All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v8.0.2 - 2024-05-22
v8.0.1 - 2024-03-20
- fix typos in documentation #1195 (corporate-gadfly)
v8.0.0 - 2024-02-08
- [CAT-1425] : Removing RedHat/Scientific/OracleLinux 6 #1163 (rajat-puppet)
- (GH-1164) Only common jump values should be enforced as upcase #1165 (david22swan)
v7.0.2 - 2023-09-14
- (GH-1158) Fix for
dport/sport/state/ctstate/ctstatuscomparisons #1160 (david22swan)
v7.0.1 - 2023-09-14
- (GH-1156) Fix for jump/goto attributes #1157 (david22swan)
v7.0.0 - 2023-09-13
- (CAT-376) Rework firewall module to use the resource_api #1145 (david22swan)
- (maint) Update all README.md mentions of
actiontojump#1151 (david22swan) - (RUBOCOP) Resolve Rubocop Issues #1149 (david22swan)
v6.0.0 - 2023-07-25
- (CONT-242) Fix duplicate rule detection #1140 (david22swan)
- pdksync - (MAINT) - Require Stdlib 9.x only #1135 (LukasAud)
- Add support for parsing and using --tcp-option #1126 (greatflyingsteve)
- disable firewalld for RedHat 9 #1142 (robertc99)
- Change ip6tables_version to constant in provider. #1134 (pjakubcz)
- Fix SELinux context on newer CentOS #1123 (tobias-urdin)
- Force firewall chain delete #1104 (cruelsmith)
v5.0.0 - 2023-03-31
- (Cont 779) Add Support for Puppet 8 / Drop Support for Puppet 6 #1118 (david22swan)
v4.1.0 - 2023-03-31
- Ignore OpenBSD, similarly to FreeBSD #1107 (buzzdeee)
- redhat9 needs iptables service #1103 (robertc99)
- debian: service: fix
ensureparameter usage #1095 (damonbreeden)
v4.0.1 - 2022-12-07
- (GH-1097) Bumping back required puppet version #1098 (LukasAud)
- support --nflog-size as replacement for --nflog-range #1096 (kjetilho)
- (1093) - Fix unresolved fact error #1094 (jordanbreen28)
- package "iptables" has been replaced by "iptables-nft" on EL9 #1085 (kjetilho)
v4.0.0 - 2022-11-22
- (CONT-173) - Updating deprecated facter instances #1079 (jordanbreen28)
- pdksync - (CONT-189) Remove support for RedHat6 / OracleLinux6 / Scientific6 #1078 (david22swan)
- pdksync - (CONT-130) - Dropping Support for Debian 9 #1075 (jordanbreen28)
- fix service port number lookup to use protocol #1023 (kjetilho)
v3.6.0 - 2022-10-03
- pdksync - (GH-cat-11) Certify Support for Ubuntu 22.04 #1063 (david22swan)
- pdksync - (GH-cat-12) Add Support for Redhat 9 #1054 (david22swan)
- allow persistence of firewall rules for Suse #1061 (corporate-gadfly)
- (GH-1055) Fix for
--random-fully#1058 (david22swan)
v3.5.0 - 2022-05-17
- pdksync - (GH-iac-334) Remove Support for Ubuntu 14.04/16.04 #1038 (david22swan)
- Fix rpfilter parameter #1013 (onyxmaster)
v3.4.0 - 2022-02-28
- pdksync - (IAC-1787) Remove Support for CentOS 6 #1027 (david22swan)
v3.3.0 - 2021-12-15
- pdksync - (IAC-1753) - Add Support for AlmaLinux 8 #1020 (david22swan)
- pdksync - (IAC-1751) - Add Support for Rocky 8 #1017 (david22swan)
- Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range #1019 (cmd-ntrf)
- Fedora 34 and iptables-compat fix; properly utilising iptables param. #1018 (adamboutcher)
- pdksync - (IAC-1598) - Remove Support for Debian 8 #1015 (david22swan)
- Add carp protocol to :proto property #1014 (adrianiurca)
- (MODULES-6876) lib/puppet/provider/firewall/iptables.rb - comments cleanup for parsing #981 (tskirvin)
v3.2.0 - 2021-09-06
- pdksync - (IAC-1709) - Add Support for Debian 11 #1005 (david22swan)
- Fix "undefined method `gsub' for nil:NilClass" when changing existing rule UID from absent to any present #1010 (onyxmaster)
v3.1.0 - 2021-07-26
- (MODULES-11138) - Fix mac_source Facter.fact().value() issue with Facter 3 #1002 (adrianiurca)
v3.0.2 - 2021-07-19
- sles-15: mac_source is downcased by iptables #997 (adrianiurca)
- fix: parsing random_fully in ip6tables #996 (scoiatael)
v3.0.1 - 2021-06-21
v3.0.0 - 2021-03-01
- pdksync - (MAINT) Remove SLES 11 support #977 (sanfrancrisko)
- pdksync - (MAINT) Remove RHEL 5 family support #976 (sanfrancrisko)
- pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 #972 (carabasdaniel)
v2.8.1 - 2021-02-09
- [MODULES-10907] Do not remove spaces from hex string with ! #967 (adrianiurca)
v2.8.0 - 2020-12-14
- pdksync - (feat) - Add support for Puppet 7 #959 (daianamezdrea)
- (IAC-966) - MODULES-10522: Add support for the --condition parameter #941 (adrianiurca)
v2.7.0 - 2020-10-15
v2.6.0 - 2020-10-05
- pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #933 (david22swan)
- Add carp protocol to :proto property #945 (pellisesol)
- Fix extra quotes in firewall string matching #944 (IBBoard)
- (IAC-987) - Removal of inappropriate terminology #942 (david22swan)
v2.5.0 - 2020-07-28
- Add acceptance and unit test #931 (adrianiurca)
- [IAC-899] - Add acceptance test for string_hex parameter #930 (adrianiurca)
- Add support for NFLOG options to ip6tables #921 (frh)
v2.4.0 - 2020-05-13
- Add support for u32 module in iptables #917 (sanfrancrisko)
- Add support for cgroup arg #916 (akerl-unpriv)
- Extend LOG options #914 (martialblog)
v2.3.0 - 2020-03-26
- Add iptables --hex-string support to firewall resource #907 (alexconrey)
- Add random_fully and rpfilter support #892 (treydock)
- (MODULES-7800) Add the ability to specify iptables connection tracking helpers. #890 (jimmyt86)
- Support conntrack module #872 (haught)
- (maint) Use fact.flush only when available #906 (Filipovici-Andrei)
- (MODULES-10358) - Clarification added to Boolean validation checks #886 (david22swan)
- Merge and remove duplicate README file, lint code snippets #878 (runejuhl)
v2.2.0 - 2019-12-09
- Add support for Debian Unstable #876 (martialblog)
- (FM-8673) - Support added for CentOS 8 #873 (david22swan)
- FM-8400 - add debian10 support #862 (lionce)
- FM-8219 - Convert to litmus #855 (lionce)
- Change - Avoid puppet failures on windows nodes #874 (blackknight36)
- Fix parsing iptables rules with hyphen in comments #861 (Hexta)
v2.1.0 - 2019-09-25
- (MODULES-6136) Add zone property of CT target. #852 (rwf14f)
- (FM-8025) Add RedHat 8 support #847 (eimlav)
v2.0.0 - 2019-05-15
- pdksync - (MODULES-8444) - Raise lower Puppet bound #841 (david22swan)
- (FM-7903) - Implement Puppet Strings #838 (david22swan)
1.15.3 - 2019-04-05
- (MODULES-8855) Move ipvs test to exception spec #834 (eimlav)
- (MODULES-8842) Fix ipvs not idempotent #833 (eimlav)
1.15.2 - 2019-03-26
- (MODULES-8615) Fix rules with ipvs not parsing #828 (eimlav)
- (MODULES-7333) - Change hashing method from MD5 to SHA256 #827 (david22swan)
- (MODULES-6547) Fix existing rules with --dport not parsing #826 (eimlav)
- (MODULES-8648) - Fix for failures on SLES 11 #816 (david22swan)
- (MODULES-8584) Handle multiple escaped quotes in comments properly #815 (mateusz-gozdek-sociomantic)
- External control for iptables-persistent #795 (identw)
1.15.1 - 2019-02-01
- (DOC-3056) Remove mention of rules ordering #809 (clairecadman)
- (FM-7712) - Remove Gentoo 1.0 testing/support for Firewall module #808 (david22swan)
- (MODULES-8360) Fix IPv6 bug relating to Bugzilla 1015 #804 (alexharv074)
1.15.0 - 2019-01-18
- (MODULES-8143) - Add SLES 15 support #798 (eimlav)
- Add nftables wrapper support for RHEL8 #794 (mwhahaha)
- Changed regex for iniface and outiface to allow '@' in interface names #791 (GeorgeCox)
- (MODULES-8214) Handle src_type and dst_type as array #790 (mateusz-gozdek-sociomantic)
- (MODULES-7990) Merge multiple comments into one while parsing rules #789 (mateusz-gozdek-sociomantic)
- add -g flag handling in ip6tables.rb provider #788 (cestith)
- (MODULES-7681) Add support for bytecode property #771 (baurmatt)
- pdksync - (FM-7655) Fix rubygems-update for ruby < 2.3 #801 (tphoney)
- (MODULES-6340) - Address failure when name begins with 9XXX #796 (eimlav)
- Amazon linux 2 changed its major version to 2 with the last update... #793 (erik-frontify)
1.14.0 - 2018-09-27
- pdksync - (MODULES-6805) metadata.json shows support for puppet 6 #782 (tphoney)
- (FM-7399) - Prepare for changelog generator #780 (pmcmaw)
1.13.0 - 2018-09-19
- pdksync - (MODULES-7705) - Bumping stdlib dependency from < 5.0.0 to < 6.0.0 #775 (pmcmaw)
- Add support for Amazon Linux 2 #768 (erik-frontify)
- (FM-7232) - Update firewall to support Ubuntu 18.04 #767 (david22swan)
- [FM-7044] Addition of Debian 9 support to firewall #765 (david22swan)
- [FM-6961] Removal of unsupported OS from firewall #764 (david22swan)
- (MODULES-7627) - Update README Limitations section #769 (eimlav)
- �Corrections to readme #766 (alexharv074)
- (MODULES-6129) negated option with address mask bugfix #756 (mirekys)
- (MODULES-2119) iptables delete -p all exception #749 (mikkergimenez)
1.12.0 - 2018-01-25
- MODULES-6261: Fix error parsing rules with dashes in the chain name #744 (hantona)
- (MODULES-6092) Set correct seluser for CentOS/RHEL 5.x #737 (mihall-primus)
1.11.0 - 2017-11-30
1.10.0 - 2017-11-14
- (MODULES-5501) - Remove unsupported Ubuntu #715 (pmcmaw)
- (Modules-1141) No longer accepts an array for icmp types #puppethack #705 (spynappels)
- (MODULES-5144) Prep for puppet 5 #709 (hunner)
- MODULE-1805 Add hashlimit-module #708 (jtruestedt)
- (MODULES-5111) Support UNTRACKED in state and ctstate rules #707 (spynappels)
- MODULES-4828 version_requirement updated #puppethack #704 (neilbinney)
- Add gid lookup #682 (crispygoth)
- [MODULES-5924] Fix unmanaged rule regex when updating a iptable. #729 (sathlan)
- (MODULES-5692) Match more than a single space #727 (hunner)
- (MODULES-5645) Choose correct IP version for hostname resolution #721 (kpengboy)
- allow ip6tables to be disabled #694 (knackaron)
- (MODULES-4200) Add simple sanity check for the rule to hash parser #666 (comel)
- (MODULES-5340) Understand negated match sets #713 (nbarrientos)
1.9.0 - 2017-05-19
- (FM-4896) add NFLOG support #697 (eputnam)
- (MODULES-4234) Add support for --physdev-is-{in,out} #685 (mhutter)
- Allow managing ebtables #684 (hunner)
- MODULES-4279 Add support for the geoip module #680 (jg-development)
- (maint) modify to account for spaces in iptables-save output #700 (eputnam)
- Change - Ensure that firewalld is stopped before iptables starts #695 (blackknight36)
- Properly handle negated
--physdev-is-...rules #693 (mhutter) - MODULES-4279 use complete option for geoip #690 (jg-development)
1.8.2 - 2017-01-10
- Add RHEL7 SELinux support for new service_name_v6 param, subsequently fix puppet lint error #671 (wilson208)
- [#puppethack] MODULES-1222 - added containment #667 (genebean)
- Add --wait to iptables commands #647 (mwhahaha)
- Fixes SELinux compatibility with EL6 #664 (bmjen)
- Re-add RHEL7 SELinux support for puppet3 #660 (bmjen)
- Fixing issue with double quotes being removed when part of the comment #646 (kindred)
- Implemented paramters for NFQUEUE jump target #644 (pid1co)
- (MODULES-3572) Ip6tables service is not managed in the redhat family. #641 (marcofl)
1.8.1 - 2016-05-17
- (Modules 3329) Add support for iptables length and string extensions #630 (shumbert)
- Add VirtuozzoLinux to the RedHat family #617 (jpnc)
- support for multiple ipsets in a rule #615 (nabam)
- Add 'ip' and 'pim' to proto #610 (lunkwill42)
- allow FreeBSD when dependencies require this class #624 (rcalixte)
- match rules with -m ttl #612 (pulecp)
1.8.0 - 2016-02-17
- (MODULES-3079) Add support for goto argument. #606 (aequitas)
- allow iptables package to be updated #583 (cristifalcas)
- Support IPv6 NAT on Linux 3.7+ #576 (nward)
- Made Facter flushing specific to a single fact. #604 (jonnytdevops)
- (MODULES 3932) - We need to call Facter.flush to clear Facter cache #603 (jonnytdevops)
- (MODULES-2159) ignore the --connlimit-saddr switch when parsing rules #602 (paulseward)
- Adding in log_uid boolean for LOG #593 (mlosapio)
- (MODULES-2836) Fix handling of chains that contain '-f' #579 (maxvozeler)
- (MODULES-2783) Missing ip6tables service name #578 (abednarik)
1.7.2 - 2015-12-07
- Add: sctp-protocol to "proto"-Parameter #589 (DavidS)
- MODULES-2769 - Add security table for iptables. #575 (werekraken)
- (MODULES-1341) Recover when deleting absent rules #577 (reidmv)
- (MAINT) RedHat 6 also uses unconfined_t #574 (DavidS)
- MODULES-2487 Improve port deprecation warning #572 (roman-mueller)
1.7.1 - 2015-08-24
1.7.0 - 2015-07-27
- add set_dscp and set_dscp_class #560 (estonfer)
- Compatibility with Puppet 4 and Facter 3 #559 (Jmeyering)
- Makes all the services autorequired by the firewall and firewallchain types. #556 (jonnytdevops)
- MODULES-2186 - iptables rules with -A in comment #555 (TJM)
- Fix for physdev idempotency on EL5 #551 (jonnytdevops)
- Fix addrtype inversion #543 (jonnytdevops)
- (MODULES-1976) Revise rule name validation for ruby 1.9 #517 (karmix)
- (MODULES-1967) Parse escape sequences from iptables #513 (karmix)
1.6.0 - 2015-05-19
- add match_mark #527 (jonnytdevops)
- Tee Support #525 (jonnytdevops)
- MSS feature #524 (jonnytdevops)
- Added support for time ipt_module #522 (jonnytdevops)
- Add support for ICMPv6 types neighbour-{solicitation,advertisement} #515 (peikk0)
- Add support for ICMPv6 type too-big (2) #514 (peikk0)
- Added ipv{4,6} to protocol list #505 (jpds-zz)
- Fix Arch Linux support #526 (elyscape)
- Added iptables-persistent fix for Debian 8 and Ubuntu 14.10 #523 (jonnytdevops)
- Fixed idempotency bug relating to MODULES-1984 #520 (jonnytdevops)
- (MODULES-1984) Perform daemon-reload on systemd #518 (johnduarte)
1.5.0 - 2015-03-31
- MODULES-1832 - add Gentoo support #498 (derdanne)
- MODULES-1636: Add --checksum-fill support. #460 (Zlo)
- MODULES-1808 - Implemented code for resource map munging to allow a single ipt module to be used multiple times in a single rule #496 (jonnytdevops)
- Added code for physdev_is_bridged #491 (jonnytdevops)
1.4.0 - 2015-01-27
- Added support for iptables physdev_in and physdev_out parameters #473 (jonnytdevops)
- MODULES-1612 - sync mask #469 (underscorgan)
- MODULES-1612 - sync ipset #468 (underscorgan)
- MODULES-1612 - sync set_mark #464 (underscorgan)
- MODULES-1612 - Sync ipsec_dir and ipsec_policy #459 (underscorgan)
- MODULES-1612 - sync mac_source #454 (underscorgan)
- MODULES-1612 - sync src_type and dst_type #453 (underscorgan)
- MODULES-1612 - sync src_range and dst_range #452 (underscorgan)
- MODUELES-1355 - support dport/sport in ip6tables provider #451 (underscorgan)
- (MODULES-464) Add netmap feature #421 (patrobinson)
- MODULES-1453 - overly aggressive gsub #479 (underscorgan)
- Uid negation fix #474 (jonnytdevops)
- QENG-1678 - Need to stop iptables to install ipset #472 (underscorgan)
- Fixing regressions for Amazon Linux since RH7 support was added #471 (mlehner616)
- MODULES-1612 - mask isn't supported on deb7 #470 (underscorgan)
- MODULES-1552 - Issues parsing
-m (tcp|udp)rules #462 (underscorgan)
1.3.0 - 2014-12-16
- MODULES-556: tcp_flags support for ip6tables #442 (underscorgan)
- MODULES-1309 - Make package and service names configurable #436 (underscorgan)
- MODULES-1469 MODULES-1470 Support alias (eth0:0), negation for iniface, ... #435 (underscorgan)
- FM-2022 Add SLES 12 to metadata #434 (cyberious)
- MODULES-1572 - Fix logic broken from MODULES-1309 #441 (underscorgan)
- MODULES-1565 - Fix regexes for EL5 #438 (underscorgan)
- Don't arbitrarily limit set_mark to certain chains #427 (stesie)
1.2.0 - 2014-11-04
- Doesn't actually support OEL5 #418 (underscorgan)
- Update to support PE3.x #420 (underscorgan)
- Support netfilter-persistent for later versions #403 (rra)
- (MODULES-450) Enable rule inversion #394 (hunner)
- Add cbt protocol, to be able to mitigate some DDoS attacks #388 (thias)
- add ipset support #383 (vzctl)
- Add support for mac address source rules pt2 #337 (damjanek)
- ip6tables isn't supported on EL5 #428 (underscorgan)
- Fixed firewalld package issue #426 (paramite)
- (MODULES-41) Change source for ip6tables provider #422 (hunner)
- (MODULES-1086) toports is not reqired with jump == REDIRECT #407 (hunner)
- Bugfix stat_prob -> stat_probability #402 (hunner)
- Improve support for EL7 and other related fixes #393 (hunner)
- Fixed bug which arbitrarily limited iniface and outiface parameters #374 (lejonet)
1.1.3 - 2014-07-14
1.1.2 - 2014-06-05
1.1.1 - 2014-05-16
1.1.0 - 2014-05-13
- Fix access to distmoduledir #354 (hunner)
- Fix support for Fedora Rawhide #350 (xbezdick)
- Fix failing persist_iptables test on RHEL7 and Fedora #341 (jeckersb)
- --reap flag is not added to iptables command #340 (simon-martin)
- Fix typo in SNAT error message #339 (cure)
- Treat RHEL 7 and later like Fedora w/r/t iptables #338 (larsks)
1.0.2 - 2014-03-04
1.0.1 - 2014-03-03
- Change OEL limitation description #326 (hunner)
- Socket owner sles madness #324 (apenney)
- Fix logic for supported socket platforms #322 (hunner)
- Bugfix: Account for rules sorted after unmanaged rules #321 (hunner)
- Fix various differences for rhel5 #314 (hunner)
- Use iptables-save and parse the output #311 (hunner)
1.0.0 - 2014-02-11
0.5.0 - 2014-02-10
- Add --random support as per #141 comment #298 (hunner)
- (MODULES-31) add support for iptables recent #296 (hunner)
- Add purge support to firewallchain #287 (hunner)
- allow input chain in nat table #270 (phemmer)
- add ipsec policy matching #268 (phemmer)
- Negation support #267 (phemmer)
- Support conntrack stateful firewall matching #257 (nogweii)
- Add support for IPv6 hop limiting #208 (georgkoester)
- Add ipv6 frag matchers2 and generify known_boolean handling. #207 (georgkoester)
- Fix for #286 for pre-existing rules at the start of a chain #303 (hunner)
- Fix #300 for match extension protocol #302 (hunner)
- (MODULES-451) Match extension protocol for multiport #300 (hunner)
- (MODULES-16) Correct src_range dst_range ordering #293 (hunner)
- (MODULES-442) Correct boolean properties behavior #291 (hunner)
- (MODULES-441) Helpfully fail when modifying chains #288 (hunner)
- (MODULES-439) Work around existing rules #286 (hunner)
- fix handling of builtin chains #271 (phemmer)
- Remove redundant
includecall in system spec helper. #253 (stefanozanella) - Generate parser list #248 (senax)
- No firewallchain autorequire for INPUT, OUTPUT and FORWARD when table is :filter to enable DROP policy without blocking #240 (doc75)
0.4.2 - 2013-09-10
0.4.1 - 2013-08-12
0.4.0 - 2013-07-12
list - 2013-07-09
- Add SL and SLC cases for operatingsystem #220 (traylenator)
- Add support for --src-type and --dst-type #212 (nickstenning)
- Update providers to use expect syntax #217 (hunner)
- Fix #188: -f in comment leads to puppet resource firewall failing. #204 (georgkoester)
0.3.1 - 2013-06-10
- Ensure all services have 'hasstatus => true' for Puppet 2.6 #197 (kbarber)
- Accept pre-existing rule with invalid name #192 (joejulian)
- Swap log_prefix and log_level order to match the way it's saved #191 (joejulian)
- (#20912) Split argments while maintaining quoted strings #189 (joejulian)
0.3.0 - 2013-04-25
- (#171) Added ensure parameter to firewall class #172 (cr3)
- (20096) Support systemd on Fedora 15 and up #145 (ecbypi)
0.2.1 - 2013-03-13
0.2.0 - 2013-03-03
0.1.1 - 2013-02-28
0.1.0 - 2013-02-24
- (#15556) Support for ICMP6 type code resolutions #87 (dcarley)
- (#15038) add gre protocol to list of acceptable protocols #85 (jasonhancock)
- Ticket/11305 support vlan interface #70 (kbarber)
- Ticket/10162 firewallchain support for merge #62 (kbarber)
- Mock Resolv.getaddress in #host_to_ip #110 (dcarley)
- ip6tables provider allways execute /sbin/iptables command #105 (wuwx)
- (#10322) Insert order hash included chains from different tables #89 (kbarber)
- (#10274) Nullify addresses with zero prefixlen #80 (dcarley)
- Ticket/10619 unable to purge rules #69 (kbarber)
- (#13201) Firewall autorequire Firewallchains #67 (dcarley)
- (#13192) Fix allvalidchain iteration #63 (kbarber)
- Improved Puppet DSL style as per the guidelines. #61 (adamgibbins)
- (#10164) Reject and document icmp => "any" #60 (dcarley)
- (#11443) simple fix of the error message for allowed values of the jump property #50 (grooverdan)
v0.0.4 - 2011-12-05
- (#10690) add port property support to ip6tables #33 (saysjonathan)
v0.0.3 - 2011-11-12
- (#10700) allow additional characters in comment string #30 (saysjonathan)
v0.0.2 - 2011-10-26
- (#10295) Work around bug #4248 whereby the puppet/util paths are not bein #22 (kbarber)
- (#10002) Change to dport and sport to handle ranges, and fix handling of #21 (kbarber)