From 2fde44baa494485d4e172da2ae84d401b411a444 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 22 Nov 2022 00:21:14 +0000 Subject: [PATCH] Release prep v4.0.0 --- CHANGELOG.md | 43 ++++++++++----- REFERENCE.md | 145 ++++++++++++++++++++++++++++---------------------- metadata.json | 2 +- 3 files changed, 112 insertions(+), 78 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d79b6d..30cd6b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,37 +1,52 @@ # Change log All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). -## [v3.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.6.0) - 2022-10-03 -[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.5.0...v3.6.0) +## [v4.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v4.0.0) (2022-11-22) -### Added +[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.6.0...v4.0.0) -- pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 [#1063](https://github.com/puppetlabs/puppetlabs-firewall/pull/1063) ([david22swan](https://github.com/david22swan)) +### Changed -- pdksync - (GH-cat-12) Add Support for Redhat 9 [#1054](https://github.com/puppetlabs/puppetlabs-firewall/pull/1054) ([david22swan](https://github.com/david22swan)) +- \(CONT-256\) Removing outdated code [\#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud)) + +### Added + +- add support for using rpfilter in rules [\#1059](https://github.com/puppetlabs/puppetlabs-firewall/pull/1059) ([cmusik](https://github.com/cmusik)) ### Fixed -- (GH-1055) Fix for `--random-fully` [#1058](https://github.com/puppetlabs/puppetlabs-firewall/pull/1058) ([david22swan](https://github.com/david22swan)) +- \(CONT-173\) - Updating deprecated facter instances [\#1079](https://github.com/puppetlabs/puppetlabs-firewall/pull/1079) ([jordanbreen28](https://github.com/jordanbreen28)) +- pdksync - \(CONT-189\) Remove support for RedHat6 / OracleLinux6 / Scientific6 [\#1078](https://github.com/puppetlabs/puppetlabs-firewall/pull/1078) ([david22swan](https://github.com/david22swan)) +- pdksync - \(CONT-130\) - Dropping Support for Debian 9 [\#1075](https://github.com/puppetlabs/puppetlabs-firewall/pull/1075) 
([jordanbreen28](https://github.com/jordanbreen28)) +- fix service port number lookup to use protocol [\#1023](https://github.com/puppetlabs/puppetlabs-firewall/pull/1023) ([kjetilho](https://github.com/kjetilho)) + +## [v3.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.6.0) (2022-10-03) -### Other +[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.5.0...v3.6.0) + +### Added -- allow persistence of firewall rules for Suse [#1061](https://github.com/puppetlabs/puppetlabs-firewall/pull/1061) ([corporate-gadfly](https://github.com/corporate-gadfly)) +- pdksync - \(GH-cat-11\) Certify Support for Ubuntu 22.04 [\#1063](https://github.com/puppetlabs/puppetlabs-firewall/pull/1063) ([david22swan](https://github.com/david22swan)) +- pdksync - \(GH-cat-12\) Add Support for Redhat 9 [\#1054](https://github.com/puppetlabs/puppetlabs-firewall/pull/1054) ([david22swan](https://github.com/david22swan)) -## [v3.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.5.0) - 2022-05-17 +### Fixed + +- allow persistence of firewall rules for Suse [\#1061](https://github.com/puppetlabs/puppetlabs-firewall/pull/1061) ([corporate-gadfly](https://github.com/corporate-gadfly)) +- \(GH-1055\) Fix for `--random-fully` [\#1058](https://github.com/puppetlabs/puppetlabs-firewall/pull/1058) ([david22swan](https://github.com/david22swan)) + +## [v3.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.5.0) (2022-05-17) [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.4.0...v3.5.0) ### Added -- CentOS Stream 9 Support (should include RHEL9 when that releases) [#1028](https://github.com/puppetlabs/puppetlabs-firewall/pull/1028) ([tskirvin](https://github.com/tskirvin)) +- CentOS Stream 9 Support \(should include RHEL9 when that releases\) [\#1028](https://github.com/puppetlabs/puppetlabs-firewall/pull/1028) ([tskirvin](https://github.com/tskirvin)) ### Fixed -- pdksync - (GH-iac-334) Remove Support for Ubuntu 
14.04/16.04 [#1038](https://github.com/puppetlabs/puppetlabs-firewall/pull/1038) ([david22swan](https://github.com/david22swan)) - -- Fix rpfilter parameter [#1013](https://github.com/puppetlabs/puppetlabs-firewall/pull/1013) ([onyxmaster](https://github.com/onyxmaster)) +- pdksync - \(GH-iac-334\) Remove Support for Ubuntu 14.04/16.04 [\#1038](https://github.com/puppetlabs/puppetlabs-firewall/pull/1038) ([david22swan](https://github.com/david22swan)) +- Fix rpfilter parameter [\#1013](https://github.com/puppetlabs/puppetlabs-firewall/pull/1013) ([onyxmaster](https://github.com/onyxmaster)) ## [v3.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.4.0) (2022-02-28) @@ -43,7 +58,7 @@ All notable changes to this project will be documented in this file. The format ### Fixed -- pdksync - \(IAC-1787\) - Remove Support for CentOS 6 [\#1027](https://github.com/puppetlabs/puppetlabs-firewall/pull/1027) ([david22swan](https://github.com/david22swan)) +- pdksync - \(IAC-1787\) Remove Support for CentOS 6 [\#1027](https://github.com/puppetlabs/puppetlabs-firewall/pull/1027) ([david22swan](https://github.com/david22swan)) ## [v3.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v3.3.0) (2021-12-15) diff --git a/REFERENCE.md b/REFERENCE.md index b7831fd..d4d9021 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -17,7 +17,7 @@ * `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot. * `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems. * `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems. -* `firewall::params`: Provides defaults for the Apt module parameters. +* `firewall::params`: Provides defaults for the Apt module parameters ### Resource types 
@@ -47,15 +47,15 @@ class { 'firewall': } The following parameters are available in the `firewall` class: -* [`ensure`](#ensure) -* [`ensure_v6`](#ensure_v6) -* [`pkg_ensure`](#pkg_ensure) -* [`service_name`](#service_name) -* [`service_name_v6`](#service_name_v6) -* [`package_name`](#package_name) -* [`ebtables_manage`](#ebtables_manage) +* [`ensure`](#-firewall--ensure) +* [`ensure_v6`](#-firewall--ensure_v6) +* [`pkg_ensure`](#-firewall--pkg_ensure) +* [`service_name`](#-firewall--service_name) +* [`service_name_v6`](#-firewall--service_name_v6) +* [`package_name`](#-firewall--package_name) +* [`ebtables_manage`](#-firewall--ebtables_manage) -##### `ensure` +##### `ensure` Data type: `Any` @@ -63,15 +63,15 @@ Controls the state of the ipv4 iptables service on your system. Valid options: ' Default value: `running` -##### `ensure_v6` +##### `ensure_v6` Data type: `Any` Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. -Default value: ``undef`` +Default value: `undef` -##### `pkg_ensure` +##### `pkg_ensure` Data type: `Any` @@ -79,7 +79,7 @@ Controls the state of the iptables package on your system. Valid options: 'prese Default value: `present` -##### `service_name` +##### `service_name` Data type: `Any` @@ -87,7 +87,7 @@ Specify the name of the IPv4 iptables service. Default value: `$firewall::params::service_name` -##### `service_name_v6` +##### `service_name_v6` Data type: `Any` @@ -95,7 +95,7 @@ Specify the name of the IPv6 iptables service. Default value: `$firewall::params::service_name_v6` -##### `package_name` +##### `package_name` Data type: `Any` 
@@ -103,13 +103,13 @@ Specify the platform-specific package(s) to install. Default value: `$firewall::params::package_name` -##### `ebtables_manage` +##### `ebtables_manage` Data type: `Any` Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure. -Default value: ``false`` +Default value: `false` ## Resource types @@ -295,13 +295,13 @@ Default value: `INPUT` ##### `checksum_fill` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Compute and fill missing packet checksums. ##### `clamp_mss_to_pmtu` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Sets the clamp mss to pmtu flag. @@ -333,7 +333,7 @@ Specify the random seed used for hash initialization. ##### `clusterip_new` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. @@ -767,32 +767,32 @@ For example: 'blacklist src,dst' ##### `ipvs` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Indicates that the current packet belongs to an IPVS connection. ##### `isfirstfrag` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6. ##### `isfragment` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Set to true to match tcp fragments (requires type to be set to tcp) ##### `ishasmorefrags` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` If true, matches if the packet has it's 'more fragments' bit set. ipv6. ##### `islastfrag` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` If true, matches if the packet is the last fragment. ipv6. 
@@ -822,7 +822,7 @@ only one of the options should be set. ##### `kernel_timezone` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. @@ -839,7 +839,7 @@ Example values are: '50/sec', '40/min', '30/hour', '10/day'." ##### `log_ip_options` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When combined with jump => "LOG" logging of the TCP IP/IPv6 packet header. @@ -856,21 +856,21 @@ logging. ##### `log_tcp_options` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When combined with jump => "LOG" logging of the TCP packet header. ##### `log_tcp_sequence` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When combined with jump => "LOG" enables logging of the TCP sequence numbers. ##### `log_uid` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When combined with jump => "LOG" specifies the uid of the process making the connection. @@ -927,7 +927,7 @@ per packet, but increase delay until the packets reach userspace. Defaults to 1. ##### `notrack` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Invoke the disable connection tracking for this packet. This parameter can be used with iptables version >= 1.8.3 @@ -949,19 +949,19 @@ Match if the packet is entering a bridge from the given interface. ##### `physdev_is_bridged` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Match if the packet is transversing a bridge. ##### `physdev_is_in` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Matches if the packet has entered through a bridge interface. ##### `physdev_is_out` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Matches if the packet will leave through a bridge interface. 
@@ -1006,7 +1006,7 @@ Default value: `tcp` ##### `queue_bypass` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Used with NFQUEUE jump target Allow packets to bypass :queue_num if userspace process is not listening @@ -1018,14 +1018,14 @@ What queue number to send packets to ##### `random` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping. ##### `random_fully` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping. @@ -1034,14 +1034,14 @@ this boolean will enable fully randomized port mapping. ##### `rdest` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Recent module; add the destination IP address to the list. Must be boolean true. ##### `reap` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Recent module; can only be used in conjunction with the `rseconds` attribute. When used, this will cause entries older than 'seconds' to be @@ -1113,14 +1113,14 @@ number of seconds. ##### `rsource` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Recent module; add the source IP address to the list. Must be boolean true. ##### `rttl` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match @@ -1149,7 +1149,7 @@ Sets the TCP MSS value for packets. ##### `socket` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` If true, matches if an open socket can be found by doing a coket lookup on the packet. 
@@ -1323,7 +1323,7 @@ TCP connection initiation. ##### `time_contiguous` -Valid values: ``true``, ``false`` +Valid values: `true`, `false` When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. @@ -1375,15 +1375,16 @@ Assign this packet to zone id and only have lookups done in that zone. The following parameters are available in the `firewall` type. -* [`line`](#line) -* [`name`](#name) -* [`provider`](#provider) +* [`line`](#-firewall--line) +* [`name`](#-firewall--name) +* [`onduplicaterulebehaviour`](#-firewall--onduplicaterulebehaviour) +* [`provider`](#-firewall--provider) -##### `line` +##### `line` Read-only property for caching the rule line. -##### `name` +##### `name` Valid values: `%r{^\d+[[:graph:][:space:]]+$}` @@ -1398,7 +1399,25 @@ so make sure you prefix the rule with a number: Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. -##### `provider` +##### `onduplicaterulebehaviour` + +Valid values: `ignore`, `warn`, `error` + +In certain situations it is possible for an unmanaged rule to exist +on the target system that has the same comment as the rule +specified in the manifest. + +This setting determines what happens when such a duplicate is found. + +It offers three options: + + * ignore - The duplicate rule is ignored and any updates to the resource will continue unaffected. + * warn - The duplicate rule is logged as a warning and any updates to the resource will continue unaffected. + * error - The duplicate rule is logged as an error and any updates to the resource will be skipped. + +Default value: `warn` + +##### `provider` The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. 
@@ -1451,13 +1470,13 @@ PREROUTING, POSTROUTING) and can be one of: The following parameters are available in the `firewallchain` type. -* [`ignore`](#ignore) -* [`ignore_foreign`](#ignore_foreign) -* [`name`](#name) -* [`provider`](#provider) -* [`purge`](#purge) +* [`ignore`](#-firewallchain--ignore) +* [`ignore_foreign`](#-firewallchain--ignore_foreign) +* [`name`](#-firewallchain--name) +* [`provider`](#-firewallchain--provider) +* [`purge`](#-firewallchain--purge) -##### `ignore` +##### `ignore` Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of `iptables-save`. @@ -1480,9 +1499,9 @@ firewallchain { 'INPUT:filter:IPv4': } ``` -##### `ignore_foreign` +##### `ignore_foreign` -Valid values: ``false``, ``true`` +Valid values: `false`, `true` Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain. @@ -1490,9 +1509,9 @@ This can be used to ignore rules that were not put in by puppet. Beware that not configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured rules. -Default value: ``false`` +Default value: `false` -##### `name` +##### `name` namevar @@ -1500,16 +1519,16 @@ The canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}. -##### `provider` +##### `provider` The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. -##### `purge` +##### `purge` -Valid values: ``false``, ``true`` +Valid values: `false`, `true` Purge unmanaged firewall rules in this chain -Default value: ``false`` +Default value: `false` diff --git a/metadata.json b/metadata.json index f96f12e..ed133ae 100644 --- a/metadata.json +++ b/metadata.json 
@@ -1,6 +1,6 @@ { "name": "puppetlabs-firewall", - "version": "3.6.0", + "version": "4.0.0", "author": "puppetlabs", "summary": "Manages Firewalls such as iptables", "license": "Apache-2.0", -- 2.45.2
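Review bot: In the CHANGELOG.md hunk for v4.0.0, the entries that drop platform support ("Remove support for RedHat6 / OracleLinux6 / Scientific6" #1078 and "Dropping Support for Debian 9" #1075) are filed under "### Fixed", but these are the breaking changes that justify the major version bump and should sit under a "### Removed" (or at least "### Changed") heading per the Keep a Changelog format this file declares at its top. The "(CONT-256) Removing outdated code" line under "### Changed" also gives an operator no way to tell whether any resource parameters were removed; name them in the entry so users reading the v3.6.0 to v4.0.0 upgrade know what breaks.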
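Review bot: In the REFERENCE.md hunk at line 17, the only change is dropping the trailing period from "* `firewall::params`: Provides defaults for the Apt module parameters", which leaves it inconsistent with the surrounding `firewall::linux::*` entries that all end with a period. The description itself is also wrong for this module: the class provides defaults for the firewall module, not "the Apt module", and since the line is being touched anyway that copy-paste leftover should be corrected here.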
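Review bot: In the REFERENCE.md hunk at line 47 (and the matching hunks for the `firewall` and `firewallchain` parameter lists), the table-of-contents links change from `#ensure` to `#-firewall--ensure`, but the corresponding "##### `ensure`" heading lines appear identical on the `-` and `+` sides of the diff. If the new anchor is an HTML `<a name="...">` element that the renderer is not showing, fine, but if the headings really are unchanged every one of these links now points at a non-existent target; please confirm the generated headings carry the new anchor before merging. The ``undef``/``false`` to `undef`/`false` changes in the same hunks are a welcome fix, since the double backticks rendered as literal backticks in the default values.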
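Review bot: In the REFERENCE.md hunk at line 1149 the context line for `socket` reads "doing a coket lookup on the packet"; this should be "socket lookup". Nearby context in the `ishasmorefrags` and `physdev_is_bridged` entries has "has it's 'more fragments' bit set" (should be "its") and "transversing a bridge" (should be "traversing"). These are pre-existing, but since REFERENCE.md is regenerated for this release it is the right moment to fix the source docstrings they come from.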
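Review bot: In the REFERENCE.md hunk at line 1398 introducing `onduplicaterulebehaviour`, the description says that for `ignore` and `warn` "any updates to the resource will continue unaffected" but never states which of the two rules, the managed one or the unmanaged one carrying the same comment, Puppet then matches and modifies. Because the rule name is stored in the iptables comment and that comment is the only key used to pair a resource with a live rule, this is exactly the case where Puppet can end up editing a rule it does not own; the doc should say what happens to each rule under each option and why `warn` rather than `error` is the default. A formatting point in the same hunk: the three option bullets are indented with a leading space (" * ignore - ..."), which is inconsistent with every other list in the file and risks rendering as a code block in some Markdown processors; use the same unindented "* " style as the rest of REFERENCE.md.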
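Review bot: In the REFERENCE.md hunk at line 1499 for `ignore_foreign`, the context sentence "Beware that not configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured rules." is grammatically broken and does not say what the reader should beware of. The intended warning is presumably that an unmanaged rule whose comment starts with digits is indistinguishable from a Puppet-managed rule and will not be protected from purging by this option; since the surrounding lines are being regenerated, restate it in one clear sentence.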
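Review bot: In the metadata.json hunk, only "version" moves from 3.6.0 to 4.0.0, yet the changelog for this release records removal of support for RedHat 6, OracleLinux 6, Scientific 6 and Debian 9. Please confirm those entries were already dropped from the operatingsystem_support section by the referenced PRs (#1078, #1075); if not, this release would still advertise support for platforms it no longer tests, and the metadata change belongs in this same patch so the version bump and the supported-platform list land together.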