All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v4.0.0 (2024-08-05)
Breaking changes:
- Drop EOL CentOS 8 support #245 (traylenator)
Implemented enhancements:
- add support for conntrack helpers #207
- New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality #253 (canihavethisone)
- Add support for arrays of source/destination IP addresses for nftables::simplerule #252 (phaedriel)
- New clobber_default_config parameter #247 (traylenator)
- update puppet-systemd upper bound to 8.0.0 #242 (TheMeier)
- rules::llmnr: Allow interface filtering #235 (bastelfreak)
- rules::ospf3 & rules::out::ospf3: Allow filtering on outgoing interfaces #234 (bastelfreak)
- rules::out::mdns & rules::mdns: Allow interface filtering #233 (bastelfreak)
Merged pull requests:
- Run default destroying acceptance tests at end #249 (traylenator)
- Accept on Debian 11 nftables::set will fail #246 (traylenator)
v3.7.1 (2023-12-29)
Fixed bugs:
- rules::icmp: Allow ICMP packets with extensions #231 (bastelfreak)
- out::icmp: simplify filtering/fix ICMP bug #230 (bastelfreak)
v3.7.0 (2023-12-27)
Implemented enhancements:
- simplerule: Allow multiple oifname/iifname #228 (bastelfreak)
v3.6.0 (2023-12-20)
Implemented enhancements:
- Make "dropping invalid packets" configurable #225 (bastelfreak)
- simplerule: Add support for outgoing interface filtering #224 (bastelfreak)
- simplerule: Add support for incoming interface filtering #221 (bastelfreak)
Merged pull requests:
- rules::out::dns: refactor for better readability #222 (bastelfreak)
- Document what the 'auto_merge' set parameter does. #219 (Tamerz)
v3.5.0 (2023-11-27)
Implemented enhancements:
- Support input interface specification to dns server #215 (traylenator)
- Additional rules for podman root containers #214 (traylenator)
- nftables::simplerule::dport - takes port ranges as part of the array #189 (tskirvin)
Merged pull requests:
- Example how to redirect one port to another #183 (traylenator)
v3.4.0 (2023-11-17)
Implemented enhancements:
- allow puppet/systemd v6 #213 (vchepkov)
- Add Debian 12 support #211 (bastelfreak)
- provide an option to disable logging rejected packets #209 (vchepkov)
- add ftp helper #208 (vchepkov)
v3.3.0 (2023-08-28)
Implemented enhancements:
- samba: Add option to drop traffic #204 (bastelfreak)
- Add nftables rules for ws-discovery #203 (bastelfreak)
- Add rule for incoming SSDP #202 (bastelfreak)
- Add rule for incoming LLMNR #201 (bastelfreak)
v3.2.0 (2023-08-19)
Implemented enhancements:
- Add rule for outgoing multicast DNS #199 (bastelfreak)
- Add rule for multicast listener requests (MLDv2) #198 (bastelfreak)
- Add rules for IGMP #194 (bastelfreak)
- mDNS: Allow udp port 5353 #193 (bastelfreak)
- Add rule to allow incoming spotify broadcast #192 (bastelfreak)
- Add rule to allow multicast DNS #191 (bastelfreak)
- Add rule to allow incoming multicast traffic #190 (bastelfreak)
- Declare stdlib v9 support #180 (traylenator)
Fixed bugs:
- Add missing unit string for timeout,gc-interval #187 (javier-angulo)
v3.1.0 (2023-07-30)
Implemented enhancements:
- puppetlabs/stdlib: Allow 9.x #182 (bastelfreak)
- Declare puppet v8 support #181 (traylenator)
Merged pull requests:
- puppetlabs/concat: Allow 9.x #185 (bastelfreak)
v3.0.1 (2023-06-20)
Implemented enhancements:
- add ldap and active directory rules #177 (SimonHoenscheid)
Closed issues:
- rspec tests fail on docker again. #167
Merged pull requests:
- Increased puppet/systemd upper limit to < 6.0.0 #176 (canihavethisone)
v3.0.0 (2023-05-25)
Breaking changes:
- Drop puppet 6 support #173 (traylenator)
Implemented enhancements:
- Raise puppetlabs/concat upper limit to < 9.0.0 #170 (canihavethisone)
Merged pull requests:
- Refresh REFERENCE #171 (traylenator)
- Fix typo in icinga2 rule documentation #169 (baldurmen)
v2.6.1 (2023-03-24)
Implemented enhancements:
- Add bridge as a valid family for chain tables #165 (luisfdez)
- Add Rocky 8 and 9 support #161 (bastelfreak)
- Declare AlmaLinux8 and AlmaLinux9 support #160 (nbarrientos)
- bump puppet/systemd to < 5.0.0 #159 (jhoblitt)
- Allow netdev as table family in defined type nftables::chain #149 (hugendudel)
Closed issues:
- failing to setup a basic firewall #158
v2.6.0 (2022-10-25)
Implemented enhancements:
- Add class for outgoing HKP firewalling #153 (bastelfreak)
- Add Ubuntu support #152 (bastelfreak)
- split conntrack management into dedicated classes #148 (duritong)
- New nftables::file type to include raw file #147 (traylenator)
v2.5.0 (2022-08-26)
Closed issues:
- nftables::bridges creates invalid rule names when bridge devices have multiple IP addresses #143
v2.4.0 (2022-07-11)
Implemented enhancements:
- Add rule to allow outgoing whois queries #140 (bastelfreak)
- chrony: Allow filtering for outgoing NTP servers #139 (bastelfreak)
- Add class for pxp-agent firewalling #138 (bastelfreak)
v2.3.0 (2022-07-06)
Implemented enhancements:
- systemctl: Use relative path #136 (bastelfreak)
- Add Debian support #134 (bastelfreak)
- make path to echo configurable #133 (bastelfreak)
- make path to nft binary configurable #132 (bastelfreak)
v2.2.1 (2022-05-02)
Merged pull requests:
- rspec mock systemd process on docker #128 (traylenator)
v2.2.0 (2022-02-27)
Implemented enhancements:
- Add support for Arch Linux #124 (hashworks)
- Declare support for RHEL9, CentOS9 and OL9 #120 (nbarrientos)
- Rubocop corrections for rubocop 1.22.3 #118 (traylenator)
- Use protocol number instead of label #112 (keachi)
v2.1.0 (2021-09-14)
Implemented enhancements:
- nftables::set can only be assigned to 1 table #100
- support a different table name for 'nat' #107 (figless)
- Allow declaring the same set in several tables #102 (nbarrientos)
Fixed bugs:
- fix datatype for $table and $dport #104 (bastelfreak)
Merged pull requests:
- Allow stdlib 8.0.0 #106 (smortex)
- switch from camptocamp/systemd to voxpupuli/systemd #103 (bastelfreak)
- pull fixtures from git and not forge #99 (bastelfreak)
v2.0.0 (2021-06-03)
Breaking changes:
- Drop Puppet 5, puppetlabs/concat 7.x, puppetlabs/stdlib 7.x, camptocamp/systemd: 3.x #92 (traylenator)
- Drop Puppet 5 support #79 (kenyon)
Implemented enhancements:
- Ability to set base chains #95
- puppetlabs/concat: Allow 7.x #91 (bastelfreak)
- puppetlabs/stdlib: Allow 7.x #90 (bastelfreak)
- camptocamp/systemd: allow 3.x #89 (bastelfreak)
Fixed bugs:
- Fix IPv4 source address type detection #93 (nbarrientos)
Closed issues:
- Class[Nftables::Bridges]['bridgenames'] contains a Regexp value. It will be converted to the String '/^br.+/' #83
Merged pull requests:
- Allow creating a totally empty firewall #96 (nbarrientos)
- Amend link to Yasnippets #88 (nbarrientos)
v1.3.0 (2021-03-25)
Implemented enhancements:
- Add rules for QEMU/libvirt guests (bridged virtual networking) #85 (nbarrientos)
- Add nftables.version to structured fact. #84 (traylenator)
- Add rules for Apache ActiveMQ #82 (nbarrientos)
- Add Docker-CE default rules #80 (luisfdez)
Closed issues:
- Increase puppetlabs/concat version in metadata #78
Merged pull requests:
- Fix sections and add a pointer to code snippets for Emacs #81 (nbarrientos)
v1.2.0 (2021-03-03)
Fixed bugs:
- nftables service is broken after reboot #74
- fix #74 - ensure table are initialized before flushing them #75 (duritong)
v1.1.1 (2021-01-29)
Fixed bugs:
- Simplerule: wrong IP protocol version filter statement for IPv6 traffic #69
- Fix IP version filter for IPv6 traffic #70 (nbarrientos)
Merged pull requests:
- Improve nftables::rule's documentation #68 (nbarrientos)
v1.1.0 (2021-01-25)
Implemented enhancements:
- Enable parameter_documentation lint #64 (traylenator)
- Add Samba in rules #62 (glpatcern)
- Add some mail related outgoing rules #60 (duritong)
Fixed bugs:
- nftables::simplerule should follow the same rules as nftables::rule #58
- Align simplerule and rule rulename requirements #59 (nbarrientos)
Closed issues:
- Get it under the voxpupuli umbrella #35
Merged pull requests:
- Add badges to README #63 (traylenator)
- Check that all the predefined rules are declared in the all rules acceptance test #53 (nbarrientos)
v1.0.0 (2020-12-15)
Implemented enhancements:
- Use Stdlib::Port everywhere in place of Integer #56 (traylenator)
- Enable Puppet 7 support #51 (bastelfreak)
- Several fixes for nftables::config #48 (nbarrientos)
- rubocop corrections #41 (traylenator)
- Add basic configuration validation acceptance test #38 (traylenator)
- Remove duplicate flush on reload #34 (traylenator)
- Add nftables::simplerule #33 (nbarrientos)
- Add Ceph and NFS rules #32 (dvanders)
- New parameter noflush_tables to selectively skip flush #31 (traylenator)
- Scientific Linux 8 will never exist #30 (traylenator)
- Enable conntrack in FORWARD #29 (keachi)
- Do not test nftables::rules repeatedly #28 (traylenator)
- Allow sourcing sets from Hiera #26 (nbarrientos)
- Allow disabling default NAT tables and chains #25 (nbarrientos)
- Set a customisable rate limit to the logging rules #22 (nbarrientos)
- Make masking Service['firewalld'] optional #20 (nbarrientos)
- Move ICMP stuff to separate classes allowing better customisation #16 (nbarrientos)
- Move conntrack rules from global to INPUT and OUTPUT #14 (nbarrientos)
- Add comments for all the nftable::rules entries #13 (traylenator)
- Allow tables to add comments to $log_prefix #12 (nbarrientos)
- Reload rules atomically and verify rules before deploy #10 (traylenator)
- Allow raw sets and dashes in set names #8 (nbarrientos)
- Add a parameter to control the fate of discarded traffic #7 (nbarrientos)
- Add rules for afs3_callback in and out rules for kerberos and openafs. #6 (traylenator)
- Allow customising the log prefix #5 (nbarrientos)
- Add classes encapsulating rules for DHCPv6 client traffic (in/out) #4 (nbarrientos)
- Add support for named sets #3 (nbarrientos)
- New parameter out_all, default false #1 (traylenator)
Fixed bugs:
- Correct nfs3 invalid udp/tcp matching rule and more tests #50 (traylenator)
- Prefix custom tables with custom- so they're loaded #47 (nbarrientos)
- Correct bad merge #15 (traylenator)
Closed issues:
- deploying custom tables is broken #45
- Switch to Stdlib::Port everywhere #37
- Add set definition from Hiera #24
- Add an option to disable NAT #23
- Add an option to limit the rate of logged messages #19
- Rule API #17
- Publish to forge.puppet.com #11
- The global chain contains INPUT specific rules #9
- The fate of forbidden packets should be configurable #2
Merged pull requests:
- Docs for nftables::set #55 (traylenator)
- Remove a blank separating the doc string and the code #52 (nbarrientos)
- Release 1.0.0 #49 (traylenator)
- Correct layout of ignore table example #44 (traylenator)
- Fix typos and formatting in the README #43 (nbarrientos)
- Comment why firewalld_enable parameter is required #40 (traylenator)
- modulesync 4.0.0 #36 (traylenator)
- Refresh REFERENCE #27 (traylenator)
* This Changelog was automatically generated by github_changelog_generator