mlibrary · rrotter · Mar 6, 2024
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -30,7 +30,7 @@ fixtures:
     cron_core:           {"repo": "puppetlabs/cron_core",       "ref": "1.3.0" }
     docker:              {"repo": "puppetlabs/docker",          "ref": "10.0.1" }
     # TODO: Upgrading to 7 requires nuking PuppetDB. https://forge.puppet.com/modules/puppetlabs/firewall/8.0.3/changelog
-    firewall:            {"repo": "puppetlabs/firewall",        "ref": "6.0.0" }
+    firewall:            {"repo": "puppetlabs/firewall",        "ref": "8.0.0" }
     host_core:           {"repo": "puppetlabs/host_core",       "ref": "1.3.0" }
     inifile:             {"repo": "puppetlabs/inifile",         "ref": "6.1.1" }
     lvm:                 {"repo": "puppetlabs/lvm",             "ref": "2.3.0" }

diff --git a/manifests/exposed_port.pp b/manifests/exposed_port.pp
@@ -66,7 +66,7 @@
       dport  => $port,
       source => $cidr['block'],
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 }
diff --git a/manifests/firewall_allow.pp b/manifests/firewall_allow.pp
@@ -76,7 +76,7 @@
       dport  => $port,
       source => $cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 }
diff --git a/manifests/profile/fulcrum/nginx.pp b/manifests/profile/fulcrum/nginx.pp
@@ -197,6 +197,6 @@
     proto  => 'tcp',
     dport  => 443,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 }
diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp
@@ -135,7 +135,7 @@
     dport  => [80, 443],
     source => $::ipaddress,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
     tag    => 'haproxy'
   }
 

diff --git a/manifests/profile/hathitrust/rsync.pp b/manifests/profile/hathitrust/rsync.pp
@@ -48,7 +48,7 @@
         dport  => 873,
         source => $user['ip'],
         state  => 'NEW',
-        action => 'accept'
+        jump   => 'accept'
       }
     }
   }

diff --git a/manifests/profile/hathitrust/secure_rsync.pp b/manifests/profile/hathitrust/secure_rsync.pp
@@ -69,7 +69,7 @@
       source    => $network['block'],
       src_range => $network['range'],
       state     => 'NEW',
-      action    => 'accept',
+      jump      => 'accept',
     }
   }
 }
diff --git a/manifests/profile/kubernetes/dns_server.pp b/manifests/profile/kubernetes/dns_server.pp
@@ -76,7 +76,7 @@
       dport  => 53,
       source => $node_cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 Nameserver (TCP)':

diff --git a/manifests/profile/kubernetes/haproxy.pp b/manifests/profile/kubernetes/haproxy.pp
@@ -52,7 +52,7 @@
     default:
       proto  => 'tcp',
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 private api':

diff --git a/manifests/profile/kubernetes/kubelet.pp b/manifests/profile/kubernetes/kubelet.pp
@@ -53,7 +53,7 @@
       proto  => 'tcp',
       source => $node_cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 Cluster ssh':

diff --git a/manifests/profile/kubernetes/router.pp b/manifests/profile/kubernetes/router.pp
@@ -20,7 +20,7 @@
   firewall { '001 Do not NAT internal requests':
     table       => 'nat',
     chain       => 'POSTROUTING',
-    action      => 'accept',
+    jump        => 'accept',
     proto       => 'all',
     source      => $node_cidr,
     destination => $node_cidr,

diff --git a/manifests/profile/letsencrypt.pp b/manifests/profile/letsencrypt.pp
@@ -22,6 +22,6 @@
     proto  => 'tcp',
     dport  => 80,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 }
diff --git a/manifests/profile/networking/firewall.pp b/manifests/profile/networking/firewall.pp
@@ -144,7 +144,7 @@
   $firewall_defaults = {
     proto  => 'tcp',
     state  => 'NEW',
-    action => 'accept'
+    jump   => 'accept'
   }
 
   create_resources(firewall,$rules,$firewall_defaults)
@@ -154,41 +154,41 @@
   firewall { '001 accept related established rules':
     proto  => 'all',
     state  => ['RELATED', 'ESTABLISHED'],
-    action => 'accept',
+    jump   => 'accept',
   }
 
   firewall { '001 accept all to lo interface':
     proto   => 'all',
     iniface => 'lo',
-    action  => 'accept',
+    jump    => 'accept',
   }
 
   firewall { '999 drop all':
     proto  => 'all',
-    action => 'drop',
+    jump   => 'drop',
     before => undef,
   }
 
   # Default IPv6 items, sorted by title
   firewall { '001 accept related established rules (v6)':
     proto    => 'all',
     state    => ['RELATED', 'ESTABLISHED'],
-    action   => 'accept',
-    provider => 'ip6tables',
+    jump     => 'accept',
+    protocol => 'ip6tables',
   }
 
   firewall { '001 accept all to lo interface (v6)':
     proto    => 'all',
     iniface  => 'lo',
-    action   => 'accept',
-    provider => 'ip6tables',
+    jump     => 'accept',
+    protocol => 'ip6tables',
   }
 
   firewall { '999 drop all (v6)':
     proto    => 'all',
-    action   => 'drop',
+    jump     => 'drop',
     before   => undef,
-    provider => 'ip6tables',
+    protocol => 'ip6tables',
   }
 
 }
diff --git a/manifests/profile/networking/firewall/http_datacenters.pp b/manifests/profile/networking/firewall/http_datacenters.pp
@@ -16,7 +16,7 @@
     proto  => 'tcp',
     dport  => [80, 443],
     state  => 'NEW',
-    action => 'accept'
+    jump   => 'accept'
   }
 
   $networks.flatten.each |$network| {

diff --git a/manifests/profile/prometheus.pp b/manifests/profile/prometheus.pp
@@ -188,7 +188,7 @@
     dport  => 9100,
     source => $::ipaddress,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 
   case $facts["mlibrary_ip_addresses"] {
@@ -229,7 +229,7 @@
         proto  => 'tcp',
         source => $address,
         state  => 'NEW',
-        action => 'accept',
+        jump   => 'accept',
       ;
 
       "010 prometheus public node exporter ${::hostname} ${address}":
@@ -250,7 +250,7 @@
         proto  => 'tcp',
         source => $address,
         state  => 'NEW',
-        action => 'accept',
+        jump   => 'accept',
       ;
 
       "010 prometheus private node exporter ${::hostname} ${address}":
@@ -271,7 +271,7 @@
     dport  => 9101,
     source => $::ipaddress,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 
   @@firewall { "010 prometheus mysql exporter ${::hostname}":
@@ -280,7 +280,7 @@
     dport  => 9104,
     source => $::ipaddress,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 
   Firewall <<| tag == "${::datacenter}_pushgateway_node" |>>

diff --git a/manifests/profile/prometheus/exporter/node.pp b/manifests/profile/prometheus/exporter/node.pp
@@ -155,7 +155,7 @@
       dport  => 9091,
       source => $address,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 

diff --git a/manifests/role/webhost/htvm/test.pp b/manifests/role/webhost/htvm/test.pp
@@ -13,7 +13,7 @@
       dport  => [80,443],
       source => $network['block'],
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 

diff --git a/manifests/unison/client.pp b/manifests/unison/client.pp
@@ -39,7 +39,7 @@
     dport  => [$port],
     source => $::ipaddress,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
     tag    =>  "unison-client-${title}"
   }
 

diff --git a/metadata.json b/metadata.json
@@ -20,7 +20,7 @@
     {"name": "puppetlabs/concat",          "version_requirement": ">= 9.0.2  < 10.0.0"},
     {"name": "puppetlabs/cron_core",       "version_requirement": ">= 1.3.0  < 2.0.0" },
     {"name": "puppetlabs/docker",          "version_requirement": ">= 10.0.1 < 11.0.0"},
-    {"name": "puppetlabs/firewall",        "version_requirement": "6.0.0"},
+    {"name": "puppetlabs/firewall",        "version_requirement": ">= 8.0.0  < 9.0.0" },
     {"name": "puppetlabs/host_core",       "version_requirement": ">= 1.3.0  < 2.0.0" },
     {"name": "puppetlabs/inifile",         "version_requirement": ">= 6.1.1  < 7.0.0" },
     {"name": "puppetlabs/lvm",             "version_requirement": ">= 2.3.0  < 3.0.0" },

diff --git a/spec/classes/profile/kubernetes/dns_server_spec.rb b/spec/classes/profile/kubernetes/dns_server_spec.rb
@@ -36,7 +36,7 @@
               .with_dport(53)
               .with_source('172.28.0.0/14')
               .with_state('NEW')
-              .with_action('accept')
+              .with_jump('accept')
           end
         end
 

diff --git a/spec/classes/profile/kubernetes/haproxy_spec.rb b/spec/classes/profile/kubernetes/haproxy_spec.rb
@@ -66,7 +66,7 @@
                 is_expected.to contain_firewall("200 public #{service}")
                   .with_proto('tcp')
                   .with_state('NEW')
-                  .with_action('accept')
+                  .with_jump('accept')
                   .with_dport(port)
                   .without_source
               end
@@ -81,7 +81,7 @@
                 is_expected.to contain_firewall("200 private #{service}")
                   .with_proto('tcp')
                   .with_state('NEW')
-                  .with_action('accept')
+                  .with_jump('accept')
                   .with_dport(port)
                   .with_source('172.28.0.0/14')
               end

diff --git a/spec/classes/profile/kubernetes/kubelet_spec.rb b/spec/classes/profile/kubernetes/kubelet_spec.rb
@@ -102,7 +102,7 @@
               .with_dport(ports)
               .with_source('172.28.0.0/14')
               .with_state('NEW')
-              .with_action('accept')
+              .with_jump('accept')
           end
         end
       end

diff --git a/spec/classes/profile/kubernetes/router_spec.rb b/spec/classes/profile/kubernetes/router_spec.rb
@@ -23,7 +23,7 @@
         is_expected.to contain_firewall('001 Do not NAT internal requests')
           .with_table('nat')
           .with_chain('POSTROUTING')
-          .with_action('accept')
+          .with_jump('accept')
           .with_proto('all')
           .with_source('172.28.0.0/14')
           .with_destination('172.28.0.0/14')

diff --git a/spec/classes/profile/networking/firewall_spec.rb b/spec/classes/profile/networking/firewall_spec.rb
@@ -16,33 +16,33 @@
         is_expected.to contain_firewall('001 accept related established rules').with(
           proto: 'all',
           state: %w[RELATED ESTABLISHED],
-          action: 'accept',
+          jump: 'accept',
         )
       end
 
       it do
         is_expected.to contain_firewall('001 accept related established rules (v6)').with(
           proto: 'all',
           state: %w[RELATED ESTABLISHED],
-          action: 'accept',
-          provider: 'ip6tables',
+          jump: 'accept',
+          protocol: 'ip6tables',
         )
       end
 
       it do
         is_expected.to contain_firewall('001 accept all to lo interface').with(
           proto: 'all',
           iniface: 'lo',
-          action: 'accept',
+          jump: 'accept',
         )
       end
 
       it do
         is_expected.to contain_firewall('001 accept all to lo interface (v6)').with(
           proto: 'all',
           iniface: 'lo',
-          action: 'accept',
-          provider: 'ip6tables',
+          jump: 'accept',
+          protocol: 'ip6tables',
         )
       end
 
@@ -53,7 +53,7 @@
           dport: %w[8081 8082],
           source: '10.2.3.4',
           state: 'NEW',
-          action: 'accept',
+          jump: 'accept',
         )
       end
 
@@ -63,7 +63,7 @@
           dport: 123,
           source: '10.4.5.6',
           state: 'NEW',
-          action: 'accept',
+          jump: 'accept',
         )
       end
 
@@ -77,23 +77,23 @@
           toports: '1234',
         )
         is_expected.not_to contain_firewall('900 port forwarding: an advanced rule').with(
-          action: 'accept',
+          jump: 'accept',
           state: 'NEW',
         )
       end
 
       it do
         is_expected.to contain_firewall('999 drop all').with(
           proto: 'all',
-          action: 'drop',
+          jump: 'drop',
         )
       end
 
       it do
         is_expected.to contain_firewall('999 drop all (v6)').with(
           proto: 'all',
-          action: 'drop',
-          provider: 'ip6tables',
+          jump: 'drop',
+          protocol: 'ip6tables',
         )
       end
 

diff --git a/spec/classes/profile/prometheus/exporter/node_spec.rb b/spec/classes/profile/prometheus/exporter/node_spec.rb
@@ -117,7 +117,7 @@
           .with_dport(9091)
           .with_source(facts[:ipaddress])
           .with_state('NEW')
-          .with_action('accept')
+          .with_jump('accept')
       end
 
       context 'with both public and private mlibrary_ip_addresses' do