655 changes: 643 additions & 12 deletions .rubocop.yml

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions .sync.yml
Expand Up @@ -7,8 +7,8 @@ Gemfile:
optional:
":development":
- gem: 'puppet-resource_api'
- gem: github_changelog_generator
version: '= 1.15.2'
.rubocop.yml:
include_todos: true
Rakefile:
changelog_user: puppetlabs
changelog_max_issues: 500
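
Review bot: The `Rakefile:` keys `changelog_user: puppetlabs` and `changelog_max_issues: 500` at the end of this hunk stay in place, although the same change drops `github_changelog_generator` from the Gemfile options and deletes the changelog task from the Rakefile. If the updated template no longer reads them, remove both keys so the sync config does not suggest that a changelog task still exists.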
67 changes: 34 additions & 33 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).

## [v8.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.0) - 2024-02-08

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.2...v8.0.0)

### Changed
- [CAT-1425] : Removing RedHat/Scientific/OracleLinux 6 [#1163](https://github.com/puppetlabs/puppetlabs-firewall/pull/1163) ([rajat-puppet](https://github.com/rajat-puppet))

### Fixed

- (GH-1164) Only common jump values should be enforced as upcase [#1165](https://github.com/puppetlabs/puppetlabs-firewall/pull/1165) ([david22swan](https://github.com/david22swan))

## [v7.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/v7.0.2) - 2023-09-14

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.1...v7.0.2)
Expand Down Expand Up @@ -37,14 +48,14 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v5.0.0...v6.0.0)

### Added

- Add support for parsing and using --tcp-option [#1126](https://github.com/puppetlabs/puppetlabs-firewall/pull/1126) ([greatflyingsteve](https://github.com/greatflyingsteve))

### Changed
- (CONT-242) Fix duplicate rule detection [#1140](https://github.com/puppetlabs/puppetlabs-firewall/pull/1140) ([david22swan](https://github.com/david22swan))
- pdksync - (MAINT) - Require Stdlib 9.x only [#1135](https://github.com/puppetlabs/puppetlabs-firewall/pull/1135) ([LukasAud](https://github.com/LukasAud))

### Added

- Add support for parsing and using --tcp-option [#1126](https://github.com/puppetlabs/puppetlabs-firewall/pull/1126) ([greatflyingsteve](https://github.com/greatflyingsteve))

### Fixed

- disable firewalld for RedHat 9 [#1142](https://github.com/puppetlabs/puppetlabs-firewall/pull/1142) ([robertc99](https://github.com/robertc99))
Expand Down Expand Up @@ -88,13 +99,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.6.0...v4.0.0)

### Changed
- (CONT-256) Removing outdated code [#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud))

### Added

- add support for using rpfilter in rules [#1059](https://github.com/puppetlabs/puppetlabs-firewall/pull/1059) ([cmusik](https://github.com/cmusik))

### Changed
- (CONT-256) Removing outdated code [#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud))

### Fixed

- (CONT-173) - Updating deprecated facter instances [#1079](https://github.com/puppetlabs/puppetlabs-firewall/pull/1079) ([jordanbreen28](https://github.com/jordanbreen28))
Expand Down Expand Up @@ -326,13 +337,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.3...v2.0.0)

### Changed
- pdksync - (MODULES-8444) - Raise lower Puppet bound [#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan))

### Added

- (FM-7903) - Implement Puppet Strings [#838](https://github.com/puppetlabs/puppetlabs-firewall/pull/838) ([david22swan](https://github.com/david22swan))

### Changed
- pdksync - (MODULES-8444) - Raise lower Puppet bound [#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan))

### Fixed

- (MODULES-8736) IPtables support on RHEL8 [#824](https://github.com/puppetlabs/puppetlabs-firewall/pull/824) ([EmilienM](https://github.com/EmilienM))
Expand Down Expand Up @@ -438,6 +449,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.9.0...1.10.0)

### Changed
- (MODULES-5501) - Remove unsupported Ubuntu [#715](https://github.com/puppetlabs/puppetlabs-firewall/pull/715) ([pmcmaw](https://github.com/pmcmaw))
- (Modules-1141) No longer accepts an array for icmp types #puppethack [#705](https://github.com/puppetlabs/puppetlabs-firewall/pull/705) ([spynappels](https://github.com/spynappels))

### Added

- (MODULES-5144) Prep for puppet 5 [#709](https://github.com/puppetlabs/puppetlabs-firewall/pull/709) ([hunner](https://github.com/hunner))
Expand All @@ -446,10 +461,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
- MODULES-4828 version_requirement updated #puppethack [#704](https://github.com/puppetlabs/puppetlabs-firewall/pull/704) ([neilbinney](https://github.com/neilbinney))
- Add gid lookup [#682](https://github.com/puppetlabs/puppetlabs-firewall/pull/682) ([crispygoth](https://github.com/crispygoth))

### Changed
- (MODULES-5501) - Remove unsupported Ubuntu [#715](https://github.com/puppetlabs/puppetlabs-firewall/pull/715) ([pmcmaw](https://github.com/pmcmaw))
- (Modules-1141) No longer accepts an array for icmp types #puppethack [#705](https://github.com/puppetlabs/puppetlabs-firewall/pull/705) ([spynappels](https://github.com/spynappels))

### Fixed

- [MODULES-5924] Fix unmanaged rule regex when updating a iptable. [#729](https://github.com/puppetlabs/puppetlabs-firewall/pull/729) ([sathlan](https://github.com/sathlan))
Expand Down Expand Up @@ -502,16 +513,16 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.8.0...1.8.1)

### Changed
- (maint) Remove nat flush [#625](https://github.com/puppetlabs/puppetlabs-firewall/pull/625) ([hunner](https://github.com/hunner))

### Added

- (Modules 3329) Add support for iptables length and string extensions [#630](https://github.com/puppetlabs/puppetlabs-firewall/pull/630) ([shumbert](https://github.com/shumbert))
- Add VirtuozzoLinux to the RedHat family [#617](https://github.com/puppetlabs/puppetlabs-firewall/pull/617) ([jpnc](https://github.com/jpnc))
- support for multiple ipsets in a rule [#615](https://github.com/puppetlabs/puppetlabs-firewall/pull/615) ([nabam](https://github.com/nabam))
- Add 'ip' and 'pim' to proto [#610](https://github.com/puppetlabs/puppetlabs-firewall/pull/610) ([lunkwill42](https://github.com/lunkwill42))

### Changed
- (maint) Remove nat flush [#625](https://github.com/puppetlabs/puppetlabs-firewall/pull/625) ([hunner](https://github.com/hunner))

### Fixed

- allow FreeBSD when dependencies require this class [#624](https://github.com/puppetlabs/puppetlabs-firewall/pull/624) ([rcalixte](https://github.com/rcalixte))
Expand Down Expand Up @@ -662,6 +673,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.3...1.2.0)

### Changed
- Doesn't actually support OEL5 [#418](https://github.com/puppetlabs/puppetlabs-firewall/pull/418) ([underscorgan](https://github.com/underscorgan))

### Added

- Update to support PE3.x [#420](https://github.com/puppetlabs/puppetlabs-firewall/pull/420) ([underscorgan](https://github.com/underscorgan))
Expand All @@ -671,9 +685,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
- add ipset support [#383](https://github.com/puppetlabs/puppetlabs-firewall/pull/383) ([vzctl](https://github.com/vzctl))
- Add support for mac address source rules pt2 [#337](https://github.com/puppetlabs/puppetlabs-firewall/pull/337) ([damjanek](https://github.com/damjanek))

### Changed
- Doesn't actually support OEL5 [#418](https://github.com/puppetlabs/puppetlabs-firewall/pull/418) ([underscorgan](https://github.com/underscorgan))

### Fixed

- ip6tables isn't supported on EL5 [#428](https://github.com/puppetlabs/puppetlabs-firewall/pull/428) ([underscorgan](https://github.com/underscorgan))
Expand Down Expand Up @@ -704,13 +715,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.0.2...1.1.0)

### Changed
- Apply firewall resources alphabetically [#342](https://github.com/puppetlabs/puppetlabs-firewall/pull/342) ([mcanevet](https://github.com/mcanevet))

### Added

- (MODULES-689) Add support for connlimit and connmark [#344](https://github.com/puppetlabs/puppetlabs-firewall/pull/344) ([csschwe](https://github.com/csschwe))

### Changed
- Apply firewall resources alphabetically [#342](https://github.com/puppetlabs/puppetlabs-firewall/pull/342) ([mcanevet](https://github.com/mcanevet))

### Fixed

- Fix access to distmoduledir [#354](https://github.com/puppetlabs/puppetlabs-firewall/pull/354) ([hunner](https://github.com/hunner))
Expand Down Expand Up @@ -779,11 +790,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.1...0.4.2)

### Fixed

- Only workaround if we're using the old package. [#233](https://github.com/puppetlabs/puppetlabs-firewall/pull/233) ([mrwacky42](https://github.com/mrwacky42))
- 22090 - Use list of RedHat OSes from newer facter. [#232](https://github.com/puppetlabs/puppetlabs-firewall/pull/232) ([mrwacky42](https://github.com/mrwacky42))

## [0.4.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.4.1) - 2013-08-12

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.0...0.4.1)
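
Review bot: The hunk header shrinks this region from 11 lines to 6, and the block that goes is the `### Fixed` section under 0.4.2, so the entries for #233 and #232 disappear and 0.4.2 is left with only its Full Changelog link. If this is a side effect of regenerating the file, restore the two entries or state in the PR description why historical entries are being dropped.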
Expand Down Expand Up @@ -870,26 +876,21 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a

- Mock Resolv.getaddress in #host_to_ip [#110](https://github.com/puppetlabs/puppetlabs-firewall/pull/110) ([dcarley](https://github.com/dcarley))
- ip6tables provider allways execute /sbin/iptables command [#105](https://github.com/puppetlabs/puppetlabs-firewall/pull/105) ([wuwx](https://github.com/wuwx))
- (#16004) array_matching is contraindicated. [#100](https://github.com/puppetlabs/puppetlabs-firewall/pull/100) ([mrwacky42](https://github.com/mrwacky42))
- (#10322) Insert order hash included chains from different tables [#89](https://github.com/puppetlabs/puppetlabs-firewall/pull/89) ([kbarber](https://github.com/kbarber))
- (#10274) Nullify addresses with zero prefixlen [#80](https://github.com/puppetlabs/puppetlabs-firewall/pull/80) ([dcarley](https://github.com/dcarley))
- (#14641) Fix for incorrect limit command arguments for ip6tables provider [#79](https://github.com/puppetlabs/puppetlabs-firewall/pull/79) ([cheethoe](https://github.com/cheethoe))
- Ticket/10619 unable to purge rules [#69](https://github.com/puppetlabs/puppetlabs-firewall/pull/69) ([kbarber](https://github.com/kbarber))
- (#13201) Firewall autorequire Firewallchains [#67](https://github.com/puppetlabs/puppetlabs-firewall/pull/67) ([dcarley](https://github.com/dcarley))
- (#13192) Fix allvalidchain iteration [#63](https://github.com/puppetlabs/puppetlabs-firewall/pull/63) ([kbarber](https://github.com/kbarber))
- Improved Puppet DSL style as per the guidelines. [#61](https://github.com/puppetlabs/puppetlabs-firewall/pull/61) ([adamgibbins](https://github.com/adamgibbins))
- (#10164) Reject and document icmp => "any" [#60](https://github.com/puppetlabs/puppetlabs-firewall/pull/60) ([dcarley](https://github.com/dcarley))
- (#11443) simple fix of the error message for allowed values of the jump property [#50](https://github.com/puppetlabs/puppetlabs-firewall/pull/50) ([grooverdan](https://github.com/grooverdan))
- Initial creation of class firewall for issue #10984 [#34](https://github.com/puppetlabs/puppetlabs-firewall/pull/34) ([mrwacky42](https://github.com/mrwacky42))

## [v0.0.4](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.4) - 2011-12-05

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.3...v0.0.4)

### Added

- (#10997) Add fixtures for ipencap [#39](https://github.com/puppetlabs/puppetlabs-firewall/pull/39) ([mrwacky42](https://github.com/mrwacky42))
- Add owner-match support [#38](https://github.com/puppetlabs/puppetlabs-firewall/pull/38) ([mrwacky42](https://github.com/mrwacky42))
- (#10690) add port property support to ip6tables [#33](https://github.com/puppetlabs/puppetlabs-firewall/pull/33) ([saysjonathan](https://github.com/saysjonathan))

## [v0.0.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.3) - 2011-11-12
51 changes: 28 additions & 23 deletions Gemfile
Expand Up @@ -14,32 +14,37 @@ def location_for(place_or_version, fake_version = nil)
end

group :development do
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "voxpupuli-puppet-lint-plugins", '~> 4.0', require: false
gem "facterdb", '~> 1.18', require: false
gem "metadata-json-lint", '>= 2.0.2', '< 4.0.0', require: false
gem "puppetlabs_spec_helper", '~> 5.0', require: false
gem "rspec-puppet-facts", '~> 2.0', require: false
gem "codecov", '~> 0.2', require: false
gem "dependency_checker", '~> 0.2', require: false
gem "parallel_tests", '= 3.12.1', require: false
gem "pry", '~> 0.10', require: false
gem "simplecov-console", '~> 0.5', require: false
gem "puppet-debugger", '~> 1.0', require: false
gem "rubocop", '= 1.48.1', require: false
gem "rubocop-performance", '= 1.16.0', require: false
gem "rubocop-rspec", '= 2.19.0', require: false
gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-resource_api", require: false
gem "github_changelog_generator", '= 1.15.2', require: false
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "racc", '~> 1.4.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
gem "facterdb", '~> 1.18', require: false
gem "metadata-json-lint", '~> 3.0', require: false
gem "puppetlabs_spec_helper", '~> 6.0', require: false
gem "rspec-puppet-facts", '~> 2.0', require: false
gem "codecov", '~> 0.2', require: false
gem "dependency_checker", '~> 1.0.0', require: false
gem "parallel_tests", '= 3.12.1', require: false
gem "pry", '~> 0.10', require: false
gem "simplecov-console", '~> 0.5', require: false
gem "puppet-debugger", '~> 1.0', require: false
gem "rubocop", '= 1.48.1', require: false
gem "rubocop-performance", '= 1.16.0', require: false
gem "rubocop-rspec", '= 2.19.0', require: false
gem "puppet-strings", '~> 4.0', require: false
gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-resource_api", require: false
end
group :system_tests do
gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw]
gem "serverspec", '~> 2.41', require: false
gem "serverspec", '~> 2.41', require: false
end
group :release_prep do
gem "puppet-strings", '~> 4.0', require: false
gem "puppetlabs_spec_helper", '~> 6.0', require: false
end

puppet_version = ENV['PUPPET_GEM_VERSION']
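
Review bot: `puppetlabs_spec_helper` and `puppet-strings` are now declared in both `group :development` and the new `group :release_prep` with the same constraints. Bundler rejects a gem listed twice with different version requirements, so the two copies must always be bumped together; a single declaration with `groups: [:development, :release_prep]` avoids that, or, if the duplication comes from the template, raise it there.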
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -20,6 +20,7 @@
* [Additional information](#additional-information)
5. [Reference - An under-the-hood peek at what the module is doing](#reference)
6. [Limitations - OS compatibility, etc.](#limitations)
7. [License](#license)
7. [Firewall_multi - Arrays for certain parameters](#firewall_multi)
8. [Development - Guide for contributing to the module](#development)
* [Tests - Testing your configuration](#tests)
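
Review bot: The new entry `7. [License](#license)` reuses the number of the `Firewall_multi` entry that follows it, so the table of contents now has two items numbered 7. Renumber the later entries, and list License where the section actually sits, which in the next README hunk is directly before `## Development`.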
Expand Down Expand Up @@ -509,17 +510,21 @@ For other distributions (RedHat, Debian, Centos etc) manual installation of the

#### Reporting Issues

Please report any bugs in the Puppetlabs JIRA issue tracker:
Please report any bugs in the Puppetlabs GitHub issue tracker:

<https://tickets.puppetlabs.com/projects/MODULES/issues>
<https://github.com/puppetlabs/puppetlabs-firewall/issues>

## License

This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of [AGPL](https://opensource.org/license/agpl-v3/), [BSD-2](https://opensource.org/license/bsd-2-clause/), [BSD-3](https://opensource.org/license/bsd-3-clause/), [GPL2.0](https://opensource.org/license/gpl-2-0/), [LGPL](https://opensource.org/license/lgpl-3-0/), [MIT](https://opensource.org/license/mit/) and [MPL](https://opensource.org/license/mpl-2-0/) Licensing.

## Development

Acceptance tests for this module leverage [puppet_litmus](https://github.com/puppetlabs/puppet_litmus).
To run the acceptance tests follow the instructions [here](https://github.com/puppetlabs/puppet_litmus/wiki/Tutorial:-use-Litmus-to-execute-acceptance-tests-with-a-sample-module-(MoTD)#install-the-necessary-gems-for-the-module).
You can also find a tutorial and walkthrough of using Litmus and the PDK on [YouTube](https://www.youtube.com/watch?v=FYfR7ZEGHoE).

If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://tickets.puppetlabs.com/browse/MODULES/).
If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://github.com/puppetlabs/puppetlabs-firewall/issues).
Every Monday the Puppet IA Content Team has [office hours](https://puppet.com/community/office-hours) in the [Puppet Community Slack](http://slack.puppet.com/), alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC).

If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support).
6 changes: 2 additions & 4 deletions REFERENCE.md
Expand Up @@ -730,8 +730,7 @@ Data type: `Optional[Variant[String[1], Integer]]`

##### `goto`

Data type: `Optional[Pattern[/^[a-zA-Z0-9_]+$/]]`
_*this data type contains a regex that may not be accurately reflected in generated documentation_
Data type: `Optional[String[1]]`

The value for the iptables --goto parameter. Normal values are:

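Review bot: `goto` is relaxed from `Pattern[/^[a-zA-Z0-9_]+$/]` to `Optional[String[1]]` here, but the v8.0.0 changelog entry for GH-1164 only mentions `jump` values. Mention the `goto` type change in the changelog as well, since values that previously failed type validation will now be accepted.
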
Expand Down Expand Up @@ -927,8 +926,7 @@ Data type: `Optional[Boolean]`

##### `jump`

Data type: `Optional[Pattern[/^[a-zA-Z0-9_]+$/]]`
_*this data type contains a regex that may not be accurately reflected in generated documentation_
Data type: `Optional[String[1]]`

This value for the iptables --jump parameter and the action to perform on a match. Common values are:

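Review bot: With `Optional[String[1]]` the type no longer restricts which characters a `jump` value may contain, and this value is what ends up as the iptables `--jump` argument. If the aim is to admit names the old pattern rejected, a wider pattern (for example one that also allows `-`) would still keep whitespace and option-like strings out at the type level; otherwise document where the value is validated before it reaches the command line.
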
86 changes: 2 additions & 84 deletions Rakefile
@@ -1,91 +1,9 @@
# frozen_string_literal: true

require 'bundler'
require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any?
require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus'
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-syntax/tasks/puppet-syntax'
require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?
require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any?
require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any?

def changelog_user
return unless Rake.application.top_level_tasks.include? "changelog"
returnVal = "puppetlabs" || JSON.load(File.read('metadata.json'))['author']
raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
puts "GitHubChangelogGenerator user:#{returnVal}"
returnVal
end

def changelog_project
return unless Rake.application.top_level_tasks.include? "changelog"

returnVal = nil
returnVal ||= begin
metadata_source = JSON.load(File.read('metadata.json'))['source']
metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z})

metadata_source_match && metadata_source_match[1]
end

raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil?

puts "GitHubChangelogGenerator project:#{returnVal}"
returnVal
end

def changelog_future_release
return unless Rake.application.top_level_tasks.include? "changelog"
returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version']
raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
puts "GitHubChangelogGenerator future_release:#{returnVal}"
returnVal
end
require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings'

PuppetLint.configuration.send('disable_relative')


if Bundler.rubygems.find_name('github_changelog_generator').any?
GitHubChangelogGenerator::RakeTask.new :changelog do |config|
raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
config.user = "#{changelog_user}"
config.project = "#{changelog_project}"
config.since_tag = "v3.0.0"
config.max_issues = 500
config.future_release = "#{changelog_future_release}"
config.exclude_labels = ['maintenance']
config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
config.add_pr_wo_labels = true
config.issues = false
config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB"
config.configure_sections = {
"Changed" => {
"prefix" => "### Changed",
"labels" => ["backwards-incompatible"],
},
"Added" => {
"prefix" => "### Added",
"labels" => ["enhancement", "feature"],
},
"Fixed" => {
"prefix" => "### Fixed",
"labels" => ["bug", "documentation", "bugfix"],
},
}
end
else
desc 'Generate a Changelog from GitHub'
task :changelog do
raise <<EOM
The changelog tasks depends on recent features of the github_changelog_generator gem.
Please manually add it to your .sync.yml for now, and run `pdk update`:
---
Gemfile:
optional:
':development':
- gem: 'github_changelog_generator'
version: '~> 1.15'
condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')"
EOM
end
end

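Review bot: `Gem.loaded_specs.key? 'puppet_litmus'` (and the same test for `puppet-strings`) is true only for gems that are already activated, whereas the replaced `Bundler.rubygems.find_name(...).any?` checks looked the gem up by name. When rake is started without Bundler having set up the bundle, the litmus and strings tasks will be skipped silently; add a short comment that the Rakefile expects `bundle exec rake`, or keep a lookup that does not depend on activation.
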
6 changes: 4 additions & 2 deletions lib/puppet/provider/firewall/firewall.rb
Expand Up @@ -863,8 +863,10 @@ def self.process_input(should)
should[key][0] = ['!', should[key][0]].join(' ') if negated
end

# `jump` values should always be uppercase
should[:jump] = should[:jump].upcase if should[:jump]
# `jump` common values should always be uppercase
jump_common_values = ['accept', 'reject', 'drop', 'queue', 'return', 'dnat', 'snat', 'log', 'nflog',
'netmp', 'masquerade', 'redirect', 'mark', 'ct']
should[:jump] = should[:jump].upcase if should[:jump] && jump_common_values.include?(should[:jump].downcase)

# `source` and `destination` must be put through host_to_mask
should[:source] = PuppetX::Firewall::Utility.host_to_mask(should[:source], should[:protocol]) if should[:source]
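
Review bot: `'netmp'` in `jump_common_values` looks like a typo for `'netmap'`, the iptables NETMAP target, so `jump => 'netmap'` will not be upcased while the other listed targets are. Fix the spelling and add a unit test that runs each listed value through `process_input`; since the array is rebuilt on every call, it could also move to a frozen constant.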
6 changes: 3 additions & 3 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-firewall",
"version": "7.0.2",
"version": "8.0.0",
"author": "puppetlabs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
Expand Down Expand Up @@ -83,6 +83,6 @@
}
],
"template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
"template-ref": "heads/main-0-gc6d4446",
"pdk-version": "2.7.1"
"template-ref": "heads/main-0-g79a2f93",
"pdk-version": "3.0.0"
}
4 changes: 1 addition & 3 deletions spec/acceptance/firewall_attributes_exceptions_spec.rb
Expand Up @@ -19,9 +19,7 @@

# --bytecode is only supported by operatingsystems using nftables (in general Linux kernel 3.13, RedHat 7 (and derivates) with 3.10)
# Skipping those from which we know they would fail.
describe 'bytecode property', unless: (os[:family] == 'redhat' && os[:release][0] <= '6') ||
(os[:family] == 'sles' && os[:release][0..1] <= '11') ||
(fetch_os_name == 'oraclelinux' && os[:release][0] <= '7') ||
describe 'bytecode property', unless: (fetch_os_name == 'oraclelinux' && os[:release][0] == '7') ||
(os[:family] == 'ubuntu') do
describe 'bytecode' do
context 'when 4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' do
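
Review bot: The new guard `os[:release][0] == '7'` compares only the first character of the release string, so it relies on the major version being a single digit; `os[:release].to_i == 7`, the form already used in `spec_helper_acceptance_local.rb`, states the intent directly. The `sles` guard is also dropped in this hunk although the changelog entry covers only RedHat/Scientific/OracleLinux 6, so confirm that removal is intended.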
78 changes: 0 additions & 78 deletions spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
Expand Up @@ -86,29 +86,6 @@ class { '::firewall': }
end
end
end

context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')) do
pp = <<-PUPPETCODE
class { '::firewall': }
firewall { '616 - test':
proto => tcp,
jump => accept,
#{type} => ['LOCAL', '! LOCAL'],
protocol => 'IPv6',
}
PUPPETCODE
it 'fails' do
apply_manifest(pp, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version})
end
end

it 'does not contain the rule' do
run_shell('ip6tables-save') do |r|
expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT})
end
end
end
end
end

Expand Down Expand Up @@ -139,61 +116,6 @@ class { '::firewall': }
end
end

# ipset is hard to test, only testing on ubuntu 14
describe 'ipset', if: (os[:family] == 'redhat' && os[:release].start_with?('14')) do
before(:all) do
pp = <<-PUPPETCODE
exec { 'hackery pt 1':
command => 'service iptables-persistent flush',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
package { 'ipset':
ensure => present,
require => Exec['hackery pt 1'],
}
exec { 'hackery pt 2':
command => 'service iptables-persistent start',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
require => Package['ipset'],
}
class { '::firewall': }
exec { 'create ipset blacklist':
command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
require => Package['ipset'],
}
-> exec { 'create ipset honeypot':
command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
-> exec { 'add blacklist':
command => 'ipset add blacklist 2001:db8::1,80',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
-> exec { 'add honeypot':
command => 'ipset add honeypot 2001:db8::5',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
}
firewall { '612 - test':
ensure => present,
chain => 'INPUT',
proto => tcp,
jump => drop,
ipset => ['blacklist src,dst', '! honeypot dst'],
protocol => 'IPv6',
require => Exec['add honeypot'],
}
PUPPETCODE
apply_manifest(pp, catch_failures: true)
end

it 'contains the rule' do
run_shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A INPUT -p (tcp|6) -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP})
end
end
end

describe 'src_range' do
context 'when 2001::db8::1-2001:db8::ff' do
pp = <<-PUPPETCODE
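
Review bot: The deleted `ipset` block was guarded by `os[:family] == 'redhat' && os[:release].start_with?('14')` under a comment saying it targets ubuntu 14, so the guard did not describe any platform the test was meant for. Removing it is safe, but if `ipset` with `protocol => 'IPv6'` is not covered elsewhere, re-add the test with a guard for a currently supported platform rather than dropping it.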
Expand Up @@ -2,7 +2,7 @@

require 'spec_helper_acceptance'

describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do
describe 'firewall attribute testing, happy path', unless: (os[:family] == 'sles') do
before :all do
iptables_flush_all_tables
ip6tables_flush_all_tables
2 changes: 1 addition & 1 deletion spec/acceptance/resource_cmd_spec.rb
Expand Up @@ -85,7 +85,7 @@
end
end

context 'when accepts rules with multiple comments', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do
context 'when accepts rules with multiple comments' do
before(:all) do
iptables_flush_all_tables
run_shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http" -m comment --comment "http"')
6 changes: 3 additions & 3 deletions spec/default_facts.yml
Expand Up @@ -3,7 +3,7 @@
# Facts specified here will override the values provided by rspec-puppet-facts.
---
networking:
ip: "172.16.254.254"
ip6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA"
mac: "AA:AA:AA:AA:AA:AA"
ip: "172.16.254.254"
ip6: "FE80:0000:0000:0000:AAAA:AAAA:AAAA"
mac: "AA:AA:AA:AA:AA:AA"
is_pe: false
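
Review bot: The `ip6` value `FE80:0000:0000:0000:AAAA:AAAA:AAAA` has seven groups, one short of a full IPv6 address, and this hunk only re-indents it. Since the line is touched anyway, correct the value here or in the template the file is generated from, so specs that parse `networking.ip6` get a valid address.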
4 changes: 2 additions & 2 deletions spec/spec_helper.rb
Expand Up @@ -13,7 +13,7 @@

default_facts = {
puppetversion: Puppet.version,
facterversion: Facter.version
facterversion: Facter.version,
}

default_fact_files = [
Expand All @@ -25,7 +25,7 @@
next unless File.exist?(f) && File.readable?(f) && File.size?(f)

begin
default_facts.merge!(YAML.safe_load(File.read(f), [], [], true))
default_facts.merge!(YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true))
rescue StandardError => e
RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}"
end
2 changes: 1 addition & 1 deletion spec/spec_helper_acceptance_local.rb
Expand Up @@ -62,7 +62,7 @@ def fetch_os_name
c.before :suite do
# Depmod is not availible by default on our AlmaLinux/CentOS 8 docker image
LitmusHelper.instance.run_shell('yum install kmod -y') if ['almalinux-8', 'centos-8'].include?("#{fetch_os_name}-#{os[:release].to_i}")
if ['centos-6', 'centos-7', 'oraclelinux-6', 'scientific-6', 'scientific-7'].include?("#{fetch_os_name}-#{os[:release].to_i}")
if ['centos-7', 'scientific-7'].include?("#{fetch_os_name}-#{os[:release].to_i}")
LitmusHelper.instance.run_shell('yum update -y')
LitmusHelper.instance.run_shell('depmod -a')
['filter', 'nat', 'mangle', 'raw'].each do |t|
2 changes: 1 addition & 1 deletion spec/unit/classes/firewall_linux_spec.rb
Expand Up @@ -5,7 +5,7 @@
describe 'firewall::linux', type: :class do
['RedHat', 'CentOS'].each do |os|
context "with Redhat Like: operatingsystem => #{os}" do
releases = ['6', '7', '8']
releases = ['7', '8']
releases.each do |osrel|
context "when operatingsystemrelease => #{osrel}" do
let(:facts) do