path: root/manifests
Age | Commit message | Author
2020-06-25 | use verbose multiport syntax for better compat | Thore Bödecker
    The dports/sports shortcut is only supported starting with ferm v2.5, which was released very recently. In order to support a wider range of distributions and ferm versions, this commit switches to the more verbose version of the multiport features.
2020-06-22 | implement multiport support for dport/sport | Thore Bödecker
2020-05-18 | add install_method parameter | Fabien COMBERNOUS
2020-05-07 | Allow adding custom ferm dsl for subchains. This is important for using complex iptable rules that are currently not supported by this module or would be very hard to manage just using puppet. | Rehan Mahmood
2020-05-06 | Ubuntu/Debian: Notify service on config changes | Tim Meusel
    Without this change it's possible that we try to start the service and afterwards modify the Debian/Ubuntu-specific config file that otherwise prevents the service from starting.
2020-04-21 | by default don't log dropped packets | Tim Meusel
2020-04-21 | make dropping of packets marked as invalid optional | Tim Meusel
2020-04-21 | use dedicated conntrack parameters | Fabien COMBERNOUS
2020-04-09 | cleanup puppet-strings documentation | Tim Meusel
2019-10-29 | revert PR81 | Fabien COMBERNOUS
2019-10-08 | ipset: allow multiple instances of defined resource | Tim Meusel
2019-10-01 | implement ipset support | Tim Meusel
2019-10-01 | Merge pull request #84 from bastelfreak/docs4 | Tim Meusel
    update docker firewalling example
2019-10-01 | update docker firewalling example | Tim Meusel
2019-10-01 | disable conntrack filtering in FORWARD/OUTPUT | Thore Bödecker
    conntrack filtering basically doesn't work in those chains, so we need to disable it.
2019-09-18 | move common from hiera data values to init.pp | Fabien COMBERNOUS
2019-09-13 | fix kernel incompatibilities | Thore Bödecker
    Certain kernel modules, and thus iptables functionality, were introduced in later releases, so we need to properly reflect that in our default chain initialization procedure.
    The `INPUT` chain for the `nat` table was introduced with 2.6.36.
    The `ip6table_nat` kernel module for NAT functionality with IPv6 was introduced with 3.17.
    This commit implements the required conditional constraints and includes the rspec tests to validate it.
2019-09-13 | enhance puppet-strings documentation | Tim Meusel
2019-09-12 | readd Debian 9/10 support | Tim Meusel
2019-09-12 | Merge pull request #68 from foxxx0/collect-chains-from-hiera | Tim Meusel
    expose parameter to initialize custom chains
2019-09-11 | expose parameter to initialize custom chains | Thore Bödecker
    Previously it was not possible to define custom chains with a parameter, e.g. in order to collect them from hiera. This commit adds this functionality, just like it was already in place for ferm::rules.
2019-09-11 | allow using an array for $proto | Thore Bödecker
    This enables defining ferm::rule with multiple protocols at once, because using 'all' for $proto does not allow using $dport/$sport.
2019-09-11 | add ability to define rules in tables != filter | Thore Bödecker
    Previously it was neither possible to properly define custom chains nor to define rules in tables other than the default filter table. For various legitimate reasons it can be required to define rules in the raw, nat or mangle tables, e.g. to use NOTRACK or to configure DNAT/SNAT/MASQUERADE. Additionally it might come in handy to define custom chains to group certain rules and allow a more efficient evaluation for incoming packets by not cramming all rules into the filter/INPUT chain so that (worst-case) all packets need to traverse and evaluate all rules.
    I have tried to maintain backwards compatibility and to not change default filenames/paths so that it won't result in leftover obsolete unmanaged files from previous versions of this module.
    In order to improve the naming schema the rule $policy has been renamed to $action; however, both parameters are available and optional now, with some sanity checks that require at most one of them and issuing a warning() for users of the now deprecated $policy parameter.
    All previous tests have been adapted to the changes, along with an additional set of tests for the new feature.
    Fixes #61
2019-09-02 | allow preserving of chains in tables | Thore Bödecker
2019-09-01 | Add Debian 10 support & make configdirectory configurable | Tim Meusel
2019-08-08 | allow arrays for saddr and daddr | Kilian Engelhardt
    check for data type IP address when using arrays
    add debug output when it's failing
2019-07-11 | add support for interface specific rules | Tim Meusel
2019-04-05 | add parameter manage_initfile with default false | Kilian Engelhardt
2019-04-05 | install init script for RedHat-like OS | Kilian Engelhardt
2019-03-06 | enhance type validation; require stdlib 4.25.0 | Tim Meusel
    This isn't a breaking change. Now puppet just stops accepting values that the underlying software (ferm) doesn't accept.
2019-01-24 | permit to choose ipv4, ipv6 or both | Fabien COMBERNOUS
2018-12-19 | Simplify puppet-strings documentation | Tim Meusel
2018-12-19 | Add puppet-strings docs for ferm::rule | Tim Meusel
2018-12-19 | Implement logging to kernel log | Tim Meusel
2018-07-13 | add proto_options to enable usage of icmp types | Kilian Engelhardt
2018-07-11 | disable rule caching on ubuntu | Tim Meusel
    Fixes #16. Ubuntu caches rules. This doesn't allow us to reload the daemon and to apply new rules. Also, this is an Ubuntu-only feature; it works well on all other platforms without cache.
2018-03-17 | introduce parameter disable_conntrack | Kilian Engelhardt
    Default value of disable_conntrack is 'false'. Existing installations are not affected by this change.
2018-03-15 | initial commit | Tim Meusel