Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-firewall', '8.1.3'
firewall
Table of Contents
- Overview - What is the firewall module?
- Module description - What does the module do?
- Setup - The basics of getting started with firewall
- Usage - Configuration and customization options
- Reference - An under-the-hood peek at what the module is doing
- Limitations - OS compatibility, etc.
- License
- Firewall_multi - Arrays for certain parameters
- Development - Guide for contributing to the module
Overview
The firewall module lets you manage firewall rules with Puppet.
Module description
PuppetLabs' firewall module introduces the firewall resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the firewallchain resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.
The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining pre and post rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.
Setup
What firewall affects
- Every node running a firewall
- Firewall settings in your system
- Connection settings for managed nodes
- Unmanaged resources (get purged)
Setup requirements
Firewall uses Ruby-based providers, so you must enable pluginsync.
Beginning with firewall
In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.
The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the pre and post classes described in the first section, then you also need to create the rules described in the second section.
Create the my_fw::pre and my_fw::post Classes
This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
The code in this section does the following:
- The 'require' parameter in firewall {} ensures my_fw::pre is run before any other rules.
- In the my_fw::post class declaration, the 'before' parameter ensures my_fw::post is run after any other rules.
The rules in the pre and post classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.
- Add the pre class to my_fw/manifests/pre.pp, and any default rules to your pre.pp file first, in the order you want them to run.
class my_fw::pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
jump => 'accept',
}
-> firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
jump => 'accept',
}
-> firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
jump => 'reject',
}
-> firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
jump => 'accept',
}
}
The rules in pre allow basic networking (such as ICMP and TCP) and ensure that existing connections are not closed.
- Add the post class to my_fw/manifests/post.pp and include any default rules; apply these last.
class my_fw::post {
firewall { '999 drop all':
proto => 'all',
jump => 'drop',
before => undef,
}
}
Alternatively, the firewallchain type can be used to set the default policy:
firewallchain { 'INPUT:filter:IPv4':
ensure => present,
policy => drop,
before => undef,
}
Create firewall rules
The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
- Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the pre and post classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
Firewall {
before => Class['my_fw::post'],
require => Class['my_fw::pre'],
}
- Declare the my_fw::pre and my_fw::post classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
class { ['my_fw::pre', 'my_fw::post']: }
- Include the firewall class to ensure the correct packages are installed:
class { 'firewall': }
- If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
resources { 'firewall':
purge => true,
}
To purge unmanaged firewall chains, add:
resources { 'firewallchain':
purge => true,
}
Internal chains cannot be deleted. To avoid all the confusing Warning/Notice messages when using purge => true, like these ones:
Warning: Inbuilt Chains may not be deleted. Chain POSTROUTING:mangle:IPv6
will be flushed and have it's policy reverted to default.
Please create firewallchains for every internal chain. Here is an example:
firewallchain { 'POSTROUTING:mangle:IPv6':
ensure => present,
}
resources { 'firewallchain':
purge => true,
}
Note: If you need more fine-grained control over which unmanaged rules get removed, investigate the purge and ignore_foreign parameters available in firewallchain.
Note: ignore_foreign of firewallchain does not work as expected with a resources purge of firewall.
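The setup steps above assembled into one top-scope manifest (for example site.pp), as an added example that is not from the module's README. It assumes the my_fw::pre and my_fw::post classes from the previous section exist; the list of inbuilt chains declared before the chain purge is an illustrative subset for the filter, nat and mangle tables on IPv4 and should be extended to match the tables and protocols actually in use on the host.

```puppet
# Added example: complete bootstrap of the firewall framing in a top-scope manifest.
# Assumes my_fw::pre and my_fw::post (from the previous section) are on the modulepath.

# Resource defaults: every firewall rule is applied after my_fw::pre and before
# my_fw::post, so the connectivity rules are in place before any deny rule,
# even on the very first run.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

# Declare the framing classes (or assign them from an external node classifier).
class { ['my_fw::pre', 'my_fw::post']: }

# Install iptables and the platform's persistence package.
class { 'firewall': }

# Remove any rule on the host that is not in the catalog. Rules with a comment
# in the reserved 9000-9999 range are left alone by the module.
resources { 'firewall':
  purge => true,
}

# Inbuilt chains cannot be deleted, so declare them before purging chains;
# otherwise every run logs a "Inbuilt Chains may not be deleted" warning.
# Illustrative subset only: extend for IPv6 (":IPv6") and other tables as needed.
$inbuilt_chains = [
  'INPUT:filter:IPv4', 'FORWARD:filter:IPv4', 'OUTPUT:filter:IPv4',
  'PREROUTING:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4',
  'PREROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', 'FORWARD:mangle:IPv4',
  'OUTPUT:mangle:IPv4', 'POSTROUTING:mangle:IPv4',
]
firewallchain { $inbuilt_chains:
  ensure => present,
}

# With the inbuilt chains declared, purging leaves only user chains in the
# catalog (plus the inbuilt ones) on the host.
resources { 'firewallchain':
  purge => true,
}
```

Apply this with a noop run first (puppet agent -t --noop) on a host that already has rules: the purge reports every rule and chain it would remove, which is the cheapest way to confirm nothing load-bearing lives outside the catalog before the change is enforced.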
Upgrading
Use these steps if you already have a version of the firewall module installed.
From version 0.2.0 and more recent
Upgrade the module with the puppet module tool as normal:
puppet module upgrade puppetlabs/firewall
Usage
There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.
All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. 000 runs first, 999 runs last.
Note: The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range.
Default rules
You can place default rules in either my_fw::pre or my_fw::post, depending on when you would like them to run. Rules placed in the pre class will run first, and rules in the post class, last.
In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
Examples of default rules
Basic accept ICMP request example:
firewall { '000 accept all icmp requests':
proto => 'icmp',
jump => 'accept',
}
Drop all:
firewall { '999 drop all other requests':
jump => 'drop',
}
Example of an IPv6 rule
IPv6 rules can be specified using the ip6tables provider:
firewall { '006 Allow inbound SSH (v6)':
dport => 22,
proto => 'tcp',
jump => 'accept',
protocol => 'ip6tables',
}
Application-specific rules
Puppet doesn't care where you define rules, and this means that you can place your firewall resources as close to the applications and services that you manage as you wish. If you use the roles and profiles pattern then it makes sense to create your firewall rules in the profiles, so they remain close to the services managed by the profile.
This is an example of firewall rules in a profile:
class profile::apache {
include apache
apache::vhost { 'mysite':
ensure => present,
}
firewall { '100 allow http and https access':
dport => [80, 443],
proto => 'tcp',
jump => 'accept',
}
}
Rule inversion
Firewall rules may be inverted by prefixing the value of a parameter by "! ".
Parameters that understand inversion are: connmark, ctstate, destination, dport, dst_range, dst_type, iniface, outiface, port, proto, source, sport, src_range and src_type.
If the value is an array, then either the first value of the array, or all of its values must be prefixed in order to invert them all. For most array attributes it is not possible to invert only one passed value.
Examples:
firewall { '001 disallow esp protocol':
jump => 'accept',
proto => '! esp',
}
firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
chain => 'INPUT',
state => 'NEW',
jump => 'drop',
proto => 'tcp',
sport => ['! http', '443'],
source => '! 10.0.0.0/8',
tcp_flags => '! FIN,SYN,RST,ACK SYN',
}
There are exceptions to this, however: attributes such as src_type, dst_type and ipset allow the user to negate each passed value separately.
Examples:
firewall { '001 allow local disallow anycast':
jump => 'accept',
src_type => ['LOCAL', '! ANYCAST'],
}
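The two negation styles described above side by side, as an added example that is not from the module's README (rule titles, ports and address types are constructed for illustration):

```puppet
# Added example: array negation for "all values as one" attributes versus
# per-value negation. Values are illustrative.

# dport is negated as a whole: prefixing the first element with "! " inverts
# the entire list, so this matches TCP traffic whose destination port is
# neither 22 nor 443. Writing ['! 22', '! 443'] has the same effect.
firewall { '200 drop tcp to ports other than ssh and https':
  chain => 'INPUT',
  proto => 'tcp',
  dport => ['! 22', '443'],
  jump  => 'drop',
}

# A single scalar value is negated the same way.
firewall { '201 drop new connections not from the management network':
  chain  => 'INPUT',
  proto  => 'tcp',
  state  => 'NEW',
  source => '! 10.10.0.0/16',
  jump   => 'drop',
}

# dst_type is negated per value: LOCAL stays positive while BROADCAST is
# inverted on its own, matching packets to a local address that is not a
# broadcast address.
firewall { '202 accept to local unicast addresses only':
  chain    => 'INPUT',
  proto    => 'all',
  dst_type => ['LOCAL', '! BROADCAST'],
  jump     => 'accept',
}
```

When reviewing a manifest, check which group an attribute belongs to before reading a mixed array literally: for dport the second element above is inverted even though it carries no "! ", whereas for dst_type it is not.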
Additional uses for the firewall module
You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:
node 'some.node.com' {
firewall { '111 open port 111':
dport => 111,
}
}
You can also do more complex things with the firewall resource. This example sets up static NAT for the source network 10.1.2.0/24:
firewall { '100 snat for network foo2':
chain => 'POSTROUTING',
jump => 'MASQUERADE',
proto => 'all',
outiface => 'eth0',
source => '10.1.2.0/24',
table => 'nat',
}
You can also change the TCP MSS value for VPN client traffic:
firewall { '110 TCPMSS for VPN clients':
chain => 'FORWARD',
table => 'mangle',
source => '10.0.2.0/24',
proto => 'tcp',
tcp_flags => 'SYN,RST SYN',
mss => '1361:1541',
set_mss => '1360',
jump => 'TCPMSS',
}
The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:
firewall { '503 Mirror traffic to IDS':
proto => 'all',
jump => 'TEE',
gateway => '10.0.0.2',
chain => 'PREROUTING',
table => 'mangle',
}
The following example creates a new chain and forwards any port 5000 access to it.
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => present,
}
firewall { '100 my rule':
chain => 'MY_CHAIN',
jump => 'accept',
proto => 'tcp',
dport => 5000,
}
Setup NFLOG for a rule.
firewall {'666 for NFLOG':
proto => 'all',
jump => 'NFLOG',
nflog_group => 3,
nflog_prefix => 'nflog-test',
nflog_size => 256,
nflog_threshold => 1,
}
Duplicate rule behaviour
It is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This configuration is not supported by the firewall module.
In the event of a duplicate rule, the module will throw an error message notifying the user that it has found a duplicate and halt its update.
This behaviour was previously configurable via the onduplicaterulebehaviour parameter. However, the implementation of this resulted in a massive slowdown of the module, so it has been removed in favour of a simple error being thrown whenever a duplicate is detected.
Additional information
Access the inline documentation:
puppet describe firewall
Or
puppet doc -r type
(and search for firewall)
Reference
For information on the classes and types, see the REFERENCE.md. For information on the facts, see below.
Facts:
Fact: ip6tables_version
A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
Fact: iptables_version
A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.
Fact: iptables_persistent_version
Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
Limitations
For an extensive list of supported operating systems, see metadata.json
SLES
The socket parameter is not supported on SLES. In this release it will cause the catalog to fail with iptables failures, rather than correctly warn you that the features are unusable.
Oracle Enterprise Linux
The socket and owner parameters are unsupported on Oracle Enterprise Linux when the "Unbreakable" kernel is used. These may function correctly when using the stock RedHat kernel instead. Declaring either of these parameters on an unsupported system will result in iptables rules failing to apply.
Passing firewall parameter values as arrays with the firewall_multi module
You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.
A community module, alexharvey-firewall_multi, provides a defined type wrapper to spawn firewall resources for arrays of certain inputs.
For example:
firewall_multi { '100 allow http and https access':
source => [
'10.0.10.0/24',
'10.0.12.0/24',
'10.1.1.128',
],
dport => [80, 443],
proto => 'tcp',
jump => 'accept',
}
For more information see the documentation at alexharvey-firewall_multi.
Known issues
MCollective causes PE to reverse firewall rule order
Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x.
If you use MCollective to kick off Puppet runs (mco puppet runonce -I agent.example.com) while also using the puppetlabs/firewall module, your firewall rules might be listed in reverse order.
In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails.
To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead:
- Run puppet agent -t on the command line.
- Use a cron job.
- Click Run Puppet in the console.
condition parameter
The condition parameter requires xtables-addons to be installed locally.
For Ubuntu distributions the xtables-addons-common package can be installed by running the command apt-get install xtables-addons-common or by applying a manifest:
package { 'xtables-addons-common':
ensure => 'latest',
}
For other distributions (RedHat, Debian, CentOS etc.) manual installation of the xtables-addons package is required.
Reporting Issues
Please report any bugs in the Puppetlabs GitHub issue tracker:
https://github.com/puppetlabs/puppetlabs-firewall/issues
License
This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of AGPL, BSD-2, BSD-3, GPL2.0, LGPL, MIT and MPL Licensing.
Development
Acceptance tests for this module leverage puppet_litmus. To run the acceptance tests follow the instructions here. You can also find a tutorial and walkthrough of using Litmus and the PDK on YouTube.
If you run into an issue with this module, or if you would like to request a feature, please file a ticket. Every Monday the Puppet IA Content Team has office hours in the Puppet Community Slack, alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC).
If you have problems getting this module up and running, please contact Support.
If you submit a change to this module, be sure to regenerate the reference documentation as follows:
puppet strings generate --format markdown --out REFERENCE.md
Testing
Make sure you have:
- rake
- bundler
Install the necessary gems:
bundle install
And run the tests from the root of the source code:
bundle exec rake parallel_spec
See the Github Action runs for information on running the acceptance and other tests.
Migration path to v7.0.0
As of v7.0.0 of this module a major rework has been done to adopt the puppet-resource_api into the module and use its style of code in place of the original form of Puppet Types and Providers. This was done for the most part to increase the ease with which the module could be maintained and updated in the future, the changes helping to structure the module in such a way as to be more easily understood and altered going forward.
As part of this process several breaking changes were made to the code that will need to be accounted for whenever you update to this new version of the module, with these changes including:
- The provider attribute within the firewall type has been renamed to protocol, both to bring it in line with the matching attribute within the firewallchain type and because the resource_api forbids the use of provider as an attribute name. As part of this the attribute has also been updated to accept IPv4 and IPv6 in place of iptables or ip6tables, though those are still valid as input.
- The action attribute within the firewall type has been removed as it was merely a restricted version of the jump attribute, both of them managing the same function; this was reasoned as a way to enforce the use of generic parameters. From this point the parameters formerly unique to action should now be passed to jump.
- Strict types have now been implemented for all attributes. While this should not require changes on the user end in most cases, there may be some instances where manifests will require updating to match the new expected form of input.
- Attributes that allow both arrays and negated values have now been updated.
  - For attributes that require that all passed values be negated as one, you now merely have to negate the first value within the array, rather than all of them, though negating all is still accepted.
  - For attributes that allow passed values to be negated separately this is not the case. All attributes in this situation are noted within their description.
- The sport and dport attributes have been updated so that they will now accept either : or - as a separator when passing ranges, with : being preferred as it matches what is passed to iptables.
Two pairs of manifests taken from the tests can be seen below, illustrating the changes that may be required, the first applying a hop limit on ip6tables:
firewall { '571 - hop_limit':
ensure => present,
proto => 'tcp',
dport => '571',
action => 'ACCEPT',
hop_limit => '5',
provider => 'ip6tables',
}
firewall { '571 - hop_limit':
ensure => present,
proto => 'tcp',
dport => '571',
jump => 'accept',
hop_limit => '5',
protocol => 'IPv6',
}
And the second negating access to a range of ports on iptables:
firewall { '560 - negated ports':
proto => 'tcp',
sport => ['! 560-570', '! 580'],
action => 'accept',
}
firewall { '560 - negated ports':
proto => 'tcp',
sport => ['! 560:570', '580'],
jump => 'accept',
}
Reference
Table of Contents
Classes
Public Classes
- firewall: Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins
Private Classes
- firewall::linux: Main linux class, includes all other classes
- firewall::linux::archlinux: Manages iptables and ip6tables services, and creates files used for persistence, on Arch Linux systems.
- firewall::linux::debian: Installs the iptables-persistent package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
- firewall::linux::gentoo: Manages iptables and ip6tables services, and creates files used for persistence, on Gentoo Linux systems.
- firewall::linux::redhat: Manages the iptables service on RedHat-alike systems.
- firewall::params: Provides defaults for the Apt module parameters
Resource types
- firewall: This type provides the capability to manage firewall rules within puppet via iptables. Autorequires: If Puppet is managing the iptables
- firewallchain: This type provides the capability to manage rule chains for firewalls. Currently this supports only iptables, ip6tables and ebtables on Linu
Classes
firewall
Performs the basic setup tasks required for using the firewall resources.
At the moment this takes care of:
- iptables-persistent package installation
Include the firewall class for nodes that need to use the resources in this module:
Examples
class { 'firewall': }
Parameters
The following parameters are available in the firewall class:
ensure
Data type: Enum[running, stopped, 'running', 'stopped']
Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
Default value: running
ensure_v6
Data type: Optional[Enum[running, stopped, 'running', 'stopped']]
Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
Default value: undef
pkg_ensure
Data type: Enum[present, installed, latest, 'present', 'installed', 'latest']
Controls the state of the iptables package on your system. Valid options: 'present', 'installed' or 'latest'.
Default value: present
service_name
Data type: Variant[String[1], Array[String[1]]]
Specify the name of the IPv4 iptables service.
Default value: $firewall::params::service_name
service_name_v6
Data type: Optional[String[1]]
Specify the name of the IPv6 iptables service.
Default value: $firewall::params::service_name_v6
package_name
Data type: Optional[Variant[String[1], Array[String[1]]]]
Specify the platform-specific package(s) to install.
Default value: $firewall::params::package_name
ebtables_manage
Data type: Boolean
Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
Default value: false
Resource types
firewall
This type provides the capability to manage firewall rules within puppet via iptables.
Autorequires:
If Puppet is managing the iptables chains specified in the chain or jump parameters, the firewall resource will autorequire those firewallchain resources.
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
Providers
* Required binaries: iptables-save, iptables.
* Default for kernel == linux.
* Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options,
mark, mask, mss, netmap, nflog_group, nflog_prefix,
nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
Features
- address_type: The ability to match on source or destination address type.
- clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
- condition: Match if a specific condition variable is (un)set (requires xtables-addons).
- connection_limiting: Connection limiting features.
- conntrack: Connection tracking features.
- dnat: Destination NATing.
- hop_limiting: Hop limiting features.
- icmp_match: The ability to match ICMP types.
- interface_match: Interface matching.
- iprange: The ability to match on source or destination IP range.
- ipsec_dir: The ability to match IPsec policy direction.
- ipsec_policy: The ability to match IPsec policy.
- iptables: The provider provides iptables features.
- isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
- isfragment: The ability to match fragments.
- ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
- islastfrag: The ability to match the last fragment of an ipv6 packet.
- length: The ability to match the length of the layer-3 payload.
- log_level: The ability to control the log level.
- log_prefix: The ability to add prefixes to log messages.
- log_uid: The ability to log the userid of the process which generated the packet.
- log_tcp_sequence: The ability to log TCP sequence numbers.
- log_tcp_options: The ability to log TCP packet header.
- log_ip_options: The ability to log IP/IPv6 packet header.
- mark: The ability to match or set the netfilter mark value associated with the packet.
- mask: The ability to match recent rules based on the ipv4 mask.
- nflog_group: The ability to set the group number for NFLOG.
- nflog_prefix: The ability to set a prefix for nflog messages.
- nflog_size: Set the max size of a message to send to nflog.
- nflog_threshold: The ability to set nflog_threshold.
- owner: The ability to match owners.
- pkttype: The ability to match a packet type.
- rate_limiting: Rate limiting features.
- recent_limiting: The netfilter recent module.
- reject_type: The ability to control reject messages.
- set_mss: Set the TCP MSS of a packet.
- snat: Source NATing.
- socket: The ability to match open sockets.
- state_match: The ability to match stateful firewall states.
- string_matching: The ability to match a given string by using some pattern matching strategy.
- tcp_flags: The ability to match on particular TCP flag settings.
- netmap: The ability to map entire subnets via source or destination nat rules.
- hashlimit: The ability to use the hashlimit-module.
- bpf: The ability to use Berkeley Packet Filter rules.
- ipvs: The ability to match IP Virtual Server packets.
- ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
- random_fully: The ability to use --random-fully flag.
Properties
The following properties are available in the firewall type.
burst
Data type: Optional[Integer[1]]
Rate limiting burst value (per second) before limit checks apply.
bytecode
Data type: Optional[String[1]]
Match using Linux Socket Filter. Expects a BPF program in decimal format.
This is the format generated by the nfbpf_compile utility.
cgroup
Data type: Optional[String[1]]
Matches against the net_cls cgroup ID of the packet.
To negate, add a space-separated `!` to the beginning of the string.
chain
Data type: String[1]
Name of the chain the rule will be a part of, ensure the chain you choose exists within your set table.
Can be one of the built-in chains:
* INPUT
* FORWARD
* OUTPUT
* PREROUTING
* POSTROUTING
Or you can provide a user-based chain.
Defaults to 'INPUT'
Default value: INPUT
checksum_fill
Data type: Optional[Boolean]
Compute and fill missing packet checksums.
clamp_mss_to_pmtu
Data type: Optional[Boolean]
Sets the clamp mss to pmtu flag.
clusterip_clustermac
Data type: Optional[Pattern[/^([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Used with the CLUSTERIP jump target.
Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
This is IPv4 specific.
clusterip_hash_init
Data type: Optional[String[1]]
Used with the CLUSTERIP jump target.
Specify the random seed used for hash initialization.
This is IPv4 specific.
clusterip_hashmode
Data type: Optional[Enum['sourceip', 'sourceip-sourceport', 'sourceip-sourceport-destport']]
Used with the CLUSTERIP jump target.
Specify the hashing mode.
This is IPv4 specific.
clusterip_local_node
Data type: Optional[Integer[1]]
Used with the CLUSTERIP jump target.
Specify the random seed used for hash initialization.
This is IPv4 specific.
clusterip_new
Data type: Optional[Boolean]
Used with the CLUSTERIP jump target.
Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
This is IPv4 specific.
clusterip_total_nodes
Data type: Optional[Integer[1]]
Used with the CLUSTERIP jump target.
Number of total nodes within this cluster.
This is IPv4 specific.
condition
Data type: Optional[String[1]]
Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
connlimit_above
Data type: Optional[Integer]
Connection limiting value for matched connections above n.
connlimit_mask
Data type: Optional[Integer[0,128]]
Connection limiting by subnet mask for matched connections.
IPv4: 0-32
IPv6: 0-128
connlimit_upto
Data type: Optional[Integer]
Connection limiting value for matched connections below or equal to n.
connmark
Data type: Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+(?:\/[a-fA-F0-9x]+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark.
This value will be converted to hex if it is not already.
This value can be negated by adding a space-separated `!` to the beginning.
ctdir
Data type: Optional[Enum['REPLY', 'ORIGINAL']]
Matches a packet that is flowing in the specified direction using the
conntrack module. If this flag is not specified at all, matches packets
in both directions. Values can be:
* REPLY
* ORIGINAL
ctexpire
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Matches a packet based on lifetime remaining in seconds or range of seconds
using the conntrack module. For example:
ctexpire => '100'
ctexpire => '100:150'
ctorigdst
Data type: Optional[String[1]]
The original destination address using the conntrack module. For example:
ctorigdst => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctorigdst => '! 192.168.2.0/24'
The ctorigdst can also be an IPv6 address if your provider supports it.
ctorigdstport
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The original destination port to match for this filter using the conntrack module.
For example:
ctorigdstport => '80'
You can also specify a port range: For example:
ctorigdstport => '80:81'
You can also negate a port by putting ! in front. For example:
ctorigdstport => '! 80'
ctorigsrc
Data type: Optional[String[1]]
The original source address using the conntrack module. For example:
ctorigsrc => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctorigsrc => '! 192.168.2.0/24'
The ctorigsrc can also be an IPv6 address if your provider supports it.
ctorigsrcport
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The original source port to match for this filter using the conntrack module.
For example:
ctorigsrcport => '80'
You can also specify a port range: For example:
ctorigsrcport => '80:81'
You can also negate a port by putting ! in front. For example:
ctorigsrcport => '! 80'
ctproto
Data type: Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The specific layer-4 protocol number to match for this rule using the
conntrack module.
ctrepldst
Data type: Optional[String[1]]
The reply destination address using the conntrack module. For example:
ctrepldst => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctrepldst => '! 192.168.2.0/24'
The ctrepldst can also be an IPv6 address if your provider supports it.
ctrepldstport
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The reply destination port to match for this filter using the conntrack module.
For example:
ctrepldstport => '80'
You can also specify a port range: For example:
ctrepldstport => '80:81'
You can also negate a port by putting ! in front. For example:
ctrepldstport => '! 80'
ctreplsrc
Data type: Optional[String[1]]
The reply source address using the conntrack module. For example:
ctreplsrc => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
ctreplsrc => '! 192.168.2.0/24'
The ctreplsrc can also be an IPv6 address if your provider supports it.
ctreplsrcport
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The reply source port to match for this filter using the conntrack module.
For example:
ctreplsrcport => '80'
You can also specify a port range: For example:
ctreplsrcport => '80:81'
You can also negate a port by putting ! in front. For example:
ctreplsrcport => '! 80'
ctstate
Data type: Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT)$/]]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Matches a packet based on its state in the firewall stateful inspection
table, using the conntrack module. Values can be:
* INVALID
* ESTABLISHED
* NEW
* RELATED
* UNTRACKED
* SNAT
* DNAT
Can be passed either as a single String or as an Array. When passed as an array, list the values in the order iptables-save reports them, so Puppet does not see a spurious change on every run:
ctstate => 'INVALID'
ctstate => ['INVALID', 'ESTABLISHED']
Values can be negated by adding a '!'.
If you wish to negate multiple states at once, place a ! at the start of the first array element. For example:
ctstate => ['! INVALID', 'ESTABLISHED']
Note:
This will negate all passed states, it is not possible to negate a single one of the array.
In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour.
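A stateful baseline built on the conntrack parameters above, as an added example (not from the module's own reference or README). The rule titles, the chains, the published VIP `203.0.113.10` and the log prefix are assumptions; the `ctorigdst`/`ctorigdstport` rule also relies on a DNAT rule in the `nat` table that is not shown.

```puppet
# Added example, not part of the puppetlabs-firewall documentation.
# Rule titles, the VIP 203.0.113.10 and the log prefix are assumptions.

# Same stateful baseline for both address families: let conntrack-known
# replies through and discard what it cannot classify.
['IPv4', 'IPv6'].each |String $family| {
  firewall { "001 ${family} accept established and related":
    protocol => $family,
    chain    => 'INPUT',
    proto    => 'all',
    ctstate  => ['ESTABLISHED', 'RELATED'],
    jump     => 'ACCEPT',
  }
  firewall { "002 ${family} drop invalid":
    protocol => $family,
    chain    => 'INPUT',
    proto    => 'all',
    ctstate  => 'INVALID',
    jump     => 'DROP',
  }
}

# Forwarded flows that were DNATed: ctorigdst/ctorigdstport match the
# pre-NAT tuple, so the rule only admits traffic that was originally sent to
# the published HTTPS VIP, whichever backend the nat table mapped it to.
firewall { '100 forward DNATed https to backends':
  chain         => 'FORWARD',
  proto         => 'tcp',
  ctstate       => 'DNAT',
  ctorigdst     => '203.0.113.10',
  ctorigdstport => '443',
  jump          => 'ACCEPT',
}

# The leading '!' negates the whole array: this matches packets whose state
# is neither ESTABLISHED nor RELATED (rendered as "! ESTABLISHED,RELATED").
firewall { '200 log forward traffic that is not part of a flow':
  chain      => 'FORWARD',
  proto      => 'all',
  ctstate    => ['! ESTABLISHED', 'RELATED'],
  limit      => '10/min',
  jump       => 'LOG',
  log_prefix => 'fw-forward-other: ',
}
```

The numeric title prefix is what orders the rules inside a chain; keep the accept-established rule first so the conntrack lookup short-circuits the bulk of traffic before any of the more expensive matches below it run.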
ctstatus
Data type: Optional[Variant[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/], Array[Pattern[/^(?:!\s)?(?:EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED|NONE)$/]]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Matches a packet based on its status using the conntrack module. Values can be:
* EXPECTED
* SEEN_REPLY
* ASSURED
* CONFIRMED
* NONE
Can be passed either as a single String or as an Array:
ctstatus => 'EXPECTED'
ctstatus => ['EXPECTED', 'CONFIRMED']
Values can be negated by adding a '!'.
If you wish to negate multiple states at once, place a ! at the start of the first array element. For example:
ctstatus => ['! EXPECTED', 'CONFIRMED']
Note:
This will negate all passed states, it is not possible to negate a single one of the array.
In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour.
date_start
Data type: Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
date_stop
Data type: Optional[Pattern[/^[0-9]{4}\-(?:0[0-9]|1[0-2])\-(?:[0-2][0-9]|3[0-1])T(?:[0-1][0-9]|2[0-3])\:[0-5][0-9]\:[0-5][0-9]$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
destination
Data type: Optional[String[1]]
The destination address to match. For example:
destination => '192.168.1.0/24'
You can also negate a mask by putting ! in front. For example:
destination => '! 192.168.2.0/24'
The destination can also be an IPv6 address if your provider supports it.
dport
Data type: Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The destination port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
dport => '1:1024'
This would cover ports 1 to 1024.
You can also negate a port by putting ! in front. For example:
dport => '! 54'
If you wish to negate multiple ports at once, place a ! at the start of the first array element. For example:
dport => ['! 54','23']
Note:
This will negate all passed ports, it is not possible to negate a single one of the array.
In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour.
dst_cc
Data type: Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
dst attribute for the module geoip
dst_range
Data type: Optional[String[1]]
The destination IP range. For example:
dst_range => '192.168.1.1-192.168.1.10'
You can also negate the range by putting ! in front. For example:
dst_range => '! 192.168.1.1-192.168.1.10'
The destination IP range must be in 'IP1-IP2' format.
dst_type
Data type: Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The destination address type. For example:
dst_type => ['LOCAL']
Can be one of:
* UNSPEC - an unspecified address
* UNICAST - a unicast address
* LOCAL - a local address
* BROADCAST - a broadcast address
* ANYCAST - an anycast packet
* MULTICAST - a multicast address
* BLACKHOLE - a blackhole address
* UNREACHABLE - an unreachable address
* PROHIBIT - a prohibited address
* THROW - undocumented
* NAT - undocumented
* XRESOLVE - undocumented
In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
dst_type => ['LOCAL --limit-iface-in']
Each value can be negated separately using '!':
dst_type => ['! UNICAST', '! LOCAL']
Will accept a single element or an array.
ensure
Data type: Enum[present, absent, 'present', 'absent']
Whether this rule should be present or absent on the target system.
Default value: present
gateway
Data type: Optional[Pattern[/^(\d+.\d+.\d+.\d+|\w+:\w+::\w+)$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The TEE target will clone a packet and redirect this clone to another
machine on the local network segment.
Gateway is the target host's IP.
gid
Data type: Optional[Variant[String[1], Integer]]
GID or Group owner matching rule. Accepts a single argument
only, as iptables does not accept multiple gid in a single
statement.
To negate, add a space-separated '!' in front of the value.
goto
Data type: Optional[String[1]]
The value for the iptables --goto parameter. Normal values are:
* QUEUE
* RETURN
* DNAT
* SNAT
* LOG
* MASQUERADE
* REDIRECT
* MARK
But any valid chain name is allowed.
hashlimit_above
Data type: Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match if the rate is above amount/quantum.
This parameter or `hashlimit_upto` and `hashlimit_name` are required when setting any other hashlimit values.
Allowed forms are '40','40/sec','40/min','40/hour','40/day'.
hashlimit_burst
Data type: Optional[Integer[1]]
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate.
This option should be used with caution -- if the entry expires, the burst value is reset too.
hashlimit_dstmask
Data type: Optional[Integer[0,32]]
When --hashlimit-mode dstip is used, all destination addresses encountered will be grouped according to the given prefix length
and the so-created subnet will be subject to hashlimit.
Prefix must be between (inclusive) 0 and 32.
Note that --hashlimit-dstmask 0 is basically doing the same thing as not specifying dstip for --hashlimit-mode, but is technically more expensive.
hashlimit_htable_expire
Data type: Optional[Integer]
After how many milliseconds do hash entries expire.
hashlimit_htable_gcinterval
Data type: Optional[Integer]
How many milliseconds between garbage collection intervals.
hashlimit_htable_max
Data type: Optional[Integer]
Maximum entries in the hash.
hashlimit_htable_size
Data type: Optional[Integer]
The number of buckets of the hash table
hashlimit_mode
Data type: Optional[Pattern[/^(?:srcip|srcport|dstip|dstport)(?:\,(?:srcip|srcport|dstip|dstport))*$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
A comma-separated list of objects to take into consideration.
If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expense of doing the hash housekeeping.
Allowed values are: srcip, srcport, dstip, dstport
hashlimit_name
Data type: Optional[String[1]]
The name for the /proc/net/ipt_hashlimit/foo entry.
This parameter and either `hashlimit_upto` or `hashlimit_above` are required when setting any other hashlimit values.
hashlimit_srcmask
Data type: Optional[Integer[0,32]]
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length
and the so-created subnet will be subject to hashlimit.
Prefix must be between (inclusive) 0 and 32.
Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
hashlimit_upto
Data type: Optional[Pattern[/^\d+(?:\/(?:sec|min|hour|day))?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
This parameter or `hashlimit_above` and `hashlimit_name` are required when setting any other hashlimit values.
Allowed forms are '40','40/sec','40/min','40/hour','40/day'.
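A per-source SYN rate limit that uses the mandatory `hashlimit_name` and `hashlimit_above` pair together with the table-sizing parameters, as an added example (not from the module's own documentation). The rule title, the table name `syn-per-src`, the ports and every threshold are assumptions to be tuned for the host.

```puppet
# Added example, not part of the puppetlabs-firewall documentation.
# Rule title, hash table name and all thresholds are assumptions.

# Count only connection attempts (of FIN,SYN,RST,ACK exactly SYN is set),
# keyed by the source /24, and drop a prefix once it sends more than
# 20 SYNs per second after an initial burst of 40. hashlimit_name and
# hashlimit_above (or hashlimit_upto) must both be present; the htable_*
# values bound the memory the kernel may spend tracking sources, which is
# what keeps the limiter itself from becoming the DoS target.
firewall { '050 drop excessive syn rate per source':
  chain                       => 'INPUT',
  proto                       => 'tcp',
  tcp_flags                   => 'FIN,SYN,RST,ACK SYN',
  dport                       => [80, 443],
  hashlimit_name              => 'syn-per-src',
  hashlimit_above             => '20/sec',
  hashlimit_burst             => 40,
  hashlimit_mode              => 'srcip',
  hashlimit_srcmask           => 24,
  hashlimit_htable_size       => 4096,
  hashlimit_htable_max        => 65536,
  hashlimit_htable_expire     => 60000,   # milliseconds an idle entry lives
  hashlimit_htable_gcinterval => 10000,   # milliseconds between sweeps
  jump                        => 'DROP',
}
```

Current counters can be inspected in `/proc/net/ipt_hashlimit/syn-per-src` while the rule is loaded, which is the quickest way to confirm the mode and mask are grouping sources the way you intended before lowering the thresholds.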
helper
Data type: Optional[String[1]]
Invoke the nf_conntrack_xxx helper module for this packet.
hop_limit
Data type: Optional[Variant[Pattern[/^(?:!\s)?\d+$/],Integer]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Hop limiting value for matched packets.
To negate, add a space-separated `!` at the beginning of the value.
This is IPv6 specific.
icmp
Data type: Optional[Variant[String[1],Integer]]
When matching ICMP packets, this is the type of ICMP packet to match.
A value of "any" is not supported. To achieve this behaviour the
parameter should simply be omitted or undefined.
An array of values is also not supported. To match against multiple ICMP
types, please use separate rules for each ICMP type.
iniface
Data type: Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Input interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
iniface => '! lo',
ipsec_dir
Data type: Optional[Enum['in', 'out']]
Sets the ipsec policy direction
ipsec_policy
Data type: Optional[Enum['none', 'ipsec']]
Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
ipset
Data type: Optional[Variant[Pattern[/^(?:!\s)?[\w\-:_]+\s(?:src|dst)(?:,src|,dst)?$/], Array[Pattern[/^(?:!\s)?[\w\-:_]+\s(?:src|dst)(?:,src|,dst)?$/]]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Matches against the specified ipset list.
Requires ipset kernel module. Will accept a single element or an array.
The value is the name of the set, followed by a space, and then
'src' and/or 'dst' separated by a comma.
For example: 'denylist src,dst'
To negate, simply place a space-separated `!` at the beginning of a value.
Values can be negated independently.
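Two ipset-backed rules, one with a single match and one with two independently negated matches, as an added example (not from the module's own documentation). The set names `denylist`, `admins` and `quarantine`, the rule titles and the SSH port are assumptions; the sets must already exist on the host, since this resource only references them.

```puppet
# Added example, not part of the puppetlabs-firewall documentation.
# Set names, rule titles and the port are assumptions. The sets themselves
# are created outside this resource (ipset(8) or another module).

# Single match: drop anything whose source address is in 'denylist'.
firewall { '005 drop sources on the denylist':
  chain => 'INPUT',
  proto => 'all',
  ipset => 'denylist src',
  jump  => 'DROP',
}

# Two matches in one rule, each negated on its own: the source must be in
# 'admins' AND must not be in 'quarantine'. Unlike dport or ctstate arrays,
# a leading '!' here applies only to the element that carries it.
firewall { '020 accept ssh from admins not in quarantine':
  chain => 'INPUT',
  proto => 'tcp',
  dport => 22,
  ipset => ['admins src', '! quarantine src'],
  jump  => 'ACCEPT',
}
```

Because the rule references the set by name, the allow-list can be rotated with `ipset` alone and no Puppet run or rule reload is needed; the flip side is that a missing set makes the whole rule fail to load, so manage set creation before these resources.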
ipvs
Data type: Optional[Boolean]
Match if the packet belongs to an IPVS (IP Virtual Server) connection, using the `ipvs` match.
isfirstfrag
Data type: Optional[Boolean]
Matches if the packet is the first fragment.
Specific to IPv6.
isfragment
Data type: Optional[Boolean]
Set to true to match the second and later fragments of a fragmented packet (iptables `-f`). The module requires `proto` to be set to tcp for this parameter.
ishasmorefrags
Data type: Optional[Boolean]
Matches if the packet has its 'more fragments' bit set.
Specific to IPv6.
islastfrag
Data type: Optional[Boolean]
Matches if the packet is the last fragment.
Specific to IPv6.
jump
Data type: Optional[String[1]]
The value for the iptables --jump parameter, i.e. the action to perform on a match. Common values are:
* ACCEPT - the packet is accepted
* REJECT - the packet is rejected with a suitable ICMP response
* DROP - the packet is dropped
But can also be one of the following:
* QUEUE
* RETURN
* DNAT
* SNAT
* LOG
* NFLOG
* NETMAP
* MASQUERADE
* REDIRECT
* MARK
* CT
And any valid chain name is also allowed.
If you specify no value it will simply match the rule but perform no action.
kernel_timezone
Data type: Optional[Boolean]
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
length
Data type: Optional[Pattern[/^([0-9]+)(:)?([0-9]+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Sets the length of layer-3 payload to match.
Example values are: '500', '5:400'
limit
Data type: Optional[Pattern[/^\d+\/(?:sec(?:ond)?|min(?:ute)?|hour|day)$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Rate limiting value for matched packets. The format is:
rate/[second|minute|hour|day]
Example values are: '50/sec', '40/min', '30/hour', '10/day'.
line
Data type: Optional[String[1]]
A read only attribute containing the full rule, used when deleting and when applying firewallchain purge attributes.
log_ip_options
Data type: Optional[Boolean]
When combined with jump => "LOG", also logs the options of the IP/IPv6 packet header.
log_level
Data type: Optional[Variant[Integer[0,7],String[1]]]
When combined with jump => "LOG" specifies the system log level to log to.
Note: log level 4/warn is the default setting and as such it is not returned by iptables-save.
As a result, explicitly setting `log_level` to this can result in idempotency errors.
log_prefix
Data type: Optional[String[1]]
When combined with jump => "LOG" specifies the log prefix to use when logging.
log_tcp_options
Data type: Optional[Boolean]
When combined with jump => "LOG" logging of the TCP packet header.
log_tcp_sequence
Data type: Optional[Boolean]
When combined with jump => "LOG" enables logging of the TCP sequence numbers.
log_uid
Data type: Optional[Boolean]
When combined with jump => "LOG", also logs the uid of the local process which generated the packet.
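A rate-limited log-then-drop tail for the INPUT chain that uses the `log_*` parameters above and sidesteps the `log_level` idempotency problem, as an added example (not from the module's own documentation). The rule titles and the log prefix are assumptions.

```puppet
# Added example, not part of the puppetlabs-firewall documentation.
# Rule titles and the prefix are assumptions.

# Log at most 5 otherwise-unmatched packets per minute so a flood cannot
# fill the kernel ring buffer, then drop everything that reaches the tail.
# log_level is set explicitly to 6 (info) rather than the default 4 (warn):
# iptables-save omits the default level, so managing it as 4 would make
# Puppet rewrite the rule on every run.
firewall { '998 log unmatched input':
  chain          => 'INPUT',
  proto          => 'all',
  limit          => '5/min',
  jump           => 'LOG',
  log_prefix     => 'fw-input-drop: ',
  log_level      => 6,
  log_uid        => true,
  log_ip_options => true,
}
firewall { '999 drop unmatched input':
  chain => 'INPUT',
  proto => 'all',
  jump  => 'DROP',
}
```

Use a prefix that ends in a space and is unique per chain; it is the only field that lets a log pipeline tell this rule's entries apart from other LOG targets on the same host.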
mac_source
Data type: Optional[Pattern[/^(?:!\s)?([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
MAC Source
mask
Data type: Optional[Pattern[/^\d+\.\d+\.\d+\.\d+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Recent module; sets the mask to use when `recent` is enabled.
The recent module defaults this to `255.255.255.255` when recent is set
match_mark
Data type: Optional[Pattern[/^(?:!\s)?[a-fA-F0-9x]+(?:\/[a-fA-F0-9x]+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark.
This value will be converted to hex if it is not already.
This value can be negated by adding a space-separated `!` to the beginning.
month_days
Data type: Optional[Variant[Integer[0,31], Array[Integer[0,31]]]]
Only match on the given days of the month. Possible values are 1 to 31.
Note that specifying 31 will of course not match on months which do not have a 31st day;
the same goes for 28-day or 29-day February.
Can be passed either as a single value or an array of values:
month_days => 5,
month_days => [5, 9, 23],
mss
Data type: Optional[Pattern[/^(?:!\s)?\d+(?:\:\d+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match a given TCP MSS value or range.
This value can be negated by adding a space-separated `!` to the beginning.
nflog_group
Data type: Optional[Integer[1, 65535]]
Used with the jump target NFLOG.
The netlink group (0 - 2^16-1) to which packets are sent (only applicable
for nfnetlink_log). Defaults to 0.
nflog_prefix
Data type: Optional[String]
Used with the jump target NFLOG.
A prefix string to include in the log message, up to 64 characters long,
useful for distinguishing messages in the logs.
nflog_range
Data type: Optional[Integer[1]]
Used with the jump target NFLOG.
This has never worked, use nflog_size instead.
nflog_size
Data type: Optional[Integer[1]]
Used with the jump target NFLOG.
The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
nfnetlink_log instances may specify their own size, this option overrides it.
nflog_threshold
Data type: Optional[Integer[1]]
Used with the jump target NFLOG.
Number of packets to queue inside the kernel before sending them to userspace
(only applicable for nfnetlink_log). Higher values result in less overhead
per packet, but increase delay until the packets reach userspace. Defaults to 1.
notrack
Data type: Optional[Boolean]
Disables connection tracking for this packet (the CT target's notrack option). The CT target is only valid in the `raw` table, which sees packets before conntrack does.
This parameter can be used with iptables version >= 1.8.3
outiface
Data type: Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+\:@]+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Output interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
outiface => '! lo',
physdev_in
Data type: Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match if the packet is entering a bridge from the given interface.
To negate the match try this:
physdev_in => '! lo',
physdev_is_bridged
Data type: Optional[Boolean]
Match if the packet is traversing a bridge.
physdev_is_in
Data type: Optional[Boolean]
Matches if the packet has entered through a bridge interface.
physdev_is_out
Data type: Optional[Boolean]
Matches if the packet will leave through a bridge interface.
physdev_out
Data type: Optional[Pattern[/^(?:!\s)?[a-zA-Z0-9\-\._\+]+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match if the packet is leaving a bridge via the given interface.
To negate the match try this:
physdev_out => '! lo',
pkttype
Data type: Optional[Enum['unicast', 'broadcast', 'multicast']]
Sets the packet type to match.
proto
Data type: Optional[Pattern[/^(?:!\s)?(?:ip(?:encap)?|tcp|udp|icmp|esp|ah|vrrp|carp|igmp|ipv4|ospf|gre|cbt|sctp|pim|all)/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The specific protocol to match for this rule.
Default value: tcp
protocol
Data type: Enum['iptables', 'ip6tables', 'IPv4', 'IPv6']
The protocol used to set the rule; its allowed values have been expanded to bring it closer to its `firewallchain` counterpart.
Defaults to `IPv4`
Note: this was previously defined as `provider`, however the resource_api does not allow this to be used as an attribute title.
Default value: IPv4
queue_bypass
Data type: Optional[Boolean]
Allow packets to bypass the queue given by `queue_num` if no userspace process is listening; they are then accepted instead of being dropped.
queue_num
Data type: Optional[Integer[1]]
Used with NFQUEUE jump target.
What queue number to send packets to
random
Data type: Optional[Boolean]
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping.
random_fully
Data type: Optional[Boolean]
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping.
rdest
Data type: Optional[Boolean]
Recent module; add the destination IP address to the list.
Mutually exclusive with `rsource`
Must be boolean true.
reap
Data type: Optional[Boolean]
Recent module; can only be used in conjunction with the `rseconds`
attribute. When used, this will cause entries older than 'seconds' to be
purged. Must be boolean true.
recent
Data type: Optional[Enum['set', 'update', 'rcheck', 'remove', '! set', '! update', '! rcheck', '! remove']]
Enable the recent module. Takes as an argument one of set, update,
rcheck or remove, optionally negated with a leading `! `. For example:
```
# If anyone's appeared on the 'badguy' blacklist within
# the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
recent => 'update',
rseconds => 60,
rsource => true,
rname => 'badguy',
jump => 'DROP',
chain => 'FORWARD',
}
```
```
# No-one should be sending us traffic on eth0 from the
# localhost, Blacklist them
firewall { '101 blacklist strange traffic':
recent => 'set',
rsource => true,
rname => 'badguy',
destination => '127.0.0.0/8',
iniface => 'eth0',
jump => 'DROP',
chain => 'FORWARD',
}
```
reject
Data type: Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route', 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable', 'tcp-reset']]
When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender.
Valid values differ depending on if the protocol is `IPv4` or `IPv6`.
IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited,
icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset.
IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach,
icmp6-port-unreachable, or tcp-reset.
rhitcount
Data type: Optional[Integer[1]]
Recent module; used in conjunction with `recent => 'update'` or
`recent => 'rcheck'`. When used, this will narrow the match to only happen when
the address is in the list and the number of packets received is greater than or
equal to the given value.
rname
Data type: Optional[String[1]]
Recent module; The name of the list.
The recent module defaults this to `DEFAULT` when recent is set
rpfilter
Data type: Optional[Variant[Enum['loose', 'validmark', 'accept-local', 'invert'], Array[Enum['loose', 'validmark', 'accept-local', 'invert']]]]
Enable the rpfilter module.
rseconds
Data type: Optional[Integer[1]]
Recent module; used in conjunction with one of `recent => 'rcheck'` or
`recent => 'update'`. When used, this will narrow the match to only
happen when the address is in the list and was seen within the last given
number of seconds.
rsource
Data type: Optional[Boolean]
Recent module; add the source IP address to the list.
Mutually exclusive with `rdest`
The recent module defaults this behaviour to true when recent is set.
rttl
Data type: Optional[Boolean]
Recent module; may only be used in conjunction with one of `recent =>
'rcheck'` or `recent => 'update'`. When used, this will narrow the match
to only happen when the address is in the list and the TTL of the current
packet matches that of the packet which hit the `recent => 'set'` rule.
This may be useful if you have problems with people faking their source
address in order to DoS you via this module by disallowing others access
to your site by sending bogus packets to you. Must be boolean true.
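An SSH brute-force limiter that combines `recent => 'set'` and `recent => 'update'` with `rseconds`, `rhitcount`, `rttl` and `reap`, as an added example (not from the module's own documentation or its `badguy` examples above). The rule titles, the list name `ssh`, the port and the thresholds are assumptions.

```puppet
# Added example, not part of the puppetlabs-firewall documentation.
# Rule titles, list name and thresholds are assumptions.

# Rule 100 has no jump: it only records the source of every NEW SSH
# connection in the 'ssh' list and lets the packet continue down the chain.
firewall { '100 ssh record new connections':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => 22,
  ctstate => 'NEW',
  recent  => 'set',
  rname   => 'ssh',
  rsource => true,
}

# Rule 101 drops the 4th and later attempts from one source within 60s.
# 'update' also refreshes the timestamp, so a source that keeps hammering
# never ages out of the list. rttl requires the packet's TTL to match the
# one recorded at 'set' time, which blunts an attacker spoofing a
# legitimate address to get it blocked; reap purges entries older than
# rseconds so the list does not grow without bound.
firewall { '101 ssh drop brute force':
  chain     => 'INPUT',
  proto     => 'tcp',
  dport     => 22,
  ctstate   => 'NEW',
  recent    => 'update',
  rname     => 'ssh',
  rsource   => true,
  rseconds  => 60,
  rhitcount => 4,
  rttl      => true,
  reap      => true,
  jump      => 'DROP',
}

# Anything that survived rule 101 is a new SSH connection under the limit.
firewall { '102 ssh accept':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => 22,
  ctstate => 'NEW',
  jump    => 'ACCEPT',
}
```

The list state lives in `/proc/net/xt_recent/ssh` and survives rule reloads but not reboots; an operator locked out by rule 101 can be released with `echo -<address> > /proc/net/xt_recent/ssh` without touching Puppet.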
set_dscp
Data type: Optional[String[1]]
Set DSCP Markings.
set_dscp_class
Data type: Optional[Enum['af11', 'af12', 'af13', 'af21', 'af22', 'af23', 'af31', 'af32', 'af33', 'af41', 'af42', 'af43', 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'cs6', 'cs7', 'ef']]
This sets the DSCP field according to a predefined DiffServ class.
set_mark
Data type: Optional[Pattern[/^[a-fA-F0-9x]+(?:\/[a-fA-F0-9x]+)?$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Set the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark.
These will be converted to hex if they are not already.
set_mss
Data type: Optional[Integer[1]]
Sets the TCP MSS value for packets.
socket
Data type: Optional[Boolean]
If true, matches if an open socket can be found by doing a socket lookup
on the packet.
source
Data type: Optional[String[1]]
The source address. For example:
source => '192.168.2.0/24'
You can also negate a mask by putting ! in front. For example:
source => '! 192.168.2.0/24'
The source can also be an IPv6 address if your provider supports it.
sport
Data type: Optional[Variant[Array[Variant[Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]],Pattern[/^(?:!\s)?\d+(?:(?:\:|-)\d+)?$/],Integer]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The source port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
sport => '1:1024'
This would cover ports 1 to 1024.
You can also negate a port by putting ! in front. For example:
sport => '! 54'
If you wish to negate multiple ports at once, place a ! at the start of the first array element. For example:
sport => ['! 54','23']
Note:
This will negate all passed ports, it is not possible to negate a single one of the array.
In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour.
src_cc
Data type: Optional[Pattern[/^[A-Z]{2}(,[A-Z]{2})*$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
src attribute for the module geoip
src_range
Data type: Optional[String[1]]
The source IP range. For example:
src_range => '192.168.1.1-192.168.1.10'
You can also negate the range by putting ! in front. For example:
src_range => '! 192.168.1.1-192.168.1.10'
The source IP range must be in 'IP1-IP2' format.
src_type
Data type: Optional[Variant[ Array[Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]], Pattern[/^(?:!\s)?(?:UNSPEC|UNICAST|LOCAL|BROADCAST|ANYCAST|MULTICAST|BLACKHOLE|UNREACHABLE|UNREACHABLE|PROHIBIT|THROW|NAT|XRESOLVE)(?:\s--limit-iface-(?:in|out))?$/]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
The source address type. For example:
src_type => 'LOCAL'
Can be one of:
* UNSPEC - an unspecified address
* UNICAST - a unicast address
* LOCAL - a local address
* BROADCAST - a broadcast address
* ANYCAST - an anycast packet
* MULTICAST - a multicast address
* BLACKHOLE - a blackhole address
* UNREACHABLE - an unreachable address
* PROHIBIT - a prohibited address
* THROW - undocumented
* NAT - undocumented
* XRESOLVE - undocumented
In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
src_type => ['LOCAL --limit-iface-in']
It can also be negated using '!':
src_type => ['! LOCAL']
Will accept a single element or an array. Each element of the array is negated separately.
stat_every
Data type: Optional[Integer[1]]
Match one packet every nth packet. Requires `stat_mode => 'nth'`
stat_mode
Data type: Optional[Enum[nth, random]]
Set the matching mode for statistic matching.
stat_packet
Data type: Optional[Integer]
Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`.
Defaults to 0. Requires `stat_mode => 'nth'`
stat_probability
Data type: Optional[Variant[Integer[0,1], Float[0.0,1.0]]]
Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
state
Data type: Optional[Variant[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/], Array[Pattern[/^(?:!\s)?(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)$/]]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Matches a packet based on its state in the firewall stateful inspection
table. Values can be:
* INVALID
* ESTABLISHED
* NEW
* RELATED
* UNTRACKED
SNAT and DNAT are not accepted by the `state` match; use `ctstate`, which is backed by the conntrack match, for those.
Can be passed either as a single String or as an Array:
state => 'INVALID'
state => ['INVALID', 'ESTABLISHED']
Values can be negated by adding a '!'.
If you wish to negate multiple states at once, place a ! at the start of the first array element. For example:
state => ['! INVALID', 'ESTABLISHED']
Note:
This will negate all passed states, it is not possible to negate a single one of the array.
In order to maintain compatibility it is also possible to negate all values given in the array to achieve the same behaviour.
string
Data type: Optional[String[1]]
String matching feature. Matches the packet against the pattern
given as an argument.
To negate, add a space-separated `!` to the beginning of the string.
string_algo
Data type: Optional[Enum['bm', 'kmp']]
String matching feature, pattern matching strategy.
string_from
Data type: Optional[Integer[1]]
String matching feature, offset from which we start looking for any matching.
string_hex
Data type: Optional[Pattern[/^(?:!\s)?\|[a-zA-Z0-9\s]+\|$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
String matching feature. Matches the packet against the pattern
given as an argument.
To negate, add a space-separated `!` to the beginning of the string.
string_to
Data type: Optional[Integer[1]]
String matching feature, offset up to which we should scan.
table
Data type: Enum['nat', 'mangle', 'filter', 'raw', 'rawpost', 'broute', 'security']
The table the rule will exist in.
Valid options are:
* nat
* mangle
* filter
* raw
* rawpost
* broute
* security
Defaults to 'filter'
Default value: filter
tcp_flags
Data type: Optional[Pattern[/^(?:!\s)?((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+\s((FIN|SYN|RST|PSH|ACK|URG|ALL|NONE),?)+$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match when the TCP flags are as specified.
Is a string with a list of comma-separated flag names for the mask,
then a space, then a comma-separated list of flags that should be set.
The flags are: FIN SYN RST PSH ACK URG ALL NONE
Note that you must specify them in the order that iptables --list-rules
would list them, otherwise Puppet will think the flags changed on every run.
Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
ACK, RST and FIN bits cleared. Such packets are used to request
TCP connection initiation.
Can be negated by placing ! in front, i.e.
! FIN,SYN,RST,ACK SYN
tcp_option
Data type: Optional[Variant[Pattern[/^(?:!\s)?(?:[0-1][0-9]{0,2}|2[0-4][0-9]|25[0-5])$/], Integer[0,255]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Match when the TCP option is present or absent.
Given as a single TCP option, optionally prefixed with '! ' to match
on absence instead. Only one TCP option can be matched in a given rule.
TCP option numbers are an eight-bit field, so valid option numbers range
from 0-255.
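The following is an added example of `tcp_flags` and `tcp_option` together; it is not code from the module's documentation. It drops the flag combinations that no conforming TCP stack sends (the classic NULL, XMAS and SYN+FIN scan probes), refuses new connections that do not open with a bare SYN, and drops SYNs carrying no MSS option, which real clients always include but many SYN-flood generators omit.

```puppet
# Added example (not from the module's documentation).
# Flag lists are written in the expanded order iptables-save prints them
# (FIN,SYN,RST,PSH,ACK,URG) so the resources stay idempotent.
firewall { '010 drop null scan':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG NONE',   # the same as ALL NONE
  jump      => 'DROP',
}

firewall { '011 drop xmas scan':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG',   # ALL ALL
  jump      => 'DROP',
}

firewall { '012 drop syn plus fin':
  chain     => 'INPUT',
  proto     => 'tcp',
  tcp_flags => 'FIN,SYN FIN,SYN',
  jump      => 'DROP',
}

firewall { '013 drop new connections that do not start with a bare syn':
  chain     => 'INPUT',
  proto     => 'tcp',
  ctstate   => 'NEW',
  tcp_flags => '! FIN,SYN,RST,ACK SYN',   # negated: anything but "only SYN set"
  jump      => 'DROP',
}

firewall { '014 drop syn without mss option':
  chain      => 'INPUT',
  proto      => 'tcp',
  tcp_flags  => 'FIN,SYN,RST,ACK SYN',
  tcp_option => '! 2',   # TCP option kind 2 is Maximum Segment Size
  jump       => 'DROP',
}
```

After the first run, compare `iptables-save` with the manifest: if the saved flag order differs from what you wrote, Puppet will report a change on every agent run, and the fix is to adopt the saved order in the manifest, as the `tcp_flags` description above says.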
time_contiguous
Data type: Optional[Boolean]
When time_stop is smaller than the time_start value, match this as a single time period instead of distinct intervals.
time_start
Data type: Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
time_stop
Data type: Optional[Pattern[/^([0-9]|[0-1][0-9]|2[0-3])\:[0-5][0-9](?:\:[0-5][0-9])?/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
to
Data type: Optional[String[1]]
For NETMAP this will replace the destination IP.
todest
Data type: Optional[String[1]]
When using jump => "DNAT" you can specify the new destination address using this parameter.
Can specify a single new destination IP address or an inclusive range of IP addresses.
Optionally a port or a port range with a possible follow-up baseport can be provided.
Input structure: [ipaddr[-ipaddr]][:port[-port[/baseport]]]
toports
Data type: Optional[Variant[Integer[0, 65535], Pattern[/^\d+(?:-\d+)?$/]]]
*this data type contains a regex that may not be accurately reflected in generated documentation
For REDIRECT/MASQUERADE this is the port that will replace the destination/source port.
Can specify a single new port or an inclusive range of ports.
tosource
Data type: Optional[String[1]]
When using jump => "SNAT" you can specify the new source address using this parameter.
Can specify a single new source IP address or an inclusive range of IP addresses.
Input structure: [ipaddr[-ipaddr]][:port[-port]]
u32
Data type: Optional[Pattern[/^0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?(?:&&0x[0-9a-fA-F]+&0x[0-9a-fA-F]+=0x[0-9a-fA-F]+(?::0x[0-9a-fA-F]+)?)*$/]]
*this data type contains a regex that may not be accurately reflected in generated documentation
Enable the u32 match module. The argument is one or more u32 tests of the
form `START&MASK=VALUE[:VALUE]`, chained with `&&` (see the Pattern above). For example:
```
firewall { '032 u32 test':
  ensure => present,
  table  => 'mangle',
  chain  => 'PREROUTING',
  u32    => '0x4&0x1fff=0x0&&0x0&0xf000000=0x5000000',
  jump   => 'DROP',
}
```
uid
Data type: Optional[Variant[String[1], Integer]]
UID or username owner matching rule. Accepts a single argument
only, as iptables does not accept multiple uids in a single
statement.
To negate, add a space-separated '!' in front of the value.
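The following added example (not the module's own documentation) ties the NAT parameters `todest`, `tosource` and `toports` together with `uid`: a published service behind DNAT, a fixed egress address via SNAT, and a transparent proxy via REDIRECT that excludes the proxy's own user so its outbound connections are not looped back into it. Interface names, addresses and the `squid` account are placeholders.

```puppet
# Added example (not from the module's documentation). Interfaces,
# addresses and the proxy user name are placeholders.

# Publish TCP/443 on the public interface to a small pool of web nodes.
# With an address range the kernel spreads new connections across the pool.
firewall { '100 dnat public https to web tier':
  table   => 'nat',
  chain   => 'PREROUTING',
  iniface => 'eth0',
  proto   => 'tcp',
  dport   => 443,
  jump    => 'DNAT',
  todest  => '10.0.1.10-10.0.1.12:8443',
}

# DNAT only rewrites the packet; FORWARD must still accept it. Only NEW is
# opened here, a generic ESTABLISHED,RELATED rule in FORWARD is assumed.
firewall { '110 allow new forwarded connections to the web tier':
  chain       => 'FORWARD',
  proto       => 'tcp',
  destination => '10.0.1.0/24',
  dport       => 8443,
  ctstate     => 'NEW',
  jump        => 'ACCEPT',
}

# Give the private subnet one fixed public source address.
firewall { '200 snat private subnet behind fixed address':
  table    => 'nat',
  chain    => 'POSTROUTING',
  outiface => 'eth0',
  source   => '10.0.0.0/16',
  jump     => 'SNAT',
  tosource => '203.0.113.10',
}

# Send this host's own HTTP traffic through a local proxy, except traffic
# generated by the proxy user itself (otherwise it would loop).
firewall { '300 redirect local http to transparent proxy':
  table   => 'nat',
  chain   => 'OUTPUT',
  proto   => 'tcp',
  dport   => 80,
  uid     => '! squid',
  jump    => 'REDIRECT',
  toports => 3128,
}
```

Two things the module does not do for you: forwarding between interfaces additionally requires `net.ipv4.ip_forward=1`, which must be managed separately, and the `uid` owner match only works in locally generated traffic (the OUTPUT and POSTROUTING paths), never on forwarded packets.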
week_days
Data type: Optional[Variant[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun'], Array[Enum['Mon','Tue','Wed','Thu','Fri','Sat','Sun']]]]
Only match on the given weekdays.
Can be passed either as a single value or an array of values:
week_days => 'Mon',
week_days => ['Mon', 'Tue', 'Wed'],
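The following added example (not the module's own documentation) combines `time_start`, `time_stop`, `time_contiguous` and `week_days` into a maintenance window that crosses midnight. The backup host address is a placeholder.

```puppet
# Added example (not from the module's documentation): accept new rsync
# connections from one backup host only on weeknights, 22:00 to 04:00.
firewall { '120 accept rsync from backup host in nightly window':
  chain           => 'INPUT',
  proto           => 'tcp',
  dport           => 873,
  source          => '192.0.2.50',
  ctstate         => 'NEW',                     # only gate the handshake; a running transfer finishes
  week_days       => ['Mon', 'Tue', 'Wed', 'Thu', 'Fri'],
  time_start      => '22:00:00',                # HH:MM:SS, the form iptables-save prints
  time_stop       => '04:00:00',
  time_contiguous => true,                      # Mon 22:00 through Tue 04:00 as one interval
  jump            => 'ACCEPT',
}
```

Without `time_contiguous`, a stop time smaller than the start time means two disjoint intervals on the same weekday (00:00 to 04:00 and 22:00 to 24:00), so a Friday rule would also open early Friday morning instead of Saturday morning. Also confirm which clock the rule is evaluated against: the iptables time match compares against UTC unless the rule is built with `--kerneltz`, and a window that looks right in local time can be several hours off.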
zone
Data type: Optional[Integer]
Assign this packet to zone id and only have lookups done in that zone.
Parameters
The following parameters are available in the firewall
type.
name
namevar
Data type: Pattern[/(^\d+(?:[ \t-]\S+)+$)/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The canonical name of the rule. This name is also used for ordering
so make sure you prefix the rule with a number:
000 this runs first
999 this runs last
Depending on the provider, the name of the rule can be stored using
the comment feature of the underlying firewall subsystem.
firewallchain
This type provides the capability to manage rule chains for firewalls.
Currently this supports only iptables, ip6tables and ebtables on Linux, and it also supports setting the default policy on chains and tables that allow it.
Providers
- iptables_chain is the only provider that supports firewallchain.
Features
- iptables_chain: The provider provides iptables chain features.
- policy: Default policy (inbuilt chains only).
Properties
The following properties are available in the firewallchain
type.
ensure
Data type: Enum[present, absent]
Whether this chain should be present or absent on the target system.
Setting this to absent will first remove all rules associated with this chain and then delete the chain itself.
Inbuilt chains cannot be deleted; for them, absent merely removes any added rules and, if it has been changed, returns the policy to the default.
Default value: present
ignore
Data type: Optional[Variant[String[1], Array[String[1]]]]
Regex to perform on firewall rules to exempt unmanaged rules from purging.
This is matched against the output of `iptables-save`.
This can be a single regex, or an array of them.
To support flags, use the Ruby inline flag mechanism.
Meaning a regex such as
/foo/i
can be written as
'(?i)foo' or '(?i:foo)'
Full example:
```
firewallchain { 'INPUT:filter:IPv4':
  purge  => true,
  ignore => [
    '-j fail2ban-ssh',                    # ignore the fail2ban jump rule
    '--comment "[^"]*(?i:ignore)[^"]*"',  # ignore any rules with "ignore" (case insensitive) in the comment in the rule
  ],
}
```
ignore_foreign
Data type: Boolean
Ignore rules that do not match the Puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules in this chain.
This can be used to keep rules that were not put in place by Puppet. Beware that nothing stops other systems from creating firewall rules with a comment that starts with digits; such rules are indistinguishable from Puppet-configured ones and will still be purged.
policy
Data type: Optional[Enum['accept', 'drop', 'queue', 'return']]
The action to take when the end of the chain is reached.
This can only be set on inbuilt chains (i.e. INPUT, FORWARD, OUTPUT,
PREROUTING, POSTROUTING) and can be one of:
* accept - the packet is accepted
* drop - the packet is dropped
* queue - the packet is passed to userspace
* return - the packet is returned to the calling (jump) chain, or falls through to the default of the inbuilt chain
purge
Data type: Boolean
Whether or not to purge unmanaged rules in this chain.
Parameters
The following parameters are available in the firewallchain
type.
name
namevar
Data type: Pattern[/^(?:\S+):(?:nat|mangle|filter|raw|rawpost|broute|security):(?:IP(?:v[46])?|ethernet)$/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The canonical name of the chain, with the required format being {chain}:{table}:{protocol}.
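The following added example (not the module's own documentation) puts the `firewallchain` properties together with numbered `firewall` rules: a default-deny INPUT chain that purges stray rules while keeping fail2ban's jump, with explicit ordering so the policy only flips to DROP after the accept rules exist. The management subnet and the `f2b-sshd` chain name are placeholders.

```puppet
# Added example (not from the module's documentation). The management
# subnet and the fail2ban chain name are placeholders.
firewallchain { 'INPUT:filter:IPv4':
  ensure => present,
  policy => 'drop',
  purge  => true,
  ignore => ['-j f2b-sshd'],   # fail2ban owns this jump; keep it without a numeric comment
}

firewall { '000 accept loopback':
  chain   => 'INPUT',
  proto   => 'all',
  iniface => 'lo',
  jump    => 'ACCEPT',
}

firewall { '001 accept established and related':
  chain   => 'INPUT',
  proto   => 'all',
  ctstate => ['ESTABLISHED', 'RELATED'],
  jump    => 'ACCEPT',
}

firewall { '002 drop invalid':
  chain   => 'INPUT',
  proto   => 'all',
  ctstate => 'INVALID',
  jump    => 'DROP',
}

firewall { '010 accept ssh from management network':
  chain   => 'INPUT',
  proto   => 'tcp',
  dport   => 22,
  source  => '192.0.2.0/24',
  ctstate => 'NEW',
  jump    => 'ACCEPT',
}

firewall { '999 log what falls through to the drop policy':
  chain      => 'INPUT',
  proto      => 'all',
  limit      => '5/min',
  jump       => 'LOG',
  log_prefix => 'INPUT-DROP: ',
}

# Rules in the filter table's INPUT chain do not autorequire the chain, so
# order them explicitly: every INPUT rule is applied, then the chain resource
# purges strays and sets the DROP policy. Reversing this locks you out.
Firewall <| chain == 'INPUT' |> -> Firewallchain['INPUT:filter:IPv4']
```

Prefer explicit `ignore` patterns over `ignore_foreign => true`: the latter keeps every rule whose comment lacks a leading number, which also preserves anything inserted by hand or by an intruder, and a purge that silently skips such rules defeats the point of managing the chain.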
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v8.1.3 - 2024-12-05
Fixed
- Prevent sources with zero prefix length being applied every agent run #1189 (nabertrand)
v8.1.2 - 2024-11-25
Fixed
- (MODULE-11463): Fix rule parsing when iptables chains with '-A' in the name #1210 (2fa)
- Allow a singular numeric port for the --to-ports parameter #1199 (gcoxmoz)
- Add tcp-reset as an allowed option for --reject-with #1194 (gcoxmoz)
v8.1.1 - 2024-10-28
Added
Fixed
v8.1.0 - 2024-09-23
Added
v8.0.3 - 2024-07-19
Fixed
v8.0.2 - 2024-05-22
Fixed
v8.0.1 - 2024-03-20
Fixed
Other
- fix typos in documentation #1195 (corporate-gadfly)
v8.0.0 - 2024-02-08
Changed
- [CAT-1425] : Removing RedHat/Scientific/OracleLinux 6 #1163 (rajat-puppet)
Fixed
- (GH-1164) Only common jump values should be enforced as upcase #1165 (david22swan)
v7.0.2 - 2023-09-14
Fixed
- (GH-1158) Fix for dport/sport/state/ctstate/ctstatus comparisons #1160 (david22swan)
v7.0.1 - 2023-09-14
Fixed
- (GH-1156) Fix for jump/goto attributes #1157 (david22swan)
v7.0.0 - 2023-09-13
Changed
- (CAT-376) Rework firewall module to use the resource_api #1145 (david22swan)
Fixed
- (maint) Update all README.md mentions of action to jump #1151 (david22swan)
- (RUBOCOP) Resolve Rubocop Issues #1149 (david22swan)
v6.0.0 - 2023-07-25
Changed
- (CONT-242) Fix duplicate rule detection #1140 (david22swan)
- pdksync - (MAINT) - Require Stdlib 9.x only #1135 (LukasAud)
Added
- Add support for parsing and using --tcp-option #1126 (greatflyingsteve)
Fixed
- disable firewalld for RedHat 9 #1142 (robertc99)
- Change ip6tables_version to constant in provider. #1134 (pjakubcz)
- Fix SELinux context on newer CentOS #1123 (tobias-urdin)
- Force firewall chain delete #1104 (cruelsmith)
v5.0.0 - 2023-03-31
Changed
- (Cont 779) Add Support for Puppet 8 / Drop Support for Puppet 6 #1118 (david22swan)
v4.1.0 - 2023-03-31
Added
Fixed
- Ignore OpenBSD, similarly to FreeBSD #1107 (buzzdeee)
- redhat9 needs iptables service #1103 (robertc99)
- debian: service: fix ensure parameter usage #1095 (damonbreeden)
v4.0.1 - 2022-12-07
Fixed
- (GH-1097) Bumping back required puppet version #1098 (LukasAud)
- support --nflog-size as replacement for --nflog-range #1096 (kjetilho)
- (1093) - Fix unresolved fact error #1094 (jordanbreen28)
- package "iptables" has been replaced by "iptables-nft" on EL9 #1085 (kjetilho)
v4.0.0 - 2022-11-22
Changed
Added
Fixed
- (CONT-173) - Updating deprecated facter instances #1079 (jordanbreen28)
- pdksync - (CONT-189) Remove support for RedHat6 / OracleLinux6 / Scientific6 #1078 (david22swan)
- pdksync - (CONT-130) - Dropping Support for Debian 9 #1075 (jordanbreen28)
- fix service port number lookup to use protocol #1023 (kjetilho)
v3.6.0 - 2022-10-03
Added
- pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 #1063 (david22swan)
- pdksync - (GH-cat-12) Add Support for Redhat 9 #1054 (david22swan)
Fixed
- allow persistence of firewall rules for Suse #1061 (corporate-gadfly)
- (GH-1055) Fix for --random-fully #1058 (david22swan)
v3.5.0 - 2022-05-17
Added
Fixed
- pdksync - (GH-iac-334) Remove Support for Ubuntu 14.04/16.04 #1038 (david22swan)
- Fix rpfilter parameter #1013 (onyxmaster)
v3.4.0 - 2022-02-28
Added
Fixed
- pdksync - (IAC-1787) Remove Support for CentOS 6 #1027 (david22swan)
v3.3.0 - 2021-12-15
Added
- pdksync - (IAC-1753) - Add Support for AlmaLinux 8 #1020 (david22swan)
- pdksync - (IAC-1751) - Add Support for Rocky 8 #1017 (david22swan)
Fixed
- Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range #1019 (cmd-ntrf)
- Fedora 34 and iptables-compat fix; properly utilising iptables param. #1018 (adamboutcher)
- pdksync - (IAC-1598) - Remove Support for Debian 8 #1015 (david22swan)
- Add carp protocol to :proto property #1014 (adrianiurca)
- (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing #981 (tskirvin)
v3.2.0 - 2021-09-06
Added
- pdksync - (IAC-1709) - Add Support for Debian 11 #1005 (david22swan)
Fixed
- Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present #1010 (onyxmaster)
v3.1.0 - 2021-07-26
Added
Fixed
- (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 #1002 (adrianiurca)
v3.0.2 - 2021-07-19
Fixed
- sles-15: mac_source is downcased by iptables #997 (adrianiurca)
- fix: parsing random_fully in ip6tables #996 (scoiatael)
v3.0.1 - 2021-06-21
Fixed
v3.0.0 - 2021-03-01
Changed
- pdksync - (MAINT) Remove SLES 11 support #977 (sanfrancrisko)
- pdksync - (MAINT) Remove RHEL 5 family support #976 (sanfrancrisko)
- pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 #972 (carabasdaniel)
v2.8.1 - 2021-02-09
Fixed
- [MODULES-10907] Do not remove spaces from hex string with ! #967 (adrianiurca)
v2.8.0 - 2020-12-14
Added
- pdksync - (feat) - Add support for Puppet 7 #959 (daianamezdrea)
- (IAC-966) - MODULES-10522: Add support for the --condition parameter #941 (adrianiurca)
Fixed
v2.7.0 - 2020-10-15
Added
v2.6.0 - 2020-10-05
Added
- pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #933 (david22swan)
Fixed
- Add carp protocol to :proto property #945 (pellisesol)
- Fix extra quotes in firewall string matching #944 (IBBoard)
- (IAC-987) - Removal of inappropriate terminology #942 (david22swan)
v2.5.0 - 2020-07-28
Added
- Add acceptance and unit test #931 (adrianiurca)
- [IAC-899] - Add acceptance test for string_hex parameter #930 (adrianiurca)
- Add support for NFLOG options to ip6tables #921 (frh)
v2.4.0 - 2020-05-13
Added
- Add support for u32 module in iptables #917 (sanfrancrisko)
- Add support for cgroup arg #916 (akerl-unpriv)
- Extend LOG options #914 (martialblog)
Fixed
v2.3.0 - 2020-03-26
Added
- Add iptables --hex-string support to firewall resource #907 (alexconrey)
- Add random_fully and rpfilter support #892 (treydock)
- (MODULES-7800) Add the ability to specify iptables connection tracking helpers. #890 (jimmyt86)
- Support conntrack module #872 (haught)
Fixed
- (maint) Use fact.flush only when available #906 (Filipovici-Andrei)
- (MODULES-10358) - Clarification added to Boolean validation checks #886 (david22swan)
- Merge and remove duplicate README file, lint code snippets #878 (runejuhl)
v2.2.0 - 2019-12-09
Added
- Add support for Debian Unstable #876 (martialblog)
- (FM-8673) - Support added for CentOS 8 #873 (david22swan)
- FM-8400 - add debian10 support #862 (lionce)
- FM-8219 - Convert to litmus #855 (lionce)
Fixed
- Change - Avoid puppet failures on windows nodes #874 (blackknight36)
- Fix parsing iptables rules with hyphen in comments #861 (Hexta)
v2.1.0 - 2019-09-25
Added
- (MODULES-6136) Add zone property of CT target. #852 (rwf14f)
- (FM-8025) Add RedHat 8 support #847 (eimlav)
Fixed
v2.0.0 - 2019-05-15
Changed
- pdksync - (MODULES-8444) - Raise lower Puppet bound #841 (david22swan)
Added
- (FM-7903) - Implement Puppet Strings #838 (david22swan)
Fixed
1.15.3 - 2019-04-05
Fixed
- (MODULES-8855) Move ipvs test to exception spec #834 (eimlav)
- (MODULES-8842) Fix ipvs not idempotent #833 (eimlav)
1.15.2 - 2019-03-26
Fixed
- (MODULES-8615) Fix rules with ipvs not parsing #828 (eimlav)
- (MODULES-7333) - Change hashing method from MD5 to SHA256 #827 (david22swan)
- (MODULES-6547) Fix existing rules with --dport not parsing #826 (eimlav)
- (MODULES-8648) - Fix for failures on SLES 11 #816 (david22swan)
- (MODULES-8584) Handle multiple escaped quotes in comments properly #815 (mateusz-gozdek-sociomantic)
- External control for iptables-persistent #795 (identw)
1.15.1 - 2019-02-01
Fixed
- (DOC-3056) Remove mention of rules ordering #809 (clairecadman)
- (FM-7712) - Remove Gentoo 1.0 testing/support for Firewall module #808 (david22swan)
- (MODULES-8360) Fix IPv6 bug relating to Bugzilla 1015 #804 (alex-harvey-z3q)
1.15.0 - 2019-01-18
Added
- (MODULES-8143) - Add SLES 15 support #798 (eimlav)
- Add nftables wrapper support for RHEL8 #794 (mwhahaha)
- Changed regex for iniface and outiface to allow '@' in interface names #791 (GeorgeCox)
- (MODULES-8214) Handle src_type and dst_type as array #790 (mateusz-gozdek-sociomantic)
- (MODULES-7990) Merge multiple comments into one while parsing rules #789 (mateusz-gozdek-sociomantic)
- add -g flag handling in ip6tables.rb provider #788 (cestith)
- (MODULES-7681) Add support for bytecode property #771 (baurmatt)
Fixed
- pdksync - (FM-7655) Fix rubygems-update for ruby < 2.3 #801 (tphoney)
- (MODULES-6340) - Address failure when name begins with 9XXX #796 (eimlav)
- Amazon linux 2 changed its major version to 2 with the last update... #793 (erik-frontify)
1.14.0 - 2018-09-27
Added
- pdksync - (MODULES-6805) metadata.json shows support for puppet 6 #782 (tphoney)
- (FM-7399) - Prepare for changelog generator #780 (pmcmaw)
1.13.0 - 2018-09-19
Added
- pdksync - (MODULES-7705) - Bumping stdlib dependency from < 5.0.0 to < 6.0.0 #775 (pmcmaw)
- Add support for Amazon Linux 2 #768 (erik-frontify)
- (FM-7232) - Update firewall to support Ubuntu 18.04 #767 (david22swan)
- [FM-7044] Addition of Debian 9 support to firewall #765 (david22swan)
- [FM-6961] Removal of unsupported OS from firewall #764 (david22swan)
Fixed
- (MODULES-7627) - Update README Limitations section #769 (eimlav)
- Corrections to readme #766 (alex-harvey-z3q)
- (MODULES-6129) negated option with address mask bugfix #756 (mirekys)
- (MODULES-2119) iptables delete -p all exception #749 (mikkergimenez)
1.12.0 - 2018-01-25
Fixed
- MODULES-6261: Fix error parsing rules with dashes in the chain name #744 (hantona)
- (MODULES-6092) Set correct seluser for CentOS/RHEL 5.x #737 (mihall-primus)
1.11.0 - 2017-11-30
Fixed
1.10.0 - 2017-11-14
Changed
- (MODULES-5501) - Remove unsupported Ubuntu #715 (pmcmaw)
- (Modules-1141) No longer accepts an array for icmp types #puppethack #705 (spynappels)
Added
- (MODULES-5144) Prep for puppet 5 #709 (hunner)
- MODULE-1805 Add hashlimit-module #708 (jtruestedt)
- (MODULES-5111) Support UNTRACKED in state and ctstate rules #707 (spynappels)
- MODULES-4828 version_requirement updated #puppethack #704 (neilbinney)
- Add gid lookup #682 (crispygoth)
Fixed
- [MODULES-5924] Fix unmanaged rule regex when updating a iptable. #729 (sathlan)
- (MODULES-5692) Match more than a single space #727 (hunner)
- (MODULES-5645) Choose correct IP version for hostname resolution #721 (kpengboy)
- allow ip6tables to be disabled #694 (knackaron)
- (MODULES-4200) Add simple sanity check for the rule to hash parser #666 (comel)
Other
- (MODULES-5340) Understand negated match sets #713 (nbarrientos)
1.9.0 - 2017-05-19
Added
- (FM-4896) add NFLOG support #697 (eputnam)
- (MODULES-4234) Add support for --physdev-is-{in,out} #685 (mhutter)
- Allow managing ebtables #684 (hunner)
- MODULES-4279 Add support for the geoip module #680 (jg-development)
Fixed
- (maint) modify to account for spaces in iptables-save output #700 (eputnam)
- Change - Ensure that firewalld is stopped before iptables starts #695 (blackknight36)
- Properly handle negated --physdev-is-... rules #693 (mhutter)
- MODULES-4279 use complete option for geoip #690 (jg-development)
1.8.2 - 2017-01-10
Added
- Add RHEL7 SELinux support for new service_name_v6 param, subsequently fix puppet lint error #671 (wilson208)
- [#puppethack] MODULES-1222 - added containment #667 (genebean)
- Add --wait to iptables commands #647 (mwhahaha)
Fixed
- Fixes SELinux compatibility with EL6 #664 (bmjen)
- Re-add RHEL7 SELinux support for puppet3 #660 (bmjen)
- Fixing issue with double quotes being removed when part of the comment #646 (kindred)
- Implemented paramters for NFQUEUE jump target #644 (pid1co)
- (MODULES-3572) Ip6tables service is not managed in the redhat family. #641 (marcofl)
1.8.1 - 2016-05-17
Changed
Added
- (Modules 3329) Add support for iptables length and string extensions #630 (shumbert)
- Add VirtuozzoLinux to the RedHat family #617 (jpnc)
- support for multiple ipsets in a rule #615 (nabam)
- Add 'ip' and 'pim' to proto #610 (lunkwill42)
Fixed
- allow FreeBSD when dependencies require this class #624 (rcalixte)
- match rules with -m ttl #612 (pulecp)
1.8.0 - 2016-02-17
Added
- (MODULES-3079) Add support for goto argument. #606 (aequitas)
- allow iptables package to be updated #583 (cristifalcas)
- Support IPv6 NAT on Linux 3.7+ #576 (nward)
Fixed
- Made Facter flushing specific to a single fact. #604 (jonnytdevops)
- (MODULES 3932) - We need to call Facter.flush to clear Facter cache #603 (jonnytdevops)
- (MODULES-2159) ignore the --connlimit-saddr switch when parsing rules #602 (paulseward)
- Adding in log_uid boolean for LOG #593 (mlosapio)
- (MODULES-2836) Fix handling of chains that contain '-f' #579 (maxvozeler)
- (MODULES-2783) Missing ip6tables service name #578 (abednarik)
1.7.2 - 2015-12-07
Added
- Add: sctp-protocol to "proto"-Parameter #589 (DavidS)
- MODULES-2769 - Add security table for iptables. #575 (werekraken)
Fixed
- (MODULES-1341) Recover when deleting absent rules #577 (reidmv)
- (MAINT) RedHat 6 also uses unconfined_t #574 (DavidS)
- MODULES-2487 Improve port deprecation warning #572 (roman-mueller)
1.7.1 - 2015-08-24
Changed
Fixed
1.7.0 - 2015-07-27
Added
- add set_dscp and set_dscp_class #560 (estonfer)
- Compatibility with Puppet 4 and Facter 3 #559 (Jmeyering)
Fixed
- Makes all the services autorequired by the firewall and firewallchain types. #556 (jonnytdevops)
- MODULES-2186 - iptables rules with -A in comment #555 (TJM)
- Fix for physdev idempotency on EL5 #551 (jonnytdevops)
- Fix addrtype inversion #543 (jonnytdevops)
- (MODULES-1976) Revise rule name validation for ruby 1.9 #517 (karmix)
- (MODULES-1967) Parse escape sequences from iptables #513 (karmix)
1.6.0 - 2015-05-19
Added
- add match_mark #527 (jonnytdevops)
- Tee Support #525 (jonnytdevops)
- MSS feature #524 (jonnytdevops)
- Added support for time ipt_module #522 (jonnytdevops)
- Add support for ICMPv6 types neighbour-{solicitation,advertisement} #515 (peikk0)
- Add support for ICMPv6 type too-big (2) #514 (peikk0)
- Added ipv{4,6} to protocol list #505 (jpds-zz)
Fixed
- Fix Arch Linux support #526 (elyscape)
- Added iptables-persistent fix for Debian 8 and Ubuntu 14.10 #523 (jonnytdevops)
- Fixed idempotency bug relating to MODULES-1984 #520 (jonnytdevops)
- (MODULES-1984) Perform daemon-reload on systemd #518 (johnduarte)
1.5.0 - 2015-03-31
Added
- MODULES-1832 - add Gentoo support #498 (derdanne)
- MODULES-1636: Add --checksum-fill support. #460 (Zlo)
Fixed
- MODULES-1808 - Implemented code for resource map munging to allow a single ipt module to be used multiple times in a single rule #496 (jonnytdevops)
- Added code for physdev_is_bridged #491 (jonnytdevops)
1.4.0 - 2015-01-27
Added
- Added support for iptables physdev_in and physdev_out parameters #473 (jonnytdevops)
- MODULES-1612 - sync mask #469 (underscorgan)
- MODULES-1612 - sync ipset #468 (underscorgan)
- MODULES-1612 - sync set_mark #464 (underscorgan)
- MODULES-1612 - Sync ipsec_dir and ipsec_policy #459 (underscorgan)
- MODULES-1612 - sync mac_source #454 (underscorgan)
- MODULES-1612 - sync src_type and dst_type #453 (underscorgan)
- MODULES-1612 - sync src_range and dst_range #452 (underscorgan)
- MODUELES-1355 - support dport/sport in ip6tables provider #451 (underscorgan)
- (MODULES-464) Add netmap feature #421 (patrobinson)
Fixed
- MODULES-1453 - overly aggressive gsub #479 (underscorgan)
- Uid negation fix #474 (jonnytdevops)
- QENG-1678 - Need to stop iptables to install ipset #472 (underscorgan)
- Fixing regressions for Amazon Linux since RH7 support was added #471 (mlehner616)
- MODULES-1612 - mask isn't supported on deb7 #470 (underscorgan)
- MODULES-1552 - Issues parsing -m (tcp|udp) rules #462 (underscorgan)
1.3.0 - 2014-12-16
Added
- MODULES-556: tcp_flags support for ip6tables #442 (underscorgan)
- MODULES-1309 - Make package and service names configurable #436 (underscorgan)
- MODULES-1469 MODULES-1470 Support alias (eth0:0), negation for iniface, ... #435 (underscorgan)
- FM-2022 Add SLES 12 to metadata #434 (cyberious)
Fixed
- MODULES-1572 - Fix logic broken from MODULES-1309 #441 (underscorgan)
- MODULES-1565 - Fix regexes for EL5 #438 (underscorgan)
- Don't arbitrarily limit set_mark to certain chains #427 (stesie)
1.2.0 - 2014-11-04
Changed
- Doesn't actually support OEL5 #418 (underscorgan)
Added
- Update to support PE3.x #420 (underscorgan)
- Support netfilter-persistent for later versions #403 (rra)
- (MODULES-450) Enable rule inversion #394 (hunner)
- Add cbt protocol, to be able to mitigate some DDoS attacks #388 (thias)
- add ipset support #383 (vzctl)
- Add support for mac address source rules pt2 #337 (damjanek)
Fixed
- ip6tables isn't supported on EL5 #428 (underscorgan)
- Fixed firewalld package issue #426 (paramite)
- (MODULES-41) Change source for ip6tables provider #422 (hunner)
- (MODULES-1086) toports is not reqired with jump == REDIRECT #407 (hunner)
- Bugfix stat_prob -> stat_probability #402 (hunner)
- Improve support for EL7 and other related fixes #393 (hunner)
- Fixed bug which arbitrarily limited iniface and outiface parameters #374 (lejonet)
1.1.3 - 2014-07-14
1.1.2 - 2014-06-05
Fixed
1.1.1 - 2014-05-16
1.1.0 - 2014-05-13
Changed
Added
Fixed
- Fix access to distmoduledir #354 (hunner)
- Fix support for Fedora Rawhide #350 (xbezdick)
- Fix failing persist_iptables test on RHEL7 and Fedora #341 (jeckersb)
- --reap flag is not added to iptables command #340 (simon-martin)
- Fix typo in SNAT error message #339 (cure)
- Treat RHEL 7 and later like Fedora w/r/t iptables #338 (larsks)
1.0.2 - 2014-03-04
Fixed
1.0.1 - 2014-03-03
Fixed
- Change OEL limitation description #326 (hunner)
- Socket owner sles madness #324 (apenney)
- Fix logic for supported socket platforms #322 (hunner)
- Bugfix: Account for rules sorted after unmanaged rules #321 (hunner)
- Fix various differences for rhel5 #314 (hunner)
- Use iptables-save and parse the output #311 (hunner)
1.0.0 - 2014-02-11
0.5.0 - 2014-02-10
Added
- Add --random support as per #141 comment #298 (hunner)
- (MODULES-31) add support for iptables recent #296 (hunner)
- Add purge support to firewallchain #287 (hunner)
- allow input chain in nat table #270 (phemmer)
- add ipsec policy matching #268 (phemmer)
- Negation support #267 (phemmer)
- Support conntrack stateful firewall matching #257 (nogweii)
- Add support for IPv6 hop limiting #208 (georgkoester)
- Add ipv6 frag matchers2 and generify known_boolean handling. #207 (georgkoester)
Fixed
- Fix for #286 for pre-existing rules at the start of a chain #303 (hunner)
- Fix #300 for match extension protocol #302 (hunner)
- (MODULES-451) Match extension protocol for multiport #300 (hunner)
- (MODULES-16) Correct src_range dst_range ordering #293 (hunner)
- (MODULES-442) Correct boolean properties behavior #291 (hunner)
- (MODULES-441) Helpfully fail when modifying chains #288 (hunner)
- (MODULES-439) Work around existing rules #286 (hunner)
- fix handling of builtin chains #271 (phemmer)
- Remove redundant include call in system spec helper. #253 (stefanozanella)
- Generate parser list #248 (senax)
- No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking #240 (doc75)
0.4.2 - 2013-09-10
0.4.1 - 2013-08-12
0.4.0 - 2013-07-12
Added
list - 2013-07-09
Added
- Add SL and SLC cases for operatingsystem #220 (traylenator)
- Add support for --src-type and --dst-type #212 (nickstenning)
Fixed
- Update providers to use expect syntax #217 (hunner)
- Fix #188: -f in comment leads to puppet resource firewall failing. #204 (georgkoester)
0.3.1 - 2013-06-10
Fixed
- Ensure all services have 'hasstatus => true' for Puppet 2.6 #197 (kbarber)
- Accept pre-existing rule with invalid name #192 (joejulian)
- Swap log_prefix and log_level order to match the way it's saved #191 (joejulian)
- (#20912) Split arguments while maintaining quoted strings #189 (joejulian)
0.3.0 - 2013-04-25
Added
- (#171) Added ensure parameter to firewall class #172 (cr3)
- (20096) Support systemd on Fedora 15 and up #145 (ecbypi)
Fixed
0.2.1 - 2013-03-13
0.2.0 - 2013-03-03
Added
Fixed
0.1.1 - 2013-02-28
0.1.0 - 2013-02-24
Added
- (#15556) Support for ICMP6 type code resolutions #87 (dcarley)
- (#15038) add gre protocol to list of acceptable protocols #85 (jasonhancock)
- Ticket/11305 support vlan interface #70 (kbarber)
- Ticket/10162 firewallchain support for merge #62 (kbarber)
Fixed
- Mock Resolv.getaddress in #host_to_ip #110 (dcarley)
- ip6tables provider always execute /sbin/iptables command #105 (wuwx)
- (#10322) Insert order hash included chains from different tables #89 (kbarber)
- (#10274) Nullify addresses with zero prefixlen #80 (dcarley)
- Ticket/10619 unable to purge rules #69 (kbarber)
- (#13201) Firewall autorequire Firewallchains #67 (dcarley)
- (#13192) Fix allvalidchain iteration #63 (kbarber)
- Improved Puppet DSL style as per the guidelines. #61 (adamgibbins)
- (#10164) Reject and document icmp => "any" #60 (dcarley)
- (#11443) simple fix of the error message for allowed values of the jump property #50 (grooverdan)
v0.0.4 - 2011-12-05
Added
- (#10690) add port property support to ip6tables #33 (saysjonathan)
v0.0.3 - 2011-11-12
Fixed
- (#10700) allow additional characters in comment string #30 (saysjonathan)
v0.0.2 - 2011-10-26
Added
Fixed
- (#10295) Work around bug #4248 whereby the puppet/util paths are not bein #22 (kbarber)
- (#10002) Change to dport and sport to handle ranges, and fix handling of #21 (kbarber)
v0.0.1 - 2011-10-18
Dependencies
- puppetlabs/stdlib (>= 9.0.0 < 10.0.0)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Quality checks
We run a couple of automated scans to help you assess a module's quality. Each module is given a score based on how well the author has formatted their code and documentation, and select modules are also checked for malware using VirusTotal.
Please note that the information below is for guidance only; neither of these methods should be considered an endorsement by Puppet.
Malware scan results
The malware detection service on Puppet Forge is an automated process that identifies known malware in module releases before they're published. It is not intended to replace your own virus scanning solution.
- Module name: puppetlabs-firewall
- Module version: 8.1.3
- Scan initiated: December 5th 2024, 4:23:38
- Detections: 0 / 62
- Scan stats: 62 undetected, 0 harmless, 0 failures, 0 timeouts, 0 malicious, 0 suspicious, 14 unsupported