Merge branch 'main' into firewallchain-cmd-fix

.github/workflows/mend.yml

@@ -1,9 +1,10 @@
 name: "mend"
 
 on:
-  pull_request:
-    branches:
-      - "main"
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:

CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v8.0.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.1) - 2024-03-20
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v8.0.0...v8.0.1)
+
+### Fixed
+
+- (MODULES-11449) - Fix for IPv6 NAT chain [#1201](https://github.com/puppetlabs/puppetlabs-firewall/pull/1201) ([Ramesh7](https://github.com/Ramesh7))
+
+### Other
+
+- fix typos in documentation [#1195](https://github.com/puppetlabs/puppetlabs-firewall/pull/1195) ([corporate-gadfly](https://github.com/corporate-gadfly))
+
 ## [v8.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v8.0.0) - 2024-02-08
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v7.0.2...v8.0.0)

README.md

@@ -568,7 +568,7 @@ As part of this process several breaking changes where made to the code that wil
 * Attributes that allow both arrays and negated values have now been updated.
   * For attributes that require that all passed values be negated as one, you now merely have to negate the first value within the array, rather than all of them, though negating all is still accepted.
   * For attributes that allow passed values to be negated seperately this is not the case. All attributes in this situation are noted within their description.
-* The `sport` and `dport` attributes have been updated so that they will now accept with `:` or `-` as a separator when passing ranges, with `:` being preferred as it matchs what is passed to iptables.
+* The `sport` and `dport` attributes have been updated so that they will now accept with `:` or `-` as a separator when passing ranges, with `:` being preferred as it matches what is passed to iptables.
 
 Two pairs of manifest taken from the tests can be seen below, illustrating the changes that may be required, the first applying a hoplimit on `ip6tables`:
 

REFERENCE.md

@@ -934,7 +934,7 @@ Data type: `Optional[String[1]]`
       * REJECT - the packet is rejected with a suitable ICMP response
       * DROP - the packet is dropped
 
-      But can also be on of the following:
+      But can also be one of the following:
 
       * QUEUE
       * RETURN

lib/puppet/provider/firewallchain/firewallchain.rb

@@ -176,7 +176,6 @@ def self.verify(_is, should)
       raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table \'mangle\'' if %r{^(BROUTING)$}.match?(should[:chain])
     when 'nat'
       raise ArgumentError, 'PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table \'nat\'' if %r{^(BROUTING|FORWARD)$}.match?(should[:chain])
-      raise ArgumentError, 'table nat isn\'t valid in IPv6. You must specify \':IPv4\' as the name suffix' if %r{^(IP(v6)?)?$}.match?(should[:protocol])
     when 'raw'
       raise ArgumentError, 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\'' if %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}.match?(should[:chain])
     when 'broute'

lib/puppet/type/firewall.rb

@@ -1002,7 +1002,7 @@
       * REJECT - the packet is rejected with a suitable ICMP response
       * DROP - the packet is dropped
 
-      But can also be on of the following:
+      But can also be one of the following:
 
       * QUEUE
       * RETURN

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-firewall",
-  "version": "8.0.0",
+  "version": "8.0.1",
   "author": "puppetlabs",
   "summary": "Manages Firewalls such as iptables",
   "license": "Apache-2.0",

spec/acceptance/firewallchain_spec.rb

@@ -82,6 +82,18 @@
         end
       end
     end
+
+    context 'with NAT chain' do
+      pp3 = <<-PUPPETCODE
+          firewallchain { 'MY_CHAIN:nat:IPv6':
+            ensure  => present,
+          }
+      PUPPETCODE
+      it 'applies cleanly' do
+        # Run it twice and test for idempotency
+        idempotent_apply(pp3)
+      end
+    end
   end
 
   # XXX purge => false is not yet implemented

spec/acceptance/resource_cmd_spec.rb

@@ -20,7 +20,7 @@
       run_shell('source /etc/profile.d/my-custom.lang.sh')
     end
     run_shell('echo export LC_ALL="C" >> ~/.bashrc')
-    run_shell('source ~/.bashrc')
+    run_shell('source ~/.bashrc || true')
   end
 
   context 'when make sure it returns no errors when executed on a clean machine' do

spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb

@@ -316,10 +316,6 @@
           should: { name: 'FORWARD:nat:IPv4', chain: 'FORWARD', table: 'nat', protocol: 'IPv4', ensure: 'present', policy: 'accept' },
           error: 'PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table \'nat\''
         },
-        {
-          should: { name: 'PREROUTING:nat:IPv6', chain: 'PREROUTING', table: 'nat', protocol: 'IPv6', ensure: 'present', policy: 'accept' },
-          error: 'table nat isn\'t valid in IPv6. You must specify \':IPv4\' as the name suffix'
-        },
         {
           should: { name: 'INPUT:raw:IPv4', chain: 'INPUT', table: 'raw', protocol: 'IPv4', ensure: 'present', policy: 'accept' },
           error: 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\''