Age         Commit message  (Author)
2019-10-01  implement ipset support  (Tim Meusel)
2019-10-01  Merge pull request #84 from bastelfreak/docs4  (Tim Meusel)
            update docker firewalling example
2019-10-01  Merge pull request #81 from bastelfreak/hotifx  (Tim Meusel)
            disable conntrack filtering in FORWARD/OUTPUT
2019-10-01  update docker firewalling example  (Tim Meusel)
2019-10-01  disable conntrack filtering in FORWARD/OUTPUT  (Thore Bödecker)
            conntrack filtering basically doesn't work in those chains, so we need to disable it.
2019-10-01  Merge pull request #83 from bastelfreak/docs3  (Tim Meusel)
            delete legacy docs/ folder
2019-10-01  delete legacy docs/ folder  (Tim Meusel)
            We now have a REFERENCE.md in the repository. We don't need the docs/ folder anymore.
2019-09-21  Merge pull request #75 from Dan33l/move_common_init  (Tim Meusel)
            move common from hiera data values to init.pp
2019-09-18  move common from hiera data values to init.pp  (Fabien COMBERNOUS)
2019-09-13  [blacksmith] Bump version to 2.5.1-rc0  (Tim Meusel)
2019-09-13  Merge pull request #70 from Dan33l/release-2.5.0  (Tim Meusel)
            release 2.5.0
2019-09-13  release 2.5.0  (Fabien COMBERNOUS)
2019-09-13  Merge pull request #73 from foxxx0/add-more-examples  (Fabien COMBERNOUS)
            Add more examples
2019-09-13  Merge pull request #72 from foxxx0/fix-kernel-incompatibilities  (Tim Meusel)
            fix kernel incompatibilities
2019-09-13  add conntrack/NOTRACK example  (Thore Bödecker)
2019-09-13  fix kernel incompatibilities  (Thore Bödecker)
            Certain kernel modules and thus iptables functionality were introduced in later releases, so we need to properly reflect that in our default chain initialization procedure.

            `INPUT` chain for `nat` table was introduced with 2.6.36
            `ip6table_nat` kernel module for NAT functionality with IPv6 was introduced with 3.17

            This commit implements the required conditional constraints and includes the rspec tests to validate it.
2019-09-13  Merge pull request #71 from bastelfreak/docs2  (Tim Meusel)
            enhance puppet-strings documentation
2019-09-13  enhance puppet-strings documentation  (Tim Meusel)
2019-09-12  Merge pull request #69 from bastelfreak/debian  (Fabien COMBERNOUS)
            readd Debian 9/10 support
2019-09-12  readd Debian 9/10 support  (Tim Meusel)
2019-09-12  Merge pull request #68 from foxxx0/collect-chains-from-hiera  (Tim Meusel)
            expose parameter to initialize custom chains
2019-09-12  Merge pull request #67 from foxxx0/allow-proto-array  (Tim Meusel)
            allow using an array for $proto
2019-09-11  expose parameter to initialize custom chains  (Thore Bödecker)
            Previously it was not possible to define custom chains with a parameter, e.g. in order to collect them from hiera. This commit adds this functionality, just like it was already in place for ferm::rules.
2019-09-11  allow using an array for $proto  (Thore Bödecker)
            This enables defining ferm::rule with multiple protocols at once, because using 'all' for $proto does not allow using $dport/$sport.
2019-09-11  Merge pull request #58 from voxpupuli/multi-table-support  (Tim Meusel)
            add ability to configure rules in tables other than the default "filter" table
2019-09-11  add ability to define rules in tables != filter  (Thore Bödecker)
            Previously it was neither possible to properly define custom chains nor to define rules in tables other than the default filter table. For various legitimate reasons it can be required to define rules in the raw, nat or mangle tables, e.g. to use NOTRACK or to configure DNAT/SNAT/MASQUERADE. Additionally it might come in handy to define custom chains to group certain rules and allow a more efficient evaluation for incoming packets by not cramming all rules into the filter/INPUT chain so that (worst-case) all packets need to traverse and evaluate all rules.

            I have tried to maintain backwards compatibility and to not change default filenames/paths so that it won't result in leftover obsolete unmanaged files from previous versions of this module.

            In order to improve the naming schema the rule $policy has been renamed to $action; however, both parameters are available and optional now, with some sanity checks that require at most one of them and issuing a warning() for users of the now deprecated $policy parameter.

            All previous tests have been adapted to the changes, along with an additional set of tests for the new feature.

            Fixes #61
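The following manifest is an added example written for this page, not code from the puppet-ferm module or from the commit above. It puts the features described in the multi-table, custom-chain, `$proto`-array and kernel-incompatibility entries next to each other: a NOTRACK rule in the raw table, a MASQUERADE rule in the nat table, a nat INPUT chain that is only managed on kernels that have one, and a filter rule that passes arrays for `$proto` and `$saddr`. The class name `profile::firewall`, the sample networks and the interface name are constructed; the define names (`ferm::chain`, `ferm::rule`) and the parameter names (`table`, `chain`, `action`, `proto`, `dport`, `saddr`, `outerface`, `policy`) are assumed from the commit messages on this page, so check them against the module's REFERENCE.md for the version you deploy.

```puppet
# Added example, not the puppet-ferm module's own code. Define and parameter
# names are assumed from the commit log; verify against REFERENCE.md.
class profile::firewall (
  # constructed sample data, not addresses taken from the page
  Array[Stdlib::IP::Address::V4::CIDR] $admin_nets = ['192.0.2.0/24', '198.51.100.0/24'],
  String[1]                            $wan_if     = 'eth0',
) {
  include ferm

  # raw table: exempt DNS from connection tracking. NOTRACK only makes sense in
  # the raw table's PREROUTING/OUTPUT chains, which is why a table parameter is
  # needed at all.
  ferm::rule { 'notrack-dns':
    table  => 'raw',
    chain  => 'PREROUTING',
    proto  => 'udp',
    dport  => '53',
    action => 'NOTRACK',
  }

  # nat table: masquerade everything leaving through the WAN interface.
  ferm::rule { 'masquerade-wan':
    table     => 'nat',
    chain     => 'POSTROUTING',
    outerface => $wan_if,
    action    => 'MASQUERADE',
  }

  # The nat table only has an INPUT chain on kernels >= 2.6.36. Guarding the
  # chain declaration keeps ferm from failing to load on older hosts instead of
  # shipping a config that cannot be applied (a firewall that never loads is an
  # open firewall on a host with no other default policy).
  if versioncmp($facts['kernelversion'], '2.6.36') >= 0 {
    ferm::chain { 'nat-INPUT':
      table  => 'nat',
      chain  => 'INPUT',
      policy => 'ACCEPT',
    }
  }

  # filter table: one rule for several protocols and several source networks.
  # Arrays instead of proto => 'all' keep dport usable, and the define wraps the
  # address list in the parentheses ferm expects, so Hiera can hold plain CIDRs
  # rather than pre-formatted '( a/32 b/32 )' strings.
  ferm::rule { 'admin-dns':
    chain  => 'INPUT',
    proto  => ['tcp', 'udp'],
    dport  => '53',
    saddr  => $admin_nets,
    action => 'ACCEPT',
  }
}
```

With this layout the admin networks can be overridden per environment through Hiera (`profile::firewall::admin_nets`) as a YAML list, and the generated ferm config keeps the raw, nat and filter rules in their own tables, so a rule meant for NOTRACK or MASQUERADE can no longer silently land in `filter/INPUT`.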
2019-09-09  Merge pull request #59 from Dan33l/enable_acceptance  (Fabien COMBERNOUS)
            enable acceptance and drop EOL ubuntu1404
2019-09-09  enable acceptance  (Fabien COMBERNOUS)
2019-09-09  drop EOL ubuntu1404  (Fabien COMBERNOUS)
2019-09-09  Merge pull request #65 from Dan33l/status_option  (Tim Meusel)
            add missing status option for CentOS 6 init script
2019-09-09  add status option  (Fabien COMBERNOUS)
2019-09-09  Merge pull request #62 from Dan33l/drop_debian_from_supported_oses  (Tim Meusel)
            drop Debian from supported OSes
2019-09-09  drop Debian from supported OSes  (Fabien COMBERNOUS)
2019-09-02  [blacksmith] Bump version to 2.4.1-rc0  (Tim Meusel)
2019-09-02  Merge pull request #56 from bastelfreak/rel240  (Tim Meusel)
            release 2.4.0
2019-09-02  release 2.4.0  (Tim Meusel)
2019-09-02  Merge pull request #55 from bastelfreak/chains  (Tim Meusel)
            allow preserving of chains in tables
2019-09-02  allow preserving of chains in tables  (Thore Bödecker)
2019-09-01  Merge pull request #54 from bastelfreak/debian10  (Tim Meusel)
            Add Debian 10 support & make config directory configurable
2019-09-01  Add Debian 10 support & make config directory configurable  (Tim Meusel)
2019-08-31  Merge pull request #52 from bastelfreak/docs  (David Hollinger III)
            allow all supported iptables protocols & enhance puppet-strings documentation
2019-08-31  Merge pull request #53 from bastelfreak/freebsd  (David Hollinger III)
            remove FreeBSD from supported OS list
2019-08-31  remove FreeBSD from supported OS list  (Tim Meusel)
            This module only works on systems with a Linux kernel and iptables.
2019-08-31  enhance puppet-strings documentation  (Tim Meusel)
2019-08-31  allow all supported iptables protocols  (Tim Meusel)
2019-08-12  Merge pull request #51 from kBite/allow-array-for-saddr-daddr  (Tim Meusel)
            Allow array for saddr and daddr
2019-08-09  Update README.md  (kBite)
            add missing 'a'
            Co-Authored-By: Tim Meusel <tim@bastelfreak.de>
2019-08-09  add second pair of parentheses  (Kilian Engelhardt)
            Previously this second pair of parentheses was part of Hiera values, e.g.: subnet01 = '( ip01/32 ip02/32 )'. Now it needs to be added by ferm::rule.
2019-08-09  add test for array support  (Kilian Engelhardt)
2019-08-09  add example using Hiera subnet variables to README.md  (Kilian Engelhardt)