diff --git a/README.markdown b/README.markdown
diff --git a/README.md b/README.md
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -123,7 +123,7 @@ installed.
   * ip6tables: Ip6tables type provider
 
     * Required binaries: ip6tables-save, ip6tables.
-    * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
+    * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match,
     interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
     ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
     owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
@@ -133,7 +133,7 @@ installed.
 
     * Required binaries: iptables-save, iptables.
     * Default for kernel == linux.
-    * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
+    * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match,
     interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
     log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
     nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
@@ -146,6 +146,8 @@ installed.
 
   * connection_limiting: Connection limiting features.
 
+  * conntrack: Connection tracking features.
+
   * dnat: Destination NATing.
 
   * hop_limiting: Hop limiting features.
@@ -222,6 +224,8 @@ installed.
 
   * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
 
+  * random_fully: The ability to use --random-fully flag.
+
 #### Properties
 
 The following properties are available in the `firewall` type.
@@ -489,6 +493,7 @@ The value for the iptables --jump parameter. Normal values are:
 * MASQUERADE
 * REDIRECT
 * MARK
+* CT
 
 But any valid chain name is allowed.
 
@@ -550,6 +555,15 @@ For DNAT this is the port that will replace the destination port.
 
 For NETMAP this will replace the destination IP
 
+##### `random_fully`
+
+Valid values: `true`, `false`
+
+When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+this boolean will enable fully randomized port mapping.
+
+**NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
+
 ##### `random`
 
 Valid values: `true`, `false`
@@ -628,7 +642,7 @@ table. Values can be:
 
 ##### `ctstate`
 
-Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
+Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT, DNAT
 
 Matches a packet based on its state in the firewall stateful inspection
 table, using the conntrack module. Values can be:
@@ -638,6 +652,162 @@ table, using the conntrack module. Values can be:
 * NEW
 * RELATED
 * UNTRACKED
+* SNAT
+* DNAT
+
+##### `ctproto`
+
+Valid values: %r{^!?\s?\d+$}
+
+The specific layer-4 protocol number to match for this rule using the
+conntrack module.
+
+##### `ctorigsrc`
+
+The original source address using the conntrack module. For example:
+
+    ctorigsrc => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+    ctorigsrc => '! 192.168.2.0/24'
+
+The ctorigsrc can also be an IPv6 address if your provider supports it.
+
+##### `ctorigdst`
+
+The original destination address using the conntrack module. For example:
+
+    ctorigdst => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+    ctorigdst => '! 192.168.2.0/24'
+
+The ctorigdst can also be an IPv6 address if your provider supports it.
+
+##### `ctreplsrc`
+
+The reply source address using the conntrack module. For example:
+
+    ctreplsrc => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+    ctreplsrc => '! 192.168.2.0/24'
+
+The ctreplsrc can also be an IPv6 address if your provider supports it.
+
+##### `ctrepldst`
+
+The reply destination address using the conntrack module. For example:
+
+    ctrepldst => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+    ctrepldst => '! 192.168.2.0/24'
+
+The ctrepldst can also be an IPv6 address if your provider supports it.
+
+##### `ctorigsrcport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The original source port to match for this filter using the conntrack module.
+For example:
+
+    ctorigsrcport => '80'
+
+You can also specify a port range: For example:
+
+    ctorigsrcport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+    ctorigsrcport => '! 80'
+
+##### `ctorigdstport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The original destination port to match for this filter using the conntrack module.
+For example:
+
+    ctorigdstport => '80'
+
+You can also specify a port range: For example:
+
+    ctorigdstport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+    ctorigdstport => '! 80'
+
+##### `ctreplsrcport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The reply source port to match for this filter using the conntrack module.
+For example:
+
+    ctreplsrcport => '80'
+
+You can also specify a port range: For example:
+
+    ctreplsrcport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+    ctreplsrcport => '! 80'
+
+##### `ctrepldstport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The reply destination port to match for this filter using the conntrack module.
+For example:
+
+    ctrepldstport => '80'
+
+You can also specify a port range: For example:
+
+    ctrepldstport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+    ctrepldstport => '! 80'
+
+##### `ctstatus`
+
+Valid values: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED
+
+Matches a packet based on its status using the conntrack module. Values can be:
+
+* EXPECTED
+* SEEN_REPLY
+* ASSURED
+* CONFIRMED
+
+##### `ctexpire`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+Matches a packet based on lifetime remaining in seconds or range of values
+using the conntrack module. For example:
+
+    ctexpire => '100:150'
+
+##### `ctdir`
+
+Valid values: REPLY, ORIGINAL
+
+Matches a packet that is flowing in the specified direction using the
+conntrack module. If this flag is not specified at all, matches packets
+in both directions. Values can be:
+
+* REPLY
+* ORIGINAL
 
 ##### `connmark`
 
@@ -816,6 +986,12 @@ This may be useful if you have problems with people faking their source
 address in order to DoS you via this module by disallowing others access
 to your site by sending bogus packets to you.  Must be boolean true.
 
+##### `rpfilter`
+
+Valid values: loose, validmark, accept-local, invert
+
+Enable the rpfilter module.
+
 ##### `socket`
 
 Valid values: `true`, `false`
@@ -1026,6 +1202,11 @@ Sets the length of layer-3 payload to match.
 String matching feature. Matches the packet against the pattern
 given as an argument.
 
+##### `string_hex`
+
+String matching feature. Matches the package against the hex pattern
+given as an argument.
+
 ##### `string_algo`
 
 Valid values: bm, kmp
@@ -1131,6 +1312,10 @@ Indicates that the current packet belongs to an IPVS connection.
 
 Assign this packet to zone id and only have lookups done in that zone.
 
+##### `helper`
+
+Invoke the nf_conntrack_xxx helper module for this packet.
+
 #### Parameters
 
 The following parameters are available in the `firewall` type.

diff --git a/Rakefile b/Rakefile
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any?
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-syntax/tasks/puppet-syntax'

diff --git a/distelli-manifest.yml b/distelli-manifest.yml
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -3,6 +3,7 @@
 
   has_feature :iptables
   has_feature :connection_limiting
+  has_feature :conntrack
   has_feature :hop_limiting
   has_feature :rate_limiting
   has_feature :recent_limiting
@@ -35,6 +36,7 @@
   has_feature :queue_num
   has_feature :queue_bypass
   has_feature :ct_target
+  has_feature :rpfilter
 
   optional_commands(ip6tables: 'ip6tables',
                     ip6tables_save: 'ip6tables-save')
@@ -48,6 +50,12 @@
                 '--set-xmark'
               end
 
+  kernelversion = Facter.value('kernelversion')
+  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
+     (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
+    has_feature :random_fully
+  end
+
   def initialize(*args)
     ip6tables_version = Facter.value('ip6tables_version')
     raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
@@ -71,7 +79,19 @@ def self.iptables_save(*args)
     connlimit_above: '-m connlimit --connlimit-above',
     connlimit_mask: '--connlimit-mask',
     connmark: '-m connmark --mark',
-    ctstate: '-m conntrack --ctstate',
+    ctstate: '--ctstate',
+    ctproto: '--ctproto',
+    ctorigsrc: '--ctorigsrc',
+    ctorigdst: '--ctorigdst',
+    ctreplsrc: '--ctreplsrc',
+    ctrepldst: '--ctrepldst',
+    ctorigsrcport: '--ctorigsrcport',
+    ctorigdstport: '--ctorigdstport',
+    ctreplsrcport: '--ctreplsrcport',
+    ctrepldstport: '--ctrepldstport',
+    ctstatus: '--ctstatus',
+    ctexpire: '--ctexpire',
+    ctdir: '--ctdir',
     destination: '-d',
     dport: ['-m multiport --dports', '--dport'],
     dst_range: '--dst-range',
@@ -111,6 +131,7 @@ def self.iptables_save(*args)
     reject: '--reject-with',
     rhitcount: '--hitcount',
     rname: '--name',
+    rpfilter: '-m rpfilter',
     rseconds: '--seconds',
     rsource: '--rsource',
     rttl: '--rttl',
@@ -166,6 +187,7 @@ def self.iptables_save(*args)
     hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
     bytecode: '-m bpf --bytecode',
     zone: '--zone',
+    helper: '--helper',
   }
 
   # These are known booleans that do not take a value, but we want to munge
@@ -180,6 +202,7 @@ def self.iptables_save(*args)
     :rsource,
     :rdest,
     :reap,
+    :rpfilter,
     :rttl,
     :socket,
     :physdev_is_bridged,
@@ -207,6 +230,8 @@ def self.iptables_save(*args)
     addrtype: [:src_type, :dst_type],
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
+    conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
+                :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
     geoip: [:src_cc, :dst_cc],
     hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask,
@@ -253,12 +278,14 @@ def self.iptables_save(*args)
                     :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
                     :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
                     :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
-                    :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
+                    :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
+                    :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir,
+                    :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
                     :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
                     :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
                     :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
                     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
                     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
                     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-                    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
+                    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -8,6 +8,7 @@
 
   has_feature :iptables
   has_feature :connection_limiting
+  has_feature :conntrack
   has_feature :rate_limiting
   has_feature :recent_limiting
   has_feature :snat
@@ -44,6 +45,7 @@
   has_feature :queue_bypass
   has_feature :ipvs
   has_feature :ct_target
+  has_feature :rpfilter
 
   optional_commands(iptables: 'iptables',
                     iptables_save: 'iptables-save')
@@ -58,6 +60,12 @@
                 '--set-xmark'
               end
 
+  kernelversion = Facter.value('kernelversion')
+  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
+     (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
+    has_feature :random_fully
+  end
+
   @protocol = 'IPv4'
 
   @resource_map = {
@@ -67,7 +75,19 @@
     connlimit_above: '-m connlimit --connlimit-above',
     connlimit_mask: '--connlimit-mask',
     connmark: '-m connmark --mark',
-    ctstate: '-m conntrack --ctstate',
+    ctstate: '--ctstate',
+    ctproto: '--ctproto',
+    ctorigsrc: '--ctorigsrc',
+    ctorigdst: '--ctorigdst',
+    ctreplsrc: '--ctreplsrc',
+    ctrepldst: '--ctrepldst',
+    ctorigsrcport: '--ctorigsrcport',
+    ctorigdstport: '--ctorigdstport',
+    ctreplsrcport: '--ctreplsrcport',
+    ctrepldstport: '--ctrepldstport',
+    ctstatus: '--ctstatus',
+    ctexpire: '--ctexpire',
+    ctdir: '--ctdir',
     destination: '-d',
     dport: ['-m multiport --dports', '--dport'],
     dst_range: '--dst-range',
@@ -102,13 +122,15 @@
     proto: '-p',
     queue_num: '--queue-num',
     queue_bypass: '--queue-bypass',
+    random_fully: '--random-fully',
     random: '--random',
     rdest: '--rdest',
     reap: '--reap',
     recent: '-m recent',
     reject: '--reject-with',
     rhitcount: '--hitcount',
     rname: '--name',
+    rpfilter: '-m rpfilter',
     rseconds: '--seconds',
     rsource: '--rsource',
     rttl: '--rttl',
@@ -127,6 +149,7 @@
     stat_probability: '--probability',
     state: '-m state --state',
     string: '-m string --string',
+    string_hex: '-m string --hex-string',
     string_algo: '--algo',
     string_from: '--from',
     string_to: '--to',
@@ -172,6 +195,7 @@
     bytecode: '-m bpf --bytecode',
     ipvs: '-m ipvs --ipvs',
     zone: '--zone',
+    helper: '--helper',
   }
 
   # These are known booleans that do not take a value, but we want to munge
@@ -181,6 +205,7 @@
     :clamp_mss_to_pmtu,
     :isfragment,
     :log_uid,
+    :random_fully,
     :random,
     :rdest,
     :reap,
@@ -214,6 +239,8 @@
     addrtype: [:src_type, :dst_type],
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
+    conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
+                :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
     geoip: [:src_cc, :dst_cc],
     hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask,
@@ -231,7 +258,7 @@ def self.munge_resource_map_from_existing_values(resource_map_original, compare)
             resource_map_new[argument][0] = "-m #{ipt_module} #{resource_map_original[argument].first}"
             break
           end
-        elsif compare.include?(resource_map_original[argument])
+        elsif compare.include?(resource_map_original[argument] + ' ')
           resource_map_new[argument] = "-m #{ipt_module} #{resource_map_original[argument]}"
           break
         end
@@ -296,17 +323,19 @@ def munge_resource_map_from_resource(resource_map_original, compare)
     :proto, :isfragment, :stat_mode, :stat_every, :stat_packet, :stat_probability,
     :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
     :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy,
-    :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+    :state, :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
+    :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir,
+    :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo,
     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
-    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
+    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
     :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
   ]
 
   def insert
@@ -475,6 +504,8 @@ def self.rule_to_hash(line, table, counter)
                  values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
                elsif resource_map[bool].eql?(%r{'--physdev-is-\S+'})
                  values.sub(%r{'#{resource_map[bool]} "! "'}, "#{resource_map[bool]} true")
+               elsif bool == :random
+                 values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true")
                else
                  # append `true` to booleans that are not already negated (followed by "!")
                  values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true")
@@ -545,7 +576,7 @@ def self.rule_to_hash(line, table, counter)
     # POST PARSE CLUDGING
     #####################
 
-    [:dport, :sport, :port, :state, :ctstate].each do |prop|
+    [:dport, :sport, :port, :state, :ctstate, :ctstatus].each do |prop|
       hash[prop] = hash[prop].split(',') unless hash[prop].nil?
     end
 
@@ -607,6 +638,17 @@ def self.rule_to_hash(line, table, counter)
     [
       :connmark,
       :ctstate,
+      :ctproto,
+      :ctorigsrc,
+      :ctorigdst,
+      :ctreplsrc,
+      :ctrepldst,
+      :ctorigsrcport,
+      :ctorigdstport,
+      :ctreplsrcport,
+      :ctrepldstport,
+      :ctstatus,
+      :ctexpire,
       :destination,
       :dport,
       :dst_range,
@@ -646,6 +688,7 @@ def self.rule_to_hash(line, table, counter)
     # iptables-save and user supplied resources is consistent.
     hash[:state]   = hash[:state].sort   unless hash[:state].nil?
     hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
+    hash[:ctstatus] = hash[:ctstatus].sort unless hash[:ctstatus].nil?
 
     # This forces all existing, commentless rules or rules with invalid comments to be moved
     # to the bottom of the stack.

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
diff --git a/lib/puppet/util/firewall.rb b/lib/puppet/util/firewall.rb
@@ -47,8 +47,7 @@ def icmp_name_to_number(value_icmp, protocol)
 
   # Convert log_level names to their respective numbers
   def log_level_name_to_number(value)
-    # TODO: make this 0-7 only
-    if value =~ %r{\d}
+    if value =~ %r{\A[0-7]\z}
       value
     else
       case value
@@ -183,8 +182,9 @@ def persist_iptables(proto)
     if os_key == 'Debian'
       # We need to call flush to clear Facter cache as it's possible the cached value will be nil due to the fact
       # that the iptables-persistent package was potentially installed after the initial Fact gathering.
-      Facter.fact(:iptables_persistent_version).flush
-      persist_ver = Facter.value(:iptables_persistent_version)
+      fact = Facter.fact(:iptables_persistent_version)
+      fact.flush if fact.respond_to?(:flush)
+      persist_ver = fact.value
       if persist_ver && Puppet::Util::Package.versioncmp(persist_ver, '0.5.0') < 0
         os_key = 'Debian_manual'
       end

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-firewall",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "author": "puppetlabs",
   "summary": "Manages Firewalls such as iptables",
   "license": "Apache-2.0",
@@ -78,6 +78,6 @@
     }
   ],
   "template-url": "https://github.com/puppetlabs/pdk-templates#master",
-  "template-ref": "heads/master-0-g643529a",
-  "pdk-version": "1.14.1"
+  "template-ref": "1.17.0-0-gd3a4319",
+  "pdk-version": "1.17.0"
 }
diff --git a/provision.yaml b/provision.yaml
@@ -1,16 +1,22 @@
 ---
 default:
   provisioner: docker
-  images: ['waffleimage/centos7']
-waffle_deb:
-  provisioner: docker_exp
-  images: ['waffleimage/debian8', 'waffleimage/debian9', 'waffleimage/ubuntu14.04', 'waffleimage/ubuntu16.04', 'waffleimage/ubuntu18.04']
-waffle_el:
-  provisioner: docker
-  images: ['waffleimage/centos7']
+  images: ['litmusimage/centos:7']
 vagrant:
   provisioner: vagrant
   images: ['centos/7', 'generic/ubuntu1804']
+travis_deb:
+  provisioner: docker
+  images: ['litmusimage/debian:8', 'litmusimage/debian:9'] # 'litmusimage/debian10' removed due to failures present only on Docker
+travis_ub:
+  provisioner: docker
+  images: ['litmusimage/ubuntu:14.04', 'litmusimage/ubuntu:16.04', 'litmusimage/ubuntu:18.04']
+travis_el6:
+  provisioner: docker
+  images: []
+travis_el7:
+  provisioner: docker
+  images: ['litmusimage/centos:7']
 release_checks:
   provisioner: vmpooler
   images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'centos-8-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'debian-10-x86_64', 'sles-11-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64']
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -1338,4 +1338,35 @@ class { '::firewall': }
       expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1310000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
     end
   end
+
+  describe 'random-fully' do
+    supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
+                              true
+                            elsif os[:family] == 'debian' && os[:release].start_with?('10')
+                              true
+                            else
+                              false
+                            end
+
+    before(:all) do
+      pp = <<-PUPPETCODE
+        firewall { '901 - set random-fully':
+          table        => 'nat',
+          chain        => 'POSTROUTING',
+          jump         => 'MASQUERADE',
+          random_fully => true,
+        }
+      PUPPETCODE
+      idempotent_apply(pp)
+    end
+
+    let(:result) { run_shell('iptables-save') }
+
+    it 'adds random-fully rule', if: supports_random_fully do
+      expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
+    end
+    it 'adds rule without random-fully', unless: supports_random_fully do
+      expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
+    end
+  end
 end
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -322,6 +322,12 @@ class { '::firewall': }
             physdev_out        => "eth1",
             physdev_is_bridged => true,
           }
+          firewall { '900 - set rpfilter':
+            table    => 'raw',
+            chain    => 'PREROUTING',
+            action   => 'accept',
+            rpfilter => 'invert',
+          }
           firewall { '1000 - set_dscp':
             proto     => 'tcp',
             jump      => 'DSCP',

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
@@ -713,6 +713,14 @@
       string_from: '1',
     },
   },
+  'hexstring_matching_1' => {
+    line: '-A INPUT -m string --hex-string "|0000FF0001|" --algo bm',
+    table: 'filter',
+    params: {
+      string_hex: '|0000FF0001|',
+      string_algo: 'bm',
+    },
+  },
   'nfqueue_jump1' => {
     line: '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 -m comment --comment "000 nfqueue specify queue_num"',
     table: 'filter',

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.configure do |c|
   c.mock_with :rspec
 end

diff --git a/spec/unit/documentation/readme_spec.rb b/spec/unit/documentation/readme_spec.rb
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
@@ -436,6 +436,108 @@
     end
   end
 
+  describe ':ctproto' do
+    it 'accepts numeric value' do
+      resource[:ctproto] = 6
+      expect(resource[:ctproto]).to be 6
+    end
+    it 'accepts negated string value' do
+      resource[:ctproto] = '! 6'
+      expect(resource[:ctproto]).to eql '! 6'
+    end
+  end
+
+  [:ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst].each do |addr|
+    describe addr do
+      it "should accept a #{addr} as a string without /32" do
+        resource[addr] = '127.0.0.1'
+        expect(resource[addr]).to eql '127.0.0.1'
+      end
+      it "should accept a #{addr} as a string with /32" do
+        resource[addr] = '127.0.0.1/32'
+        expect(resource[addr]).to eql '127.0.0.1'
+      end
+      it "should accept a #{addr} as a string with cidr" do
+        resource[addr] = '10.0.0.0/8'
+        expect(resource[addr]).to eql '10.0.0.0/8'
+      end
+      it "should accept a #{addr} as a string with ipv6 cidr" do
+        resource[addr] = '2001:DB8::/64'
+        expect(resource[addr]).to eql '2001:DB8::/64'
+      end
+      it "should accept a negated #{addr} as a string" do
+        resource[addr] = '! 127.0.0.1'
+        expect(resource[addr]).to eql '! 127.0.0.1'
+      end
+      it "should accept a negated #{addr} as a string with cidr" do
+        resource[addr] = '! 10.0.0.0/8'
+        expect(resource[addr]).to eql '! 10.0.0.0/8'
+      end
+    end
+  end
+
+  [:ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport].each do |port|
+    describe port do
+      it "should accept #{port} as numeric value" do
+        resource[port] = 80
+        expect(resource[port]).to be 80
+      end
+      it "should accept #{port} as range value" do
+        resource[port] = '80:81'
+        expect(resource[port]).to eql '80:81'
+      end
+      it "should accept a negated #{port} as string value" do
+        resource[port] = '! 80'
+        expect(resource[port]).to eql '! 80'
+      end
+      it "should accept a negated #{port} as range value" do
+        resource[port] = '! 80:81'
+        expect(resource[port]).to eql '! 80:81'
+      end
+    end
+  end
+
+  describe ':ctstatus' do
+    it 'accepts value as a string - EXPECTED' do
+      resource[:ctstatus] = :EXPECTED
+      expect(resource[:ctstatus]).to eql [:EXPECTED]
+    end
+
+    it 'accepts value as an array - EXPECTED, SEEN_REPLY' do
+      resource[:ctstatus] = [:EXPECTED, :SEEN_REPLY]
+      expect(resource[:ctstatus]).to eql [:EXPECTED, :SEEN_REPLY]
+    end
+
+    it 'sorts values alphabetically - SEEN_REPLY, EXPECTED' do
+      resource[:ctstatus] = [:SEEN_REPLY, :EXPECTED]
+      expect(resource[:ctstatus]).to eql [:EXPECTED, :SEEN_REPLY]
+    end
+  end
+
+  describe ':ctexpire' do
+    it 'accepts numeric values' do
+      resource[:ctexpire] = 100
+      expect(resource[:ctexpire]).to be 100
+    end
+
+    it 'accepts numeric range values' do
+      resource[:ctexpire] = '100:120'
+      expect(resource[:ctexpire]).to eql '100:120'
+    end
+  end
+
+  describe ':ctdir' do
+    it 'accepts value as a string - REPLY' do
+      resource[:ctdir] = :REPLY
+      expect(resource[:ctdir]).to be :REPLY
+    end
+
+    it 'accepts value as a string - ORIGINAL' do
+      resource[:ctdir] = :ORIGINAL
+      expect(resource[:ctdir]).to be :ORIGINAL
+    end
+  end
+
   describe ':burst' do
     it 'accepts numeric values' do
       resource[:burst] = 12