upgrade to puppetlabs/firewall 8.1.1

.fixtures.yml

@@ -28,9 +28,8 @@ fixtures:
     augeas_core:         {"repo": "puppetlabs/augeas_core",     "ref": "1.5.0" }
     concat:              {"repo": "puppetlabs/concat",          "ref": "9.0.2" }
     cron_core:           {"repo": "puppetlabs/cron_core",       "ref": "1.3.0" }
-    docker:              {"repo": "puppetlabs/docker",          "ref": "10.0.1" }
-    # TODO: Upgrading to 7 requires nuking PuppetDB. https://forge.puppet.com/modules/puppetlabs/firewall/8.0.3/changelog
-    firewall:            {"repo": "puppetlabs/firewall",        "ref": "6.0.0" }
+    docker:              {"repo": "puppetlabs/docker",          "ref": "10.0.1"}
+    firewall:            {"repo": "puppetlabs/firewall",        "ref": "8.1.1" }
     host_core:           {"repo": "puppetlabs/host_core",       "ref": "1.3.0" }
     inifile:             {"repo": "puppetlabs/inifile",         "ref": "6.1.1" }
     lvm:                 {"repo": "puppetlabs/lvm",             "ref": "2.3.0" }

manifests/exposed_port.pp

@@ -66,7 +66,7 @@
       dport  => $port,
       source => $cidr['block'],
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 }

manifests/firewall_allow.pp

@@ -76,7 +76,7 @@
       dport  => $port,
       source => $cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 }

manifests/profile/fulcrum/nginx.pp

@@ -197,6 +197,6 @@
     proto  => 'tcp',
     dport  => 443,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 }

manifests/profile/haproxy.pp

@@ -139,15 +139,6 @@
     tag    => "${::datacenter}_haproxy"
   }
 
-  @@firewall { "200 HTTP firewall6: HAProxy ${::hostname}":
-    proto  => 'tcp',
-    dport  => [80, 443],
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-    tag    => 'firewall6-haproxy'
-  }
-
   # HAProxy should listen for kubernetes connections.
   nebula::exposed_port { '200 kubectl':
     port  => 6443,

manifests/profile/hathitrust/rsync.pp

@@ -48,7 +48,7 @@
         dport  => 873,
         source => $user['ip'],
         state  => 'NEW',
-        action => 'accept'
+        jump   => 'accept'
       }
     }
   }

manifests/profile/hathitrust/secure_rsync.pp

@@ -69,7 +69,7 @@
       source    => $network['block'],
       src_range => $network['range'],
       state     => 'NEW',
-      action    => 'accept',
+      jump      => 'accept',
     }
   }
 }

manifests/profile/kubernetes/dns_server.pp

@@ -76,7 +76,7 @@
       dport  => 53,
       source => $node_cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 Nameserver (TCP)':

manifests/profile/kubernetes/haproxy.pp

@@ -52,7 +52,7 @@
     default:
       proto  => 'tcp',
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 private api':

manifests/profile/kubernetes/kubelet.pp

@@ -53,7 +53,7 @@
       proto  => 'tcp',
       source => $node_cidr,
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     ;
 
     '200 Cluster ssh':

manifests/profile/kubernetes/router.pp

@@ -20,7 +20,7 @@
   firewall { '001 Do not NAT internal requests':
     table       => 'nat',
     chain       => 'POSTROUTING',
-    action      => 'accept',
+    jump        => 'accept',
     proto       => 'all',
     source      => $node_cidr,
     destination => $node_cidr,

manifests/profile/letsencrypt.pp

@@ -22,6 +22,6 @@
     proto  => 'tcp',
     dport  => 80,
     state  => 'NEW',
-    action => 'accept',
+    jump   => 'accept',
   }
 }

manifests/profile/networking/firewall.pp

@@ -144,7 +144,7 @@
   $firewall_defaults = {
     proto  => 'tcp',
     state  => 'NEW',
-    action => 'accept'
+    jump   => 'accept'
   }
 
   create_resources(firewall,$rules,$firewall_defaults)
@@ -154,41 +154,41 @@
   firewall { '001 accept related established rules':
     proto  => 'all',
     state  => ['RELATED', 'ESTABLISHED'],
-    action => 'accept',
+    jump   => 'accept',
   }
 
   firewall { '001 accept all to lo interface':
     proto   => 'all',
     iniface => 'lo',
-    action  => 'accept',
+    jump    => 'accept',
   }
 
   firewall { '999 drop all':
     proto  => 'all',
-    action => 'drop',
+    jump   => 'drop',
     before => undef,
   }
 
   # Default IPv6 items, sorted by title
   firewall { '001 accept related established rules (v6)':
     proto    => 'all',
     state    => ['RELATED', 'ESTABLISHED'],
-    action   => 'accept',
-    provider => 'ip6tables',
+    jump     => 'accept',
+    protocol => 'ip6tables',
   }
 
   firewall { '001 accept all to lo interface (v6)':
     proto    => 'all',
     iniface  => 'lo',
-    action   => 'accept',
-    provider => 'ip6tables',
+    jump     => 'accept',
+    protocol => 'ip6tables',
   }
 
   firewall { '999 drop all (v6)':
     proto    => 'all',
-    action   => 'drop',
+    jump     => 'drop',
     before   => undef,
-    provider => 'ip6tables',
+    protocol => 'ip6tables',
   }
 
 }

manifests/profile/networking/firewall/http.pp

@@ -14,7 +14,7 @@
 # @example
 #   include nebula::profile::networking::firewall::http
 class nebula::profile::networking::firewall::http () {
-  Firewall <<| tag == 'firewall6-haproxy' |>>
+  Firewall <<| tag == "${::datacenter}_haproxy" |>>
 }
 
 

manifests/profile/networking/firewall/http_datacenters.pp

@@ -16,7 +16,7 @@
     proto  => 'tcp',
     dport  => [80, 443],
     state  => 'NEW',
-    action => 'accept'
+    jump   => 'accept'
   }
 
   $networks.flatten.each |$network| {

manifests/profile/networking/firewall/private_ssh.pp

@@ -9,7 +9,7 @@
   $cidrs.each |$cidr| {
     firewall { "100 Private SSH: ${cidr}":
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
       dport  => $port,
       source => $cidr,
       proto  => 'tcp'

manifests/profile/prometheus.pp

@@ -176,23 +176,10 @@
       proto  => 'tcp',
       dport  => [443],
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 
-  # Delete this once nothing is importing it. It's only here for the
-  # sake of hosts that aren't in production.
-  # Referenced in branches: fulcrum_demo, tdx_7298538
-  # ** intentionally retains puppetlabs/firewall v6.0.0 semantics **
-  @@firewall { "010 prometheus legacy node exporter ${::hostname}":
-    tag    => "${::datacenter}_prometheus_node_exporter",
-    proto  => 'tcp',
-    dport  => 9100,
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-  }
-
   case $facts["mlibrary_ip_addresses"] {
     Hash[String, Array[String]]: {
       $all_public_addresses = $facts["mlibrary_ip_addresses"]["public"]
@@ -244,25 +231,6 @@
         dport => 9290,
       ;
     }
-
-    @@firewall {
-      default:
-        proto  => 'tcp',
-        source => $address,
-        state  => 'NEW',
-        action => 'accept',
-      ;
-
-      "010 prometheus public node exporter firewall6 ${::hostname} ${address}":
-        tag    => "firewall6-${::datacenter}_prometheus_public_node_exporter",
-        dport  => 9100,
-      ;
-
-      "010 prometheus public ipmi exporter firewall6 ${::hostname} ${address}":
-        tag    => "firewall6-${::datacenter}_prometheus_public_ipmi_exporter",
-        dport  => 9290,
-      ;
-    }
   }
 
   $all_private_addresses.each |$address| {
@@ -284,25 +252,6 @@
         dport => 9290,
       ;
     }
-
-    @@firewall {
-      default:
-        proto  => 'tcp',
-        source => $address,
-        state  => 'NEW',
-        action => 'accept',
-      ;
-
-      "010 prometheus firewall6 private node exporter ${::hostname} ${address}":
-        tag   => "firewall6-${::datacenter}_prometheus_private_node_exporter",
-        dport => 9100,
-      ;
-
-      "010 prometheus firewall6 private ipmi exporter ${::hostname} ${address}":
-        tag   => "firewall6-${::datacenter}_prometheus_private_ipmi_exporter",
-        dport => 9290,
-      ;
-    }
   }
 
   @@firewall { "010 prometheus haproxy exporter ${::hostname}":
@@ -314,15 +263,6 @@
     jump   => 'accept',
   }
 
-  @@firewall { "010 prometheus firewall6 haproxy exporter ${::hostname}":
-    tag    => "firewall6-${::datacenter}_prometheus_haproxy_exporter",
-    proto  => 'tcp',
-    dport  => 9101,
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-  }
-
   @@firewall { "010 prometheus mysql exporter ${::hostname}":
     tag    => "${::datacenter}_prometheus_mysql_exporter",
     proto  => 'tcp',
@@ -332,14 +272,5 @@
     jump   => 'accept',
   }
 
-  @@firewall { "010 prometheus firewall6 mysql exporter ${::hostname}":
-    tag    => "firewall6-${::datacenter}_prometheus_mysql_exporter",
-    proto  => 'tcp',
-    dport  => 9104,
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-  }
-
-  Firewall <<| tag == "firewall6-${::datacenter}_pushgateway_node" |>>
+  Firewall <<| tag == "${::datacenter}_pushgateway_node" |>>
 }

manifests/profile/prometheus/exporter/haproxy.pp

@@ -32,6 +32,6 @@
     content => template('nebula/profile/prometheus/exporter/haproxy/target.yaml.erb')
   }
 
-  Firewall <<| tag == "firewall6-${::datacenter}_prometheus_haproxy_exporter" |>>
+  Firewall <<| tag == "${::datacenter}_prometheus_haproxy_exporter" |>>
 
 }

manifests/profile/prometheus/exporter/ipmi.pp

@@ -33,10 +33,10 @@
       fail('Host cannot be scraped without a public or private IP address')
     } elsif $all_private_addresses != [] {
       $ipaddress = $all_private_addresses[0]
-      Firewall <<| tag == "firewall6-${::datacenter}_prometheus_private_ipmi_exporter" |>>
+      Firewall <<| tag == "${::datacenter}_prometheus_private_ipmi_exporter" |>>
     } else {
       $ipaddress = $all_public_addresses[0]
-      Firewall <<| tag == "firewall6-${::datacenter}_prometheus_public_ipmi_exporter" |>>
+      Firewall <<| tag == "${::datacenter}_prometheus_public_ipmi_exporter" |>>
     }
 
     @@concat_fragment { "prometheus ipmi scrape config ${::hostname}":

manifests/profile/prometheus/exporter/mysql.pp

@@ -30,7 +30,7 @@
     content => template('nebula/profile/prometheus/exporter/mysql/target.yaml.erb')
   }
 
-  Firewall <<| tag == "firewall6-${::datacenter}_prometheus_mysql_exporter" |>>
+  Firewall <<| tag == "${::datacenter}_prometheus_mysql_exporter" |>>
 
   $role = lookup_role()
 

manifests/profile/prometheus/exporter/node.pp

@@ -139,11 +139,11 @@
     fail("${datacenter} host cannot be scraped by ${monitoring_datacenter} prometheus server without a public IP address")
   } elsif $all_private_addresses != [] and $monitoring_datacenter == $datacenter {
     $ipaddresses = $all_private_addresses
-    Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_private_node_exporter" |>>
+    Firewall <<| tag == "${monitoring_datacenter}_prometheus_private_node_exporter" |>>
     Concat_fragment <<| title == "02 pushgateway advanced private url ${monitoring_datacenter}" |>>
   } else {
     $ipaddresses = $all_public_addresses
-    Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_public_node_exporter" |>>
+    Firewall <<| tag == "${monitoring_datacenter}_prometheus_public_node_exporter" |>>
     Concat_fragment <<| title == "02 pushgateway advanced public url ${monitoring_datacenter}" |>>
   }
 
@@ -157,15 +157,6 @@
       state  => 'NEW',
       jump   => 'accept',
     }
-
-    @@firewall { "300 pushgateway firewall6 ${::hostname} ${address}":
-      tag    => "firewall6-${monitoring_datacenter}_pushgateway_node",
-      proto  => 'tcp',
-      dport  => 9091,
-      source => $address,
-      state  => 'NEW',
-      action => 'accept',
-    }
   }
 
   ensure_packages(['curl', 'jq'])

manifests/role/webhost/htvm/test.pp

@@ -13,7 +13,7 @@
       dport  => [80,443],
       source => $network['block'],
       state  => 'NEW',
-      action => 'accept',
+      jump   => 'accept',
     }
   }
 

manifests/unison/client.pp

@@ -42,13 +42,4 @@
     jump   => 'accept',
     tag    =>  "unison-client-${title}"
   }
-
-  @@firewall { "200 Unison firewall6: ${title} ${::hostname}":
-    proto  => 'tcp',
-    dport  => [$port],
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-    tag    =>  "firewall6-unison-client-${title}"
-  }
 }