Fixes: #316
modulesync 4.0.0
This pull request allows the reload of firewalld rules to be triggered when they are not present in the runtime stage of firewalld and are only present in the permanent stage. It fixes rules that get stuck in the permanent stage because of a skipped reload, caused by a Puppet error between the deployment of the rules and the reload.
Fixes #276
See https://github.com/voxpupuli/puppet-firewalld/issues/298
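The situation this PR repairs, as an added example that is not part of puppet-firewalld or of this PR: a small Ruby check that parses the text of `firewall-cmd --list-all-zones` with and without `--permanent` and reports every setting the permanent configuration has that the runtime configuration lacks, i.e. exactly what a skipped reload leaves behind. Both sample outputs are constructed and abbreviated to a few fields; the parser assumes firewall-cmd's usual layout (an unindented zone header such as `public (active)`, indented `key: values` lines, and one tab-indented line per rich rule) and the function names are mine.

```ruby
# Added example, not puppet-firewalld code: detect firewalld settings that
# exist only in the permanent configuration, which is the state a skipped
# `firewall-cmd --reload` leaves behind.

# Parse `firewall-cmd --list-all-zones` text (runtime or --permanent) into
# { zone => { setting => sorted array of values } }. Assumed layout: zone
# headers are unindented ("public (active)"), settings are indented lines of
# the form "key: v1 v2", and rich rules follow "rich rules:" one per
# tab-indented line.
def parse_list_all_zones(text)
  zones = {}
  zone = nil
  key = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/
      zone = line.split(' ').first             # drop "(active)" and friends
      zones[zone] = {}
      key = nil
    elsif line.start_with?("\t")
      (zones[zone][key] ||= []) << line.strip  # one rich rule per line
    else
      key, _sep, value = line.strip.partition(': ')
      key = key.chomp(':')                     # "ports:" with nothing after it
      zones[zone][key] = value.split(' ')
    end
  end
  zones.each_value { |settings| settings.each_value(&:sort!) }
  zones
end

# Every [zone, setting, value] present in the permanent configuration but
# missing from the runtime one. Runtime-only values are deliberately ignored:
# a reload overwrites them, which is what configuration management wants.
def permanent_only(runtime_text, permanent_text)
  runtime = parse_list_all_zones(runtime_text)
  permanent = parse_list_all_zones(permanent_text)
  drift = []
  permanent.each do |zone, settings|
    live = runtime.fetch(zone, {})
    settings.each do |setting, values|
      (values - live.fetch(setting, [])).each { |v| drift << [zone, setting, v] }
    end
  end
  drift
end

def reload_needed?(runtime_text, permanent_text)
  !permanent_only(runtime_text, permanent_text).empty?
end

# Constructed, abbreviated sample outputs. Runtime: no extra port, no rich
# rule. Permanent: 8443/tcp and one rich rule that never reached runtime.
RUNTIME_SAMPLE = [
  'public (active)',
  '  target: default',
  '  interfaces: eth0',
  '  services: dhcpv6-client ssh',
  '  ports:',
  '  rich rules:',
].join("\n")

PERMANENT_SAMPLE = [
  'public',
  '  target: default',
  '  interfaces: eth0',
  '  services: dhcpv6-client ssh',
  '  ports: 8443/tcp',
  '  rich rules:',
  "\trule family=\"ipv4\" source address=\"10.0.1.0/24\" service name=\"https\" accept",
].join("\n")

if __FILE__ == $PROGRAM_NAME
  permanent_only(RUNTIME_SAMPLE, PERMANENT_SAMPLE).each do |zone, setting, value|
    puts "#{zone}: #{setting} has #{value} only in permanent"
  end
  puts "reload needed: #{reload_needed?(RUNTIME_SAMPLE, PERMANENT_SAMPLE)}"
end
```

On a real host the two inputs come from `firewall-cmd --list-all-zones` and `firewall-cmd --permanent --list-all-zones`, and a non-empty result is the signal to run `firewall-cmd --reload`. Keep in mind that a reload replaces the whole runtime configuration with the permanent one, so anything added at runtime without `--permanent` disappears at that point; for a Puppet-managed host that is the intended outcome, but it is worth knowing when debugging.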
Allow usage of family "eb" for creating bridge rules.
Fixes #298
We now use `--add-entries-from-file` and `--remove-entries-from-file` to change firewalld ipsets. Adding or removing entries one by one was really slow.
This pull request is based on
https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
The first pull request was here: jfroche/puppet-firewalld#4
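The bulk approach this PR adopts, as an added example that is not the module's provider code: compute the entries to add and to remove, write each list to a temporary file, and hand firewall-cmd one `--add-entries-from-file=` / `--remove-entries-from-file=` invocation per list instead of one call per entry. The file format these flags read is one entry per line, so the example refuses entries containing whitespace (a newline inside an entry would otherwise become an extra entry). The `executor` parameter and the function names are mine; the firewall-cmd flags are the ones the PR names.

```ruby
require 'tempfile'

# Added example, not puppet-firewalld's provider code: change a firewalld
# ipset in bulk with --add-entries-from-file / --remove-entries-from-file.

# Entries are written one per line, so anything containing whitespace would
# corrupt the file (or smuggle in extra entries). Fail loudly instead.
def validate_ipset_entries!(entries)
  bad = entries.reject { |e| e.is_a?(String) && !e.empty? && e !~ /\s/ }
  raise ArgumentError, "invalid ipset entries: #{bad.inspect}" unless bad.empty?
  entries
end

# Pure planning step: which entries to add and which to remove, each paired
# with the firewall-cmd flag that takes a file of entries.
def ipset_bulk_plan(current, desired)
  validate_ipset_entries!(current)
  validate_ipset_entries!(desired)
  plan = []
  add = desired - current
  remove = current - desired
  plan << ['--add-entries-from-file', add] unless add.empty?
  plan << ['--remove-entries-from-file', remove] unless remove.empty?
  plan
end

# Write each entry list to a temporary file (deleted after use) and hand the
# resulting argv to `executor`, by default the real firewall-cmd. Returns the
# argv arrays that were run so callers can log them.
def apply_ipset_bulk(ipset, current, desired, permanent: true,
                     executor: ->(argv) { system(*argv) || raise("#{argv.join(' ')} failed") })
  ran = []
  ipset_bulk_plan(current, desired).each do |flag, entries|
    Tempfile.create(['firewalld-ipset-', '.txt']) do |f|
      f.puts(entries)
      f.flush
      argv = ['firewall-cmd']
      argv << '--permanent' if permanent
      argv << "--ipset=#{ipset}" << "#{flag}=#{f.path}"
      executor.call(argv)
      ran << argv
    end
  end
  ran
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: two entries live, one to drop and one to add.
  ipset_bulk_plan(%w[10.0.0.1 10.0.0.2], %w[10.0.0.2 10.0.0.3]).each do |flag, entries|
    puts "#{flag}: #{entries.join(', ')}"
  end
end
```

With `permanent: true` the change lands in the permanent configuration only, so the runtime ipset still needs a `firewall-cmd --reload` (or the same two commands run again without `--permanent`) before it takes effect.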
Adds support for the priority option on rich rules, to allow ordering them outside of the normally implicit (and not guaranteed to be deterministic) ordering imposed by when they're added.
Change the exec resources that set defaultzone and logdenied to fall back to firewall-offline-cmd when firewalld is not running. This is useful, for example, in container environments or kickstart post-installs where the firewalld service can't be run but we still want these settings configured.
The bug this PR fixes does not have an associated issue.
Hello!
The module does not allow adding/modifying protocols for a zone with the `firewalld_zone`
resource type, but the parameter can be used with the firewall-cmd tool, like:
```
firewall-cmd --zone=example --add-protocol=icmp
```
See docs: firewall-cmd
This pull request adds the ability to purge unmanaged firewalld zones.
Fixes #134
This updates the parsing to support a rich rule with a configured reject type.
It might be possible to use symbols for keys, but I couldn't get that to work and don't know enough Ruby to sort it out.
Fixes: #193
Replaces: #194
Prior to this change set, the rich rule would produce the below error message(s)
```
Failures:

  1) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" queries the status
     Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

     Puppet::ResourceError:
       Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     # ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:228:in `block (5 levels) in <top (required)>'
     # ------------------
     # --- Caused by: ---
     # Puppet::Error:
     #   Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     #   ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

  2) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" creates
     Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

     Puppet::ResourceError:
       Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     # ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:233:in `block (5 levels) in <top (required)>'
     # ------------------
     # --- Caused by: ---
     # Puppet::Error:
     #   Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     #   ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

  3) Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" destroys
     Failure/Error: raise Puppet::Error, "Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got #{value}"

     Puppet::ResourceError:
       Parameter action failed on Firewalld_rich_rule[reject ssh tcp reset]: Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     # ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:463:in `validate'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/parameter.rb:498:in `value='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:694:in `[]='
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2548:in `block in set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `each'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2542:in `set_parameters'
     # /usr/local/bundle/ruby/2.5.0/gems/puppet-6.27.0/lib/puppet/type.rb:2449:in `initialize'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `new'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:218:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:221:in `block (5 levels) in <top (required)>'
     # ./spec/unit/puppet/type/firewalld_rich_rule_spec.rb:238:in `block (5 levels) in <top (required)>'
     # ------------------
     # --- Caused by: ---
     # Puppet::Error:
     #   Rule action hash should contain `action` and `type` keys. Use a string if you only want to declare the action to be `accept` or `reject`. Got {"action"=>"reject", "type"=>"tcp-reset"}
     #   ./lib/puppet/type/firewalld_rich_rule.rb:107:in `block (3 levels) in <top (required)>'

Finished in 2.34 seconds (files took 2.74 seconds to load)
124 examples, 3 failures

Failed examples:

rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:1]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" queries the status
rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:2]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" creates
rspec './spec/unit/puppet/type/firewalld_rich_rule_spec.rb[1:4:10:3]' # Puppet::Type::Firewalld_rich_rule provider for rule rule family="ipv4" source address="10.0.1.2/24" service name="ssh" log level="debug" reject type="tcp-reset" destroys
```
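The two rich-rule changes on this page, the `priority` option and the `reject type="tcp-reset"` action that the failing specs above exercise, as one added example that is not the module's type or provider code: a Ruby builder that turns a hash into a firewalld rich rule string, accepting the action either as a plain string or as a hash with `action` and `type` keys (string or symbol keys both work), and a parser that turns such a rule string back into the hash. Element order follows the `firewalld.richlanguage(5)` grammar and the priority bounds are the documented firewalld limits; only a subset of elements (source/destination by address, service, log level, priority, action) is handled, and the function names are mine.

```ruby
# Added example, not the module's type or provider code: build a firewalld
# rich rule string from a hash and parse one back, with the action given
# either as a plain string or as a hash carrying a reject `type`, and with
# the optional `priority` element. Element order follows the
# firewalld.richlanguage(5) grammar; only a subset of elements is handled.

ACTIONS = %w[accept reject drop].freeze
PRIORITY_RANGE = (-32_768..32_767).freeze   # documented firewalld limits

# Accept "reject" or { "action" => "reject", "type" => "tcp-reset" } (string
# or symbol keys) and return the hash form; anything else is rejected with
# the same wording the type's validation uses.
def normalize_action(value)
  case value
  when String
    raise ArgumentError, "unknown action #{value.inspect}" unless ACTIONS.include?(value)
    { 'action' => value }
  when Hash
    h = value.transform_keys(&:to_s)
    unless h.keys.sort == %w[action type] && ACTIONS.include?(h['action'])
      raise ArgumentError, 'Rule action hash should contain `action` and `type` keys. ' \
                           'Use a string if you only want to declare the action to be ' \
                           "`accept` or `reject`. Got #{value}"
    end
    raise ArgumentError, "only reject takes a type, got #{value}" unless h['action'] == 'reject'
    h
  else
    raise ArgumentError, "action must be a String or a Hash, got #{value.inspect}"
  end
end

# Quote an attribute value; a literal double quote would break the rule
# syntax (or smuggle in extra elements), so refuse it.
def q(value)
  s = value.to_s
  raise ArgumentError, "value may not contain a double quote: #{s}" if s.include?('"')
  "\"#{s}\""
end

def build_rich_rule(spec)
  spec = spec.transform_keys(&:to_s)
  parts = ['rule']
  parts << "family=#{q(spec['family'])}" if spec['family']
  if spec.key?('priority')
    prio = Integer(spec['priority'])
    raise ArgumentError, "priority #{prio} out of range" unless PRIORITY_RANGE.cover?(prio)
    parts << "priority=#{q(prio)}"
  end
  parts << "source address=#{q(spec['source'])}" if spec['source']
  parts << "destination address=#{q(spec['dest'])}" if spec['dest']
  parts << "service name=#{q(spec['service'])}" if spec['service']
  parts << "log level=#{q(spec['log_level'])}" if spec['log_level']
  action = normalize_action(spec.fetch('action'))
  parts << action['action']
  parts << "type=#{q(action['type'])}" if action['type']
  parts.join(' ')
end

# Inverse of build_rich_rule for the same subset of the rich language.
def parse_rich_rule(rule)
  tokens = rule.scan(/(?:[^\s"]+|"[^"]*")+/)   # split on spaces, keep quotes
  raise ArgumentError, "not a rich rule: #{rule.inspect}" unless tokens.shift == 'rule'
  spec = {}
  until tokens.empty?
    tok = tokens.shift
    case tok
    when /\Afamily="(ipv4|ipv6)"\z/ then spec['family'] = Regexp.last_match(1)
    when /\Apriority="(-?\d+)"\z/
      prio = Integer(Regexp.last_match(1))
      raise ArgumentError, "priority #{prio} out of range" unless PRIORITY_RANGE.cover?(prio)
      spec['priority'] = prio
    when 'source', 'destination'
      m = tokens.shift.to_s.match(/\Aaddress="([^"]+)"\z/)
      raise ArgumentError, "unsupported #{tok} element" unless m
      spec[tok == 'source' ? 'source' : 'dest'] = m[1]
    when 'service'
      m = tokens.shift.to_s.match(/\Aname="([^"]+)"\z/)
      raise ArgumentError, 'unsupported service element' unless m
      spec['service'] = m[1]
    when 'log'
      m = tokens.shift.to_s.match(/\Alevel="([^"]+)"\z/)
      raise ArgumentError, 'unsupported log element' unless m
      spec['log_level'] = m[1]
    when *ACTIONS
      if (m = tokens.first&.match(/\Atype="([^"]+)"\z/))
        tokens.shift
        spec['action'] = { 'action' => tok, 'type' => m[1] }
      else
        spec['action'] = tok
      end
    else
      raise ArgumentError, "unsupported element #{tok.inspect}"
    end
  end
  normalize_action(spec.fetch('action') { raise ArgumentError, 'rule has no action' })
  spec
end
```

Feeding the rule from the failing spec through `parse_rich_rule` yields `"action" => { "action" => "reject", "type" => "tcp-reset" }`, and `build_rich_rule` on that hash gives the original string back, which is the round trip a provider needs when it compares what `firewall-cmd --list-rich-rules` reports with what the manifest declares.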