diff --git a/CHANGELOG b/CHANGELOG
index 4b7a245..7d7a964 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+* Thu Jan 18 2024 Mike Riddle - 0.10.0
+- Made the 99_simp zone purge parameters toggle-able
+
 * Thu Nov 30 2023 Sean Peterson <________@gmail.com> - 0.9.0
 - Add $simp_zone_masquerade parameter
diff --git a/REFERENCE.md b/REFERENCE.md
index 4906f77..aa6b582 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -62,6 +62,9 @@ The following parameters are available in the `simp_firewalld` class:
 * [`tidy_dirs`](#-simp_firewalld--tidy_dirs)
 * [`tidy_prefix`](#-simp_firewalld--tidy_prefix)
 * [`tidy_minutes`](#-simp_firewalld--tidy_minutes)
+* [`simp_zone_purge_rich_rules`](#-simp_firewalld--simp_zone_purge_rich_rules)
+* [`simp_zone_purge_services`](#-simp_firewalld--simp_zone_purge_services)
+* [`simp_zone_purge_ports`](#-simp_firewalld--simp_zone_purge_ports)
 * [`simp_zone_interfaces`](#-simp_firewalld--simp_zone_interfaces)
 * [`simp_zone_target`](#-simp_firewalld--simp_zone_target)
 * [`simp_zone_masquerade`](#-simp_firewalld--simp_zone_masquerade)
@@ -158,10 +161,10 @@ Default value:
 ```puppet
 [
- '/etc/firewalld/icmptypes',
- '/etc/firewalld/ipsets',
- '/etc/firewalld/services',
- ]
+ '/etc/firewalld/icmptypes',
+ '/etc/firewalld/ipsets',
+ '/etc/firewalld/services',
+ ]
 ```
 ##### `tidy_prefix`
@@ -181,6 +184,30 @@ purposes of tidying.
 Default value: `10`
+##### `simp_zone_purge_rich_rules`
+
+Data type: `Boolean`
+
+If true, any unmanaged rich rules will be removed from the zone
+
+Default value: `true`
+
+##### `simp_zone_purge_services`
+
+Data type: `Boolean`
+
+If true, any unmanaged services will be removed from the zone
+
+Default value: `true`
+
+##### `simp_zone_purge_ports`
+
+Data type: `Boolean`
+
+If true, any unmanaged ports will be removed from the zone
+
+Default value: `true`
+
 ##### `simp_zone_interfaces`
 Data type: `Array[Optional[String[1]]]`
diff --git a/manifests/init.pp b/manifests/init.pp
index bec910a..6c15c69 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -70,6 +70,15 @@
 # Number of **minutes** to consider a configuration file 'stale' for the
 # purposes of tidying.
 #
+# @param simp_zone_purge_rich_rules
+# If true, any unmanaged rich rules will be removed from the zone
+#
+# @param simp_zone_purge_services
+# If true, any unmanaged services will be removed from the zone
+#
+# @param simp_zone_purge_ports
+# If true, any unmanaged ports will be removed from the zone
+#
 # @param simp_zone_interfaces
 # The network interfaces to which the underlying 99_simp zone should apply
 #
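Review bot: The three new `@param simp_zone_purge_*` entries document only the `true` case and say nothing about the consequence of `false`, which is the security-relevant one: 99_simp is what `$default_zone` defaults to and its `$simp_zone_target` defaults to DROP, so with purging off any rich rule, service or port added outside Puppet stays in the zone and the enforced policy drifts from the declared one. Suggest appending a second line to each, e.g. `#   If false, entries added outside of Puppet are retained; disable only when another process intentionally manages them.` The REFERENCE.md entries in the hunk at -181 carry the same one-line wording and would need the same addition, and the firewalld_zone hunk at -135 is where the toggles are consumed. The enclosing class docblock continues outside this hunk.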
@@ -82,27 +91,30 @@
 # @param package_ensure
 # The 'ensure' value for package resources
 class simp_firewalld (
- Hash $rules, # data in module
- Enum['iptables','nftables'] $firewall_backend, # data in module
- Boolean $enable = 'firewalld' in pick($facts['simplib__firewalls'], 'none'),
- Boolean $complete_reload = false,
- Boolean $lockdown = true,
- String[1] $default_zone = '99_simp',
- Enum['off', 'all','unicast','broadcast','multicast'] $log_denied = 'unicast',
- Boolean $enable_tidy = true,
+ Hash $rules, # data in module
+ Enum['iptables','nftables'] $firewall_backend, # data in module
+ Boolean $enable = 'firewalld' in pick($facts['simplib__firewalls'], 'none'),
+ Boolean $complete_reload = false,
+ Boolean $lockdown = true,
+ String[1] $default_zone = '99_simp',
+ Enum['off', 'all','unicast','broadcast','multicast'] $log_denied = 'unicast',
+ Boolean $enable_tidy = true,
 # lint:ignore:2sp_soft_tabs
- Array[Stdlib::Absolutepath] $tidy_dirs = [
- '/etc/firewalld/icmptypes',
- '/etc/firewalld/ipsets',
- '/etc/firewalld/services',
- ],
+ Array[Stdlib::Absolutepath] $tidy_dirs = [
+ '/etc/firewalld/icmptypes',
+ '/etc/firewalld/ipsets',
+ '/etc/firewalld/services',
+ ],
 # lint:endignore
- String[1] $tidy_prefix = 'simp_',
- Integer[1] $tidy_minutes = 10,
- Array[Optional[String[1]]] $simp_zone_interfaces = [],
- Enum['default', 'ACCEPT', 'REJECT', 'DROP'] $simp_zone_target = 'DROP',
- Boolean $simp_zone_masquerade = false,
- String[1] $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
+ String[1] $tidy_prefix = 'simp_',
+ Integer[1] $tidy_minutes = 10,
+ Boolean $simp_zone_purge_rich_rules = true,
+ Boolean $simp_zone_purge_services = true,
+ Boolean $simp_zone_purge_ports = true,
+ Array[Optional[String[1]]] $simp_zone_interfaces = [],
+ Enum['default', 'ACCEPT', 'REJECT', 'DROP'] $simp_zone_target = 'DROP',
+ Boolean $simp_zone_masquerade = false,
+ String[1] $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
 ) {
 if $enable {
 Exec { path => '/usr/bin:/bin' }
@@ -135,9 +147,9 @@ firewalld_zone { '99_simp':
 ensure => 'present',
- purge_rich_rules => true,
- purge_services => true,
- purge_ports => true,
+ purge_rich_rules => $simp_zone_purge_rich_rules,
+ purge_services => $simp_zone_purge_services,
+ purge_ports => $simp_zone_purge_ports,
 interfaces => $simp_zone_interfaces,
 target => $simp_zone_target,
 masquerade => $simp_zone_masquerade,
diff --git a/metadata.json b/metadata.json
index bfacbf5..f9718b2 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-simp_firewalld",
- "version": "0.9.0",
+ "version": "0.10.0",
 "author": "SIMP Team",
 "summary": "SIMP-oriented firewalld management",
 "license": "Apache-2.0",
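Review bot: In the class-signature hunk at -82 the functional change is the three `Boolean $simp_zone_purge_* = true` lines, but every other parameter line (nineteen of them) is also rewritten purely to re-align the defaults to the longer new names, which buries the real change and will attribute all of those lines to this commit in blame. Keeping the previous alignment, or moving the re-indentation to a separate whitespace-only commit, would make the change reviewable at a glance. Defaulting the three toggles to `true` preserves the previously hard-coded behaviour, which is the right choice for a backward-compatible release. The class body continues past the end of the hunk.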