GitHub puppet-firewalld
Puppet module for managing firewalld

Repo Checks ( 13 of 18 successful )
Metadata Valid
passed
Correct Puppet Version Range
Supported Puppet version range is %{PUPPET_SUPPORT_RANGE}
failed
With Puppet Version Range
Puppet version range is present in requirements in metadata.json
passed
With Operatingsystem Support
passed
Operatingsystems
passed
Supports Only Current Redhat
passed
Supports Latest Redhat
passed
Supports Only Current Centos
passed
Supports Latest Centos
failed
Supports Only Current Oraclelinux
passed
Supports Latest Oraclelinux
failed
In Modulesync Repo
Is listed as a module managed using modulesync_config
passed
Synced
Has a .msync.yml file
passed
Latest Modulesync
Has been synchronized with the latest tagged version of modulesync_config
failed
Has Modulesync
Is present in voxpupuli/modulesync_config/managed_modules.yml
passed
Released
Is in modulesync_config and in forge releases.
passed
Valid Sync File
If a (optional) sync file is present, it must not contain a `.travis.yml` entry.
failed
Reference Dot Md
The repository has a REFERENCE.md. It needs to be generated / puppet-strings documentation is missing.
passed

Open Pull Requests

Added `icmp_block_inversion` parameter for inverting `icmp_blocks` list
needs-tests
tests-fail
Open PR in GitHub
Add support for policy objects
modulesync 5.3.0; Drop Puppet 5 support
modulesync
backwards-incompatible
tests-fail

modulesync 4.0.0

Open PR in GitHub
Fix276
needs-squash
needs-rebase


Pull Request (PR) description

This pull request allows the reload of firewalld rules to get triggered when they are not present in the runtime stage of firewalld and are only present in permanent. It fixes the rules that get stuck in permanent stage because of a skipped reload caused by a puppet error between the deployment of rules and the reload.

This Pull Request (PR) fixes the following issues

Fixes #276

Open PR in GitHub
enable eb-family for all relevant firewalld-types
tests-fail

see https://github.com/voxpupuli/puppet-firewalld/issues/298


Pull Request (PR) description

allow usage of family "eb" for creating bridge-rules.

This Pull Request (PR) fixes the following issues

Fixes #298

Open PR in GitHub
Speed up ipset entries changes
enhancement

We now use --add-entries-from-file and --remove-entries-from-file to
change firewalld ipset. Adding or removing entries one by one was really
slow.

This pull request is based on
https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
first pull request was here: jfroche/puppet-firewalld#4

Open PR in GitHub
Support specifying priority on rich rules
enhancement


Pull Request (PR) description

Adds support for the priority option on rich rules, to allow ordering them outside of the normally implicit - and not guaranteed to be deterministic - ordering imposed by when they're added.

Open PR in GitHub
Set default_zone and log_denied when firewalld is offline


Pull Request (PR) description

Change the exec resources that set defaultzone and logdenied to fall back to the firewall-offline-cmd when firewalld is not running. This is useful, for example, in container environments or kickstart post-installs where the firewalld service can't be run but we still want these settings configured.

This Pull Request (PR) fixes the following issues

The bug this PR fixes does not have an associated issue.

Open PR in GitHub
Add the parameter `protocols` to the `firewalld_zone` resource type

Hello!

The module does not allow adding/modifying protocols for a zone with the `firewalld_zone` resource type, but the parameter can be used with the firewall-cmd tool, like

```
firewall-cmd --zone=example --add-protocol=icmp
```

See docs: firewall-cmd

Open PR in GitHub
Release of 4.4.1
skip-changelog


Pull Request (PR) description


This Pull Request (PR) fixes the following issues


Open PR in GitHub
Add enhancement for purging unmanaged zones
merge-conflicts
needs-rebase
needs-tests


Pull Request (PR) description

This pull request adds the ability to purge unmanaged firewalld zones.

This Pull Request (PR) fixes the following issues:

Fixes #134

Open PR in GitHub
Fix rich rule with typed action

This updates the parsing to support a rich rule with a configured reject type.

It might be possible to use symbols for keys, but I couldn't get that to work and don't know enough ruby to sort it out.

Fixes: #193
Replaces: #194

Prior to this change set, the rich rule would produce the below error message(s):
```
Failures:

1) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" queries the status
Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

Puppet::ResourceError:
Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:228:in `block (5 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# Puppet::Error:
# Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

2) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" creates
Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

Puppet::ResourceError:
Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:233:in `block (5 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# Puppet::Error:
# Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

3) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" destroys
Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

Puppet::ResourceError:
Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
# /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
# ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:238:in `block (5 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# Puppet::Error:
# Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
# ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

Finished in 2.34 seconds (files took 2.74 seconds to load)
124 examples, 3 failures

Failed examples:

rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:1]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" queries the status
rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:2]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" creates
rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:3]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" destroys
```

Open PR in GitHub