root / REFERENCE.md @ 3016d428

# Date Author Comment
a528bf59 2024-06-27 06:33 Steve Traylen

New clobber_default_config parameter

Certain OSes namely Debian and Archlinux provide default rules
with the OS.

This module has always respected those rules and appended all of
its own rules to the end of the existing rules.

The new parameter `clobber_default_config` if set `true` (default `false`)...

1ef7d5c4 2023-12-31 08:42 Tim Meusel

rules::llmnr: Allow interface filtering

3e2b5119 2023-12-31 08:11 Tim Meusel

rules::ospf3: Allow filtering on incoming interfaces

925c358d 2023-12-31 08:11 Tim Meusel

rules::out::ospf3: Allow filtering on outgoing interfaces

4c3d5d6b 2023-12-31 07:57 Tim Meusel

rules::mdns: Allow interface filtering

51850192 2023-12-31 07:57 Tim Meusel

rules::out::mdns: Allow interface filtering

8cdd24a5 2023-12-29 10:23 Tim Meusel

rules::icmp: Allow ICMP packets with extensions

5d554e75 2023-12-29 07:32 Tim Meusel

out::icmp: Add parameter documentation

e846c98b 2023-12-27 06:02 Tim Meusel

simplerule: Allow multiple oifname/iifname

eac19d14 2023-12-20 14:51 Tim Meusel

Make "dropping invalid packets" configurable

It doesn't make sense to explicitly drop those packets when the default
policy is already `DROP`. Also some applications, like ceph, are known
to send packets that might be marked as invalid.

d7d6d5d3 2023-12-20 13:31 Tim Meusel

simplerule: Add support for outgoing interface filtering

9d1ee648 2023-12-20 04:41 Tim Meusel

rules::out::dns: refactor for better readability

25b3f3f4 2023-12-19 12:36 Tim Meusel

simplerule: Add support for incoming interface filtering

f1d50c1e 2023-12-18 16:40 Tim Meusel

Regenerate REFERENCE.md

67cdcf15 2023-11-24 02:52 Steve Traylen

Support input interface specification to dns server

Useful when you want to allow docker/podman containers
access to a host's DNS stub resolver.

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

b5633532 2023-11-23 02:46 Tim Meusel

Merge pull request #189 from tskirvin/master

nftables::simplerule::dport - takes port ranges as part of the array

a7cb6803 2023-11-23 02:38 Steve Traylen

Merge pull request #214 from traylenator/podman

Additional rules for podman root containers

94285e5f 2023-11-22 04:40 Steve Traylen

Example of how to redirect one port to another

Add an example of how to redirect traffic from one port to another.

08b9f1d0 2023-11-22 03:53 Steve Traylen

Additional rules for podman root containers

This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration...

baad986e 2023-11-16 19:10 Vadym Chepkov

add ftp helper

This adds the ability to enable a connection tracker helper and provides typical FTP rules

Co-authored-by: Vadym Chepkov <>
Co-authored-by: Yury Bushmelev <>

5a7b1fc1 2023-11-07 17:27 Tim Skirvin

Merge branch 'voxpupuli:master' into master

a9bbb10d 2023-10-28 09:05 Vadym Chepkov

provide an option to disable logging rejected packets

64404839 2023-08-27 05:09 Tim Meusel

samba: Add option to drop traffic

ffc8b86f 2023-08-26 18:20 Tim Meusel

Add nftables rules for ws-discovery

50a5be8b 2023-08-26 18:05 Tim Meusel

Add rule for incoming SSDP

3b26826f 2023-08-25 19:07 Tim Meusel

Add rule for incoming LLMNR

fbe7e2b4 2023-08-21 12:07 Tim Skirvin

Merge branch 'master' into master

6b350264 2023-08-19 16:22 Tim Meusel

Add rule for outgoing multicast DNS

e499cece 2023-08-19 15:52 Tim Meusel

Add rule for multicast listener requests (MLDv2)

ad3dbd7d 2023-08-18 10:40 Ewoud Kohl van Wijngaarden

Rewrite mdns rules to limit to multicast and allow IPv6

This limits the mdns listener to only listen on multicast addresses with
port 5353. One rule for IPv4 and one for IPv6, each controllable with a
parameter.

The generic 5353 to 5353 rule is dropped since it's redundant when I...

a8bf4ad5 2023-08-17 22:02 Romain Tartière

Regenerate REFERENCE.md

4acda787 2023-08-10 12:13 Tim Skirvin

REFERENCE.md changes to match

020842af 2023-08-09 20:00 Tim Meusel

Add rules for IGMP

5ffd0328 2023-08-09 19:11 Tim Meusel

Add rule to allow multicast DNS

8b131276 2023-08-09 18:53 Tim Meusel

Add rule to allow incoming spotify broadcast

80b384c8 2023-08-09 17:57 Tim Meusel

Add rule to allow incoming multicast traffic

ea29e235 2023-06-19 12:58 Simon Hoenscheid

add ldap and active directory rules

8db66304 2023-05-10 02:54 Steve Traylen

Refresh REFERENCE

c24d3118 2023-03-23 09:15 Tim Meusel

Regenerate REFERENCE.md

7030bde0 2023-03-23 05:28 Luis Fernández Álvarez

Add bridge as a valid family for chain tables

a1f09048 2022-10-24 16:59 Tim Meusel

Add class for outgoing HKP firewalling

331b8d85 2022-09-01 05:22 Steve Traylen

New nftables::file type to include raw file

For example:

```puppet
nftables::file { 'geoip':
  content => "include \"/files/geoipsets/dbip/*.ipv4\"\n",
}
```

will write a file or content into the nftables configuration.

The file written will be included in configuration....

3b8f5945 2022-08-26 08:33 Steve Traylen

Release 2.5.0

7937a13b 2022-07-11 04:18 Tim Meusel

chrony: Allow filtering for outgoing NTP servers

2b1896c1 2022-07-10 06:42 Tim Meusel

Add rule to allow outgoing whois queries

194e05d5 2022-07-07 08:53 Tim Meusel

Add class for outgoing PXP connections

7f74df2e 2022-07-07 08:10 Tim Meusel

Add class for pxp-agent firewalling

821ec83a 2022-07-06 08:37 Tim Meusel

Release 2.3.0

8842a597 2022-07-05 08:23 Tim Meusel

make path to `nft` binary configurable

d0a1ffef 2022-02-27 12:03 hashworks

Prepare release 2.2.0

2063deaf 2022-02-26 09:19 hashworks

Fix typos in initial reference examples

b02d6ea9 2021-09-14 02:57 Nacho Barrientos

Prepare release 2.1.0

c94658e1 2021-07-06 11:46 Nacho Barrientos

Allow declaring the same set in several tables

Closes #100

7b9d6ffc 2021-05-31 04:42 Nacho Barrientos

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept...

804b96e4 2021-03-25 07:53 Nacho Barrientos

Prepare release 1.3.0

cd2a3cbf 2021-03-25 03:30 Nacho Barrientos

Add rules for QEMU/libvirt guests

771b3256 2021-03-15 09:59 Nacho Barrientos

Add rules for Apache ActiveMQ

13f26dfc 2021-01-26 07:17 Nacho Barrientos

Improve nftables::rule's documentation (#68)

19908f41 2021-01-18 14:07 mh

add some mail related outgoing rules

09cba182 2021-01-18 10:36 Steve Traylen

Enable parameter_documentation lint

The linter checks that every parameter has been documented.

While corrections have been made to a great many classes, some more
complicated examples have been left for now. They should be updated
as the files get touched.

https://github.com/domcleal/puppet-lint-param-docs

8c00b818 2021-01-18 07:37 Nacho Barrientos

Pull up rule regexp to type aliases

6a4ffead 2021-01-13 11:10 Nacho Barrientos

Align simplerule and rule rulename requirements

bc1b0f1a 2020-12-15 05:07 Steve Traylen

Release 1.0.0 (#49)

  • Release 1.0.0

Co-authored-by: duritong <>

13f4e4c6 2020-12-14 03:06 Steve Traylen

Docs for nftables::set

b46c9ce9 2020-12-10 06:53 Nacho Barrientos

Remove a blank separating the doc string and the code

Otherwise the generator of the docs does not do the job :/

4d63adda 2020-12-09 11:45 Nacho Barrientos

Refresh REFERENCE

b9785000 2020-12-09 09:42 Steve Traylen

Correct layout of ignore chain example

7f6cacc5 2020-11-27 04:01 Steve Traylen

Refresh REFERENCE

e17693e3 2020-10-20 08:29 Steve Traylen

New parameter out_all, default false

In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.

Default is false, so it is backwards compatible.

If true all the other out_bound rules (ntp, ...) will be disabled...