diff --git a/spec/acceptance/connmark_spec.rb b/spec/acceptance/connmark_spec.rb
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb
diff --git a/spec/acceptance/firewall_clusterip_spec.rb b/spec/acceptance/firewall_clusterip_spec.rb
diff --git a/spec/acceptance/firewall_dscp_spec.rb b/spec/acceptance/firewall_dscp_spec.rb
diff --git a/spec/acceptance/firewall_gid_spec.rb b/spec/acceptance/firewall_gid_spec.rb
diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
diff --git a/spec/acceptance/firewall_tee_spec.rb b/spec/acceptance/firewall_tee_spec.rb
diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb
diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb
diff --git a/spec/acceptance/hashlimit_spec.rb b/spec/acceptance/hashlimit_spec.rb
diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb
diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb
diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb
diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb
diff --git a/spec/acceptance/nflog_spec.rb b/spec/acceptance/nflog_spec.rb
diff --git a/spec/acceptance/params_spec.rb b/spec/acceptance/params_spec.rb
diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
@@ -23,6 +23,7 @@
   context 'when flush iptables and make sure it returns nothing afterwards' do
     before(:all) do
       iptables_flush_all_tables
+      ip6tables_flush_all_tables
     end
 
     # No rules, means no output thanks. And no errors as well.
@@ -64,8 +65,7 @@
     end
   end
 
-  context 'when accepts rules with multiple comments', unless: (fact('operatingsystem') == 'RedHat' && fact('operatingsystemmajrelease') <= '5') ||
-                                                               (fact('operatingsystem') == 'CentOS' && fact('operatingsystemmajrelease') <= '5') do
+  context 'when accepts rules with multiple comments', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do
     before(:all) do
       iptables_flush_all_tables
       shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http" -m comment --comment "http"')
@@ -112,22 +112,20 @@
     end
   end
 
-  if default['platform'] !~ %r{sles-10}
-    context 'when accepts rules utilizing the statistic module' do
-      before :all do
-        iptables_flush_all_tables
-        # This command doesn't work with all versions/oses, so let it fail
-        shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', acceptable_exit_codes: [0, 1, 2])
-        shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
-        shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
-      end
+  context 'when accepts rules utilizing the statistic module' do
+    before :all do
+      iptables_flush_all_tables
+      # This command doesn't work with all versions/oses, so let it fail
+      shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', acceptable_exit_codes: [0, 1, 2])
+      shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
+      shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
+    end
 
-      it do
-        shell('puppet resource firewall') do |r|
-          r.exit_code.should be_zero
-          # don't check stdout, testing preexisting rules, output is normal
-          r.stderr.should be_empty
-        end
+    it do
+      shell('puppet resource firewall') do |r|
+        r.exit_code.should be_zero
+        # don't check stdout, testing preexisting rules, output is normal
+        r.stderr.should be_empty
       end
     end
   end
@@ -184,23 +182,21 @@
   # version of iptables that ships with el5 doesn't work with the
   # ip6tables provider
   # TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb
-  if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
-    context 'when dport/sport with ip6tables' do
-      before :all do
-        if fact('osfamily') == 'Debian'
-          shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
-          shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
-          shell('apt-get install iptables-persistent -y')
-        end
-        ip6tables_flush_all_tables
-        shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+  context 'when dport/sport with ip6tables', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+    before :all do
+      if os['family'] == 'debian'
+        shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
+        shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
+        shell('apt-get install iptables-persistent -y')
       end
-      it do
-        shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
-          r.exit_code.should be_zero
-          # don't check stdout, testing preexisting rules, output is normal
-          r.stderr.should be_empty
-        end
+      ip6tables_flush_all_tables
+      shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+    end
+    it do
+      shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
+        r.exit_code.should be_zero
+        # don't check stdout, testing preexisting rules, output is normal
+        r.stderr.should be_empty
       end
     end
   end

diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
@@ -27,7 +27,7 @@
           source      => '10.0.0.0/8',
           destination => '!10.0.0.0/8',
           proto       => 'tcp',
-          state       => 'NEW',
+          ctstate       => 'NEW',
           port        => [80,443,21,20,22,53,123,43,873,25,465],
           action      => 'accept',
         }
@@ -93,15 +93,14 @@
         }
     PUPPETCODE
     it 'applies cleanly' do
-      # Run it twice and test for idempotency
       apply_manifest(pp1, catch_failures: true)
-      expect(apply_manifest(pp1, catch_failures: true).exit_code).to be_zero
+      apply_manifest(pp1, catch_changes: true)
     end
     regex_values = [
       %r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT},
       %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT},
       %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT},
-      %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m state --state NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
+      %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
       %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
     ]
     it 'contains appropriate rules' do
@@ -143,7 +142,7 @@ class { '::firewall': }
 
         firewall { '010 INPUT allow established and related':
           proto  => 'all',
-          state  => ['ESTABLISHED', 'RELATED'],
+          ctstate  => ['ESTABLISHED', 'RELATED'],
           action => 'accept',
           before => Firewallchain['INPUT:filter:IPv4'],
         }
@@ -162,7 +161,7 @@ class { '::firewall': }
         firewall { '020 ssh':
           proto  => 'tcp',
           dport  => '22',
-          state  => 'NEW',
+          ctstate  => 'NEW',
           action => 'accept',
           before => Firewallchain['INPUT:filter:IPv4'],
         }
@@ -172,7 +171,7 @@ class { '::firewall': }
           chain    => 'OUTPUT',
           proto    => 'tcp',
           dport    => '25',
-          state    => 'NEW',
+          ctstate    => 'NEW',
           action   => 'accept',
         }
         firewall { '013 icmp echo-request':
@@ -194,7 +193,7 @@ class { '::firewall': }
         firewall { '443 ssl on aliased interface':
           proto   => 'tcp',
           dport   => '443',
-          state   => 'NEW',
+          ctstate   => 'NEW',
           action  => 'accept',
           iniface => 'eth0:3',
         }
@@ -221,7 +220,7 @@ class { '::firewall': }
         firewall { '010 allow established and related':
           chain  => 'FORWARD',
           proto  => 'all',
-          state  => ['ESTABLISHED','RELATED'],
+          ctstate  => ['ESTABLISHED','RELATED'],
           action => 'accept',
           before => Firewallchain['FORWARD:filter:IPv4'],
         }
@@ -241,7 +240,7 @@ class { '::firewall': }
     it 'applies cleanly' do
       # Run it twice and test for idempotency
       apply_manifest(pp2, catch_failures: true)
-      apply_manifest(pp2, catch_changes: do_catch_changes)
+      apply_manifest(pp2, catch_changes: true)
     end
 
     regex_values = [
@@ -252,17 +251,17 @@ class { '::firewall': }
       %r{LOCAL_INPUT_PRE},
       %r{-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE},
       %r{-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"001 ssh needed for beaker testing\" -j ACCEPT},
-      %r{-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment \"010 INPUT allow established and related\" -j ACCEPT},
+      %r{-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment \"010 INPUT allow established and related\" -j ACCEPT},
       %r{-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable},
       %r{-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT},
       %r{-A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment \"013 icmp destination-unreachable\" -j ACCEPT},
       %r{-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m icmp --icmp-type 8 -m comment --comment \"013 icmp echo-request\" -j ACCEPT},
       %r{-A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment \"013 icmp time-exceeded\" -j ACCEPT},
-      %r{-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment \"020 ssh\" -j ACCEPT},
-      %r{-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m state --state NEW -m comment --comment \"443 ssl on aliased interface\" -j ACCEPT},
+      %r{-A INPUT -p tcp -m multiport --dports 22 -m conntrack --ctstate NEW -m comment --comment \"020 ssh\" -j ACCEPT},
+      %r{-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m conntrack --ctstate NEW -m comment --comment \"443 ssl on aliased interface\" -j ACCEPT},
       %r{-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT},
-      %r{-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment \"010 allow established and related\" -j ACCEPT},
-      %r{-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m state --state NEW -m comment --comment \"025 smtp\" -j ACCEPT},
+      %r{-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment \"010 allow established and related\" -j ACCEPT},
+      %r{-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m conntrack --ctstate NEW -m comment --comment \"025 smtp\" -j ACCEPT},
     ]
     it 'contains appropriate rules' do
       shell('iptables-save') do |r|

diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
@@ -255,10 +255,10 @@
     },
   },
   'string_escape_sequences' => {
-    line: '-A INPUT -m comment --comment "000 parse escaped \\"s, \\\'s, and \\\\s"',
+    line: '-A INPUT -m comment --comment "000 parse escaped \\"s, \\"s, \\\'s, \\\'s, \\\\s and \\\\s"',
     table: 'filter',
     params: {
-      name: '000 parse escaped "s, \'s, and \\s',
+      name: '000 parse escaped "s, "s, \'s, \'s, \\s and \\s',
     },
   },
   'log_level_debug' => {

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -1,3 +1,7 @@
+RSpec.configure do |c|
+  c.mock_with :rspec
+end
+
 require 'puppetlabs_spec_helper/module_spec_helper'
 require 'rspec-puppet-facts'
 
@@ -19,7 +23,7 @@
   next unless File.exist?(f) && File.readable?(f) && File.size?(f)
 
   begin
-    default_facts.merge!(YAML.safe_load(File.read(f)))
+    default_facts.merge!(YAML.safe_load(File.read(f), [], [], true))
   rescue => e
     RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}"
   end
@@ -34,6 +38,7 @@
   end
   c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT']
   c.after(:suite) do
+    RSpec::Puppet::Coverage.report!(0)
   end
 end
 

diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb
@@ -1,5 +1,30 @@
-RSpec.configure do |config|
-  config.mock_with :rspec
+if ENV['COVERAGE'] == 'yes'
+  require 'simplecov'
+  require 'simplecov-console'
+  require 'codecov'
+
+  SimpleCov.formatters = [
+    SimpleCov::Formatter::HTMLFormatter,
+    SimpleCov::Formatter::Console,
+    SimpleCov::Formatter::Codecov,
+  ]
+  SimpleCov.start do
+    track_files 'lib/**/*.rb'
+
+    add_filter '/spec'
+
+    # do not track vendored files
+    add_filter '/vendor'
+    add_filter '/.vendor'
+
+    # do not track gitignored files
+    # this adds about 4 seconds to the coverage check
+    # this could definitely be optimized
+    add_filter do |f|
+      # system returns true if exit status is 0, which with git-check-ignore means file is ignored
+      system("git check-ignore --quiet #{f.filename}")
+    end
+  end
 end
 
 def with_debian_facts

diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
@@ -269,7 +269,7 @@
     let(:instance) { provider.new(resource) }
 
     it 'rule name contains a MD5 sum of the line' do
-      expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
+      expect(resource[:name]).to eq("9000 #{Digest::SHA256.hexdigest(resource[:line])}")
     end
 
     resource_types = [:chain, :source, :destination, :proto, :dport, :sport, :action]
@@ -290,7 +290,7 @@
     let(:instance) { provider.new(resource) }
 
     it 'rule name contains a MD5 sum of the line' do
-      expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
+      expect(resource[:name]).to eq("9000 #{Digest::SHA256.hexdigest(resource[:line])}")
     end
 
     resource_types = [:chain, :proto, :dport, :state, :action]

diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
@@ -137,6 +137,38 @@
     end
   end
 
+  describe 'source error checking' do
+    it 'Invalid address when 256.168.2.0/24' do
+      expect(-> { resource[:source] = '256.168.2.0/24' }).to raise_error(
+        Puppet::Error, %r{host_to_ip failed}
+      )
+    end
+  end
+
+  describe 'destination error checking' do
+    it 'Invalid address when 256.168.2.0/24' do
+      expect(-> { resource[:destination] = '256.168.2.0/24' }).to raise_error(
+        Puppet::Error, %r{host_to_ip failed}
+      )
+    end
+  end
+
+  describe 'src_range error checking' do
+    it 'Invalid IP when 392.168.1.1-192.168.1.10' do
+      expect(-> { resource[:src_range] = '392.168.1.1-192.168.1.10' }).to raise_error(
+        Puppet::Error, %r{Invalid IP address}
+      )
+    end
+  end
+
+  describe 'dst_range error checking' do
+    it 'Invalid IP when 392.168.1.1-192.168.1.10' do
+      expect(-> { resource[:dst_range] = '392.168.1.1-192.168.1.10' }).to raise_error(
+        Puppet::Error, %r{Invalid IP address}
+      )
+    end
+  end
+
   [:dport, :sport].each do |port|
     describe port do
       it "should accept a #{port} as string" do
@@ -413,6 +445,9 @@
     it 'fails if value is not numeric' do
       expect(-> { resource[:burst] = 'foo' }).to raise_error(Puppet::Error)
     end
+    it 'fails if value contains /sec' do
+      expect(-> { resource[:burst] = '1500/sec' }).to raise_error(Puppet::Error)
+    end
   end
 
   describe ':recent' do
@@ -431,6 +466,7 @@
       }.to raise_error(RuntimeError, %r{Only one of the parameters 'action' and 'jump' can be set$})
     end
   end
+
   describe ':gid and :uid' do
     it 'allows me to set uid' do
       resource[:uid] = 'root'