* ip6tables: Ip6tables type provider
* Required binaries: ip6tables-save, ip6tables.
- * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
+ * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
* Required binaries: iptables-save, iptables.
* Default for kernel == linux.
- * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
+ * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
* connection_limiting: Connection limiting features.
+ * conntrack: Connection tracking features.
+
* dnat: Destination NATing.
* hop_limiting: Hop limiting features.
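Review bot: the description on the `+ * conntrack: Connection tracking features.` line is too generic to tell a reader which properties the feature gates; name them (presumably the `ct*` match properties introduced further down: `ctstate`, `ctproto`, the `ctorig*`/`ctrepl*` address and port properties, `ctstatus`, `ctexpire`, `ctdir`), the way the existing `ct_target` entry spells out what it controls. Without that, a provider that declares `conntrack` yet rejects one of those properties cannot be spotted from the docs.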
* ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
+ * random_fully: The ability to use --random-fully flag.
+
#### Properties
The following properties are available in the `firewall` type.
* MASQUERADE
* REDIRECT
* MARK
+* CT
But any valid chain name is allowed.
For NETMAP this will replace the destination IP
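Review bot: `random_fully` is added to the feature descriptions (`+ * random_fully: The ability to use --random-fully flag.`) but neither visible provider list gains it; only `conntrack` is inserted there, and in both lists the gap between `queue_num` and `rate_limiting`, where an alphabetical entry would sit, is unchanged. If the iptables and ip6tables providers implement the flag, add it to their supported-features lists (check the tail of each list in case they are not strictly sorted), and write the flag as `--random-fully` with an article ("the `--random-fully` flag"). The `+* CT` jump entry also lands in a list whose only surrounding guidance is "any valid chain name is allowed"; say which table this target is valid in and which properties are meant to be combined with it (the `helper` property added later in this patch reads like the target's helper option), so readers do not try it in `filter` rules.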
+##### `random_fully`
+
+Valid values: `true`, `false`
+
+When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+this boolean will enable fully randomized port mapping.
+
+**NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
+
##### `random`
Valid values: `true`, `false`
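Review bot: the sentence "When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping." should be checked against the target man pages before merging, because the iptables SNAT and MASQUERADE targets document `--random-fully` while DNAT and REDIRECT document only `--random`; list only the jump values for which the provider actually emits the flag, or the resource will fail at apply time for the others. It would also help to state how this property relates to the adjacent `random` property (whether both may be set, and which wins), and to keep the kernel/iptables version note consistently capitalised ("kernel >= 3.13").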
##### `ctstate`
-Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
+Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT, DNAT
Matches a packet based on its state in the firewall stateful inspection
table, using the conntrack module. Values can be:
* NEW
* RELATED
* UNTRACKED
+* SNAT
+* DNAT
+
+##### `ctproto`
+
+Valid values: %r{^!?\s?\d+$}
+
+The specific layer-4 protocol number to match for this rule using the
+conntrack module.
+
+##### `ctorigsrc`
+
+The original source address using the conntrack module. For example:
+
+ ctorigsrc => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ ctorigsrc => '! 192.168.2.0/24'
+
+The ctorigsrc can also be an IPv6 address if your provider supports it.
+
+##### `ctorigdst`
+
+The original destination address using the conntrack module. For example:
+
+ ctorigdst => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ ctorigdst => '! 192.168.2.0/24'
+
+The ctorigdst can also be an IPv6 address if your provider supports it.
+
+##### `ctreplsrc`
+
+The reply source address using the conntrack module. For example:
+
+ ctreplsrc => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ ctreplsrc => '! 192.168.2.0/24'
+
+The ctreplsrc can also be an IPv6 address if your provider supports it.
+
+##### `ctrepldst`
+
+The reply destination address using the conntrack module. For example:
+
+ ctrepldst => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ ctrepldst => '! 192.168.2.0/24'
+
+The ctrepldst can also be an IPv6 address if your provider supports it.
+
+##### `ctorigsrcport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The original source port to match for this filter using the conntrack module.
+For example:
+
+ ctorigsrcport => '80'
+
+You can also specify a port range: For example:
+
+ ctorigsrcport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctorigsrcport => '! 80'
+
+##### `ctorigdstport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The original destination port to match for this filter using the conntrack module.
+For example:
+
+ ctorigdstport => '80'
+
+You can also specify a port range: For example:
+
+ ctorigdstport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctorigdstport => '! 80'
+
+##### `ctreplsrcport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The reply source port to match for this filter using the conntrack module.
+For example:
+
+ ctreplsrcport => '80'
+
+You can also specify a port range: For example:
+
+ ctreplsrcport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctreplsrcport => '! 80'
+
+##### `ctrepldstport`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+The reply destination port to match for this filter using the conntrack module.
+For example:
+
+ ctrepldstport => '80'
+
+You can also specify a port range: For example:
+
+ ctrepldstport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctrepldstport => '! 80'
+
+##### `ctstatus`
+
+Valid values: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED
+
+Matches a packet based on its status using the conntrack module. Values can be:
+
+* EXPECTED
+* SEEN_REPLY
+* ASSURED
+* CONFIRMED
+
+##### `ctexpire`
+
+Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+
+Matches a packet based on lifetime remaining in seconds or range of values
+using the conntrack module. For example:
+
+ ctexpire => '100:150'
+
+##### `ctdir`
+
+Valid values: REPLY, ORIGINAL
+
+Matches a packet that is flowing in the specified direction using the
+conntrack module. If this flag is not specified at all, matches packets
+in both directions. Values can be:
+
+* REPLY
+* ORIGINAL
##### `connmark`
address in order to DoS you via this module by disallowing others access
to your site by sending bogus packets to you. Must be boolean true.
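Review bot: in the `ctstatus` section the `Valid values:` line lists `NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED` but the bullet list below it omits `NONE`; either drop it from the valid values or add the bullet, as the two lists are otherwise meant to be the same. For `ctstate`, the new `SNAT` and `DNAT` values deserve one sentence each so they are not confused with the `dnat` feature or the NAT jump targets: they are virtual states of the conntrack match, matching when the original source (SNAT) or original destination (DNAT) of the flow differs from the reply tuple, i.e. the flow has been NATed. Smaller points in the same block: the repeated "You can also specify a port range: For example:" has a stray colon before "For example"; the `ctproto` regex `%r{^!?\s?\d+$}` accepts only numeric protocols, so say explicitly that names such as `tcp` are rejected; and the `ctexpire` regex permits `!` negation that the text never mentions.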
+##### `rpfilter`
+
+Valid values: loose, validmark, accept-local, invert
+
+Enable the rpfilter module.
+
##### `socket`
Valid values: `true`, `false`
Assign this packet to zone id and only have lookups done in that zone.
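Review bot: "Enable the rpfilter module." does not tell the reader what the match does or how the listed values are used; a `rpfilter` rule is a reverse-path check (the packet matches when a reply to it would be routed out of the interface it arrived on, and `invert` flips that), so a one-sentence description plus the usual placement (a `PREROUTING` rule that drops or logs the inverted match) would make the property usable. Also state whether the property can be set without any of `loose`, `validmark`, `accept-local`, `invert` for the plain strict check, and whether several flags can be combined, since the valid-values line reads as single-valued.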
+##### `helper`
+
+Invoke the nf_conntrack_xxx helper module for this packet.
+
#### Parameters
The following parameters are available in the `firewall` type.
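Review bot: the `helper` entry has no `Valid values:` line and no example, unlike every other property added in this patch; the value is a conntrack helper name, so add the format and an illustrative value (for instance `helper => 'ftp'`, shown as an example rather than an exhaustive list) and say that it is meant to be used together with the new `CT` jump target, otherwise readers have no way to connect the two additions. Spelling out that the named `nf_conntrack_*` kernel module must already be loaded would also save a class of apply-time failures.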