Merge branch 'puppetlabs:main' into main

Author: chrisongthb

.github/workflows/mend.yml

@@ -1,9 +1,10 @@
 name: "mend"
 
 on:
-  pull_request:
-    branches:
-      - "main"
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:

CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v8.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.1) - 2024-03-20
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v8.0.0...v8.0.1)
+
+### Fixed
+
+- (MODULES-11449) - Fix for IPv6 NAT chain [#1201](https://github.com/puppetlabs/puppetlabs-firewall/pull/1201) ([Ramesh7](https://github.com/Ramesh7))
+
+### Other
+
+- fix typos in documentation [#1195](https://github.com/puppetlabs/puppetlabs-firewall/pull/1195) ([corporate-gadfly](https://github.com/corporate-gadfly))
+
+## [v8.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.0) - 2024-02-08
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.2...v8.0.0)
+
+### Changed
+- [CAT-1425] : Removing RedHat/Scientific/OracleLinux 6 [#1163](https://github.com/puppetlabs/puppetlabs-firewall/pull/1163) ([rajat-puppet](https://github.com/rajat-puppet))
+
+### Fixed
+
+- (GH-1164) Only common jump values should be enforced as upcase [#1165](https://github.com/puppetlabs/puppetlabs-firewall/pull/1165) ([david22swan](https://github.com/david22swan))
+
 ## [v7.0.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/v7.0.2) - 2023-09-14
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.1...v7.0.2)
@@ -37,14 +60,14 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v5.0.0...v6.0.0)
 
-### Added
-
-- Add support for parsing and using --tcp-option [#1126](https://github.com/puppetlabs/puppetlabs-firewall/pull/1126) ([greatflyingsteve](https://github.com/greatflyingsteve))
-
 ### Changed
 - (CONT-242) Fix duplicate rule detection [#1140](https://github.com/puppetlabs/puppetlabs-firewall/pull/1140) ([david22swan](https://github.com/david22swan))
 - pdksync - (MAINT) - Require Stdlib 9.x only [#1135](https://github.com/puppetlabs/puppetlabs-firewall/pull/1135) ([LukasAud](https://github.com/LukasAud))
 
+### Added
+
+- Add support for parsing and using --tcp-option [#1126](https://github.com/puppetlabs/puppetlabs-firewall/pull/1126) ([greatflyingsteve](https://github.com/greatflyingsteve))
+
 ### Fixed
 
 - disable firewalld for RedHat 9 [#1142](https://github.com/puppetlabs/puppetlabs-firewall/pull/1142) ([robertc99](https://github.com/robertc99))
@@ -88,13 +111,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v3.6.0...v4.0.0)
 
+### Changed
+- (CONT-256) Removing outdated code [#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud))
+
 ### Added
 
 - add support for using rpfilter in rules [#1059](https://github.com/puppetlabs/puppetlabs-firewall/pull/1059) ([cmusik](https://github.com/cmusik))
 
-### Changed
-- (CONT-256) Removing outdated code [#1084](https://github.com/puppetlabs/puppetlabs-firewall/pull/1084) ([LukasAud](https://github.com/LukasAud))
-
 ### Fixed
 
 - (CONT-173) - Updating deprecated facter instances [#1079](https://github.com/puppetlabs/puppetlabs-firewall/pull/1079) ([jordanbreen28](https://github.com/jordanbreen28))
@@ -326,13 +349,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.3...v2.0.0)
 
+### Changed
+- pdksync - (MODULES-8444) - Raise lower Puppet bound [#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan))
+
 ### Added
 
 - (FM-7903) - Implement Puppet Strings [#838](https://github.com/puppetlabs/puppetlabs-firewall/pull/838) ([david22swan](https://github.com/david22swan))
 
-### Changed
-- pdksync - (MODULES-8444) - Raise lower Puppet bound [#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan))
-
 ### Fixed
 
 - (MODULES-8736) IPtables support on RHEL8 [#824](https://github.com/puppetlabs/puppetlabs-firewall/pull/824) ([EmilienM](https://github.com/EmilienM))
@@ -438,6 +461,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.9.0...1.10.0)
 
+### Changed
+- (MODULES-5501) - Remove unsupported Ubuntu [#715](https://github.com/puppetlabs/puppetlabs-firewall/pull/715) ([pmcmaw](https://github.com/pmcmaw))
+- (Modules-1141) No longer accepts an array for icmp types #puppethack [#705](https://github.com/puppetlabs/puppetlabs-firewall/pull/705) ([spynappels](https://github.com/spynappels))
+
 ### Added
 
 - (MODULES-5144) Prep for puppet 5 [#709](https://github.com/puppetlabs/puppetlabs-firewall/pull/709) ([hunner](https://github.com/hunner))
@@ -446,10 +473,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 - MODULES-4828 version_requirement updated #puppethack [#704](https://github.com/puppetlabs/puppetlabs-firewall/pull/704) ([neilbinney](https://github.com/neilbinney))
 - Add gid lookup [#682](https://github.com/puppetlabs/puppetlabs-firewall/pull/682) ([crispygoth](https://github.com/crispygoth))
 
-### Changed
-- (MODULES-5501) - Remove unsupported Ubuntu [#715](https://github.com/puppetlabs/puppetlabs-firewall/pull/715) ([pmcmaw](https://github.com/pmcmaw))
-- (Modules-1141) No longer accepts an array for icmp types #puppethack [#705](https://github.com/puppetlabs/puppetlabs-firewall/pull/705) ([spynappels](https://github.com/spynappels))
-
 ### Fixed
 
 - [MODULES-5924] Fix unmanaged rule regex when updating a iptable. [#729](https://github.com/puppetlabs/puppetlabs-firewall/pull/729) ([sathlan](https://github.com/sathlan))
@@ -502,16 +525,16 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.8.0...1.8.1)
 
+### Changed
+- (maint) Remove nat flush [#625](https://github.com/puppetlabs/puppetlabs-firewall/pull/625) ([hunner](https://github.com/hunner))
+
 ### Added
 
 - (Modules 3329) Add support for iptables length and string extensions [#630](https://github.com/puppetlabs/puppetlabs-firewall/pull/630) ([shumbert](https://github.com/shumbert))
 - Add VirtuozzoLinux to the RedHat family [#617](https://github.com/puppetlabs/puppetlabs-firewall/pull/617) ([jpnc](https://github.com/jpnc))
 - support for multiple ipsets in a rule [#615](https://github.com/puppetlabs/puppetlabs-firewall/pull/615) ([nabam](https://github.com/nabam))
 - Add 'ip' and 'pim' to proto [#610](https://github.com/puppetlabs/puppetlabs-firewall/pull/610) ([lunkwill42](https://github.com/lunkwill42))
 
-### Changed
-- (maint) Remove nat flush [#625](https://github.com/puppetlabs/puppetlabs-firewall/pull/625) ([hunner](https://github.com/hunner))
-
 ### Fixed
 
 - allow FreeBSD when dependencies require this class [#624](https://github.com/puppetlabs/puppetlabs-firewall/pull/624) ([rcalixte](https://github.com/rcalixte))
@@ -662,6 +685,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.1.3...1.2.0)
 
+### Changed
+- Doesn't actually support OEL5 [#418](https://github.com/puppetlabs/puppetlabs-firewall/pull/418) ([underscorgan](https://github.com/underscorgan))
+
 ### Added
 
 - Update to support PE3.x [#420](https://github.com/puppetlabs/puppetlabs-firewall/pull/420) ([underscorgan](https://github.com/underscorgan))
@@ -671,9 +697,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 - add ipset support [#383](https://github.com/puppetlabs/puppetlabs-firewall/pull/383) ([vzctl](https://github.com/vzctl))
 - Add support for mac address source rules pt2 [#337](https://github.com/puppetlabs/puppetlabs-firewall/pull/337) ([damjanek](https://github.com/damjanek))
 
-### Changed
-- Doesn't actually support OEL5 [#418](https://github.com/puppetlabs/puppetlabs-firewall/pull/418) ([underscorgan](https://github.com/underscorgan))
-
 ### Fixed
 
 - ip6tables isn't supported on EL5 [#428](https://github.com/puppetlabs/puppetlabs-firewall/pull/428) ([underscorgan](https://github.com/underscorgan))
@@ -704,13 +727,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.0.2...1.1.0)
 
+### Changed
+- Apply firewall resources alphabetically [#342](https://github.com/puppetlabs/puppetlabs-firewall/pull/342) ([mcanevet](https://github.com/mcanevet))
+
 ### Added
 
 - (MODULES-689) Add support for connlimit and connmark [#344](https://github.com/puppetlabs/puppetlabs-firewall/pull/344) ([csschwe](https://github.com/csschwe))
 
-### Changed
-- Apply firewall resources alphabetically [#342](https://github.com/puppetlabs/puppetlabs-firewall/pull/342) ([mcanevet](https://github.com/mcanevet))
-
 ### Fixed
 
 - Fix access to distmoduledir [#354](https://github.com/puppetlabs/puppetlabs-firewall/pull/354) ([hunner](https://github.com/hunner))
@@ -779,11 +802,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.1...0.4.2)
 
-### Fixed
-
-- Only workaround if we're using the old package. [#233](https://github.com/puppetlabs/puppetlabs-firewall/pull/233) ([mrwacky42](https://github.com/mrwacky42))
-- 22090 - Use list of RedHat OSes from newer facter. [#232](https://github.com/puppetlabs/puppetlabs-firewall/pull/232) ([mrwacky42](https://github.com/mrwacky42))
-
 ## [0.4.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/0.4.1) - 2013-08-12
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/0.4.0...0.4.1)
@@ -870,26 +888,21 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 - Mock Resolv.getaddress in #host_to_ip [#110](https://github.com/puppetlabs/puppetlabs-firewall/pull/110) ([dcarley](https://github.com/dcarley))
 - ip6tables provider allways execute /sbin/iptables command [#105](https://github.com/puppetlabs/puppetlabs-firewall/pull/105) ([wuwx](https://github.com/wuwx))
-- (#16004) array_matching is contraindicated. [#100](https://github.com/puppetlabs/puppetlabs-firewall/pull/100) ([mrwacky42](https://github.com/mrwacky42))
 - (#10322) Insert order hash included chains from different tables [#89](https://github.com/puppetlabs/puppetlabs-firewall/pull/89) ([kbarber](https://github.com/kbarber))
 - (#10274) Nullify addresses with zero prefixlen [#80](https://github.com/puppetlabs/puppetlabs-firewall/pull/80) ([dcarley](https://github.com/dcarley))
-- (#14641) Fix for incorrect limit command arguments for ip6tables provider [#79](https://github.com/puppetlabs/puppetlabs-firewall/pull/79) ([cheethoe](https://github.com/cheethoe))
 - Ticket/10619 unable to purge rules [#69](https://github.com/puppetlabs/puppetlabs-firewall/pull/69) ([kbarber](https://github.com/kbarber))
 - (#13201) Firewall autorequire Firewallchains [#67](https://github.com/puppetlabs/puppetlabs-firewall/pull/67) ([dcarley](https://github.com/dcarley))
 - (#13192) Fix allvalidchain iteration [#63](https://github.com/puppetlabs/puppetlabs-firewall/pull/63) ([kbarber](https://github.com/kbarber))
 - Improved Puppet DSL style as per the guidelines. [#61](https://github.com/puppetlabs/puppetlabs-firewall/pull/61) ([adamgibbins](https://github.com/adamgibbins))
 - (#10164) Reject and document icmp => "any" [#60](https://github.com/puppetlabs/puppetlabs-firewall/pull/60) ([dcarley](https://github.com/dcarley))
 - (#11443) simple fix of the error message for allowed values of the jump property [#50](https://github.com/puppetlabs/puppetlabs-firewall/pull/50) ([grooverdan](https://github.com/grooverdan))
-- Initial creation of class firewall for issue #10984 [#34](https://github.com/puppetlabs/puppetlabs-firewall/pull/34) ([mrwacky42](https://github.com/mrwacky42))
 
 ## [v0.0.4](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.4) - 2011-12-05
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v0.0.3...v0.0.4)
 
 ### Added
 
-- (#10997) Add fixtures for ipencap [#39](https://github.com/puppetlabs/puppetlabs-firewall/pull/39) ([mrwacky42](https://github.com/mrwacky42))
-- Add owner-match support [#38](https://github.com/puppetlabs/puppetlabs-firewall/pull/38) ([mrwacky42](https://github.com/mrwacky42))
 - (#10690) add port property support to ip6tables [#33](https://github.com/puppetlabs/puppetlabs-firewall/pull/33) ([saysjonathan](https://github.com/saysjonathan))
 
 ## [v0.0.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/v0.0.3) - 2011-11-12

README.md

@@ -568,7 +568,7 @@ As part of this process several breaking changes where made to the code that wil
 * Attributes that allow both arrays and negated values have now been updated.
   * For attributes that require that all passed values be negated as one, you now merely have to negate the first value within the array, rather than all of them, though negating all is still accepted.
   * For attributes that allow passed values to be negated seperately this is not the case. All attributes in this situation are noted within their description.
-* The `sport` and `dport` attributes have been updated so that they will now accept with `:` or `-` as a separator when passing ranges, with `:` being preferred as it matchs what is passed to iptables.
+* The `sport` and `dport` attributes have been updated so that they will now accept with `:` or `-` as a separator when passing ranges, with `:` being preferred as it matches what is passed to iptables.
 
 Two pairs of manifest taken from the tests can be seen below, illustrating the changes that may be required, the first applying a hoplimit on `ip6tables`:
 

REFERENCE.md

@@ -730,8 +730,7 @@ Data type: `Optional[Variant[String[1], Integer]]`
 
 ##### `goto`
 
-Data type: `Optional[Pattern[/^[a-zA-Z0-9_]+$/]]`
-_*this data type contains a regex that may not be accurately reflected in generated documentation_
+Data type: `Optional[String[1]]`
 
       The value for the iptables --goto parameter. Normal values are:
 
@@ -927,16 +926,15 @@ Data type: `Optional[Boolean]`
 
 ##### `jump`
 
-Data type: `Optional[Pattern[/^[a-zA-Z0-9_]+$/]]`
-_*this data type contains a regex that may not be accurately reflected in generated documentation_
+Data type: `Optional[String[1]]`
 
       This value for the iptables --jump parameter and the action to perform on a match. Common values are:
 
       * ACCEPT - the packet is accepted
       * REJECT - the packet is rejected with a suitable ICMP response
       * DROP - the packet is dropped
 
-      But can also be on of the following:
+      But can also be one of the following:
 
       * QUEUE
       * RETURN

lib/puppet/provider/firewallchain/firewallchain.rb

@@ -172,7 +172,6 @@ def self.verify(_is, should)
       raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table \'mangle\'' if %r{^(BROUTING)$}.match?(should[:chain])
     when 'nat'
       raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table \'nat\'' if %r{^(BROUTING|FORWARD)$}.match?(should[:chain])
-      raise ArgumentError, 'table nat isn\'t valid in IPv6. You must specify \':IPv4\' as the name suffix' if %r{^(IP(v6)?)?$}.match?(should[:protocol])
     when 'raw'
       raise ArgumentError, 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\'' if %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}.match?(should[:chain])
     when 'broute'

lib/puppet/type/firewall.rb

@@ -1002,7 +1002,7 @@
       * REJECT - the packet is rejected with a suitable ICMP response
       * DROP - the packet is dropped
 
-      But can also be on of the following:
+      But can also be one of the following:
 
       * QUEUE
       * RETURN

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-firewall",
-  "version": "7.0.2",
+  "version": "8.0.1",
   "author": "puppetlabs",
   "summary": "Manages Firewalls such as iptables",
   "license": "Apache-2.0",

spec/acceptance/firewallchain_spec.rb

@@ -82,6 +82,18 @@
         end
       end
     end
+
+    context 'with NAT chain' do
+      pp3 = <<-PUPPETCODE
+          firewallchain { 'MY_CHAIN:nat:IPv6':
+            ensure  => present,
+          }
+      PUPPETCODE
+      it 'applies cleanly' do
+        # Run it twice and test for idempotency
+        idempotent_apply(pp3)
+      end
+    end
   end
 
   # XXX purge => false is not yet implemented

spec/acceptance/resource_cmd_spec.rb

@@ -20,7 +20,7 @@
       run_shell('source /etc/profile.d/my-custom.lang.sh')
     end
     run_shell('echo export LC_ALL="C" >> ~/.bashrc')
-    run_shell('source ~/.bashrc')
+    run_shell('source ~/.bashrc || true')
   end
 
   context 'when make sure it returns no errors when executed on a clean machine' do

spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb

@@ -316,10 +316,6 @@
           should: { name: 'FORWARD:nat:IPv4', chain: 'FORWARD', table: 'nat', protocol: 'IPv4', ensure: 'present', policy: 'accept' },
           error: 'PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table \'nat\''
         },
-        {
-          should: { name: 'PREROUTING:nat:IPv6', chain: 'PREROUTING', table: 'nat', protocol: 'IPv6', ensure: 'present', policy: 'accept' },
-          error: 'table nat isn\'t valid in IPv6. You must specify \':IPv4\' as the name suffix'
-        },
         {
           should: { name: 'INPUT:raw:IPv4', chain: 'INPUT', table: 'raw', protocol: 'IPv4', ensure: 'present', policy: 'accept' },
           error: 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\''