Upgrade puppetlabs-firewall to 2.8.1

> puppet module upgrade --modulepath 'modules' --version=2.8.1 'puppetlabs-firewall' Fixes kubernetes iptables rule parsing errors https://github.com/puppetlabs/puppetlabs-firewall/blob/main/CHANGELOG.md
2 years ago · 157346f2db
parent 5d29272303
commit 157346f2db
124 changed files with 3821 additions and 12231 deletions
--- a/2
+++ b/2
@ -3,7 +3,7 @@ moduledir 'modules'

 mod "puppetlabs/stdlib",                     "5.1.0"
 mod "puppetlabs/apt",                        "6.2.1"
-mod "puppetlabs/firewall",                   "1.15.1"
+mod "puppetlabs/firewall",                   "2.8.1"
 mod "camptocamp/openldap",                   "1.17.0"
 mod "herculesteam/augeasproviders_core"      "2.2.0"
 mod "herculesteam/augeasproviders_shellvar"  "2.2.4"
--- a/modules/firewall/.devcontainer/Dockerfile
+++ b/modules/firewall/.devcontainer/Dockerfile
@ -0,0 +1,6 @@
+FROM puppet/pdk:latest
+
+# [Optional] Uncomment this section to install additional packages.
+# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+#     && apt-get -y install --no-install-recommends <your-package-list-here>
+
--- a/modules/firewall/.devcontainer/devcontainer.json
+++ b/modules/firewall/.devcontainer/devcontainer.json
@ -0,0 +1,23 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/puppet
+{
+	"name": "Puppet Development Kit (Community)",
+	"dockerFile": "Dockerfile",
+
+	// Set *default* container specific settings.json values on container create.
+	"settings": {
+		"terminal.integrated.shell.linux": "/bin/bash"
+	},
+
+	// Add the IDs of extensions you want installed when the container is created.
+	"extensions": [
+		"puppet.puppet-vscode",
+		"rebornix.Ruby"
+	]
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "pdk --version",
+}
--- a/modules/firewall/.github/workflows/nightly.yml
+++ b/modules/firewall/.github/workflows/nightly.yml
@ -0,0 +1,194 @@
+name: "nightly"
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6
+  HONEYCOMB_DATASET: litmus tests
+
+jobs:
+  setup_matrix:
+    name: "Setup Test Matrix"
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+
+    steps:
+    - name: "Honeycomb: Start recording"
+      uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
+      with:
+        apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+        dataset: ${{ env.HONEYCOMB_DATASET }}
+        job-status: ${{ job.status }}
+
+    - name: "Honeycomb: Start first step"
+      run: |
+        echo STEP_ID=setup-environment >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Checkout Source
+      uses: actions/checkout@v2
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+
+    - name: Activate Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      with:
+        ruby-version: "2.7"
+        bundler-cache: true
+
+    - name: Print bundle environment
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      run: |
+        echo ::group::bundler environment
+        buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+        echo ::endgroup::
+
+    - name: "Honeycomb: Record Setup Environment time"
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
+        echo STEP_ID=Setup-Acceptance-Test-Matrix >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Setup Acceptance Test Matrix
+      id: get-matrix
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      run: |
+        if [ '${{ github.repository_owner }}' == 'puppetlabs' ]; then
+          buildevents cmd $TRACE_ID $STEP_ID matrix_from_metadata -- bundle exec matrix_from_metadata
+        else
+          echo  "::set-output name=matrix::{}"
+        fi
+
+    - name: "Honeycomb: Record Setup Test Matrix time"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Test Matrix'
+
+  Acceptance:
+    needs:
+      - setup_matrix
+
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.setup_matrix.outputs.matrix)}}
+
+    env:
+      BUILDEVENT_FILE: '../buildevents.txt'
+
+    steps:
+    - run: |
+        echo 'platform=${{ matrix.platform }}' >> $BUILDEVENT_FILE
+        echo 'collection=${{ matrix.collection }}' >> $BUILDEVENT_FILE
+
+    - name: "Honeycomb: Start recording"
+      uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
+      with:
+        apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+        dataset: ${{ env.HONEYCOMB_DATASET }}
+        job-status: ${{ job.status }}
+        matrix-key: ${{ matrix.platform }}-${{ matrix.collection }}
+
+    - name: "Honeycomb: start first step"
+      run: |
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-1 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Checkout Source
+      uses: actions/checkout@v2
+
+    - name: Activate Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: "2.7"
+        bundler-cache: true
+
+    - name: Print bundle environment
+      run: |
+        echo ::group::bundler environment
+        buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+        echo ::endgroup::
+
+    - name: "Honeycomb: Record Setup Environment time"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-2 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Provision test environment
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:provision ${{ matrix.platform }}' -- bundle exec rake 'litmus:provision[provision::provision_service,${{ matrix.platform }}]'
+        echo ::group::=== REQUEST ===
+        cat request.json || true
+        echo
+        echo ::endgroup::
+        echo ::group::=== INVENTORY ===
+        sed -e 's/password: .*/password: "[redacted]"/' < inventory.yaml || true
+        echo ::endgroup::
+
+    - name: Install agent
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_agent ${{ matrix.collection }}' -- bundle exec rake 'litmus:install_agent[${{ matrix.collection }}]'
+
+    - name: Install module
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_module' -- bundle exec rake 'litmus:install_module'
+
+    - name: "Honeycomb: Record deployment times"
+      if: ${{ always() }}
+      run: |
+        echo ::group::honeycomb step
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Deploy test system'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-3 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+        echo ::endgroup::
+
+    - name: Run acceptance tests
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:acceptance:parallel' -- bundle exec rake 'litmus:acceptance:parallel'
+
+    - name: "Honeycomb: Record acceptance testing times"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Run acceptance tests'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-4 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Remove test environment
+      if: ${{ always() }}
+      continue-on-error: true
+      run: |
+        if [ -f inventory.yaml ]; then
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
+          echo ::group::=== REQUEST ===
+          cat request.json || true
+          echo
+          echo ::endgroup::
+        fi
+
+    - name: "Honeycomb: Record removal times"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Remove test environment'
+
+  slack-workflow-status:
+    if: always()
+    name: Post Workflow Status To Slack
+    needs:
+      - Acceptance
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Slack Workflow Notification
+        uses: puppetlabs/Gamesight-slack-workflow-status@pdk-templates-v1
+        with:
+          # Required Input
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          slack_webhook_url: ${{ secrets.SLACK_WEBHOOK }}
+          # Optional Input
+          channel: '#team-ia-bots'
+          name: 'GABot'
--- a/modules/firewall/.github/workflows/pr_test.yml
+++ b/modules/firewall/.github/workflows/pr_test.yml
@ -0,0 +1,175 @@
+name: "PR Testing"
+
+on: [pull_request]
+
+env:
+  HONEYCOMB_WRITEKEY: 7f3c63a70eecc61d635917de46bea4e6
+  HONEYCOMB_DATASET: litmus tests
+
+jobs:
+  setup_matrix:
+    name: "Setup Test Matrix"
+    runs-on: ubuntu-20.04
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+
+    steps:
+    - name: "Honeycomb: Start recording"
+      uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
+      with:
+        apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+        dataset: ${{ env.HONEYCOMB_DATASET }}
+        job-status: ${{ job.status }}
+
+    - name: "Honeycomb: Start first step"
+      run: |
+        echo STEP_ID=setup-environment >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Checkout Source
+      uses: actions/checkout@v2
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+
+    - name: Activate Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      with:
+        ruby-version: "2.7"
+        bundler-cache: true
+
+    - name: Print bundle environment
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      run: |
+        echo ::group::bundler environment
+        buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+        echo ::endgroup::
+
+    - name: "Honeycomb: Record Setup Environment time"
+      if: ${{ github.repository_owner == 'puppetlabs' }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
+        echo STEP_ID=Setup-Acceptance-Test-Matrix >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Setup Acceptance Test Matrix
+      id: get-matrix
+      run: |
+        if [ '${{ github.repository_owner }}' == 'puppetlabs' ]; then
+          buildevents cmd $TRACE_ID $STEP_ID matrix_from_metadata -- bundle exec matrix_from_metadata
+        else
+          echo  "::set-output name=matrix::{}"
+        fi
+
+    - name: "Honeycomb: Record Setup Test Matrix time"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Test Matrix'
+
+  Acceptance:
+    needs:
+      - setup_matrix
+    if: ${{ needs.setup_matrix.outputs.matrix != '{}' }}
+
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.setup_matrix.outputs.matrix)}}
+
+    env:
+      BUILDEVENT_FILE: '../buildevents.txt'
+
+    steps:
+    - run: |
+        echo 'platform=${{ matrix.platform }}' >> $BUILDEVENT_FILE
+        echo 'collection=${{ matrix.collection }}' >> $BUILDEVENT_FILE
+
+    - name: "Honeycomb: Start recording"
+      uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
+      with:
+        apikey: ${{ env.HONEYCOMB_WRITEKEY }}
+        dataset: ${{ env.HONEYCOMB_DATASET }}
+        job-status: ${{ job.status }}
+        matrix-key: ${{ matrix.platform }}-${{ matrix.collection }}
+
+    - name: "Honeycomb: start first step"
+      run: |
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-1 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Checkout Source
+      uses: actions/checkout@v2
+
+    - name: Activate Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: "2.7"
+        bundler-cache: true
+
+    - name: Print bundle environment
+      run: |
+        echo ::group::bundler environment
+        buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
+        echo ::endgroup::
+
+    - name: "Honeycomb: Record Setup Environment time"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-2 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Provision test environment
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:provision ${{ matrix.platform }}' -- bundle exec rake 'litmus:provision[provision::provision_service,${{ matrix.platform }}]'
+        echo ::group::=== REQUEST ===
+        cat request.json || true
+        echo
+        echo ::endgroup::
+        echo ::group::=== INVENTORY ===
+        sed -e 's/password: .*/password: "[redacted]"/' < inventory.yaml || true
+        echo ::endgroup::
+
+    - name: Install agent
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_agent ${{ matrix.collection }}' -- bundle exec rake 'litmus:install_agent[${{ matrix.collection }}]'
+
+    - name: Install module
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_module' -- bundle exec rake 'litmus:install_module'
+
+    - name: "Honeycomb: Record deployment times"
+      if: ${{ always() }}
+      run: |
+        echo ::group::honeycomb step
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Deploy test system'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-3 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+        echo ::endgroup::
+
+    - name: Run acceptance tests
+      run: |
+        buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:acceptance:parallel' -- bundle exec rake 'litmus:acceptance:parallel'
+
+    - name: "Honeycomb: Record acceptance testing times"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Run acceptance tests'
+        echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-4 >> $GITHUB_ENV
+        echo STEP_START=$(date +%s) >> $GITHUB_ENV
+
+    - name: Remove test environment
+      if: ${{ always() }}
+      continue-on-error: true
+      run: |
+        if [ -f inventory.yaml ]; then
+          buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
+          echo ::group::=== REQUEST ===
+          cat request.json || true
+          echo
+          echo ::endgroup::
+        fi
+
+    - name: "Honeycomb: Record removal times"
+      if: ${{ always() }}
+      run: |
+        buildevents step $TRACE_ID $STEP_ID $STEP_START 'Remove test environment'
--- a/modules/firewall/.gitpod.Dockerfile
+++ b/modules/firewall/.gitpod.Dockerfile
@ -0,0 +1,18 @@
+FROM gitpod/workspace-full
+RUN sudo wget https://apt.puppet.com/puppet-tools-release-bionic.deb && \
+    wget https://apt.puppetlabs.com/puppet6-release-bionic.deb && \
+    sudo dpkg -i puppet6-release-bionic.deb && \
+    sudo dpkg -i puppet-tools-release-bionic.deb && \
+    sudo apt-get update && \
+    sudo apt-get install -y pdk zsh puppet-agent && \
+    sudo apt-get clean && \
+    sudo rm -rf /var/lib/apt/lists/*
+RUN sudo usermod -s $(which zsh) gitpod && \
+    sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" && \
+    echo "plugins=(git gitignore github gem pip bundler python ruby docker docker-compose)" >> /home/gitpod/.zshrc && \
+    echo 'PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin"'  >> /home/gitpod/.zshrc && \
+    sudo /opt/puppetlabs/puppet/bin/gem install puppet-debugger hub -N && \
+    mkdir -p /home/gitpod/.config/puppet && \
+    /opt/puppetlabs/puppet/bin/ruby -r yaml -e "puts ({'disabled' => true}).to_yaml" > /home/gitpod/.config/puppet/analytics.yml
+RUN rm -f puppet6-release-bionic.deb  puppet-tools-release-bionic.deb
+ENTRYPOINT /usr/bin/zsh
--- a/modules/firewall/.gitpod.yml
+++ b/modules/firewall/.gitpod.yml
@ -0,0 +1,9 @@
+image:
+  file: .gitpod.Dockerfile
+
+tasks:
+  - init: pdk bundle install
+
+vscode:
+  extensions:
+    - puppet.puppet-vscode@1.0.0:oSzfTkDf6Cmc1jOjgW33VA==
--- a/modules/firewall/.nodeset.yml
+++ b/modules/firewall/.nodeset.yml
@ -0,0 +1,31 @@
+---
+default_set: 'centos-64-x64'
+sets:
+  'centos-59-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'centos-59-x64'
+  'centos-64-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'centos-64-x64'
+  'fedora-18-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'fedora-18-x64'
+  'debian-607-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'debian-607-x64'
+  'debian-70rc1-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'debian-70rc1-x64'
+  'ubuntu-server-10044-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'ubuntu-server-10044-x64'
+  'ubuntu-server-12042-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'ubuntu-server-12042-x64'
--- a/modules/firewall/CHANGELOG.md
+++ b/modules/firewall/CHANGELOG.md
@ -2,6 +2,156 @@

 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).

+## [v2.8.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.1) (2021-02-08)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.0...v2.8.1)
+
+### Fixed
+
+- \[MODULES-10907\] Do not remove spaces from hex string with ! [\#967](https://github.com/puppetlabs/puppetlabs-firewall/pull/967) ([adrianiurca](https://github.com/adrianiurca))
+
+## [v2.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.0) (2020-12-14)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.7.0...v2.8.0)
+
+### Added
+
+- pdksync - \(feat\) - Add support for Puppet 7 [\#959](https://github.com/puppetlabs/puppetlabs-firewall/pull/959) ([daianamezdrea](https://github.com/daianamezdrea))
+- \(IAC-966\) - MODULES-10522: Add support for the --condition parameter [\#941](https://github.com/puppetlabs/puppetlabs-firewall/pull/941) ([adrianiurca](https://github.com/adrianiurca))
+
+### Fixed
+
+- Restore copyright names [\#951](https://github.com/puppetlabs/puppetlabs-firewall/pull/951) ([hunner](https://github.com/hunner))
+
+## [v2.7.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.7.0) (2020-10-15)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.6.0...v2.7.0)
+
+### Added
+
+- \(IAC-1190\) add `ignore\_foreign` when purging firewallchains [\#948](https://github.com/puppetlabs/puppetlabs-firewall/pull/948) ([DavidS](https://github.com/DavidS))
+
+## [v2.6.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.6.0) (2020-10-01)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.5.0...v2.6.0)
+
+### Added
+
+- pdksync - \(IAC-973\) - Update travis/appveyor to run on new default branch main [\#933](https://github.com/puppetlabs/puppetlabs-firewall/pull/933) ([david22swan](https://github.com/david22swan))
+
+### Fixed
+
+- Fix extra quotes in firewall string matching [\#944](https://github.com/puppetlabs/puppetlabs-firewall/pull/944) ([IBBoard](https://github.com/IBBoard))
+- \(IAC-987\) - Removal of inappropriate terminology [\#942](https://github.com/puppetlabs/puppetlabs-firewall/pull/942) ([david22swan](https://github.com/david22swan))
+
+## [v2.5.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.5.0) (2020-07-28)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.4.0...v2.5.0)
+
+### Added
+
+- Add acceptance and unit test [\#931](https://github.com/puppetlabs/puppetlabs-firewall/pull/931) ([adrianiurca](https://github.com/adrianiurca))
+- \[IAC-899\] - Add acceptance test for string\_hex parameter [\#930](https://github.com/puppetlabs/puppetlabs-firewall/pull/930) ([adrianiurca](https://github.com/adrianiurca))
+- Add support for NFLOG options to ip6tables [\#921](https://github.com/puppetlabs/puppetlabs-firewall/pull/921) ([frh](https://github.com/frh))
+
+## [v2.4.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.4.0) (2020-05-13)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.3.0...v2.4.0)
+
+### Added
+
+- Add support for u32 module in iptables [\#917](https://github.com/puppetlabs/puppetlabs-firewall/pull/917) ([sanfrancrisko](https://github.com/sanfrancrisko))
+- Add support for cgroup arg [\#916](https://github.com/puppetlabs/puppetlabs-firewall/pull/916) ([akerl-unpriv](https://github.com/akerl-unpriv))
+- Extend LOG options [\#914](https://github.com/puppetlabs/puppetlabs-firewall/pull/914) ([martialblog](https://github.com/martialblog))
+
+### Fixed
+
+- \(MODULES-8543\) Remove nftables' backend warning from iptables\_save outtput [\#911](https://github.com/puppetlabs/puppetlabs-firewall/pull/911) ([NITEMAN](https://github.com/NITEMAN))
+
+## [v2.3.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.3.0) (2020-03-26)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.2.0...v2.3.0)
+
+### Added
+
+- Add iptables --hex-string support to firewall resource [\#907](https://github.com/puppetlabs/puppetlabs-firewall/pull/907) ([alexconrey](https://github.com/alexconrey))
+- Add random\_fully and rpfilter support [\#892](https://github.com/puppetlabs/puppetlabs-firewall/pull/892) ([treydock](https://github.com/treydock))
+- \(MODULES-7800\) Add the ability to specify iptables connection tracking helpers. [\#890](https://github.com/puppetlabs/puppetlabs-firewall/pull/890) ([jimmyt86](https://github.com/jimmyt86))
+- Support conntrack module [\#872](https://github.com/puppetlabs/puppetlabs-firewall/pull/872) ([haught](https://github.com/haught))
+
+### Fixed
+
+- \(maint\) Use fact.flush only when available [\#906](https://github.com/puppetlabs/puppetlabs-firewall/pull/906) ([Filipovici-Andrei](https://github.com/Filipovici-Andrei))
+- Merge and remove duplicate README file, lint code snippets [\#878](https://github.com/puppetlabs/puppetlabs-firewall/pull/878) ([runejuhl](https://github.com/runejuhl))
+
+## [v2.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.2.0) (2019-12-09)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.1.0...v2.2.0)
+
+### Added
+
+- Add support for Debian Unstable [\#876](https://github.com/puppetlabs/puppetlabs-firewall/pull/876) ([martialblog](https://github.com/martialblog))
+- \(FM-8673\) - Support added for CentOS 8 [\#873](https://github.com/puppetlabs/puppetlabs-firewall/pull/873) ([david22swan](https://github.com/david22swan))
+- FM-8400 - add debian10 support [\#862](https://github.com/puppetlabs/puppetlabs-firewall/pull/862) ([lionce](https://github.com/lionce))
+- FM-8219 - Convert to litmus [\#855](https://github.com/puppetlabs/puppetlabs-firewall/pull/855) ([lionce](https://github.com/lionce))
+
+### Fixed
+
+- \(MODULES-10358\) - Clarification added to Boolean validation checks [\#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan))
+- Change - Avoid puppet failures on windows nodes [\#874](https://github.com/puppetlabs/puppetlabs-firewall/pull/874) ([blackknight36](https://github.com/blackknight36))
+- Fix parsing iptables rules with hyphen in comments [\#861](https://github.com/puppetlabs/puppetlabs-firewall/pull/861) ([Hexta](https://github.com/Hexta))
+
+## [v2.1.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.1.0) (2019-09-24)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.0.0...v2.1.0)
+
+### Added
+
+- \(MODULES-6136\) Add zone property of CT target. [\#852](https://github.com/puppetlabs/puppetlabs-firewall/pull/852) ([rwf14f](https://github.com/rwf14f))
+- \(FM-8025\) Add RedHat 8 support [\#847](https://github.com/puppetlabs/puppetlabs-firewall/pull/847) ([eimlav](https://github.com/eimlav))
+
+### Fixed
+
+- MODULES-9801 - fix negated physdev [\#858](https://github.com/puppetlabs/puppetlabs-firewall/pull/858) ([lionce](https://github.com/lionce))
+
+## [v2.0.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.0.0) (2019-05-14)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.3...v2.0.0)
+
+### Changed
+
+- pdksync - \(MODULES-8444\) - Raise lower Puppet bound [\#841](https://github.com/puppetlabs/puppetlabs-firewall/pull/841) ([david22swan](https://github.com/david22swan))
+
+### Added
+
+- \(FM-7903\) - Implement Puppet Strings [\#838](https://github.com/puppetlabs/puppetlabs-firewall/pull/838) ([david22swan](https://github.com/david22swan))
+
+### Fixed
+
+- \(MODULES-8736\) IPtables support on RHEL8 [\#824](https://github.com/puppetlabs/puppetlabs-firewall/pull/824) ([EmilienM](https://github.com/EmilienM))
+
+## [1.15.3](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.3) (2019-04-04)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.2...1.15.3)
+
+### Fixed
+
+- \(MODULES-8855\) Move ipvs test to exception spec [\#834](https://github.com/puppetlabs/puppetlabs-firewall/pull/834) ([eimlav](https://github.com/eimlav))
+- \(MODULES-8842\) Fix ipvs not idempotent [\#833](https://github.com/puppetlabs/puppetlabs-firewall/pull/833) ([eimlav](https://github.com/eimlav))
+
+## [1.15.2](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.2) (2019-03-26)
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.1...1.15.2)
+
+### Fixed
+
+- \(MODULES-8615\) Fix rules with ipvs not parsing [\#828](https://github.com/puppetlabs/puppetlabs-firewall/pull/828) ([eimlav](https://github.com/eimlav))
+- \(MODULES-7333\) - Change hashing method from MD5 to SHA256 [\#827](https://github.com/puppetlabs/puppetlabs-firewall/pull/827) ([david22swan](https://github.com/david22swan))
+- \(MODULES-6547\) Fix existing rules with --dport not parsing [\#826](https://github.com/puppetlabs/puppetlabs-firewall/pull/826) ([eimlav](https://github.com/eimlav))
+- \(MODULES-8648\) - Fix for failures on SLES 11 [\#816](https://github.com/puppetlabs/puppetlabs-firewall/pull/816) ([david22swan](https://github.com/david22swan))
+- \(MODULES-8584\) Handle multiple escaped quotes in comments properly [\#815](https://github.com/puppetlabs/puppetlabs-firewall/pull/815) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic))
+- External control for iptables-persistent [\#795](https://github.com/puppetlabs/puppetlabs-firewall/pull/795) ([identw](https://github.com/identw))
+
 ## [1.15.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/1.15.1) (2019-02-01)

 [Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/1.15.0...1.15.1)
@ -722,7 +872,7 @@ specify ranges of ports in the sport/dport parameter:

 ##### Changes

-* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
+* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppet server
 * (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
 * (#10263) Fix tests on Puppet 2.6.x
 * (#10163) Cleanup some of the inline documentation and README file to align with general forge usage
@ -749,4 +899,4 @@ Initial release.
 \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*


-\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
--- a/modules/firewall/CODEOWNERS
+++ b/modules/firewall/CODEOWNERS
@ -0,0 +1,2 @@
+# Setting ownership to the modules team
+* @puppetlabs/modules
--- a/modules/firewall/CONTRIBUTING.md
+++ b/modules/firewall/CONTRIBUTING.md
@ -108,7 +108,7 @@ process as easy as possible.

      To submit your changes via a GitHub pull request, we _highly_
      recommend that you have them on a topic branch, instead of
-      directly on "master".
+      directly on "main".
      It makes things much easier to keep track of, especially if
      you decide to work on another thing before your first change
      is merged in.
--- a/modules/firewall/Gemfile
+++ b/modules/firewall/Gemfile
@ -1,76 +0,0 @@
-source ENV['GEM_SOURCE'] || 'https://rubygems.org'
-
-def location_for(place_or_version, fake_version = nil)
-  git_url_regex = %r{\A(?<url>(https?|git)[:@][^#]*)(#(?<branch>.*))?}
-  file_url_regex = %r{\Afile:\/\/(?<path>.*)}
-
-  if place_or_version && (git_url = place_or_version.match(git_url_regex))
-    [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact
-  elsif place_or_version && (file_url = place_or_version.match(file_url_regex))
-    ['>= 0', { path: File.expand_path(file_url[:path]), require: false }]
-  else
-    [place_or_version, { require: false }]
-  end
-end
-
-ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
-minor_version = ruby_version_segments[0..1].join('.')
-
-group :development do
-  gem "fast_gettext", '1.1.0',                         require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
-  gem "fast_gettext",                                  require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
-  gem "json_pure", '<= 2.0.1',                         require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
-  gem "json", '= 1.8.1',                               require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
-  gem "json", '= 2.0.4',                               require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.1.0',                               require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
-  gem "puppet-module-posix-dev-r#{minor_version}",     require: false, platforms: [:ruby]
-  gem "puppet-module-win-default-r#{minor_version}",   require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "puppet-module-win-dev-r#{minor_version}",       require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "github_changelog_generator",                    require: false, git: 'https://github.com/skywinder/github-changelog-generator', ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
-end
-group :system_tests do
-  gem "puppet-module-posix-system-r#{minor_version}", require: false, platforms: [:ruby]
-  gem "puppet-module-win-system-r#{minor_version}",   require: false, platforms: [:mswin, :mingw, :x64_mingw]
-end
-
-puppet_version = ENV['PUPPET_GEM_VERSION']
-facter_version = ENV['FACTER_GEM_VERSION']
-hiera_version = ENV['HIERA_GEM_VERSION']
-
-gems = {}
-
-gems['puppet'] = location_for(puppet_version)
-
-# If facter or hiera versions have been specified via the environment
-# variables
-
-gems['facter'] = location_for(facter_version) if facter_version
-gems['hiera'] = location_for(hiera_version) if hiera_version
-
-if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)}
-  # If we're using a Puppet gem on Windows which handles its own win32-xxx gem
-  # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445).
-  gems['win32-dir'] =      ['<= 0.4.9', require: false]
-  gems['win32-eventlog'] = ['<= 0.6.5', require: false]
-  gems['win32-process'] =  ['<= 0.7.5', require: false]
-  gems['win32-security'] = ['<= 0.2.5', require: false]
-  gems['win32-service'] =  ['0.8.8', require: false]
-end
-
-gems.each do |gem_name, gem_params|
-  gem gem_name, *gem_params
-end
-
-# Evaluate Gemfile.local and ~/.gemfile if they exist
-extra_gemfiles = [
-  "#{__FILE__}.local",
-  File.join(Dir.home, '.gemfile'),
-]
-
-extra_gemfiles.each do |gemfile|
-  if File.file?(gemfile) && File.readable?(gemfile)
-    eval(File.read(gemfile), binding)
-  end
-end
-# vim: syntax=ruby
--- a/modules/firewall/HISTORY.md
+++ b/modules/firewall/HISTORY.md
@ -679,7 +679,7 @@ specify ranges of ports in the sport/dport parameter:

 ##### Changes

-* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
+* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppet server
 * (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
 * (#10263) Fix tests on Puppet 2.6.x
 * (#10163) Cleanup some of the inline documentation and README file to align with general forge usage
--- a/modules/firewall/MAINTAINERS.md
+++ b/modules/firewall/MAINTAINERS.md
@ -1,6 +0,0 @@
-## Maintenance
-
-Maintainers:
-  - Puppet Forge Modules Team `forge-modules |at| puppet |dot| com`
-
-Tickets: https://tickets.puppet.com/browse/MODULES. Make sure to set component to `firewall`.
--- a/modules/firewall/NOTICE
+++ b/modules/firewall/NOTICE
@ -1,6 +1,14 @@
 Puppet Module - puppetlabs-firewall

 Copyright 2018 Puppet, Inc.
+Copyright 2011 Jonathan Boyett
+Copyright 2011 Media Temple, Inc.
+
+Some of the iptables code was taken from puppet-iptables which was:
+
+Copyright 2011 Bob.sh Limited
+Copyright 2008 Camptocamp Association
+Copyright 2007 Dmitri Priimak

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -12,4 +20,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
+limitations under the License.
--- a/modules/firewall/README.markdown
+++ b/modules/firewall/README.markdown
--- a/modules/firewall/README.md
+++ b/modules/firewall/README.md
@ -0,0 +1,535 @@
+# firewall
+
+[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=main)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)
+
+#### Table of Contents
+
+1. [Overview - What is the firewall module?](#overview)
+2. [Module description - What does the module do?](#module-description)
+3. [Setup - The basics of getting started with firewall](#setup)
+    * [What firewall affects](#what-firewall-affects)
+    * [Setup requirements](#setup-requirements)
+    * [Beginning with firewall](#beginning-with-firewall)
+    * [Upgrading](#upgrading)
+4. [Usage - Configuration and customization options](#usage)
+    * [Default rules - Setting up general configurations for all firewalls](#default-rules)
+    * [Application-specific rules - Options for configuring and managing firewalls across applications](#application-specific-rules)
+    * [Additional ses for the firewall module](#other-rules)
+5. [Reference - An under-the-hood peek at what the module is doing](#reference)
+6. [Limitations - OS compatibility, etc.](#limitations)
+7. [Firewall_multi - Arrays for certain parameters](#firewall_multi)
+8. [Development - Guide for contributing to the module](#development)
+    * [Tests - Testing your configuration](#tests)
+
+## Overview
+
+The firewall module lets you manage firewall rules with Puppet.
+
+## Module description
+
+PuppetLabs' firewall module introduces the `firewall` resource, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables and ip6tables. The module also introduces the `firewallchain` resource, which allows you to manage chains or firewall lists and ebtables for bridging support. At the moment, only iptables and ip6tables chains are supported.
+
+The firewall module acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you to provide global defaults for your hosts before and after any custom rules. Defining `pre` and `post` rules is also necessary to help you avoid locking yourself out of your own boxes when Puppet runs.
+
+## Setup
+
+### What firewall affects
+
+* Every node running a firewall
+* Firewall settings in your system
+* Connection settings for managed nodes
+* Unmanaged resources (get purged)
+
+
+### Setup requirements
+
+Firewall uses Ruby-based providers, so you must enable [pluginsync](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync).
+
+### Beginning with firewall
+
+In the following two sections, you create new classes and then create firewall rules related to those classes. These steps are optional but provide a framework for firewall rules, which is helpful if you’re just starting to create them.
+
+If you already have rules in place, then you don’t need to do these two sections. However, be aware of the ordering of your firewall rules. The module will dynamically apply rules in the order they appear in the catalog, meaning a deny rule could be applied before the allow rules. This might mean the module hasn’t established some of the important connections, such as the connection to the Puppet server.
+
+The following steps are designed to ensure that you keep your SSH and other connections, primarily your connection to your Puppet server. If you create the `pre` and `post` classes described in the first section, then you also need to create the rules described in the second section.
+
+#### Create the `my_fw::pre` and `my_fw::post` Classes
+
+This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
+
+The code in this section does the following:
+
+* The 'require' parameter in `firewall {}` ensures `my_fw::pre` is run before any other rules.
+* In the `my_fw::post` class declaration, the 'before' parameter ensures `my_fw::post` is run after any other rules.
+
+The rules in the `pre` and `post` classes are fairly general. These two classes ensure that you retain connectivity and that you drop unmatched packets appropriately. The rules you define in your manifests are likely to be specific to the applications you run.
+
+1. Add the `pre` class to `my_fw/manifests/pre.pp`, and any default rules to your pre.pp file first — in the order you want them to run.
+
+```puppet
+class my_fw::pre {
+  Firewall {
+    require => undef,
+  }
+
+  # Default firewall rules
+  firewall { '000 accept all icmp':
+    proto  => 'icmp',
+    action => 'accept',
+  }
+  -> firewall { '001 accept all to lo interface':
+    proto   => 'all',
+    iniface => 'lo',
+    action  => 'accept',
+  }
+  -> firewall { '002 reject local traffic not on loopback interface':
+    iniface     => '! lo',
+    proto       => 'all',
+    destination => '127.0.0.1/8',
+    action      => 'reject',
+  }
+  -> firewall { '003 accept related established rules':
+    proto  => 'all',
+    state  => ['RELATED', 'ESTABLISHED'],
+    action => 'accept',
+  }
+}
+```
+
+The rules in `pre` allow basic networking (such as ICMP and TCP) and ensure that
+existing connections are not closed.
+
+2. Add the `post` class to `my_fw/manifests/post.pp` and include any default rules — apply these last.
+
+```puppet
+class my_fw::post {
+  firewall { '999 drop all':
+    proto  => 'all',
+    action => 'drop',
+    before => undef,
+  }
+}
+```
+
+Alternatively, the [firewallchain](#type-firewallchain) type can be used to set the default policy:
+
+```puppet
+firewallchain { 'INPUT:filter:IPv4':
+  ensure => present,
+  policy => drop,
+  before => undef,
+}
+```
+
+#### Create firewall rules
+
+The rules you create here are helpful if you don’t have any existing rules; they help you order your firewall configurations so you don’t lock yourself out of your box.
+
+Rules are persisted automatically between reboots, although there are known issues with ip6tables on older Debian/Ubuntu distributions. There are also known issues with ebtables.
+
+1. Use the following code to set up the default parameters for all of the firewall rules that you will establish later. These defaults will ensure that the `pre` and `post` classes are run in the correct order and avoid locking you out of your box during the first Puppet run.
+
+```puppet
+Firewall {
+  before  => Class['my_fw::post'],
+  require => Class['my_fw::pre'],
+}
+```
+
+2. Declare the `my_fw::pre` and `my_fw::post` classes to satisfy dependencies. You can declare these classes using an external node classifier or the following code:
+
+```puppet
+class { ['my_fw::pre', 'my_fw::post']: }
+```
+
+3. Include the `firewall` class to ensure the correct packages are installed:
+
+```puppet
+class { 'firewall': }
+```
+
+4. If you want to remove unmanaged firewall rules, add the following code to set up a metatype to purge unmanaged firewall resources in your site.pp or another top-scope file. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
+
+```puppet
+resources { 'firewall':
+  purge => true,
+}
+```
+
+  To purge unmanaged firewall chains, add:
+
+```puppet
+resources { 'firewallchain':
+  purge => true,
+}
+```
+
+Internal chains can not be deleted. In order to avoid all the confusing
+Warning/Notice messages when using `purge => true`, like these ones:
+
+    Notice: Compiled catalog for blonde-height.delivery.puppetlabs.net in environment production in 0.05 seconds
+    Warning: Firewallchain[INPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain INPUT:mangle:IPv4
+    Notice: /Stage[main]/Main/Firewallchain[INPUT:mangle:IPv4]/ensure: removed
+    Warning: Firewallchain[FORWARD:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain FORWARD:mangle:IPv4
+    Notice: /Stage[main]/Main/Firewallchain[FORWARD:mangle:IPv4]/ensure: removed
+    Warning: Firewallchain[OUTPUT:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain OUTPUT:mangle:IPv4
+    Notice: /Stage[main]/Main/Firewallchain[OUTPUT:mangle:IPv4]/ensure: removed
+    Warning: Firewallchain[POSTROUTING:mangle:IPv4](provider=iptables_chain): Attempting to destroy internal chain POSTROUTING:mangle:IPv4
+    Notice: /Stage[main]/Main/Firewallchain[POSTROUTING:mangle:IPv4]/ensure: removed
+
+  Please create firewallchains for every internal chain. Here is an example:
+
+```puppet
+firewallchain { 'POSTROUTING:mangle:IPv6':
+  ensure  => present,
+}
+
+resources { 'firewallchain':
+  purge => true,
+}
+```
+
+> **Note:** If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.
+
+> **Note:** If you need more fine-grained control about which unmananged rules get removed, investigate the `purge` and `ignore_foreign` parameters available in `firewallchain`.
+
+### Upgrading
+
+Use these steps if you already have a version of the firewall module installed.
+
+#### From version 0.2.0 and more recent
+
+Upgrade the module with the puppet module tool as normal:
+
+    puppet module upgrade puppetlabs/firewall
+
+## Usage
+
+There are two kinds of firewall rules you can use with firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings for a specific application, node, etc.
+
+All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last.
+
+**Note:** The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range.
+
+### Default rules
+
+You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last.
+
+In iptables, the title of the rule is stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
+
+#### Examples of default rules
+
+Basic accept ICMP request example:
+
+```puppet
+firewall { '000 accept all icmp requests':
+  proto  => 'icmp',
+  action => 'accept',
+}
+```
+
+Drop all:
+
+```puppet
+firewall { '999 drop all other requests':
+  action => 'drop',
+}
+```
+
+#### Example of an IPv6 rule
+
+IPv6 rules can be specified using the _ip6tables_ provider:
+
+```puppet
+firewall { '006 Allow inbound SSH (v6)':
+  dport    => 22,
+  proto    => 'tcp',
+  action   => 'accept',
+  provider => 'ip6tables',
+}
+```
+
+### Application-specific rules
+
+Puppet doesn't care where you define rules, and this means that you can place
+your firewall resources as close to the applications and services that you
+manage as you wish. If you use the [roles and profiles
+pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
+makes sense to create your firewall rules in the profiles, so they
+remain close to the services managed by the profile.
+
+This is an example of firewall rules in a profile:
+
+```puppet
+class profile::apache {
+  include apache
+  apache::vhost { 'mysite':
+    ensure => present,
+  }
+
+  firewall { '100 allow http and https access':
+    dport  => [80, 443],
+    proto  => 'tcp',
+    action => 'accept',
+  }
+}
+```
+
+### Rule inversion
+
+Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.
+
+Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state.
+
+Examples:
+
+```puppet
+firewall { '001 disallow esp protocol':
+  action => 'accept',
+  proto  => '! esp',
+}
+
+firewall { '002 drop NEW external website packets with FIN/RST/ACK set and SYN unset':
+  chain     => 'INPUT',
+  state     => 'NEW',
+  action    => 'drop',
+  proto     => 'tcp',
+  sport     => ['! http', '! 443'],
+  source    => '! 10.0.0.0/8',
+  tcp_flags => '! FIN,SYN,RST,ACK SYN',
+}
+```
+
+### Additional uses for the firewall module
+
+You can apply firewall rules to specific nodes. Usually, you should put the firewall rule in another class and apply that class to a node. Apply a rule to a node as follows:
+
+```puppet
+node 'some.node.com' {
+  firewall { '111 open port 111':
+    dport => 111,
+  }
+}
+```
+
+You can also do more complex things with the `firewall` resource. This example sets up static NAT for the source network 10.1.2.0/24:
+
+```puppet
+firewall { '100 snat for network foo2':
+  chain    => 'POSTROUTING',
+  jump     => 'MASQUERADE',
+  proto    => 'all',
+  outiface => 'eth0',
+  source   => '10.1.2.0/24',
+  table    => 'nat',
+}
+```
+
+
+You can also change the TCP MSS value for VPN client traffic:
+
+```puppet
+firewall { '110 TCPMSS for VPN clients':
+  chain     => 'FORWARD',
+  table     => 'mangle',
+  source    => '10.0.2.0/24',
+  proto     => 'tcp',
+  tcp_flags => 'SYN,RST SYN',
+  mss       => '1361:1541',
+  set_mss   => '1360',
+  jump      => 'TCPMSS',
+}
+```
+
+The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:
+
+```puppet
+firewall { '503 Mirror traffic to IDS':
+  proto   => 'all',
+  jump    => 'TEE',
+  gateway => '10.0.0.2',
+  chain   => 'PREROUTING',
+  table   => 'mangle',
+}
+```
+
+The following example creates a new chain and forwards any port 5000 access to it.
+
+```puppet
+firewall { '100 forward to MY_CHAIN':
+  chain   => 'INPUT',
+  jump    => 'MY_CHAIN',
+}
+
+# The namevar here is in the format chain_name:table:protocol
+firewallchain { 'MY_CHAIN:filter:IPv4':
+  ensure  => present,
+}
+
+firewall { '100 my rule':
+  chain   => 'MY_CHAIN',
+  action  => 'accept',
+  proto   => 'tcp',
+  dport   => 5000,
+}
+```
+
+Setup NFLOG for a rule.
+
+```puppet
+firewall {'666 for NFLOG':
+  proto           => 'all',
+  jump            => 'NFLOG',
+  nflog_group     => 3,
+  nflog_prefix    => 'nflog-test',
+  nflog_range     => 256,
+  nflog_threshold => 1,
+}
+```
+
+### Additional information
+
+Access the inline documentation:
+
+    puppet describe firewall
+
+Or
+
+    puppet doc -r type
+    (and search for firewall)
+
+## Reference
+
+For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob//REFERENCE.md). For information on the facts, see below.
+
+Facts:
+
+* [ip6tables_version](#fact-ip6tablesversion)
+* [iptables_version](#fact-iptablesversion)
+* [iptables_persistent_version](#fact-iptablespersistentversion)
+
+### Fact: ip6tables_version
+
+A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
+
+### Fact: iptables_version
+
+A Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.
+
+### Fact: iptables_persistent_version
+
+Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
+
+## Limitations
+
+For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-firewall/blob/main/metadata.json)
+
+### SLES
+
+The `socket` parameter is not supported on SLES.  In this release it will cause
+the catalog to fail with iptables failures, rather than correctly warn you that
+the features are unusable.
+
+### Oracle Enterprise Linux
+
+The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux
+when the "Unbreakable" kernel is used. These may function correctly when using
+the stock RedHat kernel instead. Declaring either of these parameters on an
+unsupported system will result in iptable rules failing to apply.
+
+## Passing firewall parameter values as arrays with `firewall_multi` module
+
+You might sometimes need to pass arrays, such as arrays of source or destination addresses, to some parameters in contexts where iptables itself does not allow arrays.
+
+A community module, [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi), provides a defined type wrapper to spawn firewall resources for arrays of certain inputs.
+
+For example:
+
+```puppet
+firewall_multi { '100 allow http and https access':
+  source => [
+    '10.0.10.0/24',
+    '10.0.12.0/24',
+    '10.1.1.128',
+  ],
+  dport  => [80, 443],
+  proto  => 'tcp',
+  action => 'accept',
+}
+```
+
+For more information see the documentation at [alexharvey-firewall_multi](https://forge.puppet.com/alexharvey/firewall_multi).
+
+### Known issues
+
+#### MCollective causes PE to reverse firewall rule order
+
+Firewall rules appear in reverse order if you use MCollective to run Puppet in Puppet Enterprise 2016.1, 2015.3, 2015.2, or 3.8.x.
+
+If you use MCollective to kick off Puppet runs (`mco puppet runonce -I agent.example.com`) while also using the [`puppetlabs/firewall`](https://forge.puppet.com/puppetlabs/firewall) module, your firewall rules might be listed in reverse order.
+
+In many firewall configurations, the last rule drops all packets. If the rule order is reversed, this rule is listed first and network connectivity fails.
+
+To prevent this issue, do not use MCollective to kick off Puppet runs. Use any of the following instead:
+
+* Run `puppet agent -t` on the command line.
+* Use a cron job.
+* Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
+
+### condition parameter
+
+The `condition` parameter requires `xtables-addons` to be installed locally.
+For ubuntu distributions `xtables-addons-common` package can be installed by running command: `apt-get install xtables-addons-common` or
+running a manifest:
+
+```puppet
+package { 'xtables-addons-common':
+  ensure => 'latest',
+}
+```
+
+For other distributions (RedHat, Debian, Centos etc) manual installation of the `xtables-addons` package is required.
+
+#### Reporting Issues
+
+Please report any bugs in the Puppetlabs JIRA issue tracker:
+
+<https://tickets.puppetlabs.com/projects/MODULES/issues>
+
+## Development
+
+Acceptance tests for this module leverage [puppet_litmus](https://github.com/puppetlabs/puppet_litmus).
+To run the acceptance tests follow the instructions [here](https://github.com/puppetlabs/puppet_litmus/wiki/Tutorial:-use-Litmus-to-execute-acceptance-tests-with-a-sample-module-(MoTD)#install-the-necessary-gems-for-the-module).
+You can also find a tutorial and walkthrough of using Litmus and the PDK on [YouTube](https://www.youtube.com/watch?v=FYfR7ZEGHoE).
+
+If you run into an issue with this module, or if you would like to request a feature, please [file a ticket](https://tickets.puppetlabs.com/browse/MODULES/).
+Every Monday the Puppet IA Content Team has [office hours](https://puppet.com/community/office-hours) in the [Puppet Community Slack](http://slack.puppet.com/), alternating between an EMEA friendly time (1300 UTC) and an Americas friendly time (0900 Pacific, 1700 UTC).
+
+If you have problems getting this module up and running, please [contact Support](http://puppetlabs.com/services/customer-support).
+
+If you submit a change to this module, be sure to regenerate the reference documentation as follows:
+
+```bash
+puppet strings generate --format markdown --out REFERENCE.md
+```
+
+### Testing
+
+Make sure you have:
+
+* rake
+* bundler
+
+Install the necessary gems:
+
+```text
+bundle install
+```
+
+And run the tests from the root of the source code:
+
+```text
+bundle exec rake parallel_spec
+```
+
+See also `.travis.yml` for information on running the acceptance and other tests.
--- a/modules/firewall/REFERENCE.md
+++ b/modules/firewall/REFERENCE.md
--- a/modules/firewall/Rakefile
+++ b/modules/firewall/Rakefile
@ -1,76 +0,0 @@
-require 'puppetlabs_spec_helper/rake_tasks'
-require 'puppet-syntax/tasks/puppet-syntax'
-require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?
-require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any?
-require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any?
-
-def changelog_user
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = nil || JSON.load(File.read('metadata.json'))['author']
-  raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator user:#{returnVal}"
-  returnVal
-end
-
-def changelog_project
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = nil || JSON.load(File.read('metadata.json'))['name']
-  raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator project:#{returnVal}"
-  returnVal
-end
-
-def changelog_future_release
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = JSON.load(File.read('metadata.json'))['version']
-  raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator future_release:#{returnVal}"
-  returnVal
-end
-
-PuppetLint.configuration.send('disable_relative')
-
-if Bundler.rubygems.find_name('github_changelog_generator').any?
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
-    config.user = "#{changelog_user}"
-    config.project = "#{changelog_project}"
-    config.future_release = "#{changelog_future_release}"
-    config.exclude_labels = ['maintenance']
-    config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
-    config.add_pr_wo_labels = true
-    config.issues = false
-    config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM"
-    config.configure_sections = {
-      "Changed" => {
-        "prefix" => "### Changed",
-        "labels" => ["backwards-incompatible"],
-      },
-      "Added" => {
-        "prefix" => "### Added",
-        "labels" => ["feature", "enhancement"],
-      },
-      "Fixed" => {
-        "prefix" => "### Fixed",
-        "labels" => ["bugfix"],
-      },
-    }
-  end
-else
-  desc 'Generate a Changelog from GitHub'
-  task :changelog do
-    raise <<EOM
-The changelog tasks depends on unreleased features of the github_changelog_generator gem.
-Please manually add it to your .sync.yml for now, and run `pdk update`:
---
-Gemfile:
-  optional:
-    ':development':
-      - gem: 'github_changelog_generator'
-        git: 'https://github.com/skywinder/github-changelog-generator'
-        ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018'
-        condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')"
-EOM
-  end
-end
-
--- a/modules/firewall/checksums.json
+++ b/modules/firewall/checksums.json
@ -1,113 +0,0 @@
-{
-  "CHANGELOG.md": "cb6c848763ede8fb8c501be56abc7b40",
-  "CONTRIBUTING.md": "4d17f3c942e7c93d1577cc4438a231e4",
-  "Gemfile": "3864447c01e8ca140685b2f085f2d262",
-  "HISTORY.md": "78554cf4cff5c350fbf7c87cfe18e812",
-  "LICENSE": "3b83ef96387f14655fc854ddc3c6bd57",
-  "MAINTAINERS.md": "04aaaf05e794f325fd498880858fbd0f",
-  "NOTICE": "16e399d242da32229321f743a0b27d8c",
-  "README.markdown": "6ad59e0d04eabd191778dccad288b4b6",
-  "Rakefile": "5d8e4cae0fbd65b3b3e3ca59e759182b",
-  "lib/facter/ip6tables_version.rb": "4ea8934f4329ab0133f803f801b61db6",
-  "lib/facter/iptables_persistent_version.rb": "6c634cb505e167ad088946e042450bff",
-  "lib/facter/iptables_version.rb": "146e4e8b3655df1b77988e835ac3ba44",
-  "lib/puppet/provider/firewall/ip6tables.rb": "ab6284070585007668d05abb4b8e179c",
-  "lib/puppet/provider/firewall/iptables.rb": "02dc34698877d31475bd281718796579",
-  "lib/puppet/provider/firewall.rb": "d94d0ca1ac01e546fb9e0ff591f09aaf",
-  "lib/puppet/provider/firewallchain/iptables_chain.rb": "292a7126bb9ead563ee3e1c635aeff67",
-  "lib/puppet/type/firewall.rb": "cd167451737b8fc156abf89a24b6ca7c",
-  "lib/puppet/type/firewallchain.rb": "96c7597a988c59dd358c2998e4ed8ab2",
-  "lib/puppet/util/firewall.rb": "556272947eb178b0edd6df855629c301",
-  "lib/puppet/util/ipcidr.rb": "45fcb84e1cc295c432737e46e6a02a98",
-  "locales/config.yaml": "92a513534d781a27f58da8e200b87b49",
-  "manifests/init.pp": "69c22e13d3c82568f5acc5249f0c21b5",
-  "manifests/linux/archlinux.pp": "692a236965597cfba264a2e361aa3522",
-  "manifests/linux/debian.pp": "687dd3e1d08bb1ec28be119c73e095dd",
-  "manifests/linux/gentoo.pp": "225a291a80afacc8d5f01a21825c0c5a",
-  "manifests/linux/redhat.pp": "a3eecd996dec9c352daf71836107ad89",
-  "manifests/linux.pp": "391cfe691e648bcb3ce0aa97c84c6076",
-  "manifests/params.pp": "894542ad50db0bb2378964090492289d",
-  "metadata.json": "bfa99736f5f007b5d9050bade73766f4",
-  "spec/acceptance/bytecode_spec.rb": "ea195558d5add8256b53f155647fd3f6",
-  "spec/acceptance/change_source_spec.rb": "fbe2df21ec95bc0d3ce47c5550cfab00",
-  "spec/acceptance/class_spec.rb": "6a4f8fc845b2ec5124c7ce0733943065",
-  "spec/acceptance/connlimit_spec.rb": "d83757e4ee5f5ad867bcb5b92b7e8da3",
-  "spec/acceptance/connmark_spec.rb": "63fd07132fb6081cacc81ba9fe43e3fa",
-  "spec/acceptance/firewall_bridging_spec.rb": "1175abff7112aac80c9f1cbedb9254c3",
-  "spec/acceptance/firewall_clusterip_spec.rb": "3f0031074e4a8f9ebde62d271ec68dda",
-  "spec/acceptance/firewall_dscp_spec.rb": "39ff30237976b17ffb44c0592dcb8665",
-  "spec/acceptance/firewall_gid_spec.rb": "9975e8be6147d3ec463d19138ce1f17f",
-  "spec/acceptance/firewall_iptmodules_spec.rb": "ca0dca3a818b1e8abe01485ac0e75683",
-  "spec/acceptance/firewall_mss_spec.rb": "3588a6bcadecd45b5bee49ea4978ac6f",
-  "spec/acceptance/firewall_spec.rb": "811e725908f7ef38ac9aa8409d18c392",
-  "spec/acceptance/firewall_tee_spec.rb": "29867df95e3673b1c2bcfe7ca13b7b9b",
-  "spec/acceptance/firewall_time_spec.rb": "8617912ec2bd1194b91003e2fcce13d1",
-  "spec/acceptance/firewall_uid_spec.rb": "ab334d700b8c6b507baf7094a561303a",
-  "spec/acceptance/firewallchain_spec.rb": "62bf213945c854de341182db0ea27c90",
-  "spec/acceptance/hashlimit_spec.rb": "49128462e5310265291b1538fd95a5db",
-  "spec/acceptance/invert_spec.rb": "77718842cefb6366202ca25b3b0cf86c",
-  "spec/acceptance/ip6_fragment_spec.rb": "db0155bccef5cc7957140f191766576a",
-  "spec/acceptance/isfragment_spec.rb": "8c75b500412ccbb64284ea15c0b19803",
-  "spec/acceptance/match_mark_spec.rb": "a7027fbac841de492b26789b2d986f98",
-  "spec/acceptance/nflog_spec.rb": "96a3d9bdf12920da77732fe62fe178df",
-  "spec/acceptance/nodesets/centos-7-x64.yml": "a713f3abd3657f0ae2878829badd23cd",
-  "spec/acceptance/nodesets/debian-8-x64.yml": "d2d2977900989f30086ad251a14a1f39",
-  "spec/acceptance/nodesets/default.yml": "b42da5a1ea0c964567ba7495574b8808",
-  "spec/acceptance/nodesets/docker/centos-7.yml": "8a3892807bdd62306ae4774f41ba11ae",
-  "spec/acceptance/nodesets/docker/debian-8.yml": "ac8e871d1068c96de5e85a89daaec6df",
-  "spec/acceptance/nodesets/docker/ubuntu-14.04.yml": "dc42ee922a96908d85b8f0f08203ce58",
-  "spec/acceptance/nodesets/new/aio/debian-8-64mda.yml": "3cb5b076f8ff1ce0123f7002d1132aa1",
-  "spec/acceptance/nodesets/new/aio/redhat-6-64mda.yml": "2da8ffed4efeb44fb78b686a06195116",
-  "spec/acceptance/nodesets/new/aio/redhat-7-64mda.yml": "200ba1439bddf26dd611b5f315e3b955",
-  "spec/acceptance/nodesets/new/aio/ubuntu-1404-64mda.yml": "41256594850e488f033ec30327139162",
-  "spec/acceptance/nodesets/new/aio/ubuntu-1604-64mda.yml": "9c79b040697c25f1170feaf3ea3d9700",
-  "spec/acceptance/nodesets/new/pe/centos-5-64mda.yml": "192e4434be158fb238b8088f5d9adce0",
-  "spec/acceptance/nodesets/new/pe/centos-6-64mda.yml": "13947041961996723a56bfa35289919a",
-  "spec/acceptance/nodesets/new/pe/centos-7-64mda.yml": "5ff3e38e023c75ce2ace69a5ccadbf33",
-  "spec/acceptance/nodesets/new/pe/debian-6-64mda.yml": "ff79b672c5a532409c492ad0d45dc0ad",
-  "spec/acceptance/nodesets/new/pe/debian-7-64mda.yml": "63fefd7c9395781748a8b63d08dfd86c",
-  "spec/acceptance/nodesets/new/pe/debian-8-64mda.yml": "ed8e721a3d96556d92a9a1806171987b",
-  "spec/acceptance/nodesets/new/pe/oracle-5-64mda.yml": "64adf2da3fff9a6cf4b28c638f568a43",
-  "spec/acceptance/nodesets/new/pe/oracle-6-64mda.yml": "3e0fbe6f9516023816c85884f0fdc839",
-  "spec/acceptance/nodesets/new/pe/oracle-7-64mda.yml": "b5f568cf11baafdf98f0127220527219",
-  "spec/acceptance/nodesets/new/pe/redhat-5-64mda.yml": "3c07dc9d83607f0f04a6903a77f5825d",
-  "spec/acceptance/nodesets/new/pe/redhat-6-64mda.yml": "886858b5f4ddcd484da013eca85d996e",
-  "spec/acceptance/nodesets/new/pe/redhat-7-64mda.yml": "199c73bd7860987d5af932164b5603e7",
-  "spec/acceptance/nodesets/new/pe/scientific-5-64mda.yml": "4d23f6b5aa75033ddd9077588ee605a9",
-  "spec/acceptance/nodesets/new/pe/scientific-6-64mda.yml": "342a75a0f2a8e45b7f317d34a35fdb77",
-  "spec/acceptance/nodesets/new/pe/scientific-7-64mda.yml": "5952c337b5dfd11ddbc28cd7936630db",
-  "spec/acceptance/nodesets/new/pe/sles-10-64mda.yml": "6b71985abd427432bdb2f9e8b76087fe",
-  "spec/acceptance/nodesets/new/pe/sles-11-64mda.yml": "5ed55d2324395308cab72ec6e0545967",
-  "spec/acceptance/nodesets/new/pe/sles-12-64mda.yml": "bc2fc9c59161c30b69fe907d65a138dc",
-  "spec/acceptance/nodesets/new/pe/ubuntu-1004-64mda.yml": "07bef5f739c27a6a62945adbd2e8813e",
-  "spec/acceptance/nodesets/new/pe/ubuntu-1204-64mda.yml": "c689063fd68a3c3ba3c47ced3016fa0e",
-  "spec/acceptance/nodesets/new/pe/ubuntu-1404-64mda.yml": "d0f11e054810e240ba4efdf3d08de815",
-  "spec/acceptance/nodesets/new/pe/ubuntu-1604-64mda.yml": "c66b70cd33f4e338ddfb54ff46f35c8e",
-  "spec/acceptance/params_spec.rb": "f60f1a7fc8a3220452f8be9a8f75dff5",
-  "spec/acceptance/purge_spec.rb": "dbed2bd663e16c7ec342f8c6043cf27f",
-  "spec/acceptance/resource_cmd_spec.rb": "42646dfe47ea26f6d7c503c1d59b9820",
-  "spec/acceptance/rules_spec.rb": "9178056223e997f9209c6e0d545efbb7",
-  "spec/acceptance/socket_spec.rb": "faa8314766a5f45b722542aad70119e0",
-  "spec/acceptance/standard_usage_spec.rb": "4a4fadac8e277d1380d481d07041ff08",
-  "spec/default_facts.yml": "d4442f09ee2f33f2d55f078d0ee2634f",
-  "spec/fixtures/ip6tables/conversion_hash.rb": "ac76867b62fd635a85dcc7a565324491",
-  "spec/fixtures/iptables/conversion_hash.rb": "6fd7863c8b2b57b100a57e3f9fa6f6e2",
-  "spec/spec_helper.rb": "5976c9433c30e42380aa21cbf108c388",
-  "spec/spec_helper_acceptance.rb": "126f3d90ff51283b902e8d017cd0016d",
-  "spec/spec_helper_local.rb": "3fd478f37f68db2879ca92bf1237202b",
-  "spec/unit/classes/firewall_linux_archlinux_spec.rb": "fd9ffeddd563b1030597e8289f5ba81f",
-  "spec/unit/classes/firewall_linux_debian_spec.rb": "d08f4b8df0ee201ba81dba58cae4ce2b",
-  "spec/unit/classes/firewall_linux_redhat_spec.rb": "af2f3b4b98d7b098e42f36f4543beac6",
-  "spec/unit/classes/firewall_linux_spec.rb": "f005992268d40b739e7cafa3b0f703e4",
-  "spec/unit/classes/firewall_spec.rb": "9f843d1b925a806f5480e9a882da1477",
-  "spec/unit/documentation/readme_spec.rb": "ebe547b0051099281904dad3c5413de8",
-  "spec/unit/facter/iptables_persistent_version_spec.rb": "b5c32d4e2fa97cba4b20008924a2a45b",
-  "spec/unit/facter/iptables_spec.rb": "ee1ee01c6fcacdc23f9a85a3b147ee98",
-  "spec/unit/puppet/provider/ip6tables_spec.rb": "ceee1675b92d9b391d23379064d6a343",
-  "spec/unit/puppet/provider/iptables_chain_spec.rb": "0fca1374172197039fcdf5e50531257a",
-  "spec/unit/puppet/provider/iptables_spec.rb": "879515cd209fe4ba45bbf776fcc224a0",
-  "spec/unit/puppet/type/firewall_spec.rb": "b8cf31b88d7b4f692e8fc4dca8b31be4",
-  "spec/unit/puppet/type/firewallchain_spec.rb": "67b78ef4df1e4868adb87b2cb7e19e20",
-  "spec/unit/puppet/util/firewall_spec.rb": "4480171573cff443782a9f2e39ec64d7",
-  "spec/unit/puppet/util/ipcidr_spec.rb": "c6c8097b4779aae250e38d8d8492ca32"
-}
--- a/modules/firewall/data/common.yaml
+++ b/modules/firewall/data/common.yaml
@ -0,0 +1 @@
+--- {}
--- a/modules/firewall/hiera.yaml
+++ b/modules/firewall/hiera.yaml
@ -0,0 +1,21 @@
+---
+version: 5
+
+defaults:  # Used for any hierarchy level that omits these keys.
+  datadir: data         # This path is relative to hiera.yaml's directory.
+  data_hash: yaml_data  # Use the built-in YAML backend.
+
+hierarchy:
+  - name: "osfamily/major release"
+    paths:
+        # Used to distinguish between Debian and Ubuntu
+      - "os/%{facts.os.name}/%{facts.os.release.major}.yaml"
+      - "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
+        # Used for Solaris
+      - "os/%{facts.os.family}/%{facts.kernelrelease}.yaml"
+  - name: "osfamily"
+    paths:
+      - "os/%{facts.os.name}.yaml"
+      - "os/%{facts.os.family}.yaml"
+  - name: 'common'
+    path: 'common.yaml'
--- a/modules/firewall/lib/facter/ip6tables_version.rb
+++ b/modules/firewall/lib/facter/ip6tables_version.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Facter.add(:ip6tables_version) do
  confine kernel: :Linux
  setcode do
--- a/modules/firewall/lib/facter/iptables_persistent_version.rb
+++ b/modules/firewall/lib/facter/iptables_persistent_version.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Facter.add(:iptables_persistent_version) do
  confine operatingsystem: ['Debian', 'Ubuntu']
  setcode do
@ -6,7 +8,8 @@ Facter.add(:iptables_persistent_version) do