# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): manage in icmp
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients (7000 afs3-fileserver, 7002 afs3-ptserver, 7003 vlserver)
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage a ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage a ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters (`out_ntp`, `out_dns`, ...) will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed and the listed
tables are left untouched. If left unset, all tables will be flushed via a
`flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

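The parameters above are usually set together rather than one at a time. As an added example that is not part of the generated reference or of the module's own code, the manifest below combines them: a default-deny outbound policy with a short allow-list of services, bounded logging of rejected packets, a table excluded from flushing, a named set supplied through `sets`, and raw rules supplied through `rules` whose keys follow the `Nftables::RuleName` convention (`<chain>-<name>[-<number>]`, with `default_in` and `default_out` being the chains the module creates in table `inet filter`). The set name `admin_nets`, the rule names, the network ranges, the LDAP server address and port 8443 are assumptions chosen for illustration.

```puppet
# Added example, not from the module's REFERENCE or its own manifests.
# Set name, rule names, addresses and the 8443 service port are assumed.
class { 'nftables':
  # Outbound: deny by default, then allow only what this host needs.
  # With out_all false the individual out_* switches are honoured.
  out_all        => false,
  out_ntp        => true,
  out_dns        => true,
  out_http       => false,
  out_https      => true,
  # Inbound: keep ICMP, but drop the module's generic ssh rule in
  # favour of the source-restricted rule defined under `rules` below.
  in_ssh         => false,
  in_icmp        => true,
  # Tell senders the port is closed instead of silently dropping, and
  # keep the log volume of unmatched packets bounded.
  reject_with    => 'icmpx type port-unreachable',
  log_prefix     => '[nftables] %<chain>s %<comment>s',
  log_limit      => '3/minute burst 5 packets',
  # Leave the fail2ban-managed table alone when the ruleset is reloaded.
  noflush_tables => ['inet-f2b-table'],
  # Named sets are created in table inet filter and referenced as @name.
  # Prefix elements need the interval flag; auto_merge collapses overlaps.
  sets           => {
    'admin_nets' => {
      'type'       => 'ipv4_addr',
      'flags'      => ['interval'],
      'elements'   => ['192.0.2.0/24', '198.51.100.10'],  # assumed ranges
      'auto_merge' => true,
    },
  },
  # Raw rules: key = <chain>-<name>[-<number>], value = nftables::rule params.
  rules          => {
    'default_in-admin_ssh' => {
      'content' => 'ip saddr @admin_nets tcp dport 22 accept',
      'order'   => '20',   # evaluated before the default order 50 rules
    },
    'default_in-app' => {
      'content' => 'tcp dport 8443 accept',   # assumed service port
    },
    'default_out-ldaps' => {
      'content' => 'ip daddr 192.0.2.53 tcp dport 636 accept',  # assumed server
    },
  },
}
```

Because `in_ssh` is `false`, the module's generic ssh rule is not created and only `default_in-admin_ssh` admits port 22, and only from addresses in `@admin_nets`. The `default_out-ldaps` rule is only meaningful because `out_all` is `false`; with `out_all => true` every outbound packet is already accepted and the specific out rules are redundant. After applying, `nft list ruleset` should show the `admin_nets` set under `table inet filter` and the three rules in the `default_in` and `default_out` chains.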
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the bridge forwarding rules should be present or absent.

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Regular expression matched against interface names to select the bridges whose traffic may be forwarded.

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class, `docker::iptables: false` should be set so that dockerd
does not add its own rules alongside the ones managed here.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

manage in icmp: allow inbound ICMPv4/v6 traffic of the configured types

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMPv4 types to accept. When left unset, the class applies its own default list of types.

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMPv6 types to accept. When left unset, the class applies its own default list of types.

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Order of the generated ICMP rules within their chain.

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Name(s) of the Prometheus server(s) allowed to reach the exporter port.

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the Active Directory server(s)

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

Active Directory server ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the NTP servers that chrony is allowed to reach

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
780 7f6cacc5 Steve Traylen
781 09cba182 Steve Traylen
Allow DHCPv6 requests out of a host
782 7f6cacc5 Steve Traylen
783 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
784 e17693e3 Steve Traylen
785
manage out dns
786
787
#### Parameters
788
789 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::dns` class:
790 e17693e3 Steve Traylen
791 c24d3118 Tim Meusel
* [`dns_server`](#-nftables--rules--out--dns--dns_server)
792 e17693e3 Steve Traylen
793 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
794 e17693e3 Steve Traylen
795 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
796 e17693e3 Steve Traylen
797 09cba182 Steve Traylen
specify dns_server name
798 e17693e3 Steve Traylen
799 c24d3118 Tim Meusel
Default value: `undef`
800 e17693e3 Steve Traylen
801 c24d3118 Tim Meusel
### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
802 a1f09048 Tim Meusel
803
allow outgoing hkp connections to gpg keyservers
804
805 c24d3118 Tim Meusel
### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
806 e17693e3 Steve Traylen
807
manage out http
808
809 c24d3118 Tim Meusel
### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
810 e17693e3 Steve Traylen
811
manage out https
812
813 c24d3118 Tim Meusel
### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
814 7f6cacc5 Steve Traylen
815 09cba182 Steve Traylen
control outbound icmp packages
816 7f6cacc5 Steve Traylen
817
#### Parameters
818
819 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::icmp` class:
820
821 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
822
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
823
* [`order`](#-nftables--rules--out--icmp--order)
824 7f6cacc5 Steve Traylen
825 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
826 7f6cacc5 Steve Traylen
827
Data type: `Optional[Array[String]]`
828
829
830
831 c24d3118 Tim Meusel
Default value: `undef`
832 7f6cacc5 Steve Traylen
833 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
834 7f6cacc5 Steve Traylen
835
Data type: `Optional[Array[String]]`
836
837
838
839 c24d3118 Tim Meusel
Default value: `undef`
840 7f6cacc5 Steve Traylen
841 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--order"></a>`order`
842 7f6cacc5 Steve Traylen
843
Data type: `String`
844
845
846
847
Default value: `'10'`
848
849 020842af Tim Meusel
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`
850
851
allow outcoming IGMP messages
852
853 c24d3118 Tim Meusel
### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`
854 19908f41 mh
855
allow outgoing imap
856
857 c24d3118 Tim Meusel
### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`
858 7f6cacc5 Steve Traylen
859
allows outbound access for kerberos
860
861 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`
862
863
manage outgoing ldap
864
865
#### Parameters
866
867
The following parameters are available in the `nftables::rules::out::ldap` class:
868
869
* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
870
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)
871
872
##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`
873
874
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
875
876
ldapserver IPs
877
878
##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`
879
880
Data type: `Array[Stdlib::Port,1]`
881
882
ldapserver ports
883
884
Default value: `[389, 636]`
885
886 c24d3118 Tim Meusel
### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`
887 e17693e3 Steve Traylen
888
manage out mysql
889
890 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`
891 b9785000 Steve Traylen
892
manage out nfs
893
894 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`
895 b9785000 Steve Traylen
896
manage out nfs3
897
898 c24d3118 Tim Meusel
### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`
899 7f6cacc5 Steve Traylen
900 09cba182 Steve Traylen
allows outbound access for afs clients
901 7f6cacc5 Steve Traylen
7000 - afs3-fileserver
902
7002 - afs3-ptserver
903
7003 - vlserver
904
905
* **See also**
906
  * https://wiki.openafs.org/devel/AFSServicePorts/
907
    * AFS Service Ports
908
909
#### Parameters
910
911 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::openafs_client` class:
912 7f6cacc5 Steve Traylen
913 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--openafs_client--ports)
914 7f6cacc5 Steve Traylen
915 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`
916 7f6cacc5 Steve Traylen
917 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
918 7f6cacc5 Steve Traylen
919 09cba182 Steve Traylen
port numbers to use
920 7f6cacc5 Steve Traylen
921
Default value: `[7000, 7002, 7003]`
922
923 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`
924 e17693e3 Steve Traylen
925
manage out ospf
926
927 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`
928 e17693e3 Steve Traylen
929
manage out ospf3
930
931 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`
932 19908f41 mh
933
allow outgoing pop3
934
935 c24d3118 Tim Meusel
### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`
936 e17693e3 Steve Traylen
937
manage out postgres
938
939 c24d3118 Tim Meusel
### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`
940 e17693e3 Steve Traylen
941
manage outgoing puppet
942
943
#### Parameters
944
945 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::puppet` class:
946 e17693e3 Steve Traylen
947 c24d3118 Tim Meusel
* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
948
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)
949 e17693e3 Steve Traylen
950 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`
951 e17693e3 Steve Traylen
952 09cba182 Steve Traylen
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
953 e17693e3 Steve Traylen
954 09cba182 Steve Traylen
puppetserver hostname
955 e17693e3 Steve Traylen
956 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`
957 e17693e3 Steve Traylen
958 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
959 e17693e3 Steve Traylen
960 09cba182 Steve Traylen
puppetserver port
961 e17693e3 Steve Traylen
962
Default value: `8140`
963
964 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`
965 194e05d5 Tim Meusel
966
manage outgoing pxp-agent
967
968
* **See also**
969
  * also
970
    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
971
972
#### Parameters
973
974
The following parameters are available in the `nftables::rules::out::pxp_agent` class:
975
976 c24d3118 Tim Meusel
* [`broker`](#-nftables--rules--out--pxp_agent--broker)
977
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)
978 194e05d5 Tim Meusel
979 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`
980 194e05d5 Tim Meusel
981
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
982
983
PXP broker IP(s)
984
985 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`
986 194e05d5 Tim Meusel
987
Data type: `Stdlib::Port`
988
989
PXP broker port
990
991
Default value: `8142`
992
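The `nftables::rules::out::*` classes above are meant to be composed: each one opens egress only to the servers it is given, so a host ends up with an explicit allow-list instead of `nftables::rules::out::all`. The profile below is an added example (not code from the module or this reference) that ties the Puppet, PXP, DNS, NTP and LDAP egress classes together. The profile name `profile::firewall::egress` and all server addresses are constructed placeholders; only the class names and parameters come from this reference.

```puppet
# Added example: an egress allow-list for a Puppet-managed host built from
# the nftables::rules::out::* classes documented above. Class and parameter
# names are the module's; the profile name and every address are constructed.
class profile::firewall::egress (
  Array[Stdlib::IP::Address, 1] $puppetservers = ['192.0.2.10'],  # constructed
  Array[Stdlib::IP::Address, 1] $dns_servers   = ['192.0.2.53'],  # constructed
  Array[Stdlib::IP::Address, 1] $ntp_servers   = ['192.0.2.123'], # constructed
  Array[Stdlib::IP::Address, 1] $ldap_servers  = ['192.0.2.30'],  # constructed
) {
  # Main class (documented at the top of this reference); it provides the
  # base tables and chains the rule classes attach to.
  include nftables

  # Agent -> Puppetserver on 8140 (puppetserver_port default). The PXP agent
  # connects to a broker on the same hosts, on broker_port 8142 by default,
  # which is why the two classes are declared together (see the "See also"
  # note under nftables::rules::out::pxp_agent).
  class { 'nftables::rules::out::puppet':
    puppetserver => $puppetservers,
  }
  class { 'nftables::rules::out::pxp_agent':
    broker => $puppetservers,
  }

  # Name resolution and time, pinned to the site's own resolvers and NTP
  # servers rather than opened to the whole Internet.
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # LDAP and LDAPS to the directory servers; ldapserver_ports keeps its
  # default of [389, 636].
  class { 'nftables::rules::out::ldap':
    ldapserver => $ldap_servers,
  }
}
```

Declaring `nftables::rules::out::all` next to this profile would reopen all outbound traffic and make the per-service classes pointless, so a host that uses this pattern should not include it.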
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you do not serve DHCP to your
guests you can disable the rules that accept DHCP traffic on the
host, and if you do not want your guests to talk to hosts outside
you can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`
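With every switch left at its default the class reproduces libvirt's permissive setup: guests get DNS and DHCP from the host, talk to each other, are forwarded to the outside and masqueraded behind the host address. The declaration below is an added example (not code from the module or this reference) of the isolated variant the description mentions: guests keep host-provided DNS and DHCP and can reach each other, but forwarding and masquerading are turned off so they cannot reach external networks. The bridge name and IPv4 prefix are constructed values chosen to differ from the defaults.

```puppet
# Added example: an isolated libvirt network using nftables::rules::qemu.
# Parameter names are the module's; 'virbr1' and 10.20.0.0/24 are constructed.
include nftables

class { 'nftables::rules::qemu':
  interface        => 'virbr1',        # constructed; the default is 'virbr0'
  network_v4       => '10.20.0.0/24',  # constructed; the default is '192.168.122.0/24'
  network_v6       => undef,           # no IPv6 prefix on this virtual network
  dns              => true,            # guests may query the resolver on the host
  dhcpv4           => true,            # guests may obtain leases from the host
  internal_traffic => true,            # guests may talk to each other on the bridge
  forward_traffic  => false,           # nothing is forwarded between bridge and outside
  masquerade       => false,           # with forwarding off there is nothing to NAT
}
```

Disabling `forward_traffic` alone already stops guest-to-outside traffic; `masquerade => false` additionally keeps the POSTROUTING NAT rule out of the ruleset so that nothing is left behind should forwarding be re-enabled for another reason.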
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`
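The parameter descriptions of `nftables::chain` are empty, so the following is an added example (not code from the module or this reference) of the pattern the types suggest: `table` is `<family>-<name>`, `inject` is `<two-digit order>-<chain>`, and `inject_iif`/`inject_oif` are interface names. The reading of `inject` used here is an assumption, not something this page states: the value names the existing chain from which a `jump` to the new chain is added, at the given order, and the `inject_iif`/`inject_oif` values narrow that jump to traffic on the named interfaces. The chain name `mgmt_in`, the interface `eth1` and the admin network are constructed; `default_in` is the chain used in the `nftables::rule` examples further down this page, and the rules are added with `nftables::rule` using its `<chain>-<rulename>` title format.

```puppet
# Added example: a dedicated chain for a management interface, entered from
# the module's default_in chain. How `inject` is rendered (a jump rule at the
# given order, limited by inject_iif/inject_oif) is my reading of the
# parameter types, not a statement from this reference. 'mgmt_in', 'eth1'
# and 192.0.2.0/24 are constructed values.
include nftables

nftables::chain { 'mgmt_in':
  table      => 'inet-filter',    # the default, shown for clarity
  inject     => '20-default_in',  # jump here from default_in, early (order 20)
  inject_iif => 'eth1',           # only for packets arriving on the management interface
}

# Rules inside the new chain. The title is '<chain>-<rulename>'; order fixes
# the rendering position, so the accept is evaluated before the final drop.
nftables::rule {
  'mgmt_in-ssh_from_admin':
    order   => '10',
    content => 'ip saddr 192.0.2.0/24 tcp dport 22 accept';  # constructed admin network
  'mgmt_in-drop_rest':
    order   => '90',
    content => 'drop';                                       # everything else on eth1
}
```

Packets that enter `default_in` on any other interface never reach `mgmt_in` because of `inject_iif`, so the final `drop` only affects the management interface; `inject_oif` serves the same purpose for chains injected into an output or forward chain.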
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file { 'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`
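The two examples above show `content` and `table`; what they do not show is that `order` decides which of several rules in the same chain is evaluated first, and that `ensure => 'absent'` is how a rule is retired. The block below is an added example (not code from the module or this reference) in which a lower-ordered accept for an admin network is rendered before a higher-ordered drop for everyone else, so the order values, not the declaration order in the manifest, determine the outcome. The rule names, the admin network and the retired rule are constructed; `default_in` and the default table `inet-filter` are the ones documented on this page.

```puppet
# Added example: rule ordering and removal with nftables::rule. The chain
# default_in and table inet-filter are the module's defaults; the rule
# names and 192.0.2.0/24 are constructed. Two-digit order strings are
# required by the parameter's Pattern[/^\d\d$/] type.
include nftables

nftables::rule {
  # Declared second but rendered first: order 40 sorts before order 60.
  'default_in-ssh_others':
    order   => '60',
    content => 'tcp dport 22 ct state new counter drop';      # everyone else, counted for visibility
  'default_in-ssh_admins':
    order   => '40',
    content => 'ip saddr 192.0.2.0/24 tcp dport 22 accept';   # constructed admin network
}

# Retiring a rule: ensure => 'absent' removes it from the rendered chain
# regardless of its content, which can be kept for documentation.
nftables::rule { 'default_in-legacy_telnet':
  ensure  => 'absent',
  content => 'tcp dport 23 accept',
}
```

The `counter` on the drop rule costs nothing and makes `nft list ruleset` show how much unwanted SSH traffic the rule is absorbing, which is the cheapest detection signal such a rule can provide.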
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
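`nftables::rules::dnat4` carries no parameter descriptions, so the following is an added example (not code from the module or this reference) of the case its parameters fit: a service on a guest behind the host is published on a host port, and the guest's own outbound traffic is masqueraded with `nftables::rules::masquerade`, the defined type documented next. The reading used here is that `dport` and `iif` select the incoming traffic on the host and `daddr`/`port` name the internal target, with the forwarded traffic accepted in `chain` (default `default_fwd`); that is my interpretation of the parameter names, not a statement from this page. The interface name and the addresses are constructed, the guest network being the `192.168.122.0/24` that `nftables::rules::qemu` uses by default.

```puppet
# Added example: publish TCP 8443 on the host as port 443 of a guest and
# masquerade the guest network on the way out. Parameter names are the
# module's; 'eth0' and the addresses are constructed. Which nft rules each
# parameter turns into is my reading of the parameter names, not documented
# on this page.
include nftables

nftables::rules::dnat4 { 'guest_https':
  iif   => 'eth0',             # external interface the clients arrive on
  proto => 'tcp',
  dport => 8443,               # port clients connect to on the host
  daddr => '192.168.122.10',   # guest address (libvirt default network)
  port  => 443,                # port the guest actually listens on
  chain => 'default_fwd',      # default: forwarded traffic is accepted here
  order => '50',               # default
}

nftables::rules::masquerade { 'guest_out':
  oif   => 'eth0',             # only traffic leaving through the external interface
  saddr => '192.168.122.0/24', # only the guest network, not everything forwarded
  order => '70',               # default; the rule lives in POSTROUTING by default
}
```

Restricting the masquerade with `oif` and `saddr` keeps the NAT rule from silently rewriting unrelated forwarded traffic should another network later be bridged through the same host; the unrestricted form is only appropriate when the host really is a single-purpose gateway.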
1587 c24d3118 Tim Meusel
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an ipv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

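An added example (not from the module's generated reference) that combines the three NAT defined types above into one gateway manifest: a DNAT port forward, a static SNAT for one host and a masquerade limited to the internal network. The interface `eth0`, the addresses and the rule names are constructed, and the comments on where each rule lands are an assumption drawn from the parameter names and defaults (`default_fwd`, `POSTROUTING`) rather than from the reference text.

```puppet
# Added example, not part of the generated reference. Interface name,
# addresses and rule names are constructed for illustration; the chain
# placement described in the comments is assumed from the parameter names.

include nftables
include nftables::ip_nat   # assumed: provides the ip nat PREROUTING/POSTROUTING chains

# Port forward: TCP 8443 arriving on eth0 is translated to 10.0.1.20:443.
# 'dport' is the port exposed on the gateway, 'port' the port on the target.
# 'chain' (default 'default_fwd') is the forward chain that also has to let
# the translated traffic through; the DNAT alone does not accept it.
nftables::rules::dnat4 { 'web_8443':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8443,
  daddr => '10.0.1.20',
  port  => 443,
  order => '40',
}

# Static source NAT for one host that must appear upstream with a fixed
# address (for example because the peer allow-lists it). Ordered before the
# masquerade rule below so the more specific translation is evaluated first.
nftables::rules::snat4 { 'mgmt_fixed':
  snat  => '203.0.113.10',
  oif   => 'eth0',
  saddr => '10.0.1.5',
  order => '60',
}

# Masquerade only the internal network leaving through eth0 rather than all
# outgoing traffic; restricting 'saddr' keeps unexpected or spoofed sources
# from being translated to the gateway address.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
  order => '70',
}
```

Note that `daddr` of `nftables::rules::dnat4` is checked only against the pattern shown above, so a value such as `299.0.0.1` passes Puppet's type check and is rejected only when nft loads the ruleset.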
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of set, equal to title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

set the nftables `auto-merge` option, which merges overlapping or adjacent elements of an `interval` set.

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

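An added example (not from the module's reference) showing `nftables::set` and `nftables::simplerule` together, in particular the `set_type` pitfall described above: a set of `ipv4_addr` elements has to be referenced with `set_type => 'ip'`, because the default `'ip6'` produces an `ip6 saddr` match against an IPv4 set. Set names, networks and ports are constructed for illustration.

```puppet
# Added example, not part of the generated reference. Names, networks and
# ports are constructed for illustration.

# Interval set of management networks. 'auto_merge' lets nftables collapse
# overlapping or adjacent prefixes instead of rejecting the element list.
nftables::set { 'mgmt_nets':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/24', '198.51.100.128/25'],
  auto_merge => true,
}

# Empty set that an external process fills at runtime (nft add element ...).
# Elements expire after an hour and the set is capped so it cannot grow
# without bound.
nftables::set { 'blocked_v4':
  type    => 'ipv4_addr',
  flags   => ['timeout'],
  timeout => 3600,
  size    => 65536,
}

# Early drop of anything from the block set. An 'order' below the default
# '50' places it ahead of rules that keep the default order in 'default_in'.
nftables::simplerule { 'drop_blocked':
  action   => 'drop',
  comment  => 'blocked source addresses',
  counter  => true,
  saddr    => '@blocked_v4',
  set_type => 'ip',
  order    => '10',
}

# SSH only from the management networks. The set holds ipv4_addr elements,
# so set_type must be 'ip'; leaving the default 'ip6' would render the match
# as 'ip6 saddr @mgmt_nets', which nft rejects as a datatype mismatch.
nftables::simplerule { 'ssh_from_mgmt':
  action   => 'accept',
  comment  => 'ssh from management networks only',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets',
  set_type => 'ip',
}

# A port range and a port list are both valid Nftables::Port values. A plain
# CIDR as saddr is not a set reference, so set_type is not needed here.
nftables::simplerule { 'app_from_partner':
  proto => 'tcp',
  dport => '8000-8010',
  saddr => '203.0.113.0/24',
}

nftables::simplerule { 'mail_from_partner':
  proto => 'tcp',
  dport => [25, 465, 587],
  saddr => '203.0.113.0/24',
}
```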
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`