(CAT-1260) Addition of tests for firewall provider private set methods

- Further clarification of validation errors
- Type doc clarification clarification
- REFERENCE.md update to match current types
README.md corrections made

Author: david22swan

README.md

@@ -170,15 +170,7 @@ resources { 'firewallchain':
 Internal chains can not be deleted. In order to avoid all the confusing
 Warning/Notice messages when using `purge => true`, like these ones:
 
-    Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds
-    Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4
-    Notice: /Stage[main]/Main/Firewallchain[INPUT:mangle:IPv4]/ensure: removed
-    Warning: Firewallchain[FORWARD:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain FORWARD:mangle:IPv4
-    Notice: /Stage[main]/Main/Firewallchain[FORWARD:mangle:IPv4]/ensure: removed
-    Warning: Firewallchain[OUTPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain OUTPUT:mangle:IPv4
-    Notice: /Stage[main]/Main/Firewallchain[OUTPUT:mangle:IPv4]/ensure: removed
-    Warning: Firewallchain[POSTROUTING:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain POSTROUTING:mangle:IPv4
-    Notice: /Stage[main]/Main/Firewallchain[POSTROUTING:mangle:IPv4]/ensure: removed
+  Warning: Inbuilt Chains may not be deleted. Chain `POSTROUTING:mangle:IPv6` will be flushed and have it's policy reverted to default.
 
   Please create firewallchains for every internal chain. Here is an example:
 
@@ -248,7 +240,7 @@ firewall { '006 Allow inbound SSH (v6)':
   dport    => 22,
   proto    => 'tcp',
   action   => 'accept',
-  provider => 'ip6tables',
+  protocol => 'ip6tables',
 }
 ```
 
@@ -280,7 +272,7 @@ class profile::apache {
 
 ### Rule inversion
 
-Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.
+Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then the first value of the array must be prefixed in order to invert them all.
 
 Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range and src\_type.
 
@@ -297,12 +289,23 @@ firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN u
   state     => 'NEW',
   action    => 'drop',
   proto     => 'tcp',
-  sport     => ['! http', '! 443'],
+  sport     => ['! http', '443'],
   source    => '! 10.0.0.0/8',
   tcp_flags => '! FIN,SYN,RST,ACK SYN',
 }
 ```
 
+There are exceptions to this however, with attributes such as src\_type, dst\_type and ipset allowing the user to negate any passed values seperately.
+
+Examples:
+
+```puppet
+firewall { '001 allow local disallow anycast':
+  action   => 'accept',
+  src_type => ['LOCAL', '! ANYCAST'],
+}
+```
+
 ### Additional uses for the firewall module
 
 You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows: