GitHub puppet-nftables
Puppet Module to manage nftables firewall rules.

Repo Checks ( 16 of 20 successful )
Metadata Valid: passed
Correct Puppet Version Range: passed (Supported Puppet version range is %{PUPPET_SUPPORT_RANGE})
With Puppet Version Range: passed (Puppet version range is present in requirements in metadata.json)
With Operatingsystem Support: passed
Operatingsystems: passed
Supports Only Current Centos: passed
Supports Latest Centos: passed
Supports Only Current Oraclelinux: passed
Supports Latest Oraclelinux: failed
Supports Only Current Redhat: passed
Supports Latest Redhat: passed
Supports Only Current Archlinux: failed
Supports Latest Archlinux: failed
In Modulesync Repo: passed (Is listed as a module managed using modulesync_config)
Synced: passed (Has a .msync.yml file)
Latest Modulesync: failed (Has been synchronized with the latest tagged version of modulesync_config)
Has Modulesync: passed (Is present in voxpupuli/modulesync_config/managed_modules.yml)
Released: passed (Is in modulesync_config and in forge releases)
Valid Sync File: passed (If an (optional) sync file is present, it must not contain a `.travis.yml` entry)
Reference Dot Md: passed (The repository has a REFERENCE.md. It needs to be generated / puppet-strings documentation is missing)

Open Pull Requests

modulesync 9.2.0
modulesync

modulesync 9.1.0

Open PR in GitHub
Allow netdev as table family in defined type nftables::chain


Allow netdev as table family in defined type nftables::chain

Hi all, we would like to use this module in combination with the netdev table family type.

Are there any objections?

This Pull Request (PR) fixes the following issues

n/a.

Open PR in GitHub
Fix: Regex for bridge names


Pull Request (PR) description

Correction of a too general regex concerning bridge names.

Some bridges could be tagged, for example br123:0, and then could be caught by the regexp, generating an invalid config and producing the error: syntax error, unexpected colon, expecting newline or semicolon.

This Pull Request (PR) fixes the following issues

n/a

Open PR in GitHub
Do not drop invalid packets by default

This could be considered a breaking change. I don't mind keeping it open until the next major release.

Open PR in GitHub
Add rule for filtering outgoing DNS server traffic
enhancement

Pull Request (PR) description

This Pull Request (PR) fixes the following issues

Open PR in GitHub
rule: Add snat6
tests-fail

Pull Request (PR) description

I know the whole concept of nat and IPv6 can seem a bit odd, but I am indeed using it. Having a source nat rule that parallels the snat4 rule would suit me well.

Warning: This is mostly a copy and paste job, so there may be some comedy hiding somewhere.

This Pull Request (PR) fixes the following issues

n/a

Open PR in GitHub
Provide a mechanism to flush un-managed rules
enhancement
skip-changelog

This patchset adds a new parameter to the main class to activate a mechanism that will invoke systemctl reload nftables during the Puppet run if manual changes to the in-memory ruleset are detected.

To accomplish this, the systemd unit in charge of nftables is configured to write a hash of the in-memory ruleset right after starting/reloading. During the Puppet run, the hash of the current rule set is compared to the one previously stored. If the hash differs then systemctl reload nftables is executed to flush manual changes.

Fixes #113

Open PR in GitHub
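The detection mechanism described in the PR above, written out as an added example in POSIX shell (this is not the PR's own code or the module's; the PR implements it via the systemd unit and a Puppet parameter). Assumptions: the baseline hash lives at STATE_FILE (a hypothetical path), and the ruleset text is fed in from `nft -s list ruleset`; the unit-file hook and the Puppet exec that would call these functions are not shown.

```shell
#!/bin/sh
# Added example, not the PR's code: store a hash of the in-memory ruleset
# after nftables starts/reloads, then compare against it during the Puppet
# run and reload only when the ruleset has been changed by hand.

# Assumed baseline location (hypothetical; choose a root-only path).
STATE_FILE="${STATE_FILE:-/run/nftables-ruleset.sha256}"

# ruleset_hash: read ruleset text on stdin, print its SHA-256 hex digest.
ruleset_hash() {
    sha256sum | cut -d' ' -f1
}

# record_ruleset: store the hash of the ruleset given on stdin.
# In the PR's design this runs from the systemd unit right after
# start/reload, e.g.:  nft -s list ruleset | record_ruleset
record_ruleset() {
    ruleset_hash > "$STATE_FILE"
}

# ruleset_drifted: compare the ruleset on stdin with the stored hash.
# Returns 0 when it differs (manual changes detected), 1 when it matches,
# 2 when no baseline has been recorded yet.
ruleset_drifted() {
    [ -r "$STATE_FILE" ] || return 2
    _current=$(ruleset_hash)
    _stored=$(cat "$STATE_FILE")
    [ "$_current" != "$_stored" ]
}

# Puppet-run side (assumed invocation; needs root and the nft binary):
#   if nft -s list ruleset | ruleset_drifted; then systemctl reload nftables; fi
```

Two details matter when wiring this into a unit file. First, feed the hash from `nft -s list ruleset` (stateless output): without `-s`, any rule carrying a `counter` statement prints its packet and byte counts, so the hash would differ on every run and trigger a reload each time. Second, `ruleset_drifted` deliberately returns 2 when no baseline exists, which the `if` above treats as "do not reload"; the first reload after enabling the feature should come from the unit recording a baseline, not from Puppet guessing that drift occurred.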
add icinga2 rule for outgoing traffic
Support logging to NFLOG group

With nftables::log_group specified, log messages will be sent to the appropriate NFLOG group.

The options flags and group are mutually exclusive.

with

```yaml
nftables::log_group: 1
```

the rule should look like this:

```
limit rate 3/minute log prefix "[nftables] OUTPUT Rejected: " group 1
```

Open PR in GitHub