freighthop 0.3.3 → 0.4.0

data/modules/firewall/lib/puppet/type/firewallchain.rb

@@ -56,8 +56,8 @@ Puppet::Type.newtype(:firewallchain) do
             raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table 'mangle'"
           end
         when 'nat'
-          if chain =~ /^(BROUTING|INPUT|FORWARD)$/
-            raise ArgumentError, "PREROUTING, POSTROUTING and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
+          if chain =~ /^(BROUTING|FORWARD)$/
+            raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
           end
           if protocol =~/^(IP(v6)?)?$/
             raise ArgumentError, "table nat isn't valid in IPv6. You must specify ':IPv4' as the name suffix"
@@ -105,6 +105,47 @@ Puppet::Type.newtype(:firewallchain) do
     end
   end
 
+  newparam(:purge, :boolean => true) do
+    desc <<-EOS
+      Purge unmanaged firewall rules in this chain
+    EOS
+    newvalues(:false, :true)
+    defaultto :false
+  end
+
+  newparam(:ignore) do
+    desc <<-EOS
+      Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
+      This is matched against the output of `iptables-save`.
+
+      This can be a single regex, or an array of them.
+      To support flags, use the ruby inline flag mechanism.
+      Meaning a regex such as
+        /foo/i
+      can be written as
+        '(?i)foo' or '(?i:foo)'
+
+      Full example:
+      firewallchain { 'INPUT:filter:IPv4':
+        purge => true,
+        ignore => [
+          '-j fail2ban-ssh', # ignore the fail2ban jump rule
+          '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
+        ],
+      }
+    EOS
+
+    validate do |value|
+      unless value.is_a?(Array) or value.is_a?(String) or value == false
+        self.devfail "Ignore must be a string or an Array"
+      end
+    end
+    munge do |patterns| # convert into an array of {Regex}es
+      patterns = [patterns] if patterns.is_a?(String)
+      patterns.map{|p| Regexp.new(p)}
+    end
+  end
+
   # Classes would be a better abstraction, pending:
   # http://projects.puppetlabs.com/issues/19001
   autorequire(:package) do
@@ -148,4 +189,34 @@ Puppet::Type.newtype(:firewallchain) do
       self.fail 'The "nat" table is not intended for filtering, the use of DROP is therefore inhibited'
     end
   end
+
+  def generate
+    return [] unless self.purge?
+
+    value(:name).match(Nameformat)
+    chain = $1
+    table = $2
+    protocol = $3
+
+    provider = case protocol
+               when 'IPv4'
+                 :iptables
+               when 'IPv6'
+                 :ip6tables
+               end
+
+    # gather a list of all rules present on the system
+    rules_resources = Puppet::Type.type(:firewall).instances
+
+    # Keep only rules in this chain
+    rules_resources.delete_if { |res| (res[:provider] != provider or res.provider.properties[:table].to_s != table or res.provider.properties[:chain] != chain) }
+
+    # Remove rules which match our ignore filter
+    rules_resources.delete_if {|res| value(:ignore).find_index{|f| res.provider.properties[:line].match(f)}} if value(:ignore)
+
+    # We mark all remaining rules for deletion, and then let the catalog override us on rules which should be present
+    rules_resources.each {|res| res[:ensure] = :absent}
+
+    rules_resources
+  end
 end

data/modules/firewall/lib/puppet/util/firewall.rb

@@ -116,6 +116,20 @@ module Puppet::Util::Firewall
     value.cidr
   end
 
+  # Takes an address mask and converts the host portion to CIDR notation.
+  #
+  # This takes into account you can negate a mask but follows all rules
+  # defined in host_to_ip for the host/address part.
+  #
+  def host_to_mask(value)
+    match = value.match /(!)\s?(.*)$/
+    return host_to_ip(value) unless match
+
+    cidr = host_to_ip(match[2])
+    return nil if cidr == nil
+    "#{match[1]} #{cidr}"
+  end
+
   # Validates the argument is int or hex, and returns valid hex
   # conversion of the value or nil otherwise.
   def to_hex32(value)

data/modules/firewall/metadata.json

@@ -1,251 +1,356 @@
 {
   "name": "puppetlabs-firewall",
-  "version": "0.4.2",
+  "version": "1.0.0",
+  "summary": "Firewall Module",
   "source": "git://github.com/puppetlabs/puppetlabs-firewall.git",
+  "project_page": "http://forge.puppetlabs.com/puppetlabs/firewall",
   "author": "puppetlabs",
   "license": "ASL 2.0",
-  "summary": "Firewall Module",
-  "description": "Manages Firewalls such as iptables",
-  "project_page": "http://forge.puppetlabs.com/puppetlabs/firewall",
+  "operatingsystem_support": [
+    "RedHat",
+    "Debian",
+    "Ubuntu",
+    "SuSE",
+    "SLED"
+  ],
+  "puppet_version": [
+    2.7,
+    3.0,
+    3.1,
+    3.2,
+    3.3
+  ],
   "dependencies": [
 
   ],
+  "description": "Manages Firewalls such as iptables",
   "types": [
     {
       "name": "firewall",
-      "doc": "    This type provides the capability to manage firewall rules within\n    puppet.\n\n    **Autorequires:**\n\n    If Puppet is managing the iptables or ip6tables chains specified in the\n    `chain` or `jump` parameters, the firewall resource will autorequire\n    those firewallchain resources.\n\n    If Puppet is managing the iptables or iptables-persistent packages, and\n    the provider is iptables or ip6tables, the firewall resource will\n    autorequire those packages to ensure that any required binaries are\n    installed.\n",
+      "doc": "This type provides the capability to manage firewall rules within\npuppet.\n\n**Autorequires:**\n\nIf Puppet is managing the iptables or ip6tables chains specified in the\n`chain` or `jump` parameters, the firewall resource will autorequire\nthose firewallchain resources.\n\nIf Puppet is managing the iptables or iptables-persistent packages, and\nthe provider is iptables or ip6tables, the firewall resource will\nautorequire those packages to ensure that any required binaries are\ninstalled.",
       "properties": [
         {
           "name": "ensure",
-          "doc": "      Manage the state of this rule. The default action is *present*.\n  Valid values are `present`, `absent`."
+          "doc": "      Manage the state of this rule. The default action is *present*.\n\nValid values are `present`, `absent`. "
         },
         {
           "name": "action",
-          "doc": "      This is the action to perform on a match. Can be one of:\n\n      * accept - the packet is accepted\n      * reject - the packet is rejected with a suitable ICMP response\n      * drop - the packet is dropped\n\n      If you specify no value it will simply match the rule but perform no\n      action unless you provide a provider specific parameter (such as *jump*).\n  Valid values are `accept`, `reject`, `drop`."
+          "doc": "This is the action to perform on a match. Can be one of:\n\n* accept - the packet is accepted\n* reject - the packet is rejected with a suitable ICMP response\n* drop - the packet is dropped\n\nIf you specify no value it will simply match the rule but perform no\naction unless you provide a provider specific parameter (such as *jump*).\n\nValid values are `accept`, `reject`, `drop`. "
         },
         {
           "name": "source",
-          "doc": "      The source address. For example:\n\n          source => '192.168.2.0/24'\n\n      The source can also be an IPv6 address if your provider supports it.\n"
+          "doc": "The source address. For example:\n\n    source => '192.168.2.0/24'\n\nYou can also negate a mask by putting ! in front. For example:\n\n    source => '! 192.168.2.0/24'\n\nThe source can also be an IPv6 address if your provider supports it.\n\n"
         },
         {
           "name": "src_range",
-          "doc": "      The source IP range. For example:\n\n          src_range => '192.168.1.1-192.168.1.10'\n\n      The source IP range is must in 'IP1-IP2' format.\n  Values can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.  Requires features iprange."
+          "doc": "The source IP range. For example:\n\n    src_range => '192.168.1.1-192.168.1.10'\n\nThe source IP range is must in 'IP1-IP2' format.\n\nValues can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.\n\nRequires features iprange."
         },
         {
           "name": "destination",
-          "doc": "      The destination address to match. For example:\n\n          destination => '192.168.1.0/24'\n\n      The destination can also be an IPv6 address if your provider supports it.\n"
+          "doc": "The destination address to match. For example:\n\n    destination => '192.168.1.0/24'\n\nYou can also negate a mask by putting ! in front. For example:\n\n    destination  => '! 192.168.2.0/24'\n\nThe destination can also be an IPv6 address if your provider supports it.\n\n"
         },
         {
           "name": "dst_range",
-          "doc": "      The destination IP range. For example:\n\n          dst_range => '192.168.1.1-192.168.1.10'\n\n      The destination IP range is must in 'IP1-IP2' format.\n  Values can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.  Requires features iprange."
+          "doc": "The destination IP range. For example:\n\n    dst_range => '192.168.1.1-192.168.1.10'\n\nThe destination IP range is must in 'IP1-IP2' format.\n\nValues can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.\n\nRequires features iprange."
         },
         {
           "name": "sport",
-          "doc": "      The source port to match for this filter (if the protocol supports\n      ports). Will accept a single element or an array.\n\n      For some firewall providers you can pass a range of ports in the format:\n\n          <start_number>-<ending_number>\n\n      For example:\n\n          1-1024\n\n      This would cover ports 1 to 1024.\n"
+          "doc": "The source port to match for this filter (if the protocol supports\nports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n    <start_number>-<ending_number>\n\nFor example:\n\n    1-1024\n\nThis would cover ports 1 to 1024.\n\n"
         },
         {
           "name": "dport",
-          "doc": "      The destination port to match for this filter (if the protocol supports\n      ports). Will accept a single element or an array.\n\n      For some firewall providers you can pass a range of ports in the format:\n\n          <start_number>-<ending_number>\n\n      For example:\n\n          1-1024\n\n      This would cover ports 1 to 1024.\n"
+          "doc": "The destination port to match for this filter (if the protocol supports\nports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n    <start_number>-<ending_number>\n\nFor example:\n\n    1-1024\n\nThis would cover ports 1 to 1024.\n\n"
         },
         {
           "name": "port",
-          "doc": "      The destination or source port to match for this filter (if the protocol\n      supports ports). Will accept a single element or an array.\n\n      For some firewall providers you can pass a range of ports in the format:\n\n          <start_number>-<ending_number>\n\n      For example:\n\n          1-1024\n\n      This would cover ports 1 to 1024.\n"
+          "doc": "The destination or source port to match for this filter (if the protocol\nsupports ports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n    <start_number>-<ending_number>\n\nFor example:\n\n    1-1024\n\nThis would cover ports 1 to 1024.\n\n"
         },
         {
           "name": "dst_type",
-          "doc": "      The destination address type. For example:\n\n          dst_type => 'LOCAL'\n\n      Can be one of:\n\n      * UNSPEC - an unspecified address\n      * UNICAST - a unicast address\n      * LOCAL - a local address\n      * BROADCAST - a broadcast address\n      * ANYCAST - an anycast packet\n      * MULTICAST - a multicast address\n      * BLACKHOLE - a blackhole address\n      * UNREACHABLE - an unreachable address\n      * PROHIBIT - a prohibited address\n      * THROW - undocumented\n      * NAT - undocumented\n      * XRESOLVE - undocumented\n  Valid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`.  Requires features address_type."
+          "doc": "The destination address type. For example:\n\n    dst_type => 'LOCAL'\n\nCan be one of:\n\n* UNSPEC - an unspecified address\n* UNICAST - a unicast address\n* LOCAL - a local address\n* BROADCAST - a broadcast address\n* ANYCAST - an anycast packet\n* MULTICAST - a multicast address\n* BLACKHOLE - a blackhole address\n* UNREACHABLE - an unreachable address\n* PROHIBIT - a prohibited address\n* THROW - undocumented\n* NAT - undocumented\n* XRESOLVE - undocumented\n\nValid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`. \n\nRequires features address_type."
         },
         {
           "name": "src_type",
-          "doc": "      The source address type. For example:\n\n          src_type => 'LOCAL'\n\n      Can be one of:\n\n      * UNSPEC - an unspecified address\n      * UNICAST - a unicast address\n      * LOCAL - a local address\n      * BROADCAST - a broadcast address\n      * ANYCAST - an anycast packet\n      * MULTICAST - a multicast address\n      * BLACKHOLE - a blackhole address\n      * UNREACHABLE - an unreachable address\n      * PROHIBIT - a prohibited address\n      * THROW - undocumented\n      * NAT - undocumented\n      * XRESOLVE - undocumented\n  Valid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`.  Requires features address_type."
+          "doc": "The source address type. For example:\n\n    src_type => 'LOCAL'\n\nCan be one of:\n\n* UNSPEC - an unspecified address\n* UNICAST - a unicast address\n* LOCAL - a local address\n* BROADCAST - a broadcast address\n* ANYCAST - an anycast packet\n* MULTICAST - a multicast address\n* BLACKHOLE - a blackhole address\n* UNREACHABLE - an unreachable address\n* PROHIBIT - a prohibited address\n* THROW - undocumented\n* NAT - undocumented\n* XRESOLVE - undocumented\n\nValid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`. \n\nRequires features address_type."
         },
         {
           "name": "proto",
-          "doc": "      The specific protocol to match for this rule. By default this is\n      *tcp*.\n  Valid values are `tcp`, `udp`, `icmp`, `ipv6-icmp`, `esp`, `ah`, `vrrp`, `igmp`, `ipencap`, `ospf`, `gre`, `all`."
+          "doc": "The specific protocol to match for this rule. By default this is\n*tcp*.\n\nValid values are `tcp`, `udp`, `icmp`, `ipv6-icmp`, `esp`, `ah`, `vrrp`, `igmp`, `ipencap`, `ospf`, `gre`, `all`. "
         },
         {
           "name": "tcp_flags",
-          "doc": "      Match when the TCP flags are as specified.\n      Is a string with a list of comma-separated flag names for the mask,\n      then a space, then a comma-separated list of flags that should be set.\n      The flags are: SYN ACK FIN RST URG PSH ALL NONE\n      Note that you specify them in the order that iptables --list-rules\n      would list them to avoid having puppet think you changed the flags.\n      Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the\n\t       ACK,RST and FIN bits cleared.  Such packets are used to request\n               TCP  connection initiation.\n  Requires features tcp_flags."
+          "doc": "      Match when the TCP flags are as specified.\n      Is a string with a list of comma-separated flag names for the mask,\n      then a space, then a comma-separated list of flags that should be set.\n      The flags are: SYN ACK FIN RST URG PSH ALL NONE\n      Note that you specify them in the order that iptables --list-rules\n      would list them to avoid having puppet think you changed the flags.\n      Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the\nACK,RST and FIN bits cleared.  Such packets are used to request\n               TCP  connection initiation.\n\n\n\nRequires features tcp_flags."
         },
         {
           "name": "chain",
-          "doc": "      Name of the chain to use. Can be one of the built-ins:\n\n      * INPUT\n      * FORWARD\n      * OUTPUT\n      * PREROUTING\n      * POSTROUTING\n\n      Or you can provide a user-based chain.\n\n      The default value is 'INPUT'.\n  Values can match `/^[a-zA-Z0-9\\-_]+$/`.  Requires features iptables."
+          "doc": "Name of the chain to use. Can be one of the built-ins:\n\n* INPUT\n* FORWARD\n* OUTPUT\n* PREROUTING\n* POSTROUTING\n\nOr you can provide a user-based chain.\n\nThe default value is 'INPUT'.\n\nValues can match `/^[a-zA-Z0-9\\-_]+$/`.\n\nRequires features iptables."
         },
         {
           "name": "table",
-          "doc": "      Table to use. Can be one of:\n\n      * nat\n      * mangle\n      * filter\n      * raw\n      * rawpost\n\n      By default the setting is 'filter'.\n  Valid values are `nat`, `mangle`, `filter`, `raw`, `rawpost`.  Requires features iptables."
+          "doc": "Table to use. Can be one of:\n\n* nat\n* mangle\n* filter\n* raw\n* rawpost\n\nBy default the setting is 'filter'.\n\nValid values are `nat`, `mangle`, `filter`, `raw`, `rawpost`. \n\nRequires features iptables."
         },
         {
           "name": "jump",
-          "doc": "      The value for the iptables --jump parameter. Normal values are:\n\n      * QUEUE\n      * RETURN\n      * DNAT\n      * SNAT\n      * LOG\n      * MASQUERADE\n      * REDIRECT\n      * MARK\n\n      But any valid chain name is allowed.\n\n      For the values ACCEPT, DROP and REJECT you must use the generic\n      'action' parameter. This is to enfore the use of generic parameters where\n      possible for maximum cross-platform modelling.\n\n      If you set both 'accept' and 'jump' parameters, you will get an error as\n      only one of the options should be set.\n  Requires features iptables."
+          "doc": "The value for the iptables --jump parameter. Normal values are:\n\n* QUEUE\n* RETURN\n* DNAT\n* SNAT\n* LOG\n* MASQUERADE\n* REDIRECT\n* MARK\n\nBut any valid chain name is allowed.\n\nFor the values ACCEPT, DROP and REJECT you must use the generic\n'action' parameter. This is to enfore the use of generic parameters where\npossible for maximum cross-platform modelling.\n\nIf you set both 'accept' and 'jump' parameters, you will get an error as\nonly one of the options should be set.\n\n\n\nRequires features iptables."
         },
         {
           "name": "iniface",
-          "doc": "      Input interface to filter on.\n  Values can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.  Requires features interface_match."
+          "doc": "      Input interface to filter on.\n\nValues can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.\n\nRequires features interface_match."
         },
         {
           "name": "outiface",
-          "doc": "      Output interface to filter on.\n  Values can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.  Requires features interface_match."
+          "doc": "      Output interface to filter on.\n\nValues can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.\n\nRequires features interface_match."
         },
         {
           "name": "tosource",
-          "doc": "      When using jump => \"SNAT\" you can specify the new source address using\n      this parameter.\n  Requires features snat."
+          "doc": "When using jump => \"SNAT\" you can specify the new source address using\nthis parameter.\n\n\n\nRequires features snat."
         },
         {
           "name": "todest",
-          "doc": "      When using jump => \"DNAT\" you can specify the new destination address\n      using this paramter.\n  Requires features dnat."
+          "doc": "When using jump => \"DNAT\" you can specify the new destination address\nusing this paramter.\n\n\n\nRequires features dnat."
         },
         {
           "name": "toports",
-          "doc": "      For DNAT this is the port that will replace the destination port.\n  Requires features dnat."
+          "doc": "      For DNAT this is the port that will replace the destination port.\n\n\n\nRequires features dnat."
+        },
+        {
+          "name": "random",
+          "doc": "When using a jump value of \"MASQUERADE\", \"DNAT\", \"REDIRECT\", or \"SNAT\"\nthis boolean will enable randomized port mapping.\n\nValid values are `true`, `false`. \n\nRequires features dnat."
         },
         {
           "name": "reject",
-          "doc": "      When combined with jump => \"REJECT\" you can specify a different icmp\n      response to be sent back to the packet sender.\n  Requires features reject_type."
+          "doc": "When combined with jump => \"REJECT\" you can specify a different icmp\nresponse to be sent back to the packet sender.\n\n\n\nRequires features reject_type."
         },
         {
           "name": "log_level",
-          "doc": "      When combined with jump => \"LOG\" specifies the system log level to log\n      to.\n  Requires features log_level."
+          "doc": "When combined with jump => \"LOG\" specifies the system log level to log\nto.\n\n\n\nRequires features log_level."
         },
         {
           "name": "log_prefix",
-          "doc": "      When combined with jump => \"LOG\" specifies the log prefix to use when\n      logging.\n  Requires features log_prefix."
+          "doc": "When combined with jump => \"LOG\" specifies the log prefix to use when\nlogging.\n\n\n\nRequires features log_prefix."
         },
         {
           "name": "icmp",
-          "doc": "      When matching ICMP packets, this is the type of ICMP packet to match.\n\n      A value of \"any\" is not supported. To achieve this behaviour the\n      parameter should simply be omitted or undefined.\n  Requires features icmp_match."
+          "doc": "When matching ICMP packets, this is the type of ICMP packet to match.\n\nA value of \"any\" is not supported. To achieve this behaviour the\nparameter should simply be omitted or undefined.\n\n\n\nRequires features icmp_match."
         },
         {
           "name": "state",
-          "doc": "      Matches a packet based on its state in the firewall stateful inspection\n      table. Values can be:\n\n      * INVALID\n      * ESTABLISHED\n      * NEW\n      * RELATED\n  Valid values are `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`.  Requires features state_match."
+          "doc": "Matches a packet based on its state in the firewall stateful inspection\ntable. Values can be:\n\n* INVALID\n* ESTABLISHED\n* NEW\n* RELATED\n\nValid values are `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`. \n\nRequires features state_match."
+        },
+        {
+          "name": "ctstate",
+          "doc": "Matches a packet based on its state in the firewall stateful inspection\ntable, using the conntrack module. Values can be:\n\n* INVALID\n* ESTABLISHED\n* NEW\n* RELATED\n\nValid values are `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`. \n\nRequires features state_match."
+        },
+        {
+          "name": "hop_limit",
+          "doc": "      Hop limiting value for matched packets.\n\nValues can match `/^\\d+$/`.\n\nRequires features hop_limiting."
         },
         {
           "name": "limit",
-          "doc": "      Rate limiting value for matched packets. The format is:\n      rate/[/second/|/minute|/hour|/day].\n\n      Example values are: '50/sec', '40/min', '30/hour', '10/day'.\"\n  Requires features rate_limiting."
+          "doc": "Rate limiting value for matched packets. The format is:\nrate/[/second/|/minute|/hour|/day].\n\nExample values are: '50/sec', '40/min', '30/hour', '10/day'.\"\n\n\n\nRequires features rate_limiting."
         },
         {
           "name": "burst",
-          "doc": "      Rate limiting burst value (per second) before limit checks apply.\n  Values can match `/^\\d+$/`.  Requires features rate_limiting."
+          "doc": "      Rate limiting burst value (per second) before limit checks apply.\n\nValues can match `/^\\d+$/`.\n\nRequires features rate_limiting."
         },
         {
           "name": "uid",
-          "doc": "      UID or Username owner matching rule.  Accepts a string argument\n      only, as iptables does not accept multiple uid in a single\n      statement.\n  Requires features owner."
+          "doc": "UID or Username owner matching rule.  Accepts a string argument\nonly, as iptables does not accept multiple uid in a single\nstatement.\n\n\n\nRequires features owner."
         },
         {
           "name": "gid",
-          "doc": "      GID or Group owner matching rule.  Accepts a string argument\n      only, as iptables does not accept multiple gid in a single\n      statement.\n  Requires features owner."
+          "doc": "GID or Group owner matching rule.  Accepts a string argument\nonly, as iptables does not accept multiple gid in a single\nstatement.\n\n\n\nRequires features owner."
         },
         {
           "name": "set_mark",
-          "doc": "      Set the Netfilter mark value associated with the packet.  Accepts either of:\n      mark/mask or mark.  These will be converted to hex if they are not already.\n  Requires features mark."
+          "doc": "Set the Netfilter mark value associated with the packet.  Accepts either of:\nmark/mask or mark.  These will be converted to hex if they are not already.\n\n\n\nRequires features mark."
         },
         {
           "name": "pkttype",
-          "doc": "      Sets the packet type to match.\n  Valid values are `unicast`, `broadcast`, `multicast`.  Requires features pkttype."
+          "doc": "      Sets the packet type to match.\n\nValid values are `unicast`, `broadcast`, `multicast`. \n\nRequires features pkttype."
         },
         {
           "name": "isfragment",
-          "doc": "      Set to true to match tcp fragments (requires type to be set to tcp)\n  Valid values are `true`, `false`.  Requires features isfragment."
+          "doc": "      Set to true to match tcp fragments (requires type to be set to tcp)\n\nValid values are `true`, `false`. \n\nRequires features isfragment."
+        },
+        {
+          "name": "recent",
+          "doc": "Enable the recent module. Takes as an argument one of set, update,\nrcheck or remove. For example:\n\n  # If anyone's appeared on the 'badguy' blacklist within\n  # the last 60 seconds, drop their traffic, and update the timestamp.\n  firewall { '100 Drop badguy traffic':\n    recent   => 'update',\n    rseconds => 60,\n    rsource  => true,\n    rname    => 'badguy',\n    action   => 'DROP',\n    chain    => 'FORWARD',\n  }\n  # No-one should be sending us traffic on eth0 from localhost\n  # Blacklist them\n  firewall { '101 blacklist strange traffic':\n    recent      => 'set',\n    rsource     => true,\n    rname       => 'badguy',\n    destination => '127.0.0.0/8',\n    iniface     => 'eth0',\n    action      => 'DROP',\n    chain       => 'FORWARD',\n  }\n\nValid values are `set`, `update`, `rcheck`, `remove`. \n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rdest",
+          "doc": "Recent module; add the destination IP address to the list.\nMust be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rsource",
+          "doc": "Recent module; add the source IP address to the list.\nMust be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rname",
+          "doc": "      Recent module; The name of the list. Takes a string argument.\n\n\n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rseconds",
+          "doc": "Recent module; used in conjunction with one of `recent => 'rcheck'` or\n`recent => 'update'`. When used, this will narrow the match to only\nhappen when the address is in the list and was seen within the last given\nnumber of seconds.\n\n\n\nRequires features recent_limiting."
+        },
+        {
+          "name": "reap",
+          "doc": "Recent module; can only be used in conjunction with the `rseconds`\nattribute. When used, this will cause entries older than 'seconds' to be\npurged.  Must be boolean true.\n\n\n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rhitcount",
+          "doc": "Recent module; used in conjunction with `recent => 'update'` or `recent\n=> 'rcheck'. When used, this will narrow the match to only happen when\nthe address is in the list and packets had been received greater than or\nequal to the given value.\n\n\n\nRequires features recent_limiting."
+        },
+        {
+          "name": "rttl",
+          "doc": "Recent module; may only be used in conjunction with one of `recent =>\n'rcheck'` or `recent => 'update'`. When used, this will narrow the match\nto only happen when the address is in the list and the TTL of the current\npacket matches that of the packet which hit the `recent => 'set'` rule.\nThis may be useful if you have problems with people faking their source\naddress in order to DoS you via this module by disallowing others access\nto your site by sending bogus packets to you.  Must be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
         },
         {
           "name": "socket",
-          "doc": "      If true, matches if an open socket can be found by doing a coket lookup\n      on the packet.\n  Valid values are `true`, `false`.  Requires features socket."
+          "doc": "If true, matches if an open socket can be found by doing a coket lookup\non the packet.\n\nValid values are `true`, `false`. \n\nRequires features socket."
+        },
+        {
+          "name": "ishasmorefrags",
+          "doc": "      If true, matches if the packet has it's 'more fragments' bit set. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features ishasmorefrags."
+        },
+        {
+          "name": "islastfrag",
+          "doc": "      If true, matches if the packet is the last fragment. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features islastfrag."
+        },
+        {
+          "name": "isfirstfrag",
+          "doc": "If true, matches if the packet is the first fragment.\nSadly cannot be negated. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features isfirstfrag."
+        },
+        {
+          "name": "ipsec_policy",
+          "doc": "\t  \t Sets the ipsec policy type\n\nValid values are `none`, `ipsec`. \n\nRequires features ipsec_policy."
+        },
+        {
+          "name": "ipsec_dir",
+          "doc": "\t  \t Sets the ipsec policy direction\n\nValid values are `in`, `out`. \n\nRequires features ipsec_dir."
         }
       ],
       "parameters": [
         {
           "name": "name",
-          "doc": "      The canonical name of the rule. This name is also used for ordering\n      so make sure you prefix the rule with a number:\n\n          000 this runs first\n          999 this runs last\n\n      Depending on the provider, the name of the rule can be stored using\n      the comment feature of the underlying firewall subsystem.\n  Values can match `/^\\d+[[:alpha:][:digit:][:punct:][:space:]]+$/`."
+          "doc": "The canonical name of the rule. This name is also used for ordering\nso make sure you prefix the rule with a number:\n\n    000 this runs first\n    999 this runs last\n\nDepending on the provider, the name of the rule can be stored using\nthe comment feature of the underlying firewall subsystem.\n\nValues can match `/^\\d+[[:alpha:][:digit:][:punct:][:space:]]+$/`."
         },
         {
           "name": "line",
-          "doc": "      Read-only property for caching the rule line.\n"
+          "doc": "      Read-only property for caching the rule line.\n\n"
         }
       ],
       "providers": [
         {
           "name": "ip6tables",
-          "doc": "Ip6tables type provider\n\nRequired binaries: `ip6tables`, `ip6tables-save`.  Supported features: `dnat`, `icmp_match`, `interface_match`, `iptables`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `reject_type`, `snat`, `state_match`, `tcp_flags`."
+          "doc": "Ip6tables type provider\n\n* Required binaries: `ip6tables-save`, `ip6tables`.\n* Supported features: `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `state_match`, `tcp_flags`."
         },
         {
           "name": "iptables",
-          "doc": "Iptables type provider\n\nRequired binaries: `iptables`, `iptables-save`.  Default for `kernel` == `linux`.  Supported features: `address_type`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`."
+          "doc": "Iptables type provider\n\n* Required binaries: `iptables-save`, `iptables`.\n* Default for `kernel` == `linux`.\n* Supported features: `address_type`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`."
         }
       ]
     },
     {
       "name": "firewallchain",
-      "doc": "    This type provides the capability to manage rule chains for firewalls.\n\n    Currently this supports only iptables, ip6tables and ebtables on Linux. And\n    provides support for setting the default policy on chains and tables that\n    allow it.\n\n    **Autorequires:**\n    If Puppet is managing the iptables or iptables-persistent packages, and\n    the provider is iptables_chain, the firewall resource will autorequire\n    those packages to ensure that any required binaries are installed.\n",
+      "doc": "This type provides the capability to manage rule chains for firewalls.\n\nCurrently this supports only iptables, ip6tables and ebtables on Linux. And\nprovides support for setting the default policy on chains and tables that\nallow it.\n\n**Autorequires:**\nIf Puppet is managing the iptables or iptables-persistent packages, and\nthe provider is iptables_chain, the firewall resource will autorequire\nthose packages to ensure that any required binaries are installed.",
       "properties": [
         {
           "name": "ensure",
-          "doc": "The basic property that the resource should be in.  Valid values are `present`, `absent`."
+          "doc": "The basic property that the resource should be in.\n\nValid values are `present`, `absent`. "
         },
         {
           "name": "policy",
-          "doc": "      This is the action to when the end of the chain is reached.\n      It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,\n      PREROUTING, POSTROUTING) and can be one of:\n\n      * accept - the packet is accepted\n      * drop - the packet is dropped\n      * queue - the packet is passed userspace\n      * return - the packet is returned to calling (jump) queue\n                 or the default of inbuilt chains\n  Valid values are `accept`, `drop`, `queue`, `return`."
+          "doc": "This is the action to when the end of the chain is reached.\nIt can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,\nPREROUTING, POSTROUTING) and can be one of:\n\n* accept - the packet is accepted\n* drop - the packet is dropped\n* queue - the packet is passed userspace\n* return - the packet is returned to calling (jump) queue\n           or the default of inbuilt chains\n\nValid values are `accept`, `drop`, `queue`, `return`. "
         }
       ],
       "parameters": [
         {
           "name": "name",
-          "doc": "      The canonical name of the chain.\n\n      For iptables the format must be {chain}:{table}:{protocol}.\n"
+          "doc": "The canonical name of the chain.\n\nFor iptables the format must be {chain}:{table}:{protocol}.\n\n"
+        },
+        {
+          "name": "purge",
+          "doc": "      Purge unmanaged firewall rules in this chain\n\nValid values are `false`, `true`. "
+        },
+        {
+          "name": "ignore",
+          "doc": "Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).\nThis is matched against the output of `iptables-save`.\n\nThis can be a single regex, or an array of them.\nTo support flags, use the ruby inline flag mechanism.\nMeaning a regex such as\n  /foo/i\ncan be written as\n  '(?i)foo' or '(?i:foo)'\n\nFull example:\nfirewallchain { 'INPUT:filter:IPv4':\n  purge => true,\n  ignore => [\n    '-j fail2ban-ssh', # ignore the fail2ban jump rule\n    '--comment \"[^\"]*(?i:ignore)[^\"]*\"', # ignore any rules with \"ignore\" (case insensitive) in the comment in the rule\n  ],\n}\n\n"
         }
       ],
       "providers": [
         {
           "name": "iptables_chain",
-          "doc": "Iptables chain provider\n\nRequired binaries: `iptables`, `iptables-save`, `ip6tables`, `ip6tables-save`, `ebtables`, `ebtables-save`.  Default for `kernel` == `linux`.  Supported features: `iptables_chain`, `policy`."
+          "doc": "Iptables chain provider\n\n* Required binaries: `ebtables-save`, `ebtables`, `ip6tables-save`, `ip6tables`, `iptables-save`, `iptables`.\n* Default for `kernel` == `linux`.\n* Supported features: `iptables_chain`, `policy`."
         }
       ]
     }
   ],
   "checksums": {
     "CONTRIBUTING.md": "346969b756bc432a2a2fab4307ebb93a",
-    "Changelog": "1de1691b4ab10ee354f761a1f4c6f443",
-    "Gemfile": "cbdce086f4dbabe5394121e2281b739f",
-    "Gemfile.lock": "df949ce515d5c06d6ed31b9d7e5e3391",
+    "Changelog": "c5dd3154e7017a9b48e0a61c23681648",
+    "Gemfile": "450446f9b88dab151cab2cdf1690b1a6",
+    "Gemfile.lock": "7f852ff968e33f8b6c08f0e6660e151e",
     "LICENSE": "ade7f2bb88b5b4f034152822222ec314",
-    "Modulefile": "5e06a785cd9bce7b53f95c23eba506d2",
-    "README.markdown": "41df885b5286abc9ba27f054c5ff6dbf",
-    "Rakefile": "35d0261289b65faa09bef45b888d40ae",
+    "Modulefile": "098d56d405b4e949f3bf431942a4ae73",
+    "README.markdown": "2c2661559368753804318e39bbea9fc5",
+    "Rakefile": "f939a830f3e97bea4ebfa5773af890d2",
     "lib/facter/ip6tables_version.rb": "091123ad703f1706686bca4398c5b06f",
     "lib/facter/iptables_persistent_version.rb": "b7a47827cd3d3bb1acbd526a31da3acb",
     "lib/facter/iptables_version.rb": "facbd760223f236538b731c1d1f6cf8f",
-    "lib/puppet/provider/firewall/ip6tables.rb": "e9579ae3afdf8b1392cbdc0335ef5464",
-    "lib/puppet/provider/firewall/iptables.rb": "bb7ea2c54c60c1047e68745f3b370c6f",
+    "lib/puppet/provider/firewall/ip6tables.rb": "5ad995b85053fba4576aca96e6d0dc9d",
+    "lib/puppet/provider/firewall/iptables.rb": "74c89e3b2032478d8ba793cb75096b07",
     "lib/puppet/provider/firewall.rb": "32d2f5e5dcc082986b82ef26a119038b",
-    "lib/puppet/provider/firewallchain/iptables_chain.rb": "e98592c22901792305e0d20376c9a281",
-    "lib/puppet/type/firewall.rb": "2a591254b2df7528eafaa6dff5459ace",
-    "lib/puppet/type/firewallchain.rb": "91ebccecff290a9ab2116867a74080c7",
-    "lib/puppet/util/firewall.rb": "a9f0057c1b16a51a0bace5d4a8cc4ea4",
+    "lib/puppet/provider/firewallchain/iptables_chain.rb": "194bde3d3992a37aa7d76e431d251178",
+    "lib/puppet/type/firewall.rb": "1c37cfa054b0640aa4febfdc76c402c8",
+    "lib/puppet/type/firewallchain.rb": "548676cc7da53598eb24268ebac38a0d",
+    "lib/puppet/util/firewall.rb": "1200b76a24e3d7bc1520e39005e6848e",
     "lib/puppet/util/ipcidr.rb": "e1160dfd6e73fc5ef2bb8abc291f6fd5",
     "manifests/init.pp": "ba3e697f00fc3d4e7e5b9c7fdbc6a89d",
     "manifests/linux/archlinux.pp": "1257fe335ecafa0629b285dc8621cf75",
     "manifests/linux/debian.pp": "626f0fd23f2f451ca14e2b7f690675fe",
     "manifests/linux/redhat.pp": "44ce25057ae8d814465260767b39c414",
     "manifests/linux.pp": "7380519131fa8daae0ef45f9a162aff7",
-    "spec/fixtures/iptables/conversion_hash.rb": "012d92a358cc0c74304de14657bf9a23",
+    "spec/acceptance/basic_spec.rb": "9c19898ff3922fe12eec3d7276d46543",
+    "spec/acceptance/change_source_spec.rb": "0be26a6f0f3550e8b12049fe6c21ae35",
+    "spec/acceptance/class_spec.rb": "43e3c4d143cb01df17425aff51e6a164",
+    "spec/acceptance/firewall_spec.rb": "de2d52e24052c2d71da2c960b39a6671",
+    "spec/acceptance/firewallchain_spec.rb": "9a7128911aa17cfeed5fa5c8062138d9",
+    "spec/acceptance/ip6_fragment_spec.rb": "3b5e3a751e82f5771ec560174beb5d24",
+    "spec/acceptance/isfragment_spec.rb": "d4e986141f671cc59a05b6fb91a04a9e",
+    "spec/acceptance/nodesets/centos-59-x64.yml": "879c50ab100b927bdbbc130f23baaff7",
+    "spec/acceptance/nodesets/centos-64-x64-fusion.yml": "f5da18ffa623c6a13d9f48521b1bfa39",
+    "spec/acceptance/nodesets/centos-64-x64-pe.yml": "ec075d95760df3d4702abea1ce0a829b",
+    "spec/acceptance/nodesets/centos-64-x64.yml": "092dd2c588a9f87fa1fb12997c0723ef",
+    "spec/acceptance/nodesets/debian-607-x64.yml": "d566bf76f534e2af7c9a4605316d232c",
+    "spec/acceptance/nodesets/debian-70rc1-x64.yml": "31ccca73af7b74e1cc2fb0035c230b2c",
+    "spec/acceptance/nodesets/default.yml": "092dd2c588a9f87fa1fb12997c0723ef",
+    "spec/acceptance/nodesets/fedora-18-x64.yml": "acc126fa764c39a3b1df36e9224a21d9",
+    "spec/acceptance/nodesets/sles-11sp1-x64.yml": "fa0046bd89c1ab4ba9521ad79db234cd",
+    "spec/acceptance/nodesets/ubuntu-server-10044-x64.yml": "dc0da2d2449f66c8fdae16593811504f",
+    "spec/acceptance/nodesets/ubuntu-server-12042-x64.yml": "d30d73e34cd50b043c7d14e305955269",
+    "spec/acceptance/params_spec.rb": "8c2719621c3c352e78417d966f971b9a",
+    "spec/acceptance/purge_spec.rb": "dc9f999d810f5e069c1ca6287aa1b2a2",
+    "spec/acceptance/resource_cmd_spec.rb": "b3d0aa09125e13b0d0bf56d0faa437e2",
+    "spec/acceptance/rules_spec.rb": "4bb277a8121c33ea34fad8e900ba8ba9",
+    "spec/acceptance/socket_spec.rb": "ddb67978e37956f42f56535f6312f0a4",
+    "spec/acceptance/standard_usage_spec.rb": "66d7bae5a3dd4b595c1aa236c1a7b8b0",
+    "spec/fixtures/ip6tables/conversion_hash.rb": "0d88a4226fdf28dd55e30f7e6d4a1cb7",
+    "spec/fixtures/iptables/conversion_hash.rb": "4875f7b75948746063c8be8d8af05fa8",
     "spec/spec_helper.rb": "faae8467928b93bd251a1a66e1eedbe5",
-    "spec/spec_helper_system.rb": "4981e0b995c12996e628d004ffdcc9f4",
-    "spec/system/basic_spec.rb": "34a22dedba01b8239024137bda8ab3f8",
-    "spec/system/class_spec.rb": "04d89039312c3b9293dbb680878101c6",
-    "spec/system/params_spec.rb": "f982f9eb6ecc8d6782b9267b59d321bf",
-    "spec/system/purge_spec.rb": "a336e8a20d4c330606bf5955799a7e35",
-    "spec/system/resource_cmd_spec.rb": "f991d2b7a3e2eb6d28471534cd38b0c8",
-    "spec/system/standard_usage_spec.rb": "f80f86703843775ac14635464e9f7549",
+    "spec/spec_helper_acceptance.rb": "b456214a7299e8cdc9c3c488cf49f398",
     "spec/unit/classes/firewall_linux_archlinux_spec.rb": "1c600a9852ec328b14cb15b0630ed5ff",
     "spec/unit/classes/firewall_linux_debian_spec.rb": "6334936fb16223cf15f637083c67850e",
     "spec/unit/classes/firewall_linux_redhat_spec.rb": "f41b21caf6948f3ac08f42c1bc59ba1b",
     "spec/unit/classes/firewall_linux_spec.rb": "b934ab4e0a806f29bfdabd2369e41d0e",
-    "spec/unit/classes/firewall_spec.rb": "14fc76eeb702913159661c01125baabb",
-    "spec/unit/facter/iptables_persistent_version_spec.rb": "98aa337aae2ae8a2ac7f70586351e928",
-    "spec/unit/facter/iptables_spec.rb": "ebb008f0e01530a49007228ca1a81097",
-    "spec/unit/puppet/provider/iptables_chain_spec.rb": "6265dbb6be5af74f056d32c7e7236d0a",
-    "spec/unit/puppet/provider/iptables_spec.rb": "b1e92084c8595b7e2ef21aa0800ea084",
-    "spec/unit/puppet/type/firewall_spec.rb": "f229613c1bec34b6f84b544e021dc856",
-    "spec/unit/puppet/type/firewallchain_spec.rb": "49157d8703daf8776e414ef9ea9e5cb3",
-    "spec/unit/puppet/util/firewall_spec.rb": "3d7858f46ea3c97617311b7a5cebbae1",
+    "spec/unit/classes/firewall_spec.rb": "65e27f1c85066641d65d52c35c1d46cf",
+    "spec/unit/facter/iptables_persistent_version_spec.rb": "e08c68b6400c51735a3ac1cc4acf2d15",
+    "spec/unit/facter/iptables_spec.rb": "5265be1e6ec652184de8b314ae396d1a",
+    "spec/unit/puppet/provider/iptables_chain_spec.rb": "5b5dbc4cea409f6f40ef3f18e46fa270",
+    "spec/unit/puppet/provider/iptables_spec.rb": "3b922db8c897ed158da202e71105de82",
+    "spec/unit/puppet/type/firewall_spec.rb": "a57dc53289de01f80611292f5367b4ae",
+    "spec/unit/puppet/type/firewallchain_spec.rb": "ea82405b12b9c0069a6b38a48a6a544a",
+    "spec/unit/puppet/util/firewall_spec.rb": "fc2679265def001f3531817c1f34d4b9",
     "spec/unit/puppet/util/ipcidr_spec.rb": "1a6eeb2dd7c9634fcfb60d8ead6e1d79"
   }
 }

data/modules/firewall/spec/acceptance/basic_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper_acceptance'
+
+# Here we put the more basic fundamental tests, ultra obvious stuff.
+describe "basic tests:" do
+  it 'make sure we have copied the module across' do
+    shell('ls /etc/puppet/modules/firewall/Modulefile', {:acceptable_exit_codes => 0})
+  end
+end