`` + +When combined with jump => "LOG" logging of the TCP IP/IPv6 +packet header. ##### `log_level` @@ -572,13 +840,52 @@ When combined with jump => "LOG" specifies the log prefix to use when logging. +##### `log_tcp_options` + +Valid values: ``true``, ``false`` + +When combined with jump => "LOG" logging of the TCP packet +header. + +##### `log_tcp_sequence` + +Valid values: ``true``, ``false`` + +When combined with jump => "LOG" enables logging of the TCP sequence +numbers. + ##### `log_uid` -Valid values: `true`, `false` +Valid values: ``true``, ``false`` When combined with jump => "LOG" specifies the uid of the process making the connection. +##### `mac_source` + +Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i` + +MAC Source + +##### `mask` + +Sets the mask to use when `recent` is enabled. + +##### `match_mark` + +Match the Netfilter mark value associated with the packet. Accepts either of: +mark/mask or mark. These will be converted to hex if they are not already. + +##### `month_days` + +Only match on the given days of the month. Possible values are 1 to 31. +Note that specifying 31 will of course not match on months which do not have a 31st day; +the same goes for 28- or 29-day February. + +##### `mss` + +Match a given TCP MSS value or range. + ##### `nflog_group` Used with the jump target NFLOG. @@ -604,134 +911,131 @@ (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1. -##### `icmp` - -When matching ICMP packets, this is the type of ICMP packet to match. +##### `notrack` -A value of "any" is not supported. To achieve this behaviour the -parameter should simply be omitted or undefined. -An array of values is also not supported. To match against multiple ICMP -types, please use separate rules for each ICMP type. - -##### `state` - -Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED +Valid values: ``true``, ``false`` -Matches a packet based on its state in the firewall stateful inspection -table. Values can be: +Invoke the disable connection tracking for this packet. +This parameter can be used with iptables version >= 1.8.3 -* INVALID -* ESTABLISHED -* NEW -* RELATED -* UNTRACKED +##### `outiface` -##### `ctstate` - -Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED +Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}` -Matches a packet based on its state in the firewall stateful inspection -table, using the conntrack module. Values can be: + Output interface to filter on. Supports interface alias like eth0:0. +To negate the match try this: -* INVALID -* ESTABLISHED -* NEW -* RELATED -* UNTRACKED - -##### `connmark` - -Match the Netfilter mark value associated with the packet. Accepts either of: -mark/mask or mark. These will be converted to hex if they are not already. + outiface => '! lo', -##### `connlimit_above` - -Valid values: %r{^\d+$} - -Connection limiting value for matched connections above n. - -##### `connlimit_mask` +##### `physdev_in` -Valid values: %r{^\d+$} +Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}` -Connection limiting by subnet mask for matched connections. -IPv4: 0-32 -IPv6: 0-128 - -##### `hop_limit` +Match if the packet is entering a bridge from the given interface. -Valid values: %r{^\d+$} - -Hop limiting value for matched packets. +##### `physdev_is_bridged` -##### `limit` +Valid values: ``true``, ``false`` -Rate limiting value for matched packets. The format is: -rate/[/second/|/minute|/hour|/day]. - -Example values are: '50/sec', '40/min', '30/hour', '10/day'." +Match if the packet is transversing a bridge. -##### `burst` - -Valid values: %r{^\d+$} - -Rate limiting burst value (per second) before limit checks apply. +##### `physdev_is_in` -##### `uid` +Valid values: ``true``, ``false`` -UID or Username owner matching rule. Accepts a string argument -only, as iptables does not accept multiple uid in a single -statement. - -##### `gid` +Matches if the packet has entered through a bridge interface. -GID or Group owner matching rule. Accepts a string argument -only, as iptables does not accept multiple gid in a single -statement. - -##### `match_mark` +##### `physdev_is_out` -Match the Netfilter mark value associated with the packet. Accepts either of: -mark/mask or mark. These will be converted to hex if they are not already. - -##### `set_mark` +Valid values: ``true``, ``false`` -Set the Netfilter mark value associated with the packet. Accepts either of: -mark/mask or mark. These will be converted to hex if they are not already. - -##### `clamp_mss_to_pmtu` +Matches if the packet will leave through a bridge interface. -Valid values: `true`, `false` - -Sets the clamp mss to pmtu flag. - -##### `set_dscp` - -Set DSCP Markings. +##### `physdev_out` -##### `set_dscp_class` - -This sets the DSCP field according to a predefined DiffServ class. +Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}` -##### `set_mss` - -Sets the TCP MSS value for packets. +Match if the packet is leaving a bridge via the given interface. ##### `pkttype` -Valid values: unicast, broadcast, multicast +Valid values: `unicast`, `broadcast`, `multicast` Sets the packet type to match. -##### `isfragment` +##### `port` + +*note* This property has been DEPRECATED + +The destination or source port to match for this filter (if the protocol +supports ports). Will accept a single element or an array. + +For some firewall providers you can pass a range of ports in the format: + + <start_number>-<ending_number> + +For example: + + 1-1024 + +This would cover ports 1 to 1024. + +##### `proto` + +Valid values: `[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| + [proto, "! #{proto}".to_sym] + }.flatten` + +The specific protocol to match for this rule. + +Default value: `tcp` + +##### `queue_bypass` + +Valid values: ``true``, ``false`` + +Used with NFQUEUE jump target +Allow packets to bypass :queue_num if userspace process is not listening -Valid values: `true`, `false` +##### `queue_num` + +Used with NFQUEUE jump target. +What queue number to send packets to + +##### `random` + +Valid values: ``true``, ``false`` + +When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" +this boolean will enable randomized port mapping. + +##### `random_fully` + +Valid values: ``true``, ``false`` -Set to true to match tcp fragments (requires type to be set to tcp) +When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" +this boolean will enable fully randomized port mapping. + +**NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2 + +##### `rdest` + +Valid values: ``true``, ``false`` + +Recent module; add the destination IP address to the list. +Must be boolean true. + +##### `reap` + +Valid values: ``true``, ``false`` + +Recent module; can only be used in conjunction with the `rseconds` +attribute. When used, this will cause entries older than 'seconds' to be +purged. Must be boolean true. ##### `recent` -Valid values: set, update, rcheck, remove +Valid values: `set`, `update`, `rcheck`, `remove` Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example: @@ -764,24 +1068,28 @@ } ``` -##### `rdest` +##### `reject` -Valid values: `true`, `false` - -Recent module; add the destination IP address to the list. -Must be boolean true. +When combined with action => "REJECT" you can specify a different icmp +response to be sent back to the packet sender. -##### `rsource` +##### `rhitcount` -Valid values: `true`, `false` - -Recent module; add the source IP address to the list. -Must be boolean true. +Recent module; used in conjunction with `recent => 'update'` or `recent +=> 'rcheck'. When used, this will narrow the match to only happen when +the address is in the list and packets had been received greater than or +equal to the given value. ##### `rname` Recent module; The name of the list. Takes a string argument. +##### `rpfilter` + +Valid values: `loose`, `validmark`, `accept-local`, `invert` + +Enable the rpfilter module. + ##### `rseconds` Recent module; used in conjunction with one of `recent => 'rcheck'` or @@ -789,24 +1097,16 @@ happen when the address is in the list and was seen within the last given number of seconds. -##### `reap` - -Valid values: `true`, `false` +##### `rsource` -Recent module; can only be used in conjunction with the `rseconds` -attribute. When used, this will cause entries older than 'seconds' to be -purged. Must be boolean true. +Valid values: ``true``, ``false`` -##### `rhitcount` - -Recent module; used in conjunction with `recent => 'update'` or `recent -=> 'rcheck'. When used, this will narrow the match to only happen when -the address is in the list and packets had been received greater than or -equal to the given value. +Recent module; add the source IP address to the list. +Must be boolean true. ##### `rttl` -Valid values: `true`, `false` +Valid values: ``true``, ``false`` Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match @@ -816,57 +1116,127 @@ address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true. +##### `set_dscp` + +Set DSCP Markings. + +##### `set_dscp_class` + +This sets the DSCP field according to a predefined DiffServ class. + +##### `set_mark` + +Set the Netfilter mark value associated with the packet. Accepts either of: +mark/mask or mark. These will be converted to hex if they are not already. + +##### `set_mss` + +Sets the TCP MSS value for packets. + ##### `socket` -Valid values: `true`, `false` +Valid values: ``true``, ``false`` If true, matches if an open socket can be found by doing a coket lookup on the packet. -##### `ishasmorefrags` +##### `source` + +The source address. For example: -Valid values: `true`, `false` + source => '192.168.2.0/24' + +You can also negate a mask by putting ! in front. For example: -If true, matches if the packet has it's 'more fragments' bit set. ipv6. + source => '! 192.168.2.0/24' + +The source can also be an IPv6 address if your provider supports it. -##### `islastfrag` +##### `sport` + +The source port to match for this filter (if the protocol supports +ports). Will accept a single element or an array. + +For some firewall providers you can pass a range of ports in the format: -Valid values: `true`, `false` + <start_number>-<ending_number> + +For example: -If true, matches if the packet is the last fragment. ipv6. + 1-1024 + +This would cover ports 1 to 1024. + +##### `src_cc` -##### `isfirstfrag` +Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}` + +src attribute for the module geoip + +##### `src_range` -Valid values: `true`, `false` +The source IP range. For example: + + src_range => '192.168.1.1-192.168.1.10' + +The source IP range must be in 'IP1-IP2' format. -If true, matches if the packet is the first fragment. -Sadly cannot be negated. ipv6. +##### `src_type` -##### `ipsec_policy` +Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, + :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| + [ + address_type, + "! #{address_type}".to_sym, + "#{address_type} --limit-iface-in".to_sym, + "#{address_type} --limit-iface-out".to_sym, + "! #{address_type} --limit-iface-in".to_sym, + "! #{address_type} --limit-iface-out".to_sym, + ] + }.flatten` -Valid values: none, ipsec +The source address type. For example: -Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. + src_type => ['LOCAL'] + +Can be one of: -##### `ipsec_dir` - -Valid values: in, out - -Sets the ipsec policy direction +* UNSPEC - an unspecified address +* UNICAST - a unicast address +* LOCAL - a local address +* BROADCAST - a broadcast address +* ANYCAST - an anycast packet +* MULTICAST - a multicast address +* BLACKHOLE - a blackhole address +* UNREACHABLE - an unreachable address +* PROHIBIT - a prohibited address +* THROW - undocumented +* NAT - undocumented +* XRESOLVE - undocumented -##### `stat_mode` +In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: + + src_type => ['LOCAL --limit-iface-in'] -Valid values: nth, random +It can also be negated using '!': -Set the matching mode for statistic matching. + src_type => ['! LOCAL'] + +Will accept a single element or an array. ##### `stat_every` Match one packet every nth packet. Requires `stat_mode => 'nth'` +##### `stat_mode` + +Valid values: `nth`, `random` + +Set the matching mode for statistic matching. + ##### `stat_packet` -Valid values: %r{^\d+$} +Valid values: `%r{^\d+$}` Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` @@ -874,74 +1244,74 @@ Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. -##### `mask` +##### `state` -Sets the mask to use when `recent` is enabled. +Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED` + +Matches a packet based on its state in the firewall stateful inspection +table. Values can be: -##### `gateway` +* INVALID +* ESTABLISHED +* NEW +* RELATED +* UNTRACKED -The TEE target will clone a packet and redirect this clone to another -machine on the local network segment. gateway is the target host's IP. - -##### `ipset` +##### `string` -Matches against the specified ipset list. -Requires ipset kernel module. Will accept a single element or an array. -The value is the name of the blacklist, followed by a space, and then -'src' and/or 'dst' separated by a comma. -For example: 'blacklist src,dst' +String matching feature. Matches the packet against the pattern +given as an argument. -##### `checksum_fill` +##### `string_algo` -Valid values: `true`, `false` +Valid values: `bm`, `kmp` + +String matching feature, pattern matching strategy. -Compute and fill missing packet checksums. +##### `string_from` -##### `mac_source` - -Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i +String matching feature, offset from which we start looking for any matching. -MAC Source +##### `string_hex` -##### `physdev_in` - -Valid values: %r{^[a-zA-Z0-9\-\._\+]+$} +String matching feature. Matches the package against the hex pattern +given as an argument. -Match if the packet is entering a bridge from the given interface. +##### `string_to` -##### `physdev_out` +String matching feature, offset up to which we should scan. -Valid values: %r{^[a-zA-Z0-9\-\._\+]+$} +##### `table` -Match if the packet is leaving a bridge via the given interface. +Valid values: `nat`, `mangle`, `filter`, `raw`, `rawpost` -##### `physdev_is_bridged` - -Valid values: `true`, `false` +Table to use. Can be one of: -Match if the packet is transversing a bridge. +* nat +* mangle +* filter +* raw +* rawpost -##### `physdev_is_in` - -Valid values: `true`, `false` +Default value: `filter` -Matches if the packet has entered through a bridge interface. - -##### `physdev_is_out` - -Valid values: `true`, `false` - -Matches if the packet will leave through a bridge interface. +##### `tcp_flags` -##### `date_start` - -Only match during the given time, which must be in ISO 8601 "T" notation. -The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 +Match when the TCP flags are as specified. +Is a string with a list of comma-separated flag names for the mask, +then a space, then a comma-separated list of flags that should be set. +The flags are: SYN ACK FIN RST URG PSH ALL NONE +Note that you specify them in the order that iptables --list-rules +would list them to avoid having puppet think you changed the flags. +Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the +ACK,RST and FIN bits cleared. Such packets are used to request +TCP connection initiation. -##### `date_stop` +##### `time_contiguous` -Only match during the given time, which must be in ISO 8601 "T" notation. -The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 +Valid values: ``true``, ``false`` + +When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. ##### `time_start` @@ -953,180 +1323,36 @@ Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. -##### `month_days` +##### `to` + +For NETMAP this will replace the destination IP + +##### `todest` + +When using jump => "DNAT" you can specify the new destination address +using this paramter. + +##### `toports` -Only match on the given days of the month. Possible values are 1 to 31. -Note that specifying 31 will of course not match on months which do not have a 31st day; -the same goes for 28- or 29-day February. +For DNAT this is the port that will replace the destination port. + +##### `tosource` + +When using jump => "SNAT" you can specify the new source address using +this parameter. + +##### `uid` + +UID or Username owner matching rule. Accepts a string argument +only, as iptables does not accept multiple uid in a single +statement. ##### `week_days` -Valid values: Mon, Tue, Wed, Thu, Fri, Sat, Sun +Valid values: `Mon`, `Tue`, `Wed`, `Thu`, `Fri`, `Sat`, `Sun` Only match on the given weekdays. -##### `time_contiguous` - -Valid values: `true`, `false` - -When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. - -##### `kernel_timezone` - -Valid values: `true`, `false` - -Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. - -##### `clusterip_new` - -Valid values: `true`, `false` - -Used with the CLUSTERIP jump target. -Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. - -##### `clusterip_hashmode` - -Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport - -Used with the CLUSTERIP jump target. -Specify the hashing mode. - -##### `clusterip_clustermac` - -Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i - -Used with the CLUSTERIP jump target. -Specify the ClusterIP MAC address. Has to be a link-layer multicast address. - -##### `clusterip_total_nodes` - -Valid values: %r{\d+} - -Used with the CLUSTERIP jump target. -Number of total nodes within this cluster. - -##### `clusterip_local_node` - -Valid values: %r{\d+} - -Used with the CLUSTERIP jump target. -Specify the random seed used for hash initialization. - -##### `clusterip_hash_init` - -Used with the CLUSTERIP jump target. -Specify the random seed used for hash initialization. - -##### `length` - -Sets the length of layer-3 payload to match. - -##### `string` - -String matching feature. Matches the packet against the pattern -given as an argument. - -##### `string_algo` - -Valid values: bm, kmp - -String matching feature, pattern matching strategy. - -##### `string_from` - -String matching feature, offset from which we start looking for any matching. - -##### `string_to` - -String matching feature, offset up to which we should scan. - -##### `queue_num` - -Used with NFQUEUE jump target. -What queue number to send packets to - -##### `queue_bypass` - -Valid values: `true`, `false` - -Used with NFQUEUE jump target -Allow packets to bypass :queue_num if userspace process is not listening - -##### `src_cc` - -Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$} - -src attribute for the module geoip - -##### `dst_cc` - -Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$} - -dst attribute for the module geoip - -##### `hashlimit_name` - -The name for the /proc/net/ipt_hashlimit/foo entry. -This parameter is required. - -##### `hashlimit_upto` - -Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). -This parameter or hashlimit_above is required. -Allowed forms are '40','40/second','40/minute','40/hour','40/day'. - -##### `hashlimit_above` - -Match if the rate is above amount/quantum. -This parameter or hashlimit_upto is required. -Allowed forms are '40','40/second','40/minute','40/hour','40/day'. - -##### `hashlimit_burst` - -Valid values: %r{^\d+$} - -Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. - -##### `hashlimit_mode` - -A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. -Allowed values are: srcip, srcport, dstip, dstport - -##### `hashlimit_srcmask` - -When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. - -##### `hashlimit_dstmask` - -Like --hashlimit-srcmask, but for destination addresses. - -##### `hashlimit_htable_size` - -The number of buckets of the hash table - -##### `hashlimit_htable_max` - -Maximum entries in the hash. - -##### `hashlimit_htable_expire` - -After how many milliseconds do hash entries expire. - -##### `hashlimit_htable_gcinterval` - -How many milliseconds between garbage collection intervals. - -##### `bytecode` - -Match using Linux Socket Filter. Expects a BPF program in decimal format. -This is the format generated by the nfbpf_compile utility. - -##### `ipvs` - -Valid values: `true`, `false` - -Indicates that the current packet belongs to an IPVS connection. - ##### `zone` Assign this packet to zone id and only have lookups done in that zone. @@ -1135,9 +1361,13 @@ The following parameters are available in the `firewall` type. +##### `line` + +Read-only property for caching the rule line. + ##### `name` -Valid values: %r{^\d+[[:graph:][:space:]]+$} +Valid values: `%r{^\d+[[:graph:][:space:]]+$}` namevar @@ -1150,11 +1380,12 @@ Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. -##### `line` +##### `provider` -Read-only property for caching the rule line. +The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually +discover the appropriate provider for your platform. -### firewallchain +### `firewallchain` Currently this supports only iptables, ip6tables and ebtables on Linux. And provides support for setting the default policy on chains and tables that @@ -1178,15 +1409,15 @@ ##### `ensure` -Valid values: present, absent +Valid values: `present`, `absent` The basic property that the resource should be in. -Default value: present +Default value: `present` ##### `policy` -Valid values: accept, drop, queue, return +Valid values: `accept`, `drop`, `queue`, `return` This is the action to when the end of the chain is reached. It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, @@ -1202,22 +1433,6 @@ The following parameters are available in the `firewallchain` type. -##### `name` - -namevar - -The canonical name of the chain. - -For iptables the format must be {chain}:{table}:{protocol}. - -##### `purge` - -Valid values: `false`, `true` - -Purge unmanaged firewall rules in this chain - -Default value: `false` - ##### `ignore` Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). @@ -1241,3 +1456,24 @@ } ``` +##### `name` + +namevar + +The canonical name of the chain. + +For iptables the format must be {chain}:{table}:{protocol}. + +##### `provider` + +The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will +usually discover the appropriate provider for your platform. + +##### `purge` + +Valid values: ``false``, ``true`` + +Purge unmanaged firewall rules in this chain + +Default value: ``false`` +
--- a/modules/firewall/distelli-manifest.yml Mon Jul 20 11:19:52 2020 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,25 +0,0 @@ -team-modules/puppetlabs-firewall: - PreBuild: - - source /opt/rh/rh-ruby25/enable - - echo "--- LETS update BUNDLER ---" - - bundle install --path vendor/bundle --jobs 3 - Build: - - echo "--- PROVISIONING ---" - - source /opt/rh/rh-ruby25/enable - - bundle exec rake litmus:provision_list[release_checks] - - cat inventory.yaml - - echo "--- AGENT INSTALLATION ---" - - bundle exec rake litmus:install_agent - - echo "--- MODULE INSTALLATION ---" - - bundle exec rake litmus:install_module - - echo "--- TESTS RUNNING ---" - - bundle exec rake litmus:acceptance:parallel - AfterBuildSuccess: - - source /opt/rh/rh-ruby25/enable - - bundle exec rake litmus:tear_down - AfterBuildFailure: - - source /opt/rh/rh-ruby25/enable - - bundle exec rake litmus:tear_down - CommitData: - - RepoType: Git - - RepoPath: . \ No newline at end of file
--- a/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb Wed Sep 23 20:43:20 2020 +0100 @@ -3,6 +3,7 @@ has_feature :iptables has_feature :connection_limiting + has_feature :conntrack has_feature :hop_limiting has_feature :rate_limiting has_feature :recent_limiting @@ -16,8 +17,15 @@ has_feature :log_level has_feature :log_prefix has_feature :log_uid + has_feature :log_tcp_sequence + has_feature :log_tcp_options + has_feature :log_ip_options has_feature :mark has_feature :mss + has_feature :nflog_group + has_feature :nflog_prefix + has_feature :nflog_range + has_feature :nflog_threshold has_feature :tcp_flags has_feature :pkttype has_feature :ishasmorefrags @@ -35,6 +43,7 @@ has_feature :queue_num has_feature :queue_bypass has_feature :ct_target + has_feature :rpfilter optional_commands(ip6tables: 'ip6tables', ip6tables_save: 'ip6tables-save') @@ -48,6 +57,12 @@ '--set-xmark' end + kernelversion = Facter.value('kernelversion') + if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) && + (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0) + has_feature :random_fully + end + def initialize(*args) ip6tables_version = Facter.value('ip6tables_version') raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d}) @@ -71,7 +86,19 @@ connlimit_above: '-m connlimit --connlimit-above', connlimit_mask: '--connlimit-mask', connmark: '-m connmark --mark', - ctstate: '-m conntrack --ctstate', + ctstate: '--ctstate', + ctproto: '--ctproto', + ctorigsrc: '--ctorigsrc', + ctorigdst: '--ctorigdst', + ctreplsrc: '--ctreplsrc', + ctrepldst: '--ctrepldst', + ctorigsrcport: '--ctorigsrcport', + ctorigdstport: '--ctorigdstport', + ctreplsrcport: '--ctreplsrcport', + ctrepldstport: '--ctrepldstport', + ctstatus: '--ctstatus', + ctexpire: '--ctexpire', + ctdir: '--ctdir', destination: '-d', dport: ['-m multiport --dports', '--dport'], dst_range: '--dst-range', @@ -94,11 +121,18 @@ log_level: '--log-level', log_prefix: '--log-prefix', log_uid: '--log-uid', + log_tcp_sequence: '--log-tcp-sequence', + log_tcp_options: '--log-tcp-options', + log_ip_options: '--log-ip-options', mask: '--mask', match_mark: '-m mark --mark', name: '-m comment --comment', mac_source: ['-m mac --mac-source', '--mac-source'], mss: '-m tcpmss --mss', + nflog_group: '--nflog-group', + nflog_prefix: '--nflog-prefix', + nflog_range: '--nflog-range', + nflog_threshold: '--nflog-threshold', outiface: '-o', pkttype: '-m pkttype --pkt-type', port: '-m multiport --ports', @@ -111,6 +145,7 @@ reject: '--reject-with', rhitcount: '--hitcount', rname: '--name', + rpfilter: '-m rpfilter', rseconds: '--seconds', rsource: '--rsource', rttl: '--rttl', @@ -129,6 +164,7 @@ stat_probability: '--probability', state: '-m state --state', string: '-m string --string', + string_hex: '-m string --hex-string', string_algo: '--algo', string_from: '--from', string_to: '--to', @@ -166,6 +202,8 @@ hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval', bytecode: '-m bpf --bytecode', zone: '--zone', + helper: '--helper', + notrack: '--notrack', } # These are known booleans that do not take a value, but we want to munge @@ -177,9 +215,13 @@ :islastfrag, :isfirstfrag, :log_uid, + :log_tcp_sequence, + :log_tcp_options, + :log_ip_options, :rsource, :rdest, :reap, + :rpfilter, :rttl, :socket, :physdev_is_bridged, @@ -188,6 +230,7 @@ :time_contiguous, :kernel_timezone, :queue_bypass, + :notrack, ] # Properties that use "-m <ipt module name>" (with the potential to have multiple @@ -207,6 +250,8 @@ addrtype: [:src_type, :dst_type], iprange: [:src_range, :dst_range], owner: [:uid, :gid], + conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, + :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir], time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone], geoip: [:src_cc, :dst_cc], hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, @@ -253,12 +298,15 @@ :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state, - :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, - :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, - :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, + :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, + :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir, + :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo, + :string_from, :string_to, :jump, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, :todest, + :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, + :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, - :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name] + :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name, :notrack] end
--- a/modules/firewall/lib/puppet/provider/firewall/iptables.rb Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/lib/puppet/provider/firewall/iptables.rb Wed Sep 23 20:43:20 2020 +0100 @@ -8,6 +8,7 @@ has_feature :iptables has_feature :connection_limiting + has_feature :conntrack has_feature :rate_limiting has_feature :recent_limiting has_feature :snat @@ -21,6 +22,9 @@ has_feature :log_level has_feature :log_prefix has_feature :log_uid + has_feature :log_tcp_sequence + has_feature :log_tcp_options + has_feature :log_ip_options has_feature :mark has_feature :mss has_feature :nflog_group @@ -44,6 +48,7 @@ has_feature :queue_bypass has_feature :ipvs has_feature :ct_target + has_feature :rpfilter optional_commands(iptables: 'iptables', iptables_save: 'iptables-save') @@ -58,6 +63,12 @@ '--set-xmark' end + kernelversion = Facter.value('kernelversion') + if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) && + (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0) + has_feature :random_fully + end + @protocol = 'IPv4' @resource_map = { @@ -67,7 +78,19 @@ connlimit_above: '-m connlimit --connlimit-above', connlimit_mask: '--connlimit-mask', connmark: '-m connmark --mark', - ctstate: '-m conntrack --ctstate', + ctstate: '--ctstate', + ctproto: '--ctproto', + ctorigsrc: '--ctorigsrc', + ctorigdst: '--ctorigdst', + ctreplsrc: '--ctreplsrc', + ctrepldst: '--ctrepldst', + ctorigsrcport: '--ctorigsrcport', + ctorigdstport: '--ctorigdstport', + ctreplsrcport: '--ctreplsrcport', + ctrepldstport: '--ctrepldstport', + ctstatus: '--ctstatus', + ctexpire: '--ctexpire', + ctdir: '--ctdir', destination: '-d', dport: ['-m multiport --dports', '--dport'], dst_range: '--dst-range', @@ -87,6 +110,9 @@ log_level: '--log-level', log_prefix: '--log-prefix', log_uid: '--log-uid', + log_tcp_sequence: '--log-tcp-sequence', + log_tcp_options: '--log-tcp-options', + log_ip_options: '--log-ip-options', mac_source: ['-m mac --mac-source', '--mac-source'], mask: '--mask', match_mark: '-m mark --mark', @@ -102,6 +128,7 @@ proto: '-p', queue_num: '--queue-num', queue_bypass: '--queue-bypass', + random_fully: '--random-fully', random: '--random', rdest: '--rdest', reap: '--reap', @@ -109,6 +136,7 @@ reject: '--reject-with', rhitcount: '--hitcount', rname: '--name', + rpfilter: '-m rpfilter', rseconds: '--seconds', rsource: '--rsource', rttl: '--rttl', @@ -127,6 +155,7 @@ stat_probability: '--probability', state: '-m state --state', string: '-m string --string', + string_hex: '-m string --hex-string', string_algo: '--algo', string_from: '--from', string_to: '--to', @@ -137,6 +166,7 @@ tosource: '--to-source', to: '--to', uid: '--uid-owner', + u32: ['-m u32 --u32', '--u32'], physdev_in: '--physdev-in', physdev_out: '--physdev-out', physdev_is_bridged: '--physdev-is-bridged', @@ -172,6 +202,9 @@ bytecode: '-m bpf --bytecode', ipvs: '-m ipvs --ipvs', zone: '--zone', + helper: '--helper', + cgroup: '-m cgroup --cgroup', + notrack: '--notrack', } # These are known booleans that do not take a value, but we want to munge @@ -181,6 +214,10 @@ :clamp_mss_to_pmtu, :isfragment, :log_uid, + :log_tcp_sequence, + :log_tcp_options, + :log_ip_options, + :random_fully, :random, :rdest, :reap, @@ -195,6 +232,7 @@ :clusterip_new, :queue_bypass, :ipvs, + :notrack, ] # Properties that use "-m <ipt module name>" (with the potential to have multiple @@ -214,6 +252,8 @@ addrtype: [:src_type, :dst_type], iprange: [:src_range, :dst_range], owner: [:uid, :gid], + conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, + :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir], time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone], geoip: [:src_cc, :dst_cc], hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, @@ -231,7 +271,7 @@ resource_map_new[argument][0] = "-m #{ipt_module} #{resource_map_original[argument].first}" break end - elsif compare.include?(resource_map_original[argument]) + elsif compare.include?(resource_map_original[argument] + ' ') resource_map_new[argument] = "-m #{ipt_module} #{resource_map_original[argument]}" break end @@ -296,17 +336,19 @@ :proto, :isfragment, :stat_mode, :stat_every, :stat_packet, :stat_probability, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, - :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, + :state, :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, + :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir, + :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo, :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, - :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, - :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, + :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix, + :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, - :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name + :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack ] def insert @@ -377,7 +419,8 @@ counter = 1 # String#lines would be nice, but we need to support Ruby 1.8.5 - iptables_save.split("\n").each do |line| + nf_warning_msg = "# Warning: ip6?tables-legacy tables present, use ip6?tables-legacy-save to see them\n" + iptables_save.gsub(%r{#{nf_warning_msg}}, '').split("\n").each do |line| unless line =~ %r{^\#\s+|^\:\S+|^COMMIT|^FATAL} if line =~ %r{^\*} table = line.sub(%r{\*}, '') @@ -407,6 +450,8 @@ # --tcp-flags takes two values; we cheat by adding " around it # so it behaves like --comment values = values.gsub(%r{(!\s+)?--tcp-flags (\S*) (\S*)}, '--tcp-flags "\1\2 \3"') + # --hex-string output is in quotes, need to move ! inside quotes + values = values.gsub(%r{(!\s+)?--hex-string "(\S*?)"}, '--hex-string "\1\2"') # --match-set can have multiple values with weird iptables format if values =~ %r{-m set (!\s+)?--match-set} values = values.gsub(%r{(!\s+)?--match-set (\S*) (\S*)}, '--match-set \1\2 \3') @@ -475,6 +520,8 @@ values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true') elsif resource_map[bool].eql?(%r{'--physdev-is-\S+'}) values.sub(%r{'#{resource_map[bool]} "! "'}, "#{resource_map[bool]} true") + elsif bool == :random + values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true") else # append `true` to booleans that are not already negated (followed by "!") values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true") @@ -545,7 +592,7 @@ # POST PARSE CLUDGING ##################### - [:dport, :sport, :port, :state, :ctstate].each do |prop| + [:dport, :sport, :port, :state, :ctstate, :ctstatus].each do |prop| hash[prop] = hash[prop].split(',') unless hash[prop].nil? end @@ -607,6 +654,17 @@ [ :connmark, :ctstate, + :ctproto, + :ctorigsrc, + :ctorigdst, + :ctreplsrc, + :ctrepldst, + :ctorigsrcport, + :ctorigdstport, + :ctreplsrcport, + :ctrepldstport, + :ctstatus, + :ctexpire, :destination, :dport, :dst_range, @@ -646,6 +704,7 @@ # iptables-save and user supplied resources is consistent. hash[:state] = hash[:state].sort unless hash[:state].nil? hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil? + hash[:ctstatus] = hash[:ctstatus].sort unless hash[:ctstatus].nil? # This forces all existing, commentless rules or rules with invalid comments to be moved # to the bottom of the stack.
--- a/modules/firewall/lib/puppet/type/firewall.rb Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/lib/puppet/type/firewall.rb Wed Sep 23 20:43:20 2020 +0100 @@ -33,9 +33,10 @@ * ip6tables: Ip6tables type provider * Required binaries: ip6tables-save, ip6tables. - * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match, + * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, - ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss, + ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, + log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf. @@ -43,9 +44,10 @@ * Required binaries: iptables-save, iptables. * Default for kernel == linux. - * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match, + * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, - log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix, + log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, + mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. @@ -56,6 +58,8 @@ * connection_limiting: Connection limiting features. + * conntrack: Connection tracking features. + * dnat: Destination NATing. * hop_limiting: Hop limiting features. @@ -88,6 +92,12 @@ * log_uid: The ability to log the userid of the process which generated the packet. + * log_tcp_sequence: The ability to log TCP sequence numbers. + + * log_tcp_options: The ability to log TCP packet header. + + * log_ip_options: The ability to log IP/IPv6 packet header. + * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask. @@ -131,9 +141,12 @@ * ipvs: The ability to match IP Virtual Server packets. * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. + + * random_fully: The ability to use --random-fully flag. PUPPETCODE feature :connection_limiting, 'Connection limiting features.' + feature :conntrack, 'Connection tracking features.' feature :hop_limiting, 'Hop limiting features.' feature :rate_limiting, 'Rate limiting features.' feature :recent_limiting, 'The netfilter recent module' @@ -148,6 +161,9 @@ feature :log_level, 'The ability to control the log level' feature :log_prefix, 'The ability to add prefixes to log messages' feature :log_uid, 'Add UIDs to log messages' + feature :log_tcp_sequence, 'Add TCP sequence numbers to log messages' + feature :log_tcp_options, 'Add TCP packet header to log messages' + feature :log_ip_options, 'Add IP/IPv6 packet header to log messages' feature :mark, 'Match or Set the netfilter mark value associated with the packet' feature :mss, 'Match a given TCP MSS value or range.' feature :tcp_flags, 'The ability to match on particular TCP flag settings' @@ -176,6 +192,7 @@ feature :bpf, 'Berkeley Paket Filter feature' feature :ipvs, 'Packet belongs to an IP Virtual Server connection' feature :ct_target, 'The ability to set connection tracking parameters for a packet or its associated connection' + feature :random_fully, 'The ability to use --random-fully flag' # provider specific features feature :iptables, 'The provider provides iptables features.' @@ -606,6 +623,7 @@ * MASQUERADE * REDIRECT * MARK + * CT But any valid chain name is allowed. @@ -717,6 +735,17 @@ PUPPETCODE end + newproperty(:random_fully, required_features: :random_fully) do + desc <<-PUPPETCODE + When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" + this boolean will enable fully randomized port mapping. + + **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2 + PUPPETCODE + + newvalues(:true, :false) + end + newproperty(:random, required_features: :dnat) do desc <<-PUPPETCODE When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" @@ -760,6 +789,13 @@ When combined with jump => "LOG" specifies the log prefix to use when logging. PUPPETCODE + + munge do |value| + if value == '' + raise('log_prefix should not be an empty string') + end + value + end end newproperty(:log_uid, required_features: :log_uid) do @@ -771,6 +807,33 @@ newvalues(:true, :false) end + newproperty(:log_tcp_sequence, required_features: :log_tcp_sequence) do + desc <<-PUPPETCODE + When combined with jump => "LOG" enables logging of the TCP sequence + numbers. + PUPPETCODE + + newvalues(:true, :false) + end + + newproperty(:log_tcp_options, required_features: :log_tcp_options) do + desc <<-PUPPETCODE + When combined with jump => "LOG" logging of the TCP packet + header. + PUPPETCODE + + newvalues(:true, :false) + end + + newproperty(:log_ip_options, required_features: :log_ip_options) do + desc <<-PUPPETCODE + When combined with jump => "LOG" logging of the TCP IP/IPv6 + packet header. + PUPPETCODE + + newvalues(:true, :false) + end + newproperty(:nflog_group, required_features: :nflog_group) do desc <<-PUPPETCODE Used with the jump target NFLOG. @@ -910,7 +973,7 @@ end end - newproperty(:ctstate, array_matching: :all, required_features: :state_match) do + newproperty(:ctstate, array_matching: :all, required_features: :conntrack) do desc <<-PUPPETCODE Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be: @@ -920,9 +983,11 @@ * NEW * RELATED * UNTRACKED + * SNAT + * DNAT PUPPETCODE - newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED) + newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED, :SNAT, :DNAT) # States should always be sorted. This normalizes the resource states to # keep it consistent with the sorted result from iptables-save. @@ -940,6 +1005,286 @@ end end + newproperty(:ctproto, required_features: :conntrack) do + desc <<-PUPPETCODE + The specific layer-4 protocol number to match for this rule using the + conntrack module. + PUPPETCODE + newvalue(%r{^!?\s?\d+$}) + end + + newproperty(:ctorigsrc, required_features: :conntrack) do + desc <<-PUPPETCODE + The original source address using the conntrack module. For example: + + ctorigsrc => '192.168.2.0/24' + + You can also negate a mask by putting ! in front. For example: + + ctorigsrc => '! 192.168.2.0/24' + + The ctorigsrc can also be an IPv6 address if your provider supports it. + PUPPETCODE + + munge do |value| + case @resource[:provider] + when :iptables + protocol = :IPv4 + when :ip6tables + protocol = :IPv6 + else + raise('cannot work out protocol family') + end + + begin + @resource.host_to_mask(value, protocol) + if protocol == :IPv4 + value.chomp('/32') + elsif protocol == :IPv6 + value.chomp('/128') + end + rescue StandardError => e + raise("host_to_ip failed for #{value}, exception #{e}") + end + end + end + + newproperty(:ctorigdst, required_features: :conntrack) do + desc <<-PUPPETCODE + The original destination address using the conntrack module. For example: + + ctorigdst => '192.168.2.0/24' + + You can also negate a mask by putting ! in front. For example: + + ctorigdst => '! 192.168.2.0/24' + + The ctorigdst can also be an IPv6 address if your provider supports it. + PUPPETCODE + + munge do |value| + case @resource[:provider] + when :iptables + protocol = :IPv4 + when :ip6tables + protocol = :IPv6 + else + raise('cannot work out protocol family') + end + + begin + @resource.host_to_mask(value, protocol) + if protocol == :IPv4 + value.chomp('/32') + elsif protocol == :IPv6 + value.chomp('/128') + end + rescue StandardError => e + raise("host_to_ip failed for #{value}, exception #{e}") + end + end + end + + newproperty(:ctreplsrc, required_features: :conntrack) do + desc <<-PUPPETCODE + The reply source address using the conntrack module. For example: + + ctreplsrc => '192.168.2.0/24' + + You can also negate a mask by putting ! in front. For example: + + ctreplsrc => '! 192.168.2.0/24' + + The ctreplsrc can also be an IPv6 address if your provider supports it. + PUPPETCODE + + munge do |value| + case @resource[:provider] + when :iptables + protocol = :IPv4 + when :ip6tables + protocol = :IPv6 + else + raise('cannot work out protocol family') + end + + begin + @resource.host_to_mask(value, protocol) + if protocol == :IPv4 + value.chomp('/32') + elsif protocol == :IPv6 + value.chomp('/128') + end + rescue StandardError => e + raise("host_to_ip failed for #{value}, exception #{e}") + end + end + end + + newproperty(:ctrepldst, required_features: :conntrack) do + desc <<-PUPPETCODE + The reply destination address using the conntrack module. For example: + + ctrepldst => '192.168.2.0/24' + + You can also negate a mask by putting ! in front. For example: + + ctrepldst => '! 192.168.2.0/24' + + The ctrepldst can also be an IPv6 address if your provider supports it. + PUPPETCODE + + munge do |value| + case @resource[:provider] + when :iptables + protocol = :IPv4 + when :ip6tables + protocol = :IPv6 + else + raise('cannot work out protocol family') + end + + begin + @resource.host_to_mask(value, protocol) + if protocol == :IPv4 + value.chomp('/32') + elsif protocol == :IPv6 + value.chomp('/128') + end + rescue StandardError => e + raise("host_to_ip failed for #{value}, exception #{e}") + end + end + end + + newproperty(:ctorigsrcport, required_features: :conntrack) do + desc <<-PUPPETCODE + The original source port to match for this filter using the conntrack module. + For example: + + ctorigsrcport => '80' + + You can also specify a port range: For example: + + ctorigsrcport => '80:81' + + You can also negate a port by putting ! in front. For example: + + ctorigsrcport => '! 80' + + PUPPETCODE + newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) + end + + newproperty(:ctorigdstport, required_features: :conntrack) do + desc <<-PUPPETCODE + The original destination port to match for this filter using the conntrack module. + For example: + + ctorigdstport => '80' + + You can also specify a port range: For example: + + ctorigdstport => '80:81' + + You can also negate a port by putting ! in front. For example: + + ctorigdstport => '! 80' + + PUPPETCODE + newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) + end + + newproperty(:ctreplsrcport, required_features: :conntrack) do + desc <<-PUPPETCODE + The reply source port to match for this filter using the conntrack module. + For example: + + ctreplsrcport => '80' + + You can also specify a port range: For example: + + ctreplsrcport => '80:81' + + You can also negate a port by putting ! in front. For example: + + ctreplsrcport => '! 80' + + PUPPETCODE + newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) + end + + newproperty(:ctrepldstport, required_features: :conntrack) do + desc <<-PUPPETCODE + The reply destination port to match for this filter using the conntrack module. + For example: + + ctrepldstport => '80' + + You can also specify a port range: For example: + + ctrepldstport => '80:81' + + You can also negate a port by putting ! in front. For example: + + ctrepldstport => '! 80' + + PUPPETCODE + newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) + end + + newproperty(:ctstatus, array_matching: :all, required_features: :conntrack) do + desc <<-PUPPETCODE + Matches a packet based on its status using the conntrack module. Values can be: + + * EXPECTED + * SEEN_REPLY + * ASSURED + * CONFIRMED + PUPPETCODE + + newvalues(:NONE, :EXPECTED, :SEEN_REPLY, :ASSURED, :CONFIRMED) + + # Statuses should always be sorted. This normalizes the resource status to + # keep it consistent with the sorted result from iptables-save. + def should=(values) + @should = super(values).sort_by { |sym| sym.to_s } + end + + def to_s?(value) + should_to_s(value) + end + + def should_to_s(value) + value = [value] unless value.is_a?(Array) + value.join(',') + end + end + + newproperty(:ctexpire, required_features: :conntrack) do + desc <<-PUPPETCODE + Matches a packet based on lifetime remaining in seconds or range of values + using the conntrack module. For example: + + ctexpire => '100:150' + + PUPPETCODE + newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) + end + + newproperty(:ctdir, required_features: :conntrack) do + desc <<-PUPPETCODE + Matches a packet that is flowing in the specified direction using the + conntrack module. If this flag is not specified at all, matches packets + in both directions. Values can be: + + * REPLY + * ORIGINAL + PUPPETCODE + + newvalues(:REPLY, :ORIGINAL) + end + # Connection mark newproperty(:connmark, required_features: :mark) do desc <<-PUPPETCODE @@ -1332,6 +1677,17 @@ newvalues(:true, :false) end + newproperty(:rpfilter, required_features: :rpfilter) do + desc <<-PUPPETCODE + Enable the rpfilter module. + PUPPETCODE + + newvalues(:loose, :validmark, :'accept-local', :invert) + munge do |value| + _value = '--' + value + end + end + newproperty(:socket, required_features: :socket) do desc <<-PUPPETCODE If true, matches if an open socket can be found by doing a coket lookup @@ -1712,6 +2068,16 @@ end end + newproperty(:string_hex) do + desc <<-PUPPETCODE + String matching feature. Matches the package against the hex pattern + given as an argument. + PUPPETCODE + munge do |value| + _value = value.delete(' ') + end + end + newproperty(:string_algo, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature, pattern matching strategy. @@ -1865,6 +2231,27 @@ PUPPETCODE end + newproperty(:helper, required_features: :ct_target) do + desc <<-PUPPETCODE + Invoke the nf_conntrack_xxx helper module for this packet. + PUPPETCODE + end + + newproperty(:cgroup) do + desc <<-PUPPETCODE + Matches against the net_cls cgroup ID of the packet. + PUPPETCODE + end + + newproperty(:notrack, required_features: :ct_target) do + # use this parameter with latest version of iptables + desc <<-PUPPETCODE + Invoke the disable connection tracking for this packet. + This parameter can be used with iptables version >= 1.8.3 + PUPPETCODE + newvalues(:true, :false) + end + autorequire(:firewallchain) do reqs = [] protocol = nil @@ -2018,9 +2405,10 @@ end end - if value(:log_prefix) || value(:log_level) || value(:log_uid) + if value(:log_prefix) || value(:log_level) || value(:log_uid) || + value(:log_tcp_sequence) || value(:log_tcp_options) || value(:log_ip_options) == :true unless value(:jump).to_s == 'LOG' - raise 'Parameter log_prefix, log_level and log_uid require jump => LOG' + raise 'Parameter log_prefix, log_level, log_tcp_sequence, log_tcp_options, log_ip_options and log_uid require jump => LOG' end end @@ -2058,13 +2446,13 @@ raise "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'" end - if value(:checksum_fill) + if value(:checksum_fill) == :true unless value(:jump).to_s == 'CHECKSUM' && value(:table).to_s == 'mangle' raise 'Parameter checksum_fill requires jump => CHECKSUM and table => mangle' end end - if value(:queue_num) || value(:queue_bypass) + if value(:queue_num) || value(:queue_bypass) == :true unless value(:jump).to_s == 'NFQUEUE' raise 'Paramter queue_number and queue_bypass require jump => NFQUEUE' end @@ -2082,6 +2470,18 @@ end end + if value(:helper) + unless value(:jump).to_s == 'CT' + raise 'Parameter helper requires jump => CT' + end + end + + if value(:notrack) + unless value(:jump).to_s == 'CT' + raise 'Parameter notrack requires jump => CT' + end + end + if value(:jump).to_s == 'CT' unless value(:table).to_s =~ %r{raw} raise 'Parameter jump => CT only applies to table => raw'
--- a/modules/firewall/lib/puppet/util/firewall.rb Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/lib/puppet/util/firewall.rb Wed Sep 23 20:43:20 2020 +0100 @@ -47,8 +47,7 @@ # Convert log_level names to their respective numbers def log_level_name_to_number(value) - # TODO: make this 0-7 only - if value =~ %r{\d} + if value =~ %r{\A[0-7]\z} value else case value @@ -183,8 +182,9 @@ if os_key == 'Debian' # We need to call flush to clear Facter cache as it's possible the cached value will be nil due to the fact # that the iptables-persistent package was potentially installed after the initial Fact gathering. - Facter.fact(:iptables_persistent_version).flush - persist_ver = Facter.value(:iptables_persistent_version) + fact = Facter.fact(:iptables_persistent_version) + fact.flush if fact.respond_to?(:flush) + persist_ver = fact.value if persist_ver && Puppet::Util::Package.versioncmp(persist_ver, '0.5.0') < 0 os_key = 'Debian_manual' end
--- a/modules/firewall/metadata.json Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/metadata.json Wed Sep 23 20:43:20 2020 +0100 @@ -1,6 +1,6 @@ { "name": "puppetlabs-firewall", - "version": "2.2.0", + "version": "2.5.0", "author": "puppetlabs", "summary": "Manages Firewalls such as iptables", "license": "Apache-2.0", @@ -67,7 +67,8 @@ "operatingsystemrelease": [ "14.04", "16.04", - "18.04" + "18.04", + "20.04" ] } ], @@ -78,6 +79,6 @@ } ], "template-url": "https://github.com/puppetlabs/pdk-templates#master", - "template-ref": "heads/master-0-g643529a", - "pdk-version": "1.14.1" + "template-ref": "heads/master-0-g88b05c7", + "pdk-version": "1.17.0" }
--- a/modules/firewall/provision.yaml Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/firewall/provision.yaml Wed Sep 23 20:43:20 2020 +0100 @@ -1,16 +1,28 @@ --- default: provisioner: docker - images: ['waffleimage/centos7'] -waffle_deb: - provisioner: docker_exp - images: ['waffleimage/debian8', 'waffleimage/debian9', 'waffleimage/ubuntu14.04', 'waffleimage/ubuntu16.04', 'waffleimage/ubuntu18.04'] -waffle_el: - provisioner: docker - images: ['waffleimage/centos7'] + images: ['litmusimage/centos:7'] vagrant: provisioner: vagrant images: ['centos/7', 'generic/ubuntu1804'] -release_checks: - provisioner: vmpooler - images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-11-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64'] +travis_deb: + provisioner: docker + images: ['litmusimage/debian:8', 'litmusimage/debian:9'] # 'litmusimage/debian10' removed due to failures present only on Docker +travis_ub_5: + provisioner: docker + images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04'] +travis_ub_6: + provisioner: docker + images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04', 'litmusimage/ubuntu:20.04'] +travis_el6: + provisioner: docker + images: [] +travis_el7: + provisioner: docker + images: ['litmusimage/centos:7'] +release_checks_5: + provisioner: abs + images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64'] +release_checks_6: + provisioner: abs + images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64', 'ubuntu-2004-x86_64']
--- a/modules/my_fw/manifests/pre.pp Mon Jul 20 11:19:52 2020 +0100 +++ b/modules/my_fw/manifests/pre.pp Wed Sep 23 20:43:20 2020 +0100 @@ -22,7 +22,7 @@ destination => $localhost, action => 'reject', } -> - firewall { '003 accept related established rules': + firewall { '005 accept related established rules': proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept',