compatibility with firewall 2.x module, refined

data/common.yaml

@@ -7,14 +7,17 @@ lookup_options:
 
 # ipv4 default rules
 iptables::rules_pre:
-  '100 ipv4':
-    proto: icmp
+  accept_icmp:
+    name: "100 ipv4"
     action: accept
-  '110 ipv4':
+    proto: icmp
+  accept_lo:
+    name: "110 ipv4"
     proto: 'all'
     iniface: 'lo'
-    action: accept
-  '120 ipv4':
+    action: 'accept'
+  accept_related_established:
+    name: "120 ipv4"
     proto: 'all'
     ctstate: 
       - 'RELATED'
@@ -22,13 +25,15 @@ iptables::rules_pre:
     action: accept
 
 iptables::rules_post:
-  '998 ipv4':
+  reject_remaining_tcp:
+    name: "998 ipv4"
     chain: INPUT
     proto: tcp
     action: reject
     reject: 'tcp-reset'
     tcp_flags: 'FIN,SYN,RST,ACK SYN'
-  '999 ipv4':
+  reject_remaining_udp:
+    name: "999 ipv4"
     chain: INPUT
     proto: udp
     action: reject

manifests/init.pp

@@ -53,11 +53,11 @@ class iptables (
     # create a hash with the parameters of the class to
     # merge with the hiera lookup, which takes precedence
     $opts = {
-      '100 log hits' => {
+      log_attempts => {
         rseconds  => $ssh_defence_secs,
         rhitcount => $ssh_defence_limit,
       },
-      '110 drop attacker' => {
+      drop_connections => {
         rseconds  => $ssh_defence_secs,
         rhitcount => $ssh_defence_limit,
       }
@@ -71,11 +71,11 @@ class iptables (
     # engage ssh defence for ipv6
     if $public_ipv6 {
       $opts_ipv6 = {
-        '100 log ipv6 attempts' => {
+        log_ipv6_attempts => {
           rseconds  => $ssh_defence_secs,
           rhitcount => $ssh_defence_limit,
         },
-        '110 drop ipv6 attacker' => {
+        drop_ipv6_connections => {
           rseconds  => $ssh_defence_secs,
           rhitcount => $ssh_defence_limit,
         }