<!--
Thank you for contributing to this project!
-->
Pull Request (PR) description
<!--
Replace this comment with a description of your pull request.
-->
This Pull Request (PR) fixes the following issues
<!--
Replace this comment with the list of issues or n/a.
Use format:
Fixes #123
Fixes #124
-->
Add ferm::ipsets parameter to enable configuration of ferm::ipset resources via Hiera.
It's basically the same as ferm::rules and ferm::chains.
includes: #174 #175 #176 #177 #178
includes: #174 #175 #176 #177
I successfully tested negation with 'saddr', 'daddr', 'sport', and 'dport' using ferm v2.6.
The new parameter negate takes String as well as Array.
'forward_accept_rfc1918':
chain: 'DOCKER-USER'
action: 'ACCEPT'
proto: 'tcp'
saddr:
- '10.0.0.0/8'
negate: 'saddr'
'forward_accept_rfc1918':
chain: 'DOCKER-USER'
action: 'ACCEPT'
proto: 'tcp'
saddr:
- '10.0.0.0/8'
negate:
- 'saddr'
<!--
Thank you for contributing to this project!
-->
Pull Request (PR) description
<!--
Replace this comment with a description of your pull request.
-->
This Pull Request (PR) fixes the following issues
<!--
Replace this comment with the list of issues or n/a.
Use format:
Fixes #123
Fixes #124
-->
some "idempotent" (non user-visible) changes
- make parameters and headers more readable
- it's opinionated, but pretty much inline with what other modules do
- refactor defined type
rule moving boilerplate to new function
- simplify
rule with some new data types
add support for my use cases
- add parameters
outerface, daddr_type, saddr_type, and ctstate
Of course, everything comes with tests and documentation. I didn't add tests for the function though, because I'd consider it tested indirectly as part of tests done on rule.
EDIT: Tests are failing due to outdated REFERENCE.md. Can't find redcarpet right now. Tried ...
```
$ bundle exec gem install redcarpet
Fetching redcarpet-3.6.0.gem
Building native extensions. This could take a while...
Successfully installed redcarpet-3.6.0
1 gem installed
$ gem install --user redcarpet
Building native extensions. This could take a while...
Successfully installed redcarpet-3.6.0
Parsing documentation for redcarpet-3.6.0
Done installing documentation for redcarpet after 0 seconds
1 gem installed
$ gem install redcarpet
Building native extensions. This could take a while...
Successfully installed redcarpet-3.6.0
Parsing documentation for redcarpet-3.6.0
Done installing documentation for redcarpet after 0 seconds
1 gem installed
```
... but still:
$ bundle exec rake strings:generate
[error]: Missing 'redcarpet' gem for Markdown formatting. Install it with `gem install redcarpet`
Will dig deeper tomorrow.
This PR adds match parameter to ipset resource to enable matching dst against ipsets.
By default it's value is src thus making it (backwards) compatible with existing configurations
Fragments that share the same order number are ordered by name.
"${chain}-${interface}-aaa"
"${chain}-${interface}-${name}"
"${chain}-${interface}-zzz"
If name starts with upper case letter they're placed outside of interface eth0 {}:
mod comment comment 'AAA-minimal_example' proto all ACCEPT;
interface eth0 {
mod comment comment 'aaa-minimal_example:' proto all ACCEPT;
mod comment comment 'minimal_example' proto all ACCEPT;
}
I looked into testing for correct ordering, but didn't find a working solution.
There is (e.g.) .that_comes_before, but that's testing against before => ....
I also unsuccessfully tried testing against the content of File[/etc/ferm.d/chains/INPUT.conf] generated by concat_file.
Add missing test for Ferm::Negation
