Nick Stenning [Fri, 14 Jun 2013 11:08:38 +0000 (12:08 +0100)]
Add support for --src-type and --dst-type
Add support for filtering by source and destination address types. Supported by
iptables only, this feature allows filtering packets by the address type (such
as whether the packet came from a local address, a broadcast address, a
multicast address, etc).
Adds the `:address_type` feature to allow a provider to declare support for
filtering on the basis of address type.
Dan Carley [Thu, 13 Jun 2013 20:10:04 +0000 (21:10 +0100)]
[#200] Add tests for --limit-burst
Both explicit (when a `:burst` parameter or `--limit-burst` argument is
present) and implicit (when neither is specified but `:limit` or `--limit`
are present and the default burst is `5`).
Marc Tardif [Wed, 24 Apr 2013 18:46:26 +0000 (14:46 -0400)]
(#171) Added ensure parameter to firewall class
This change adds the ensure parameter to the firewall class so that
the appropriate iptables service for the operating system can be
stopped. The reason for this change is to extend the class so that
it is not just limited to running the service.
The change to the manifests still made all the rspec tests pass,
so it should not introduce any regressions. More rspec tests were
also added to exercise the new code paths introduced.
Ken Barber [Sat, 13 Apr 2013 19:00:43 +0000 (20:00 +0100)]
Add tests for the recommended setup
Using the documented recommended setup, we test if it works with no error and
test if it is idempotent by running it again, looking for resource changes.
Ken Barber [Fri, 12 Apr 2013 12:48:56 +0000 (13:48 +0100)]
Merge branch '20125'
* 20125:
(#20125) Add persistence support for Archlinux platform
(#20125) Use PATH to find (ip|ip6|eb)tables for chain provider
(#20125) Use PATH to find (ip|ip6)tables for (ip|ip6)tables provider
(#20125) Add archlinux firewall class and unit test
Ken Barber [Wed, 10 Apr 2013 12:44:38 +0000 (13:44 +0100)]
Get rid of examples; it isn't being maintained and it belongs in docs
I think the expectation that people should drop to looking at code for examples
is wrong anyway; we should express examples through documentation if we can.
Add a check to see if running Fedora 15 in order to use init scripts
provided by systemd. This adds compatibility for systemd on Fedora,
which currently returns an incorrect failure message when persisting
rules.
Dan Carley [Mon, 4 Mar 2013 08:08:51 +0000 (08:08 +0000)]
(GH-139) Throw away STDERR from dpkg-query in Fact
Newer versions of dpkg-query, as of Ubuntu 12.10, will make noise on STDERR
if the queried package isn't currently installed. Facter's `exec()` outputs
this without giving us a chance to catch it.
Pipe STDERR to `/dev/null` so that it's not seen by the end-user. STDOUT
will still be `nil` if the package isn't installed. It doesn't seem
reasonable to spec test for this without reaching deep into Facter, so I'm
not going to.
Dan Carley [Sun, 3 Mar 2013 14:32:38 +0000 (14:32 +0000)]
(GH-129) Replace errant return in autoreq block
It's not valid to use `return` within a block. We could use `next []`,
however it's probably better form to just always return the array, whether
it's populated or not. This will stop the error:
    err: Got an uncaught exception of type LocalJumpError: unexpected return
When one of the listed providers isn't selected. Which is suitable, because
this autorequire won't be suitable to any other future providers anyway.
Dan Carley [Sat, 2 Mar 2013 18:30:12 +0000 (18:30 +0000)]
Tests for #persist_iptables
Basic coverage of protocol and OS detection. Including older and newer
Debian versions. Nearly all based on expectations since there aren't any
return values.
Dan Carley [Sat, 2 Mar 2013 17:44:34 +0000 (17:44 +0000)]
Typo in #persist_iptables OS normalisation
Debian is upstream of Ubuntu. Not the other way around. Would have affected
users of Facter <1.6.2 which doesn't have osfamily. Discovered while writing
tests, yey tests.
Dan Carley [Fri, 1 Mar 2013 18:55:32 +0000 (18:55 +0000)]
(GH-134) Autorequire iptables related packages
autorequires from firewall and firewallchain resources to iptables and
iptables-persistent packages, when the appropriate provider is selected and
the packages are managed in the catalog. This will prevent failed rule
creation and persistence on fresh nodes where the packages may not be
pre-installed.
- Persistence may fail on the first run if Firewall resources are actioned
before the Package resource.
- Older iptables-persistent doesn't support the restoration of ip6tables.
- ebtables cannot be restored.
Ken Barber [Thu, 28 Feb 2013 21:15:02 +0000 (21:15 +0000)]
(GH-128) Change method_missing to define_method
Previously method_missing was enough to create dynamic methods but Puppet 3.0
broke that functionality. So here we used 'define_method' instead to work
around that.