Ken Barber [Sat, 9 Jun 2012 23:18:04 +0000 (00:18 +0100)]
(#10025) Make tcp_flags support a feature.
Thomas Vander Stichele [Sun, 4 Mar 2012 17:16:20 +0000 (18:16 +0100)]
(#10025) Add support for --tcp-flags
Ken Barber [Wed, 6 Jun 2012 14:55:28 +0000 (07:55 -0700)]
Merge pull request #79 from mediatemple/limitfix
(#14641) Fix for incorrect limit command arguments for ip6tables provider
Ken Barber [Mon, 28 May 2012 11:32:39 +0000 (04:32 -0700)]
Merge pull request #80 from dcarley/10274-zero_prefixlen_addresses
(#10274) Nullify addresses with zero prefixlen
Dan Carley [Fri, 25 May 2012 06:41:36 +0000 (07:41 +0100)]
(#10274) Nullify addresses with zero prefixlen
Modify the behaviour of Util::Firewall.host_to_ip, as used by the type to
parse source and destination addresses, to return nil if the resulting CIDR
represented address has a prefix length of zero. Includes type and provider
tests for IPv4 and IPv6.
IPtables silently omits rules with source and destination addresses that
have a prefix length of zero (eg. 0.0.0.0/0) because they are functionally
equivalent to not specifying any address. This was causing rules to be
unnecessarily reloaded.
The behaviour of Util::IPcidr remains the same. Now includes some additional
tests for its identification of zero prefixlen IPv4 and IPv6 addresses.
Dan Carley [Fri, 25 May 2012 09:24:39 +0000 (10:24 +0100)]
(#10274) Document Util::Firewall.host_to_ip
Document the current behaviour of Util::Firewall.host_to_ip before it is
modified to handle addresses with zero prefix lengths.
Michael Hsu [Tue, 22 May 2012 15:02:27 +0000 (08:02 -0700)]
(#14641) Fix for incorrect limit command arguments for ip6tables provider
Ken Barber [Sun, 20 May 2012 17:20:39 +0000 (18:20 +0100)]
Merge branch 'ignore_errors'
* ignore_errors:
(#14590) Fix for when iptables-save spews out "FATAL" errors.
Sharif Nassar [Sat, 21 Jan 2012 01:22:16 +0000 (17:22 -0800)]
(#14590) Fix for when iptables-save spews out "FATAL" errors.
On some broken Virtuozzo containers, /lib/modules/$(uname -r)/modules.dep is
absent. This causes iptables-save to give some "FATAL" errors. This patch
fixes the parser to ignore them instead of generating garbage rules that make
for errors in the puppet agent run.
Ken Barber [Sun, 13 May 2012 21:52:58 +0000 (22:52 +0100)]
Merge branch 'ticket/master/14455'
* ticket/master/14455:
(#14455) Add tests for interface names containing a "+". Add a few missing tests for VLAN support.
(#14455) Support interface names containing "+"
Simon Deziel [Sat, 12 May 2012 15:24:59 +0000 (11:24 -0400)]
(#14455) Add tests for interface names containing a "+". Add a few missing tests for VLAN support.
Simon Deziel [Sat, 12 May 2012 15:23:45 +0000 (11:23 -0400)]
(#14455) Support interface names containing "+"
Previously iniface and outiface wouldn't allow + in the interface names. This
patch fixes that.
Ken Barber [Thu, 12 Apr 2012 09:03:40 +0000 (02:03 -0700)]
Merge pull request #72 from jashort/ticket/13896-fix_example
(#13896) Fix Firewall Example
Jason Short [Wed, 11 Apr 2012 23:49:50 +0000 (16:49 -0700)]
* (#13896) Changed 'jump' to 'action', commands to lower case
Dan Carley [Mon, 26 Mar 2012 08:44:38 +0000 (01:44 -0700)]
Merge pull request #69 from kbarber/ticket/10619-Unable_to_purge_rules
* (#10619) Add the table when deleting rules
* (#10619) Fix tests since we are now prefixing -t <table> during delete
* Fix extraneous trailing whitespace
Dan Carley [Mon, 26 Mar 2012 08:37:15 +0000 (01:37 -0700)]
Merge pull request #70 from kbarber/ticket/11305-support_vlan_interface
* (#11305) Support vlan interfaces
* (#11305) Add tests for VLAN support for iniface/outiface
Ken Barber [Mon, 26 Mar 2012 08:19:10 +0000 (01:19 -0700)]
Merge pull request #61 from adamgibbins/master
Improved Puppet DSL style as per the guidelines.
Ken Barber [Sat, 24 Mar 2012 22:38:21 +0000 (22:38 +0000)]
Fix extraneous trailing whitespace
Ken Barber [Sat, 24 Mar 2012 22:35:07 +0000 (22:35 +0000)]
(#10619) Fix tests since we are now prefixing -t <table> during delete
Johan Huysmans [Fri, 9 Dec 2011 11:47:54 +0000 (12:47 +0100)]
(#10619) Add the table when deleting rules
This fixes purging from tables other than 'filter'.
Ken Barber [Sun, 25 Mar 2012 02:07:36 +0000 (03:07 +0100)]
(#11305) Add tests for VLAN support for iniface/outiface
This adds tests generally for iniface and outiface, and includes examples
of interfaces with VLANs to support that change.
Johan Huysmans [Fri, 9 Dec 2011 09:05:28 +0000 (10:05 +0100)]
(#11305) Support vlan interfaces (interface containing ".")
Dan Carley [Tue, 20 Mar 2012 08:01:52 +0000 (01:01 -0700)]
Merge pull request #68 from kbarber/ticket/master/13216-fixed_setup_instructions_in_readme
(#13216) Fix README so setup instructions actually work
Ken Barber [Mon, 19 Mar 2012 17:44:48 +0000 (17:44 +0000)]
(#13216) Fix README so setup instructions actually work
The old setup instructions were vague, and incorrect. This fixes those
instructions so they actually work, and breaks them out into their own
section.
Ken Barber [Mon, 19 Mar 2012 16:36:09 +0000 (09:36 -0700)]
Merge pull request #67 from dcarley/13201-autoreq_chain
(#13201) Firewall autorequire Firewallchains
Dan Carley [Sun, 18 Mar 2012 13:16:38 +0000 (13:16 +0000)]
(#13201) Tests and docstring for chain autorequire
Test for autorequire behaviour on :chain, :jump, and :chain + :jump params.
With both specified and default/undef :table and :provider params.
Document autorequire behaviour in docstring.
Dan Carley [Sat, 17 Mar 2012 11:00:56 +0000 (11:00 +0000)]
(#13201) Firewall autorequire Firewallchains
Autorequire Firewallchain resources for Firewall resources that have jump or
chain parameters. Remove require params from README examples now that
they're not essential.
Only deals with iptables and ip6tables providers, which have support for
chains. Doesn't attempt to weed out chains that might be builtin. Just let
Puppet determine which of the resources are really managed.
Dan Carley [Sat, 17 Mar 2012 10:01:15 +0000 (03:01 -0700)]
Merge pull request #63 from kbarber/ticket/master/13192_allvalidchains_order
(#13192) Fix allvalidchain iteration
Ken Barber [Fri, 16 Mar 2012 22:16:23 +0000 (15:16 -0700)]
(#13192) Fix allvalidchain iteration
Before this patch, we were getting errors because chain & table were swapped
during creation.
Jonathan Boyett [Fri, 16 Mar 2012 18:43:04 +0000 (11:43 -0700)]
Merge pull request #62 from kbarber/ticket/10162-firewallchain_support_for_merge
Ticket/10162 firewallchain support for merge
Ken Barber [Fri, 16 Mar 2012 17:11:03 +0000 (10:11 -0700)]
(#10162) Fix examples for firewallchain in README
Ken Barber [Mon, 12 Mar 2012 18:40:45 +0000 (11:40 -0700)]
(#10162) Modify firewallchain name to be chain:table:protocol
We've decided to change the ordering of the namevar so that it is now:
chain:table:protocol
So it's closer to a linear hierarchy, i.e. chain in table in protocol.
Previously this was table:chain:protocol which made less sense.
Ken Barber [Mon, 12 Mar 2012 04:16:33 +0000 (21:16 -0700)]
(#10162) Various fixes for firewallchain resource
* Convert commands to optional_commands to avoid iptables installation chicken
& egg scenarios.
* Downcase tables to match the table names in xtables
* Force fully qualifying the name as <table>:<chain>:<protocol>, we can add
meaningful defaults later.
* puppet resource <name> command wasn't working as expected, but by stripping out
some of the meaningful defaults I was able to get this to work.
* Reformat some of the code to avoid overrunning 80 chars where possible
* Remove trailing whitespace
* Add flush to provider so that resource modifications immediately update the
resource in reports and when using puppet resource.
* Removed any commented out code
* Improved documentation
* Change policy so it's undefined when not set, instead of being :empty
* Fix test mocking so they will run on a Mac
Daniel Black [Thu, 1 Mar 2012 01:46:02 +0000 (12:46 +1100)]
(#10162) add firewallchain type and iptables_chain provider
Add firewallchain type and iptables_chain provider. This is required
to support the firewall class and it is envisaged that an autorequire
will be used to automatically require the user chain. This type can also set
policies on inbuilt chains.
Provider covers ebtables (optional), iptables, ip6tables.
Adam Gibbins [Sun, 11 Mar 2012 21:16:40 +0000 (21:16 +0000)]
Make Puppet DSL compliant with the style guides and puppet lint.
Dan Carley [Thu, 8 Mar 2012 15:57:01 +0000 (15:57 +0000)]
Merge branch '12897-validate_log_params'
(#12897) Require jump=>LOG for log params
Daniel Black [Sun, 18 Dec 2011 09:16:19 +0000 (20:16 +1100)]
(#12897) Require jump=>LOG for log params
This validates that when log_prefix or log_level is specified the jump
should be 'LOG'
Ken Barber [Mon, 23 Jan 2012 17:18:26 +0000 (17:18 +0000)]
Merge branch 'ticket/10165-port-commasep'
* ticket/10165-port-commasep:
(#10165) Display multi-value: port, sport, dport and state command separated
Daniel Black [Mon, 23 Jan 2012 05:55:44 +0000 (16:55 +1100)]
(#10165) Display multi-value: port, sport, dport and state command separated
Previously the output that changed was munged when puppet was being run, this
change provides a comma separated output when the values change instead.
Ken Barber [Sun, 22 Jan 2012 19:40:15 +0000 (19:40 +0000)]
Merge branch 'ticket/master/11673_ospf'
* ticket/master/11673_ospf:
(#11673) Adding OSPF(v3) protocol to puppetlabs-firewall
Arnoud Vermeer [Tue, 3 Jan 2012 09:59:28 +0000 (10:59 +0100)]
(#11673) Adding OSPF(v3) protocol to puppetlabs-firewall
Added support for ospf to the proto property.
Ken Barber [Fri, 13 Jan 2012 17:35:29 +0000 (17:35 +0000)]
Revert "Merge pull request #34 from mediatemple/class-firewall"
This reverts commit
bfbf01b08d6cf05795dd9b69815e8556e95dcf07, reversing
changes made to
0b55830db9447d0398b6b346bf513dfa6e2ccd08.
This patch breaks the build, and wasn't ready for merge. The rspec test
scaffolding wasn't prepared and hasn't been tested with this module properly.
Jonathan Boyett [Fri, 13 Jan 2012 17:11:24 +0000 (09:11 -0800)]
Merge pull request #34 from mediatemple/class-firewall
Initial creation of class firewall for issue #10984
Ken Barber [Thu, 29 Dec 2011 11:05:16 +0000 (03:05 -0800)]
Merge pull request #50 from grooverdan/ticket/11443_fix_error_message
(#11443) simple fix of the error message for allowed values of the jump property
Daniel Black [Thu, 29 Dec 2011 05:11:50 +0000 (16:11 +1100)]
(#11443) simple fix of the error message for allowed values of the jump property
The condition on jump says it's allowed accept, reject and drop. Update
the error message to say the same thing
Ken Barber [Thu, 29 Dec 2011 04:33:14 +0000 (04:33 +0000)]
(#11334) Fix broken call to super for ruby-1.9.2 in munge.
Ken Barber [Thu, 29 Dec 2011 04:26:11 +0000 (04:26 +0000)]
Merge branch 'ticket/master/11334-MARK_support'
* ticket/master/11334-MARK_support:
(#11334) Add support for MARK target and set-mark property.
Johan Huysmans [Mon, 12 Dec 2011 09:34:43 +0000 (10:34 +0100)]
(#11334) Add support for MARK target and set-mark property.
This commit adds support for the set-mark iptables property and will validate
its use against the MARK jump target. This will also support handling decimal
or hexadecimal conversion where necessary.
Sharif Nassar [Sat, 12 Nov 2011 13:31:11 +0000 (05:31 -0800)]
(#10984) Initial creation of class firewall
* Add Exec[firewall-persist] to save rules. This allows the host to
have iptables rules on reboot, before puppet runs.
* Debian hates you. Add iptables init scripts for loading iptables at
boot on releases of Debian that do not have them already.
* Add brains to the iptables/ip6tables providers to ensure kernel modules
are loaded.
Ken Barber [Mon, 5 Dec 2011 22:54:04 +0000 (22:54 +0000)]
(maint) Updated CHANGELOG.md to use bullet points for Changes for v0.0.4
Ken Barber [Mon, 5 Dec 2011 22:48:58 +0000 (22:48 +0000)]
Merge branch 'ticket/11114-release_0.0.4'
* ticket/11114-release_0.0.4:
(#11114) Release 0.0.4 - CHANGELOG.md and Modulefile update
Jonathan Boyett [Mon, 5 Dec 2011 19:48:00 +0000 (11:48 -0800)]
(#11114) Release 0.0.4 - CHANGELOG.md and Modulefile update
Ken Barber [Sat, 3 Dec 2011 21:18:23 +0000 (21:18 +0000)]
Merge branch 'ticket/10957-iptables-facts'
* ticket/10957-iptables-facts:
(#10957) add iptables_version and ip6tables_version facts
Jonathan Boyett [Wed, 30 Nov 2011 23:54:29 +0000 (15:54 -0800)]
(#10957) add iptables_version and ip6tables_version facts
These facts return the version of iptables or ip6tables by running --version
on the binary in question.
Ken Barber [Sat, 3 Dec 2011 20:56:02 +0000 (20:56 +0000)]
Merge branch 'ticket/10723-hosts_to_cidr'
* ticket/10723-hosts_to_cidr:
(#10723) Munge hostnames and IPs to IPs with CIDR
Jonathan Boyett [Thu, 17 Nov 2011 17:43:19 +0000 (09:43 -0800)]
(#10723) Munge hostnames and IPs to IPs with CIDR
Previously when hostnames were used in the source and destination properties
they were being converted to IP address by iptables. This meant that later
comparisons were failing because the property in code (a hostname) and the
'real' property returned by introspection (an ip address) were not matching.
This code using the munge facility will automatically detect and convert
hostnames to IP addresses in the type so the comparison works as expected.
The side-effect is that puppet does the hostname to IP conversion, not
iptables.
Ken Barber [Thu, 1 Dec 2011 11:18:36 +0000 (11:18 +0000)]
Merge branch 'ticket/11093-log_level'
* ticket/11093-log_level:
(#11093) Improve log_level property so it converts names to numbers
Jonathan Boyett [Thu, 1 Dec 2011 02:52:35 +0000 (18:52 -0800)]
(#11093) Improve log_level property so it converts names to numbers
Previously the log_level property was constantly reloading due to the fact
that iptables was converting names to numbers. So unless you were using
numbers in your log_level setting, it was constantly telling you it needed
to be changed.
Now we convert the names to numbers in the munge so when comparing it will
always hopefully match.
Also, the default value when the jump value is 'LOG' is now set to 4 (warn)
based on iptables' own defaults.
Jonathan Boyett [Wed, 30 Nov 2011 21:12:05 +0000 (13:12 -0800)]
Merge pull request #38 from mediatemple/owner-match
(#10718) Add owner-match support
Sharif Nassar [Mon, 14 Nov 2011 03:10:08 +0000 (19:10 -0800)]
(#10718) Add owner-match support
Jonathan Boyett [Wed, 30 Nov 2011 20:49:12 +0000 (12:49 -0800)]
Merge pull request #39 from mediatemple/ipencap-fixtures
(#10997) Add fixtures for ipencap
Dan Carley [Thu, 24 Nov 2011 16:08:52 +0000 (08:08 -0800)]
Merge pull request #37 from mediatemple/whitespace
Whitespace cleanup. (#11034)
Ken Barber [Tue, 22 Nov 2011 10:57:13 +0000 (10:57 +0000)]
Merge branch 'ticket/10997-ipencap'
* ticket/10997-ipencap:
(#10997) Add ipencap (protocol 4) support to firewall type property 'proto'
Sharif Nassar [Sat, 12 Nov 2011 21:08:29 +0000 (13:08 -0800)]
(#10997) Add ipencap (protocol 4) support to firewall type property 'proto'
This change adds ipencap as a viable option, and adds it to tests as well.
Jonathan Boyett [Fri, 18 Nov 2011 22:12:02 +0000 (14:12 -0800)]
Merge pull request #33 from saysjonathan/ticket/10690-port
(#10690) add port property support to ip6tables
Jonathan Boyett [Fri, 18 Nov 2011 21:54:35 +0000 (13:54 -0800)]
(#10690) add port property support to ip6tables
Sharif Nassar [Mon, 14 Nov 2011 06:04:42 +0000 (22:04 -0800)]
Add fixtures for ipencap
Sharif Nassar [Sun, 13 Nov 2011 12:23:28 +0000 (04:23 -0800)]
Whitespace cleanup.
Garrett Honeycutt [Sun, 13 Nov 2011 00:59:29 +0000 (16:59 -0800)]
Merge pull request #32 from kbarber/ticket/10792-release_0.0.3
(#10792) Release 0.0.3 - CHANGELOG and Modulefile update
Ken Barber [Sat, 12 Nov 2011 23:27:54 +0000 (23:27 +0000)]
(#10792) Release 0.0.3 - CHANGELOG and Modulefile update
Ken Barber [Sun, 13 Nov 2011 00:13:26 +0000 (00:13 +0000)]
Merge branch 'maint/fix_copyright_and_licensing'
* maint/fix_copyright_and_licensing:
(maint) Fix licensing references to GNU GPL.
Ken Barber [Sun, 13 Nov 2011 00:12:18 +0000 (00:12 +0000)]
(maint) Fix licensing references to GNU GPL.
Ken Barber [Sat, 12 Nov 2011 18:41:00 +0000 (18:41 +0000)]
Merge branch 'ticket/10693-limit_module'
* ticket/10693-limit_module:
(#10693) Ensure -m limit is added for iptables when using 'limit' param
Jonathan Boyett [Thu, 10 Nov 2011 00:07:56 +0000 (16:07 -0800)]
(#10693) Ensure -m limit is added for iptables when using 'limit' param
Previously we had only been adding --limit to the iptables arguments
which meant the 'limit' parameter was not working at all. This patch
fixes that.
Ken Barber [Sat, 12 Nov 2011 16:52:42 +0000 (16:52 +0000)]
Merge branch 'ticket/10690-multiport_ports'
* ticket/10690-multiport_ports:
(#10690) Create new port property
Jonathan Boyett [Wed, 9 Nov 2011 23:17:41 +0000 (15:17 -0800)]
(#10690) Create new port property
This new property will allow you to specify ports that match both destination
and source.
This works the same as dport and sport parameters, so it provides array
support and hyphen separated ranges of ports as well.
Ken Barber [Sat, 12 Nov 2011 16:38:18 +0000 (16:38 +0000)]
Merge branch 'ticket/10700-comment_validation'
* ticket/10700-comment_validation:
(#10700) allow additional characters in comment string
Jonathan Boyett [Thu, 10 Nov 2011 02:55:08 +0000 (18:55 -0800)]
(#10700) allow additional characters in comment string
Ken Barber [Sun, 30 Oct 2011 11:31:48 +0000 (11:31 +0000)]
Merge branch 'ticket/9082-state-change'
* ticket/9082-state-change:
(#9082) Sort iptables --state option values internally to keep it consistent across runs
Chris Boulton [Mon, 24 Oct 2011 06:27:31 +0000 (17:27 +1100)]
(#9082) Sort iptables --state option values internally to keep it consistent across runs
Previously we were getting multiple re-runs due to the fact that iptables
returns a different order with iptables-save than what was used when creating
the rule.
This patch fixes that by sorting states with should=.
Added unit tests to ensure states are correctly sorted. Also added comments in
code to ensure people understand why
Dan Carley [Thu, 27 Oct 2011 11:25:00 +0000 (04:25 -0700)]
Merge pull request #26 from kbarber/ticket/10324-extra_spaces
(#10324) Remove extraneous whitespace from iptables rule line in spec tes
Ken Barber [Thu, 27 Oct 2011 11:20:36 +0000 (12:20 +0100)]
(#10324) Remove extraneous whitespace from iptables rule line in spec tests
The extra spaces between port numbers were messing up the parse and
putting elements in the wrong parts of the hash during rule_to_hash.
This wasn't causing a test problem now, but was creating an issue for
other work people were doing on the module.
Jonathan Boyett [Wed, 26 Oct 2011 18:33:48 +0000 (11:33 -0700)]
Merge pull request #23 from kbarber/ticket/10303-release_0.0.2
(#10303) Release 0.0.2 - CHANGELOG and Modulefile update
Ken Barber [Wed, 26 Oct 2011 18:24:32 +0000 (19:24 +0100)]
(#10303) Release 0.0.2 - CHANGELOG and Modulefile update
Jonathan Boyett [Wed, 26 Oct 2011 16:49:34 +0000 (09:49 -0700)]
Merge pull request #22 from kbarber/ticket/10295-util_loader
(#10295) Work around bug #4248 whereby the puppet/util paths are not bein
Ken Barber [Wed, 26 Oct 2011 10:24:33 +0000 (12:24 +0200)]
(#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
This patch suggested by Dan Carley will work-around the puppet/util error
specified in bug #4248 by loading relative paths instead.
This also fixes the load errors related to running the resource in a standalone
puppet case as well.
If the load fails for some reason, we fall back to the normal load behaviour.
This order is important as we want to load libraries before sync in case the
user has disabled pluginsync in the meantime. This will ensure we attempt to
get the latest copy, but have a fall back just in case.
I believe this fix will need to be applied for some time to support older Puppet
versions.
I've updated the documentation to provide more thorough instructions for
cases where people are using environments, and to tell people to pluginsync
on the master and potentially restart their puppetmaster first just in case.
Jonathan Boyett [Wed, 26 Oct 2011 15:31:42 +0000 (08:31 -0700)]
Merge pull request #21 from kbarber/ticket/10002-range_of_ports
(#10002) Change to dport and sport to handle ranges, and fix handling of
Ken Barber [Tue, 11 Oct 2011 17:29:17 +0000 (18:29 +0100)]
(#10002) Change to dport and sport to handle ranges, and fix handling of name to port.
We hadn't been allowing ranges of the kind 22:1000 for ranges. This patch
fixes that. Thanks to Jason Hancock for finding this issue and providing a sample
patch.
Instead of using colon though, it was decided we would use a hyphen to specify a range
as it's more agnostic. This patch does the filtering for both writing the rule and
reading the rule.
Also - the way we were doing name to port conversion had been broken. I found
this out while fixing the ranges, and have now fixed it and added tests.
Jonathan Boyett [Tue, 25 Oct 2011 15:02:50 +0000 (08:02 -0700)]
Merge pull request #20 from kbarber/ticket/10263-tests_fail_on_puppet-2.6.x
(#10263) Fix tests on Puppet 2.6.x
Ken Barber [Tue, 25 Oct 2011 09:10:42 +0000 (10:10 +0100)]
(#10263) Fix tests on Puppet 2.6.x
Due to the lack of Puppet::Test::LogCollector class, tests fail on puppet
2.6.x. Instead of just using the class, I'm testing its existence first
and only using it if it exists. Otherwise, I'm going to fall back to 2.6.x
methodology.
This seems to make tests work on 2.6.7 (and up) and 2.7.1 (and up) which is
sufficient for now.
Jonathan Boyett [Sat, 22 Oct 2011 18:24:44 +0000 (11:24 -0700)]
Merge pull request #17 from kbarber/ticket/10163-doc_cleanup
(#10163) Cleanup some of the inline documentation and README file to alig
Ken Barber [Wed, 19 Oct 2011 07:57:48 +0000 (08:57 +0100)]
(#10163) Cleanup some of the inline documentation and README file to align with general forge usage.
* The README.markdown file had a lot of property information that was
duplicated in the type itself. The README.markdown file has more info in
some cases, I have moved this into the type.
* The README.markdown lacked documentation on how to install the module using
the forge which meant users accessing it via github would be inclined to
download the development version from github instead.
* Cleaned up doc string alignments and made it consistent with all types.
Jonathan Boyett [Tue, 18 Oct 2011 21:35:54 +0000 (14:35 -0700)]
Merge pull request #15 from kbarber/ticket/9362-action_property
(#9362) Create action property and perform transformation for accept, dro
Ken Barber [Mon, 10 Oct 2011 07:11:27 +0000 (08:11 +0100)]
(#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter.
This commit introduces the new 'action' parameter which is designed to designate
the action to take when a match succeeds. This is a cross-platform parameter and
for the values 'accept','drop','reject' it will take the place of the existing
jump parameter.
The jump parameter is deemed as an iptables specific parameter so by splitting
out this parameter for common actions it allows us to extend the firewall
resource to include other providers much more easily in the future. By having
such a common parameter we will be able to compare resources between boxes that
may have different firewall implementations.
The new behaviour is to force the usage for action parameter, and using
'accept', 'drop' or 'reject' for jump will now no longer work.
Also - the default of 'accept' for jump has been removed which means you MUST
specify an action if you want your rule to do something. Without an action the
rule will match, but do nothing (so only useful for keeping counters generally).
To aid in the testing of this new property I've added new ways to test converting
iptables rules to hashes and hashes to general_args. This should simplify the
testing of new bugs as well.
Jonathan Boyett [Tue, 18 Oct 2011 20:29:04 +0000 (13:29 -0700)]
Merge pull request #16 from kbarber/ticket/10088-contributing
(#10088) Provide a customised version of CONTRIBUTING.md
Ken Barber [Fri, 14 Oct 2011 10:13:10 +0000 (12:13 +0200)]
(#10088) Provide a customised version of CONTRIBUTING.md
The goal here is to provide some clear documentation to point contributors
at when they want to submit code. This document is a copy of the facter one,
slightly modified for puppetlabs-firewall.
Jonathan Boyett [Tue, 11 Oct 2011 22:38:37 +0000 (15:38 -0700)]
Merge pull request #14 from kbarber/ticket/10026-type_rspec_rake_cleanup
Ticket/10026 type rspec rake cleanup
Ken Barber [Tue, 11 Oct 2011 19:21:54 +0000 (20:21 +0100)]
(#10026) Re-arrange provider and type spec files to align with Puppet.
I've moved the spec files now under 'puppet' to align with how Puppet does it. This
also makes more sense as this lines up with the module/class names now.
The iptables_type_spec.rb is now just firewall_type.rb to designate it is for
the generic firewall type.
iptables_prov_spec.rb is now iptables_spec.rb. The provider part is implicit
in the path.
Ken Barber [Tue, 11 Oct 2011 19:18:01 +0000 (20:18 +0100)]
(#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default.
I've cleaned up the Rakefile a bit so that the aliases:
* test
* specs
* tests
Now point to "spec". The (s) versions are used by rvm but generally these are
all provided for convenience in case someone uses the wrong form.
I've also changed the default rake task to show the list of tasks (rake -T).
The description for rake spec is also a bit longer.
Ken Barber [Tue, 11 Oct 2011 18:55:22 +0000 (19:55 +0100)]
Merge branch 'ticket/9439-existing_rules'
* ticket/9439-existing_rules:
(#9439) fix parsing and deleting existing rules
Reviewed-by: Ken Barber <ken@bob.sh>