review.fuel-infra Code Review - puppet-modules/puppetlabs-firewall.git/commit

author	Hunter Haugen <hunter@puppetlabs.com>
	Mon, 10 Feb 2014 23:53:42 +0000 (15:53 -0800)
committer	Hunter Haugen <hunter@puppetlabs.com>
	Tue, 11 Feb 2014 01:17:35 +0000 (17:17 -0800)
commit	2d4a2b7cc2ef3ebb549229f1f423ab5fed597d7a
tree	b7d99f6305ad2bc1070b73fefe3d81dff1e99adc	tree \| snapshot
parent	1bdf3612c26e44a25c8321742e9769054450750f	commit \| diff

Release 0.5.0

Summary:
This is a bigger release that brings in "recent" connection limiting (think
"port knocking"), firewall chain purging on a per-chain/per-table basis, and
support for a few other use cases. This release also fixes a major bug which
could cause modifications to the wrong rules when unmanaged rules are present.

New Features:
* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
  `rname`, `rseconds`, `rsource`, and `rttl`
* Add negation support for source and destination
* Add per-chain/table purging support to `firewallchain`
* IPv4 specific
  * Add random port forwarding support
  * Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
* IPv6 specific
  * Add support for hop limiting via `hop_limit` parameter
  * Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
  * Add support for conntrack stateful firewall matching via `ctstate`

Bugfixes:
- Boolean fixups allowing false values
- Better detection of unmanaged rules
- Fix multiport rule detection
- Fix sport/dport rule detection
- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
- Allow INPUT with the nat table
- Fix `src_range` & `dst_range` order detection
- Documentation clarifications
- Fixes to spec tests

Changelog		diff \| blob \| history
Modulefile		diff \| blob \| history