Hunter Haugen [Mon, 3 Mar 2014 18:16:33 +0000 (10:16 -0800)]
Merge pull request #326 from hunner/oel_limit
Change OEL limitation description
Ashley Penney [Mon, 3 Mar 2014 16:58:26 +0000 (11:58 -0500)]
Merge pull request #327 from laurenrother/1.0.x
Add "Release Notes/Known Bugs" to Changelog
Lauren Rother [Sat, 1 Mar 2014 01:41:47 +0000 (17:41 -0800)]
Adds "Release Notes/Known Bugs" to Changelog, updates file format to markdown, standardizes the format of previous entries
Per a request to have initial release notes that specifically listed known issues for this PE 3.2 release, and barred by time constraints from automating a pull from open issues in JIRA, this commit adds a Release Note and Known Bug section to the Changelog for the imminent 3.2 release. As it will display on the Forge, updates file type to markdown and standardizes previous entries. Adds template for release notes to be filled in later.
Hunter Haugen [Sat, 1 Mar 2014 01:42:14 +0000 (17:42 -0800)]
Change OEL limitation description
Ashley Penney [Fri, 28 Feb 2014 20:19:34 +0000 (15:19 -0500)]
Merge pull request #325 from apenney/suse-fix
One lousy letter away from working perfectly on SLES.
Ashley Penney [Fri, 28 Feb 2014 20:17:52 +0000 (20:17 +0000)]
One lousy letter away from working perfectly on SLES.
Ashley Penney [Fri, 28 Feb 2014 19:08:38 +0000 (14:08 -0500)]
Merge pull request #324 from apenney/socket-owner-sles-madness
Socket owner sles madness
Ashley Penney [Fri, 28 Feb 2014 17:44:20 +0000 (17:44 +0000)]
Update the tests to not test socket on SLES.
Ashley Penney [Fri, 28 Feb 2014 17:44:11 +0000 (17:44 +0000)]
Update the limitations documentation for SLES and Oracle Linux 5.
Hunter Haugen [Tue, 25 Feb 2014 00:35:13 +0000 (16:35 -0800)]
Merge pull request #315 from petems/80_character_lint_fix
Puppet-lint fix for > 80 character line
Hunter Haugen [Fri, 21 Feb 2014 21:07:48 +0000 (13:07 -0800)]
Merge pull request #323 from hunner/fix_path
Remove path from tests
Hunter Haugen [Fri, 21 Feb 2014 21:06:00 +0000 (13:06 -0800)]
Remove path from tests
On sles and potentially other platforms iptables is not in /sbin
Hunter Haugen [Fri, 21 Feb 2014 20:56:16 +0000 (12:56 -0800)]
Merge pull request #322 from hunner/fix_socket
Fix logic for supported socket platforms
Hunter Haugen [Fri, 21 Feb 2014 20:55:20 +0000 (12:55 -0800)]
Fix logic for supported socket platforms
Hunter Haugen [Thu, 20 Feb 2014 20:34:07 +0000 (12:34 -0800)]
Merge branch 'master' into 1.0.x
Ashley Penney [Thu, 20 Feb 2014 19:04:04 +0000 (14:04 -0500)]
Merge pull request #321 from hunner/fix_over_9000
Bugfix: Account for rules sorted after unmanaged rules
Hunter Haugen [Wed, 19 Feb 2014 23:32:24 +0000 (15:32 -0800)]
Bugfix: Account for rules sorted after unmanaged rules
The offset calculation assumed unmanaged rules are numbered 9000+ and
would be sorted to the end and didn't need to be accounted for. This
caused failures when people used 9-numbered rules. This should fix that.
Additionally, for rules that are 9-numbered, they should be ordered
*after* unmanaged rules, so this fixes that too.
So when encountering unmanaged rules, the order will be something like
this:
- Managed rules that begin with 0 through 8
- Unmanaged rules (which are assigned 9-numbers)
- Managed rules that begin with 9 (but not numbered lower than the
unmanaged rules)
Mixing unmanaged rules with managed rules is still not officially
supported, but at least we can try and behave with them.
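The three-tier ordering described above (managed rules named 0 through 8, then unmanaged rules treated as 9000-series, then managed rules named 9xx), as an added illustration that is not puppetlabs-firewall's own provider code. It assumes a managed rule is identified by a comment of the form "NNN description" and that an unmanaged rule has no such comment (represented as nil); the returned position is 1-based, as `iptables -I <chain> <pos>` expects.

```ruby
# Added illustration of the #321 ordering scheme, not the module's own code.
# Assumption: managed rules carry a "NNN description" comment (three leading
# digits); unmanaged rules have no comment and are passed as nil.
MANAGED_RE = /\A(\d{3})\s/

# Tier 0: managed rules named 000..899; tier 1: unmanaged rules (the
# 9000-series in the commit message); tier 2: managed rules named 900..999.
def tier(comment)
  return 1 unless comment && comment =~ MANAGED_RE
  comment.start_with?('9') ? 2 : 0
end

# Sort key for the existing rule at chain index `idx`: managed rules order by
# name inside their tier, unmanaged rules keep their current relative order.
def sort_key(comment, idx)
  t = tier(comment)
  t == 1 ? [t, '', idx] : [t, comment, idx]
end

# 1-based position at which `new_comment` must be inserted so the chain, read
# top to bottom, follows tier order and name order within each managed tier.
# A rule with an identical name already present sorts before the new one.
def insert_position(rules, new_comment)
  unless new_comment =~ MANAGED_RE
    raise ArgumentError, "not a managed rule name: #{new_comment}"
  end
  new_key = [tier(new_comment), new_comment, rules.length]
  first_later = rules.each_with_index.find do |comment, idx|
    (sort_key(comment, idx) <=> new_key) > 0
  end
  first_later ? first_later[1] + 1 : rules.length + 1
end

# Constructed sample chain, top to bottom; nil marks an unmanaged rule.
SAMPLE_CHAIN = [
  '001 accept related established',
  '020 accept ssh',
  nil,
  nil,
  '999 drop everything else',
].freeze

if $PROGRAM_NAME == __FILE__
  puts insert_position(SAMPLE_CHAIN, '010 accept icmp')     # between 001 and 020
  puts insert_position(SAMPLE_CHAIN, '050 accept http')     # ahead of the unmanaged rules
  puts insert_position(SAMPLE_CHAIN, '990 log before drop') # after them, before 999
end
```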
Ashley Penney [Wed, 19 Feb 2014 19:54:11 +0000 (19:54 +0000)]
Add PE support.
Ashley Penney [Wed, 19 Feb 2014 19:55:33 +0000 (14:55 -0500)]
Merge pull request #319 from apenney/add-pe
Add PE support.
Ashley Penney [Wed, 19 Feb 2014 16:39:15 +0000 (11:39 -0500)]
Merge pull request #316 from hunner/release_1.0.1
Release 1.0.1
Hunter Haugen [Wed, 19 Feb 2014 04:23:02 +0000 (20:23 -0800)]
Release 1.0.1
Bugfix: gracefully fail to manage ip6tables on iptables 1.3.x
Hunter Haugen [Wed, 19 Feb 2014 04:19:26 +0000 (20:19 -0800)]
Merge pull request #314 from hunner/fix_cent5
Fix various differences for rhel5
Hunter Haugen [Tue, 18 Feb 2014 21:13:22 +0000 (13:13 -0800)]
Fix various differences for rhel5
iptables 1.3.5 ships on rhel 5 and is really old. It doesn't support
`--comment` on ip6tables, doesn't support `-m socket` or `--random`, and
the format of netmasks uses subnet mask format instead of CIDR.
Peter Souter [Wed, 12 Feb 2014 15:25:38 +0000 (15:25 +0000)]
Puppet-lint fix for > 80 character line
Hunter Haugen [Tue, 18 Feb 2014 18:06:55 +0000 (10:06 -0800)]
Merge pull request #312 from justinstoller/maint/1.0.x/remove_basic_spec
Remove acceptance/basic_spec
Ashley Penney [Tue, 18 Feb 2014 17:10:45 +0000 (12:10 -0500)]
Merge pull request #309 from petems/ignore_vagrant_folder
Ignore .vagrant folder
Justin Stoller [Sat, 15 Feb 2014 06:20:35 +0000 (22:20 -0800)]
Remove acceptance/basic_spec
This removes the legacy "basic_spec" that was used as an introduction to
module testing. It assumes the FOSS path for the module dir. Since the
default module dir changes in PE depending on whether or not the module
is distributed with PE or not, these basic specs have been removed from
other modules.
Hunter Haugen [Fri, 14 Feb 2014 23:46:16 +0000 (15:46 -0800)]
Merge pull request #311 from hunner/fix_nobody
Use iptables-save and parse the output
Hunter Haugen [Fri, 14 Feb 2014 21:19:54 +0000 (13:19 -0800)]
Use iptables-save and parse the output
`iptables -S` didn't work on older OSs, so the tests have been adapted
for that.
There was one test for the NAT table whose purpose I'm not sure of, since
it seemed to be testing munge instead. I edited it to get it to pass.
Peter Souter [Wed, 12 Feb 2014 14:57:42 +0000 (14:57 +0000)]
Ignore .vagrant folder
Hunter Haugen [Wed, 12 Feb 2014 00:49:38 +0000 (16:49 -0800)]
Merge pull request #308 from hunner/dynamic_gemsource
Allow custom gemsource
Hunter Haugen [Wed, 12 Feb 2014 00:31:58 +0000 (16:31 -0800)]
Allow custom gemsource
Ashley Penney [Tue, 11 Feb 2014 21:53:46 +0000 (16:53 -0500)]
Merge pull request #307 from apenney/100-release
Prepare a 1.0 release.
Ashley Penney [Tue, 11 Feb 2014 21:52:58 +0000 (16:52 -0500)]
Prepare a 1.0 release.
Ashley Penney [Tue, 11 Feb 2014 15:44:00 +0000 (10:44 -0500)]
Merge pull request #305 from justinstoller/dont_assume_vagrant
remove vagrant specific test assumption
Hunter Haugen [Tue, 11 Feb 2014 01:23:00 +0000 (17:23 -0800)]
Merge pull request #304 from hunner/release_0.5.0
Release 0.5.0
Hunter Haugen [Mon, 10 Feb 2014 23:53:42 +0000 (15:53 -0800)]
Release 0.5.0
Summary:
This is a bigger release that brings in "recent" connection limiting (think
"port knocking"), firewall chain purging on a per-chain/per-table basis, and
support for a few other use cases. This release also fixes a major bug which
could cause modifications to the wrong rules when unmanaged rules are present.
New Features:
* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
`rname`, `rseconds`, `rsource`, and `rttl`
* Add negation support for source and destination
* Add per-chain/table purging support to `firewallchain`
* IPv4 specific
* Add random port forwarding support
* Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
* IPv6 specific
* Add support for hop limiting via `hop_limit` parameter
* Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
* Add support for conntrack stateful firewall matching via `ctstate`
Bugfixes:
- Boolean fixups allowing false values
- Better detection of unmanaged rules
- Fix multiport rule detection
- Fix sport/dport rule detection
- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
- Allow INPUT with the nat table
- Fix `src_range` & `dst_range` order detection
- Documentation clarifications
- Fixes to spec tests
Justin Stoller [Mon, 10 Feb 2014 02:49:31 +0000 (18:49 -0800)]
remove vagrant specific test assumption
Ashley Penney [Sat, 8 Feb 2014 00:23:23 +0000 (19:23 -0500)]
Merge pull request #303 from hunner/fix_unmanaged
Fix for #286 for pre-existing rules at the start of a chain
Hunter Haugen [Thu, 6 Feb 2014 23:47:27 +0000 (15:47 -0800)]
Fix for #286 for pre-existing rules at the start of a chain
In #286 we fixed rule offset detection for existing managed and
unmanaged rules, but in the case where the first rule in a chain was
unmanaged, managed rules were still being inserted under it.
This patch changes it so that if the first rule detected for offset is
unmanaged, then we should insert before that for more consistent
behavior.
Ashley Penney [Thu, 6 Feb 2014 21:42:00 +0000 (16:42 -0500)]
Merge pull request #302 from hunner/fix_match_extension
Fix #300 for match extension protocol
Hunter Haugen [Thu, 6 Feb 2014 20:42:46 +0000 (12:42 -0800)]
Fix #300 for match extension protocol
So... #300 fixed matching `-m (tcp|udp)` at the beginning of `-m
multiport` or `--dport` or `--sport` rules, but broke actual *creation*
of those rules because `-m (tcp|udp)` was used as an iptables argument,
which it is not.
This change removes the problematic argument from `@resource_map` and
instead just substitutes `-m (tcp|udp)` out of any existing rules before
matching. The `-m tcp` match extension arguments are optional anyway,
and not needed for iptables functionality and don't change the semantics
at all.
Ashley Penney [Thu, 6 Feb 2014 00:14:32 +0000 (19:14 -0500)]
Merge pull request #300 from hunner/fix_multiport
(MODULES-451) Match extension protocol for multiport
Hunter Haugen [Thu, 6 Feb 2014 00:02:56 +0000 (16:02 -0800)]
(MODULES-451) Match extension protocol for multiport
The `-m (tcp|udp)` match extension flag before multiport `--sport` and
`--dport` flags is considered optional, but may be present on some
rules. This patches the provider to recognize those rules.
Ashley Penney [Wed, 5 Feb 2014 23:19:07 +0000 (18:19 -0500)]
Merge pull request #299 from hunner/negation_support
(MODULES-48) Parse negated rules
Hunter Haugen [Wed, 5 Feb 2014 22:38:16 +0000 (14:38 -0800)]
(MODULES-48) Parse negated rules
This adds tests mentioned in #141 and MODULES-48 to make sure that they
are covered by #267
Closes #141
Ashley Penney [Wed, 5 Feb 2014 22:41:48 +0000 (17:41 -0500)]
Merge pull request #298 from hunner/add_random
Add --random support as per #141 comment
Hunter Haugen [Wed, 5 Feb 2014 21:59:08 +0000 (13:59 -0800)]
Add --random support as per #141 comment
Ashley Penney [Wed, 5 Feb 2014 21:29:15 +0000 (16:29 -0500)]
Merge pull request #297 from hunner/recent_docs
Update the 'recent' module example with a more complete one linked to from the iptables man page
Ashley Penney [Wed, 5 Feb 2014 18:54:58 +0000 (13:54 -0500)]
Merge pull request #293 from hunner/range_fix
(MODULES-16) Correct src_range dst_range ordering
Mike Bryant [Tue, 4 Feb 2014 23:38:05 +0000 (23:38 +0000)]
Update the 'recent' module example with a more complete one linked to from the iptables man page.
Hunter Haugen [Mon, 3 Feb 2014 23:19:16 +0000 (15:19 -0800)]
(MODULES-16) Correct src_range dst_range ordering
I wasn't able to reproduce the bug in testing, but several people were
able to and the proposed fix is a correct assumption.
Hunter Haugen [Wed, 5 Feb 2014 01:09:30 +0000 (17:09 -0800)]
Merge pull request #296 from hunner/ticket/21166-add_support_for_iptables-recent
(MODULES-31) add support for iptables recent
Hunter Haugen [Wed, 5 Feb 2014 00:34:44 +0000 (16:34 -0800)]
Some documentation fixups and newvalues to make tests pass
Mike Bryant [Mon, 3 Feb 2014 16:26:43 +0000 (16:26 +0000)]
Add unit and acceptance tests for the recent iptables module
Stephen Grier [Mon, 30 Sep 2013 00:23:27 +0000 (01:23 +0100)]
Make rsource, rdest, reap and rttl known_booleans and remove munging.
Stephen Grier [Sun, 9 Jun 2013 00:33:24 +0000 (01:33 +0100)]
(#21166) Add support for the iptables recent module.
Ashley Penney [Tue, 4 Feb 2014 00:11:59 +0000 (16:11 -0800)]
Merge pull request #294 from apenney/rolesandprofiles
WIP: Rewrite this to make it clear the roles and profiles pattern would be
Ashley Penney [Mon, 3 Feb 2014 23:44:07 +0000 (18:44 -0500)]
Rewrite this to make it clear the roles and profiles pattern would be
the better idea.
Ashley Penney [Mon, 3 Feb 2014 21:23:47 +0000 (13:23 -0800)]
Merge pull request #291 from hunner/isfragment_fix
(MODULES-442) Correct boolean properties behavior
Hunter Haugen [Fri, 31 Jan 2014 21:19:27 +0000 (13:19 -0800)]
(MODULES-442) Correct boolean properties behavior
The boolean properties had a few things incorrect with them.
- Any value passed was considered `true`. This was compounded further by
the next issue.
- When the read property was false, it was set to 'nil'. This caused
`<property> => false` to not work after the previous was fixed.
Random other fixes to tests that were failing or poorly implemented are
also included.
Ashley Penney [Wed, 29 Jan 2014 15:12:18 +0000 (07:12 -0800)]
Merge pull request #288 from hunner/fail_chains
(MODULES-441) Helpfully fail when modifying chains
Ashley Penney [Wed, 29 Jan 2014 15:11:29 +0000 (07:11 -0800)]
Merge pull request #287 from hunner/purge
Add purge support to firewallchain
Ashley Penney [Wed, 29 Jan 2014 15:09:52 +0000 (07:09 -0800)]
Merge pull request #286 from hunner/fix_source
(MODULES-439) Work around existing rules
Hunter Haugen [Wed, 29 Jan 2014 02:08:42 +0000 (18:08 -0800)]
(MODULES-441) Helpfully fail when modifying chains
It is not intended for chains to be modified using the firewall
resource, but it would still try and result in obscure incorrect errors.
This raises a more helpful error.
Hunter Haugen [Tue, 28 Jan 2014 22:39:25 +0000 (14:39 -0800)]
Update specs and make compatible with 1.8.7
`.keep_if` is not in Ruby 1.8.7
The resource was trying to change from chain INPUT to OUTPUT which isn't
supported.
Patrick Hemmer [Sun, 5 Jan 2014 19:55:33 +0000 (14:55 -0500)]
add specs for chain purge
Patrick Hemmer [Tue, 17 Dec 2013 22:00:18 +0000 (17:00 -0500)]
add support for removing unmanaged firewall rules
Hunter Haugen [Tue, 28 Jan 2014 01:31:22 +0000 (17:31 -0800)]
(MODULES-439) Work around existing rules
The firewall resource is not intended to be used with rules that are not
also managed by puppet; the behavior when doing so was undefined. This
is an attempt to make it more defined.
The behavior is that any rule added by puppet will be inserted in its
given order in relation to the other rules managed by puppet, but ahead
of any rules not managed by puppet.
Hunter Haugen [Thu, 23 Jan 2014 19:09:59 +0000 (11:09 -0800)]
Merge pull request #285 from ghoneycutt/travis
Travis
Garrett Honeycutt [Thu, 23 Jan 2014 18:36:11 +0000 (13:36 -0500)]
Add support for Puppet v3.4.0
Garrett Honeycutt [Thu, 23 Jan 2014 18:35:06 +0000 (13:35 -0500)]
Enable fast finish in Travis
http://blog.travis-ci.com/2013-11-27-fast-finishing-builds/
Garrett Honeycutt [Thu, 23 Jan 2014 18:33:03 +0000 (13:33 -0500)]
Ensure valid YAML for .travis.yml
Ashley Penney [Thu, 23 Jan 2014 17:22:17 +0000 (09:22 -0800)]
Merge pull request #282 from apenney/add-tests
Add acceptance tests
Ashley Penney [Wed, 15 Jan 2014 18:50:10 +0000 (13:50 -0500)]
Add additional firewallchain{} tests.
Ashley Penney [Mon, 13 Jan 2014 21:20:50 +0000 (16:20 -0500)]
Add additional acceptance tests to cover all parameters.
Ashley Penney [Mon, 6 Jan 2014 18:04:34 +0000 (10:04 -0800)]
Merge pull request #280 from jeffb-bt/master
Allow --dport --sport without preceding -m
Ashley Penney [Mon, 6 Jan 2014 18:01:15 +0000 (10:01 -0800)]
Merge pull request #276 from ghoneycutt/rspec_puppet_v1
Support rspec-puppet v1.0.0
Jeff '2 bits' Bachtel [Mon, 6 Jan 2014 05:51:23 +0000 (00:51 -0500)]
Allow --dport --sport without preceding -m
Test rule added to spec
Garrett Honeycutt [Fri, 27 Dec 2013 22:39:21 +0000 (17:39 -0500)]
Support rspec-puppet v1.0.0
include_class has been replaced with contain_class.
http://bombasticmonkey.com/2013/12/05/rspec-puppet-1.0.0/
Ashley Penney [Fri, 20 Dec 2013 23:22:06 +0000 (15:22 -0800)]
Merge pull request #267 from phemmer/negation_support
Negation support
Patrick Hemmer [Fri, 20 Dec 2013 20:30:50 +0000 (15:30 -0500)]
update spec for host_to_mask to override Resolv
Ashley Penney [Fri, 20 Dec 2013 22:52:32 +0000 (14:52 -0800)]
Merge pull request #268 from phemmer/ipsec_support
add ipsec policy matching
Ashley Penney [Fri, 20 Dec 2013 22:51:59 +0000 (14:51 -0800)]
Merge pull request #271 from phemmer/fix_builtin_chains
fix handling of builtin chains
Ashley Penney [Fri, 20 Dec 2013 22:51:29 +0000 (14:51 -0800)]
Merge pull request #270 from phemmer/nat_input
allow input chain in nat table
Ashley Penney [Fri, 20 Dec 2013 22:44:28 +0000 (14:44 -0800)]
Merge pull request #273 from apenney/add-beaker-tests
Convert rspec-system tests to beaker-rspec.
Ashley Penney [Thu, 19 Dec 2013 17:25:31 +0000 (12:25 -0500)]
Convert rspec-system tests to beaker-rspec.
This work migrates the existing tests to beaker-rspec.
Patrick Hemmer [Fri, 20 Dec 2013 20:20:11 +0000 (15:20 -0500)]
update specs to allow INPUT:nat:IPv4
Patrick Hemmer [Tue, 17 Dec 2013 00:27:26 +0000 (19:27 -0500)]
fix negation handling for complex arguments
Jan Vansteenkiste [Thu, 23 Aug 2012 07:13:26 +0000 (09:13 +0200)]
Use a more generic way for parsing negated options, not only for destination and source
Jan Vansteenkiste [Thu, 23 Aug 2012 07:13:04 +0000 (09:13 +0200)]
Added a test case for /older/ alternative negation syntax
Jan Vansteenkiste [Thu, 23 Aug 2012 06:51:24 +0000 (08:51 +0200)]
Generic generating command line options for negated rules
Jan Vansteenkiste [Wed, 22 Aug 2012 21:15:06 +0000 (23:15 +0200)]
spec test fixtures should represent real use cases
Jan Vansteenkiste [Wed, 22 Aug 2012 21:11:39 +0000 (23:11 +0200)]
Fix parsing of rules and generating the command line to set the rule
Jan Vansteenkiste [Wed, 22 Aug 2012 16:00:57 +0000 (18:00 +0200)]
Fix parsing negated values
Jan Vansteenkiste [Wed, 22 Aug 2012 16:00:37 +0000 (18:00 +0200)]
Added fixtures to test parsing negated addresses
Jan Vansteenkiste [Wed, 22 Aug 2012 16:00:24 +0000 (18:00 +0200)]
Add test to see if type takes negative values
Jan Vansteenkiste [Wed, 22 Aug 2012 15:14:57 +0000 (17:14 +0200)]
Use host_to_mask so we can negate a mask. Also added documentation.
A custom provider should probably be aware that these kinds of masks are possible.
Jan Vansteenkiste [Wed, 22 Aug 2012 15:11:23 +0000 (17:11 +0200)]
Added host_to_mask method and added tests for it