From f3e48d7c32db7a014038194bf7ca4e4868eab81d Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Mon, 9 May 2016 13:59:39 -0700 Subject: [PATCH] Prep 1.8.1 --- CHANGELOG.md | 109 +++++++++++++++++++++++++++----------------------- metadata.json | 2 +- 2 files changed, 59 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f02d9a..cde8f84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,52 +1,59 @@ +## Supported Release 1.8.1 +### Summary +This release documents an important issue with mcollective that may impact users of the firewall module. Workarounds are suggested as part of this advisory until mcollective can be patched. + +#### Bugfixes +- Add mcollective rule-reversal known limitation + ## Supported Release 1.8.0 -###Summary +### Summary This release includes numerous features, bugfixes and other improvements including better handling when trying to delete already absent rules. -####Features +#### Features - Added new 'pkg_ensure' parameter to allow the updating of the iptables package. - Added new 'log_uid' property. - Added 'sctp' to the 'proto' property. - Added support for IPv6 NAT in Linux kernels >= 3.7. - Added support for the security table. -####Bugfixes +#### Bugfixes - (MODULES-2783) Replaced hardcoded iptables service references with $service_name variable. - (MODULES-1341) Recover when deleting absent rules. - (MODULES-3032) Facter flush is called to clear Facter cache get up to date value for ':iptables_persistent_version'. - (MODULES-2159) Fixed idempotency issue when using connlimit. - Fixed the handling of chain names that contain '-f'. -####Improvements +#### Improvements - Numerous unit and acceptance test improvements. - Improved handling/use of the '$::iptables_persistent_version' custom fact. - Better handling of operating systems that use SELinux. ## Supported Release 1.7.2 -###Summary +### Summary Small release for support of newer PE versions. This increments the version of PE in the metadata.json file. -##2015-08-25 - Supported Release 1.7.1 -###Summary +## 2015-08-25 - Supported Release 1.7.1 +### Summary This is a bugfix release to deprecate the port parameter. Using the unspecific 'port' parameter can lead to firewall rules that are unexpectedly too lax. It is recommended to always use the specific dport and sport parameters to avoid this ambiguity. 
-####Bugfixes +#### Bugfixes - Deprecate the port parameter -##2015-07-28 - Supported Release 1.7.0 -###Summary +## 2015-07-28 - Supported Release 1.7.0 +### Summary This release includes numerous features, bugfixes and other improvements including Puppet 4 & PE 2015.2 support as well as ClusterIP and DSCP jump target support. -####Features +#### Features - Puppet 4 and PE 2015.2 official support - ClusterIP jump target (including options) now supported - DSCP jump target (including options) now supported - SLES 10 now compatible (but not supported) -####Bugfixes +#### Bugfixes - (MODULES-1967) Parse escape sequences from iptables - (MODULES-1592) Allow src_type and dst_type prefixed with '!' to pass validation - (MODULES-2186) - iptables rules with -A in comment now supported @@ -54,18 +61,18 @@ This release includes numerous features, bugfixes and other improvements includi - Fix installation hang on Debian Jessie - Fix for physdev idempotency on EL5 -####Improvements +#### Improvements - Documentation improvements - Enforce the seluser on selinux systems - All the relevent services are now autorequired by the firewall and firewallchain types - Replace Facter.fact().value() calls with Facter.value() to support Facter 3 -##2015-05-19 - Supported Release 1.6.0 -###Summary +## 2015-05-19 - Supported Release 1.6.0 +### Summary This release includes support for TEE, MSS, the time ipt module, Debian 8 support, and a number of test fixes and other improvements. -####Features +#### Features - Add TEE support - Add MSS support (including clamp-mss-to-pmtu support) - Add support for the time ipt module (-m time) 
@@ -75,35 +82,35 @@ This release includes support for TEE, MSS, the time ipt module, Debian 8 suppor - Add support for new 'match_mark' property - Added 'ipv4' and 'ipv6' options to 'proto' property -####Bugfixes +#### Bugfixes - Fix for Systemd-based OSes where systemd needs restarted before being able to pick up new services (MODULES-1984) - Arch Linux package management fix -##2015-03-31 - Supported Release 1.5.0 -###Summary +## 2015-03-31 - Supported Release 1.5.0 +### Summary This release includes physdev_is_bridged support, checksum_fill support, basic Gentoo compatibility, and a number of test fixes and improvements. -####Features +#### Features - Add `physdev_is_bridged` support - Add `checksum_fill` support - Add basic Gentoo compatibility (unsupported) -####Bugfixes +#### Bugfixes - Implementation for resource map munging to allow a single ipt module to be used multiple times in a single rule on older versions of iptables (MODULES-1808) - Test fixes -##2015-01-27 - Supported Release 1.4.0 -###Summary +## 2015-01-27 - Supported Release 1.4.0 +### Summary This release includes physdev support, the ability to look up usernames from uuid, and a number of bugfixes -####Features +#### Features - Add `netmap` feature - Add `physdev` support - Add ability to look up username from uuid (MODULES-753, MODULES-1688) -####Bugfixes +#### Bugfixes - Sync iptables/ip6tables providers (MODULES-1612) - Fix package names for Amazon and Ubuntu 14.10 (MODULES-1029) - Fix overly aggressive gsub when `ensure => absent` (MODULES-1453) 
@@ -111,27 +118,27 @@ This release includes physdev support, the ability to look up usernames from uui - Fix ip6tables provider when `iptables-ipv6` package isn't installed for EL6 (MODULES-633) - Test fixes -##2014-12-16 - Supported Release 1.3.0 -###Summary +## 2014-12-16 - Supported Release 1.3.0 +### Summary This release includes a number of bugfixes and features, including fixing `tcp_flags` support, and added support for interface aliases, negation for iniface and outiface, and extra configurability for packages and service names. -####Features +#### Features - Add support for interface aliases (eth0:0) (MODULES-1469) - Add negation for iniface, outiface (MODULES-1470) - Make package and service names configurable (MODULES-1309) -####Bugfixes +#### Bugfixes - Fix test regexes for EL5 (MODULES-1565) - Fix `tcp_flags` support for ip6tables (MODULES-556) - Don't arbitrarily limit `set_mark` for certain chains -##2014-11-04 - Supported Release 1.2.0 -###Summary +## 2014-11-04 - Supported Release 1.2.0 +### Summary This release has a number of new features and bugfixes, including rule inversion, future parser support, improved EL7 support, and the ability to purge ip6tables rules. -####Features +#### Features - Documentation updates! - Test updates! - Add ipset support 
@@ -143,33 +150,33 @@ This release has a number of new features and bugfixes, including rule inversion - Add support for mac address source rules - Add cbt protocol -####Bugfixes +#### Bugfixes - Incorrect use of `source => :iptables` in the ip6tables provider was making it impossible to purge ip6tables rules (MODULES-41) - Don't require `toports` when `jump => 'REDIRECT'` (MODULES-1086) - Don't limit which chains iniface and outiface parameters can be used in - Don't fail on rules added with ipsec/strongswan (MODULES-796) -##2014-07-08 - Supported Release 1.1.3 -###Summary +## 2014-07-08 - Supported Release 1.1.3 +### Summary This is a supported release with test coverage enhancements. -####Bugfixes +#### Bugfixes - Confine to supported kernels -##2014-06-04 - Release 1.1.2 -###Summary +## 2014-06-04 - Release 1.1.2 +### Summary This is a release of the code previously released as 1.1.1, with updated metadata. ## 2014-05-16 Release 1.1.1 -###Summary +### Summary This release reverts the alphabetical ordering of 1.1.0. We found this caused a regression in the Openstack modules so in the interest of safety we have removed this for now. ## 2014-05-13 Release 1.1.0 -###Summary +### Summary This release has a significant change from previous releases; we now apply the firewall resources alphabetically by default, removing the need to create pre @@ -183,13 +190,13 @@ intended) versions of iptables, as well as connlimit and connmark. This release has been validated against Ubuntu 14.04 and RHEL7 and should be fully working on those platforms. -####Features +#### Features - Apply firewall resources alphabetically. - Add support for connlimit and connmark. - Add `mask` as a parameter. (Used exclusively with the recent parameter). -####Bugfixes +#### Bugfixes - Add systemd support for RHEL7. - Replace &&'s with the correct and in manifests. 
@@ -198,38 +205,38 @@ working on those platforms. - Fix boolean flag tests. - Fix DNAT->SNAT typo in an error message. -####Known Bugs +#### Known Bugs * For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. ## 2014-03-04 Supported Release 1.0.2 -###Summary +### Summary This is a supported release. This release removes a testing symlink that can cause trouble on systems where /var is on a seperate filesystem from the modulepath. -####Features -####Bugfixes -####Known Bugs +#### Features +#### Bugfixes +#### Known Bugs * For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. ### Supported release - 2014-03-04 1.0.1 -####Summary +#### Summary An important bugfix was made to the offset calculation for unmanaged rules to handle rules with 9000+ in the name. -####Features +#### Features -####Bugfixes +#### Bugfixes - Offset calculations assumed unmanaged rules were numbered 9000+. - Gracefully fail to manage ip6tables on iptables 1.3.x -####Known Bugs +#### Known Bugs * For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README. diff --git a/metadata.json b/metadata.json index de022e4..ca529a6 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-firewall", - "version": "1.8.0", + "version": "1.8.1", "author": "Puppet Labs", "summary": "Manages Firewalls such as iptables", "license": "Apache-2.0", -- 2.45.2
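Review bot: in the first CHANGELOG.md hunk (@@ -1,52 +1,59 @@), the new 1.8.1 entry files "Add mcollective rule-reversal known limitation" under "#### Bugfixes", yet the diff stat shows only CHANGELOG.md and metadata.json changing, so this release ships documentation rather than a code fix; a "#### Known Bugs" heading, as the 1.0.x and 1.1.0 entries already use, would describe it more accurately. The summary line "Workarounds are suggested as part of this advisory until mcollective can be patched." also gives the reader no pointer to where the advisory or the workaround lives; consider naming the README Limitations section that the older entries reference, or linking the advisory, so the workaround is reachable from the changelog.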
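Review bot: in the hunk at @@ -54,18 +61,18 @@, the unchanged context line "All the relevent services are now autorequired by the firewall and firewallchain types" misspells "relevant"; since this patch already touches the headings on either side of that line, correcting the typo in the same pass would be cheap.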
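Review bot: in the hunk at @@ -198,38 +205,38 @@, the heading normalization leaves the 1.0.1 entry ("### Supported release - 2014-03-04 1.0.1" followed by "#### Summary") at a different level and word order from every other release, which use "## <date> Supported Release <version>" followed by "### Summary"; bringing it in line (e.g. "## 2014-03-04 Supported Release 1.0.1" and "### Summary") would finish the job this patch starts. The empty "#### Features" and "#### Bugfixes" headings under 1.0.2 and the empty "#### Features" under 1.0.1 carry no content and could be dropped, and the context line "on a seperate filesystem from the modulepath" misspells "separate".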