# Change log
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
-## [v3.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.6.0) - 2022-10-03
-[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.5.0...v3.6.0)
+## [v4.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v4.0.0) (2022-11-22)
-### Added
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.6.0...v4.0.0)
-- pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 [#1063](https://github.com/puppetlabs/puppetlabs-firewall/pull/1063) ([david22swan](https://github.com/david22swan))
+### Changed
-- pdksync - (GH-cat-12) Add Support for Redhat 9 [#1054](https://github.com/puppetlabs/puppetlabs-firewall/pull/1054) ([david22swan](https://github.com/david22swan))
+- \(CONT-256\) Removing outdated code [\#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud))
+
+### Added
+
+- add support for using rpfilter in rules [\#1059](https://github.com/puppetlabs/puppetlabs-firewall/pull/1059) ([cmusik](https://github.com/cmusik))
### Fixed
-- (GH-1055) Fix for `--random-fully` [#1058](https://github.com/puppetlabs/puppetlabs-firewall/pull/1058) ([david22swan](https://github.com/david22swan))
+- \(CONT-173\) - Updating deprecated facter instances [\#1079](https://github.com/puppetlabs/puppetlabs-firewall/pull/1079) ([jordanbreen28](https://github.com/jordanbreen28))
+- pdksync - \(CONT-189\) Remove support for RedHat6 / OracleLinux6 / Scientific6 [\#1078](https://github.com/puppetlabs/puppetlabs-firewall/pull/1078) ([david22swan](https://github.com/david22swan))
+- pdksync - \(CONT-130\) - Dropping Support for Debian 9 [\#1075](https://github.com/puppetlabs/puppetlabs-firewall/pull/1075) ([jordanbreen28](https://github.com/jordanbreen28))
+- fix service port number lookup to use protocol [\#1023](https://github.com/puppetlabs/puppetlabs-firewall/pull/1023) ([kjetilho](https://github.com/kjetilho))
+
+## [v3.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.6.0) (2022-10-03)
-### Other
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.5.0...v3.6.0)
+
+### Added
-- allow persistence of firewall rules for Suse [#1061](https://github.com/puppetlabs/puppetlabs-firewall/pull/1061) ([corporate-gadfly](https://github.com/corporate-gadfly))
+- pdksync - \(GH-cat-11\) Certify Support for Ubuntu 22.04 [\#1063](https://github.com/puppetlabs/puppetlabs-firewall/pull/1063) ([david22swan](https://github.com/david22swan))
+- pdksync - \(GH-cat-12\) Add Support for Redhat 9 [\#1054](https://github.com/puppetlabs/puppetlabs-firewall/pull/1054) ([david22swan](https://github.com/david22swan))
-## [v3.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.5.0) - 2022-05-17
+### Fixed
+
+- allow persistence of firewall rules for Suse [\#1061](https://github.com/puppetlabs/puppetlabs-firewall/pull/1061) ([corporate-gadfly](https://github.com/corporate-gadfly))
+- \(GH-1055\) Fix for `--random-fully` [\#1058](https://github.com/puppetlabs/puppetlabs-firewall/pull/1058) ([david22swan](https://github.com/david22swan))
+
+## [v3.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.5.0) (2022-05-17)
[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.4.0...v3.5.0)
### Added
-- CentOS Stream 9 Support (should include RHEL9 when that releases) [#1028](https://github.com/puppetlabs/puppetlabs-firewall/pull/1028) ([tskirvin](https://github.com/tskirvin))
+- CentOS Stream 9 Support \(should include RHEL9 when that releases\) [\#1028](https://github.com/puppetlabs/puppetlabs-firewall/pull/1028) ([tskirvin](https://github.com/tskirvin))
### Fixed
-- pdksync - (GH-iac-334) Remove Support for Ubuntu 14.04/16.04 [#1038](https://github.com/puppetlabs/puppetlabs-firewall/pull/1038) ([david22swan](https://github.com/david22swan))
-
-- Fix rpfilter parameter [#1013](https://github.com/puppetlabs/puppetlabs-firewall/pull/1013) ([onyxmaster](https://github.com/onyxmaster))
+- pdksync - \(GH-iac-334\) Remove Support for Ubuntu 14.04/16.04 [\#1038](https://github.com/puppetlabs/puppetlabs-firewall/pull/1038) ([david22swan](https://github.com/david22swan))
+- Fix rpfilter parameter [\#1013](https://github.com/puppetlabs/puppetlabs-firewall/pull/1013) ([onyxmaster](https://github.com/onyxmaster))
## [v3.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.4.0) (2022-02-28)
### Fixed
-- pdksync - \(IAC-1787\) - Remove Support for CentOS 6 [\#1027](https://github.com/puppetlabs/puppetlabs-firewall/pull/1027) ([david22swan](https://github.com/david22swan))
+- pdksync - \(IAC-1787\) Remove Support for CentOS 6 [\#1027](https://github.com/puppetlabs/puppetlabs-firewall/pull/1027) ([david22swan](https://github.com/david22swan))
## [v3.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.3.0) (2021-12-15)
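Review bot: the new v4.0.0 section files the platform-support removals (#1078 RedHat6 / OracleLinux6 / Scientific6, #1075 Debian 9) under `### Fixed`; dropping supported platforms is a breaking change and is what justifies the major version bump, so those two entries belong under `### Changed` (or a `### Removed` heading, which the Keep a Changelog format linked at the top of this file defines) rather than `### Fixed`. The same mis-filing already exists for #1038 (Ubuntu 14.04/16.04 removal) in v3.5.0 and #1027 (CentOS 6 removal) in v3.4.0, and since the v3.4.0 line is being touched here anyway it would be worth correcting in the same pass. Also, the v3.6.0 entry #1061 (rule persistence for SUSE) moves from `### Other` to `### Fixed`, but it reads as new functionality and fits `### Added` better. The switch from `- 2022-10-03` to `(2022-10-03)` in the headings is fine: it matches the date style of the older entries.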
* `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
* `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
* `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems.
-* `firewall::params`: Provides defaults for the Apt module parameters.
+* `firewall::params`: Provides defaults for the Apt module parameters
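Review bot: the `firewall::params` line drops its trailing period, leaving it inconsistent with the three sibling entries above it (`firewall::linux::debian`, `firewall::linux::gentoo`, `firewall::linux::redhat`), which all end with one; keep `Provides defaults for the Apt module parameters.` While here, "Apt module" in a `firewall::params` description looks like a copy-paste from another module's reference and probably should read "firewall module", but that wording is pre-existing and not introduced by this hunk.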
### Resource types
The following parameters are available in the `firewall` class:
-* [`ensure`](#ensure)
-* [`ensure_v6`](#ensure_v6)
-* [`pkg_ensure`](#pkg_ensure)
-* [`service_name`](#service_name)
-* [`service_name_v6`](#service_name_v6)
-* [`package_name`](#package_name)
-* [`ebtables_manage`](#ebtables_manage)
+* [`ensure`](#-firewall--ensure)
+* [`ensure_v6`](#-firewall--ensure_v6)
+* [`pkg_ensure`](#-firewall--pkg_ensure)
+* [`service_name`](#-firewall--service_name)
+* [`service_name_v6`](#-firewall--service_name_v6)
+* [`package_name`](#-firewall--package_name)
+* [`ebtables_manage`](#-firewall--ebtables_manage)
-##### <a name="ensure"></a>`ensure`
+##### <a name="-firewall--ensure"></a>`ensure`
Data type: `Any`
Default value: `running`
-##### <a name="ensure_v6"></a>`ensure_v6`
+##### <a name="-firewall--ensure_v6"></a>`ensure_v6`
Data type: `Any`
Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
-Default value: ``undef``
+Default value: `undef`
-##### <a name="pkg_ensure"></a>`pkg_ensure`
+##### <a name="-firewall--pkg_ensure"></a>`pkg_ensure`
Data type: `Any`
Default value: `present`
-##### <a name="service_name"></a>`service_name`
+##### <a name="-firewall--service_name"></a>`service_name`
Data type: `Any`
Default value: `$firewall::params::service_name`
-##### <a name="service_name_v6"></a>`service_name_v6`
+##### <a name="-firewall--service_name_v6"></a>`service_name_v6`
Data type: `Any`
Default value: `$firewall::params::service_name_v6`
-##### <a name="package_name"></a>`package_name`
+##### <a name="-firewall--package_name"></a>`package_name`
Data type: `Any`
Default value: `$firewall::params::package_name`
-##### <a name="ebtables_manage"></a>`ebtables_manage`
+##### <a name="-firewall--ebtables_manage"></a>`ebtables_manage`
Data type: `Any`
Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
-Default value: ``false``
+Default value: `false`
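Review bot: the anchor rename from `#ensure` to `#-firewall--ensure` is applied consistently to all seven table-of-contents links and their `<a name>` targets, but it breaks any link outside this file (README, docs site, issues) that still points at the old `#ensure`-style anchors; please grep the repository for the old anchor names and update them in the same PR so no dangling links are introduced. The change from double to single backticks around `undef` and `false` in the `Default value:` lines is correct: the doubled backticks rendered as literal backticks in the generated output.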
## Resource types
##### `checksum_fill`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Compute and fill missing packet checksums.
##### `clamp_mss_to_pmtu`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Sets the clamp mss to pmtu flag.
##### `clusterip_new`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Used with the CLUSTERIP jump target.
Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
##### `ipvs`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Indicates that the current packet belongs to an IPVS connection.
##### `isfirstfrag`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
If true, matches if the packet is the first fragment.
Sadly cannot be negated. ipv6.
##### `isfragment`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Set to true to match tcp fragments (requires type to be set to tcp)
##### `ishasmorefrags`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
If true, matches if the packet has it's 'more fragments' bit set. ipv6.
##### `islastfrag`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
If true, matches if the packet is the last fragment. ipv6.
##### `kernel_timezone`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
##### `log_ip_options`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When combined with jump => "LOG" logging of the TCP IP/IPv6
packet header.
##### `log_tcp_options`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When combined with jump => "LOG" logging of the TCP packet
header.
##### `log_tcp_sequence`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When combined with jump => "LOG" enables logging of the TCP sequence
numbers.
##### `log_uid`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When combined with jump => "LOG" specifies the uid of the process making
the connection.
##### `notrack`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Invoke the disable connection tracking for this packet.
This parameter can be used with iptables version >= 1.8.3
##### `physdev_is_bridged`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Match if the packet is transversing a bridge.
##### `physdev_is_in`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Matches if the packet has entered through a bridge interface.
##### `physdev_is_out`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Matches if the packet will leave through a bridge interface.
##### `queue_bypass`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Used with NFQUEUE jump target
Allow packets to bypass :queue_num if userspace process is not listening
##### `random`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
this boolean will enable randomized port mapping.
##### `random_fully`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
this boolean will enable fully randomized port mapping.
##### `rdest`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Recent module; add the destination IP address to the list.
Must be boolean true.
##### `reap`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Recent module; can only be used in conjunction with the `rseconds`
attribute. When used, this will cause entries older than 'seconds' to be
##### `rsource`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Recent module; add the source IP address to the list.
Must be boolean true.
##### `rttl`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
Recent module; may only be used in conjunction with one of `recent =>
'rcheck'` or `recent => 'update'`. When used, this will narrow the match
##### `socket`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
If true, matches if an open socket can be found by doing a coket lookup
on the packet.
##### `time_contiguous`
-Valid values: ``true``, ``false``
+Valid values: `true`, `false`
When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
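Review bot: these `Valid values:` edits are purely cosmetic (double to single backticks), so this is the right moment to also correct the typos in the adjacent description lines that the hunk leaves untouched: "coket lookup" under `socket` should be "socket lookup", "has it's 'more fragments' bit set" under `ishasmorefrags` should be "has its", "transversing a bridge" under `physdev_is_bridged` should be "traversing a bridge", and "instead distinct intervals" under `time_contiguous` should be "instead of distinct intervals". The `reap` and `rttl` descriptions also appear to end mid-sentence here ("to be", "narrow the match"); please check the source docstrings in the type so the generated reference carries the complete text, since this reference is what operators consult when reasoning about what a rule actually matches.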
The following parameters are available in the `firewall` type.
-* [`line`](#line)
-* [`name`](#name)
-* [`provider`](#provider)
+* [`line`](#-firewall--line)
+* [`name`](#-firewall--name)
+* [`onduplicaterulebehaviour`](#-firewall--onduplicaterulebehaviour)
+* [`provider`](#-firewall--provider)
-##### <a name="line"></a>`line`
+##### <a name="-firewall--line"></a>`line`
Read-only property for caching the rule line.
-##### <a name="name"></a>`name`
+##### <a name="-firewall--name"></a>`name`
Valid values: `%r{^\d+[[:graph:][:space:]]+$}`
Depending on the provider, the name of the rule can be stored using
the comment feature of the underlying firewall subsystem.
-##### <a name="provider"></a>`provider`
+##### <a name="-firewall--onduplicaterulebehaviour"></a>`onduplicaterulebehaviour`
+
+Valid values: `ignore`, `warn`, `error`
+
+In certain situations it is possible for an unmanaged rule to exist
+on the target system that has the same comment as the rule
+specified in the manifest.
+
+This setting determines what happens when such a duplicate is found.
+
+It offers three options:
+
+ * ignore - The duplicate rule is ignored and any updates to the resource will continue unaffected.
+ * warn - The duplicate rule is logged as a warning and any updates to the resource will continue unaffected.
+ * error - The duplicate rule is logged as an error and any updates to the resource will be skipped.
+
+Default value: `warn`
+
+##### <a name="-firewall--provider"></a>`provider`
The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
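Review bot: the new `onduplicaterulebehaviour` entry indents its option list with a leading space (` * ignore`), which differs from the `* ` list style used everywhere else in this file and renders as a nested list in some Markdown engines; drop the leading space. On substance, the text should state which rule Puppet manages when a duplicate is found under `ignore` or `warn`, because "any updates to the resource will continue unaffected" leaves it unclear whether the unmanaged duplicate is left in place (so two rules with the same comment remain active in the chain) and whether the managed rule's position is affected. With `warn` as the default this is the path most users will hit, so spelling it out matters for anyone auditing the live ruleset against the manifest or deciding whether `firewallchain` `purge` is needed to clean such duplicates up.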
The following parameters are available in the `firewallchain` type.
-* [`ignore`](#ignore)
-* [`ignore_foreign`](#ignore_foreign)
-* [`name`](#name)
-* [`provider`](#provider)
-* [`purge`](#purge)
+* [`ignore`](#-firewallchain--ignore)
+* [`ignore_foreign`](#-firewallchain--ignore_foreign)
+* [`name`](#-firewallchain--name)
+* [`provider`](#-firewallchain--provider)
+* [`purge`](#-firewallchain--purge)
-##### <a name="ignore"></a>`ignore`
+##### <a name="-firewallchain--ignore"></a>`ignore`
Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
This is matched against the output of `iptables-save`.
}
```
-##### <a name="ignore_foreign"></a>`ignore_foreign`
+##### <a name="-firewallchain--ignore_foreign"></a>`ignore_foreign`
-Valid values: ``false``, ``true``
+Valid values: `false`, `true`
Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules
in this chain.
configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured
rules.
-Default value: ``false``
+Default value: `false`
-##### <a name="name"></a>`name`
+##### <a name="-firewallchain--name"></a>`name`
namevar
For iptables the format must be {chain}:{table}:{protocol}.
-##### <a name="provider"></a>`provider`
+##### <a name="-firewallchain--provider"></a>`provider`
The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
-##### <a name="purge"></a>`purge`
+##### <a name="-firewallchain--purge"></a>`purge`
-Valid values: ``false``, ``true``
+Valid values: `false`, `true`
Purge unmanaged firewall rules in this chain
-Default value: ``false``
+Default value: `false`
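Review bot: `ignore_foreign` and `purge` list `Valid values: \`false\`, \`true\`` while every boolean parameter of the `firewall` type above lists `\`true\`, \`false\``; since these lines are being rewritten anyway, use one order throughout. Also, the `ignore_foreign` description has a sentence beginning with "configuring firewall rules with a comment that starts with digits" whose opening words are missing as shown here, and the `purge` description ("Purge unmanaged firewall rules in this chain") lacks a trailing period; both are worth fixing in the source docstrings, as the `ignore_foreign` note is the one place that explains how an unmanaged rule can be made indistinguishable from a Puppet-managed one during purging.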