Age | Commit message (Collapse) | Author |
|
|
|
|
|
- implement validations for port ranges
- add test cases for these scenarios
|
|
The dports/sports shortcut is only supported starting with ferm v2.5 which
was released very recently.
In order to support a wider range of distributions and ferm versions,
this commits switches to the more verbose version of the multiport
features.
|
|
|
|
|
|
complex iptable rules that are currently not supported by this module or would be very hard to manage just using puppet.
|
|
Without this change it's possible that we try to start the service and
afterwards modify the debian/ubuntu specifc config file that otherwise
prevents the service from starting.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
update docker firewalling example
|
|
|
|
conntrack filtering basically doesn't work in those chains, so we need
to disable it.
|
|
|
|
Certain kernel modules and thus iptables functionality was introduced at
later releases, so we need to properly reflect that in our default chain
initialization procedure.
`INPUT` chain for `nat` table was introduced with 2.6.36
`ip6table_nat` kernel module for NAT functionality with IPv6 was
introduced with 3.17
This commit implements the required conditional constraints and includes
the rspec tests to validate it.
|
|
|
|
|
|
expose parameter to initialize custom chains
|
|
Previously it was not possible to define custom chains with parameter,
e.g. in order to collect them from hiera.
This commit adds this functionality, just like it was already in place for
ferm::rules.
|
|
This enables defining ferm::rule with multiple protocols at once,
because using 'all' for $proto does not allow using $dport/$sport.
|
|
Previously it was neither possible to properly define custom chains nor
to define rules in tables other than the default filter table.
For various legitimate reasons it can be required to define rules in the
raw, nat or mangle tables, e.g. to use NOTRACK or to configure
DNAT/SNAT/MASQUERADE.
Additionally it might come in handy to define custom chains to group
certain rules and allow a more efficient evaluation for incoming packets
by not cramming all rules into the filter/INPUT chain so that
(worst-case) all packets need to traverse and evaluate all rules.
I have tried to maintain backwards compatibility and to not change
default filenames/paths so that it won't result in leftover obsolete unmaged
files from previous versions of this module.
In order to improve the naming schema the rule $policy has been renamed
to $action, however both parameters are available and optional now, with
some sanity checks that require at most one of them and issueing a
warning() for users of the now deprecated $policy parameter.
All previous tests have been adapted to the changes, a long with an
additional set of tests for the new feature.
Fixes #61
|
|
|
|
|
|
check for data type IP address when using arrays
add debug output when it's failing
|
|
|
|
|
|
|
|
This isn't a breaking change. Now puppet just stops accepting values
that the underlying software (ferm) doesn't accept.
|
|
|
|
|
|
|
|
|
|
|
|
Fixes #16. Ubuntu caches rules. This doesn't allow us to reload the
daemon and to apply new rules. Also this is a ubuntu only feature, it
works well on all other platforms without cache.
|
|
Default value of disable_conntrack is 'false'. Existing installations
are not affected by this change.
|
|
|