root / REFERENCE.md @ 08b9f1d0

Historique | Voir | Annoter | Télécharger (60,1 ko)

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage a ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage a ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`
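
As an added example (not part of the module's generated reference), the manifest below feeds set and rule definitions through the `sets` and `rules` hashes, keying each rule by the `Nftables::RuleName` format (`<chain>-<name>[-<number>]`) described under Data types; the same hashes can equally be supplied from Hiera as `nftables::sets` and `nftables::rules`. It assumes `nftables::set` accepts `type` and `elements` and `nftables::rule` accepts `content` and `order`, since those defined types are documented outside this section.

```puppet
# Added example, not the module's own documentation. Assumed parameters:
# nftables::set  -> `type`, `elements`
# nftables::rule -> `content`, `order`
class { 'nftables':
  # Keep the per-service out_* switches in force instead of opening everything.
  out_all => false,

  # Named set consumed by the rule below; addresses are constructed samples
  # from the RFC 5737 documentation range.
  sets    => {
    'admin_hosts' => {
      type     => 'ipv4_addr',
      elements => ['192.0.2.10', '192.0.2.11'],
    },
  },

  # Keys follow Nftables::RuleName: first component is the chain
  # (default_in / default_out), second the rule name, optional third a number.
  rules   => {
    # Only the admin set may reach the management UI on 8443.
    'default_in-admin_ui'      => {
      content => 'ip saddr @admin_hosts tcp dport 8443 accept',
    },
    # Outbound replication to one database host; `order` places the
    # fragment relative to other rules in the same chain.
    'default_out-db_replica-2' => {
      content => 'ip daddr 192.0.2.50 tcp dport 3306 accept',
      order   => '20',
    },
  },
}
```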
362
363 c24d3118 Tim Meusel
##### <a name="-nftables--configuration_path"></a>`configuration_path`
364 d0a1ffef hashworks
365
Data type: `Stdlib::Unixpath`
366
367
The absolute path to the principal nftables configuration file. The default
368
varies depending on the system, and is set in the module's data.
369
370 c24d3118 Tim Meusel
##### <a name="-nftables--nft_path"></a>`nft_path`
371 8842a597 Tim Meusel
372
Data type: `Stdlib::Unixpath`
373
374
Path to the nft binary
375
376 c24d3118 Tim Meusel
##### <a name="-nftables--echo"></a>`echo`
377 821ec83a Tim Meusel
378
Data type: `Stdlib::Unixpath`
379
380
Path to the echo binary
381
382 c24d3118 Tim Meusel
##### <a name="-nftables--default_config_mode"></a>`default_config_mode`
383 7030bde0 Luis Fernández Álvarez
384
Data type: `Stdlib::Filemode`
385
386
The default file & dir mode for configuration files and directories. The
387
default varies depending on the system, and is set in the module's data.
388
389 c24d3118 Tim Meusel
### <a name="nftables--bridges"></a>`nftables::bridges`
390 7f6cacc5 Steve Traylen
391
allow forwarding traffic on bridges
392
393
#### Parameters
394
395 09cba182 Steve Traylen
The following parameters are available in the `nftables::bridges` class:
396 7f6cacc5 Steve Traylen
397 c24d3118 Tim Meusel
* [`ensure`](#-nftables--bridges--ensure)
398
* [`bridgenames`](#-nftables--bridges--bridgenames)
399 09cba182 Steve Traylen
400 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--ensure"></a>`ensure`
401 7f6cacc5 Steve Traylen
402
Data type: `Enum['present','absent']`
403
404
405
406
Default value: `'present'`
407
408 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
409 7f6cacc5 Steve Traylen
410
Data type: `Regexp`
411
412
413
414
Default value: `/^br.+/`
415
416 c24d3118 Tim Meusel
### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
417 e17693e3 Steve Traylen
418
manage basic chains in table inet filter
419
420 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
421 a1f09048 Tim Meusel
422
enable conntrack for fwd
423
424 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
425 a1f09048 Tim Meusel
426
manage input & output conntrack
427
428 c24d3118 Tim Meusel
### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
429 e17693e3 Steve Traylen
430
manage basic chains in table ip nat
431
432 c24d3118 Tim Meusel
### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
433 771b3256 Nacho Barrientos
434
Provides input rules for Apache ActiveMQ
435
436
#### Parameters
437
438
The following parameters are available in the `nftables::rules::activemq` class:
439
440 c24d3118 Tim Meusel
* [`tcp`](#-nftables--rules--activemq--tcp)
441
* [`udp`](#-nftables--rules--activemq--udp)
442
* [`port`](#-nftables--rules--activemq--port)
443 771b3256 Nacho Barrientos
444 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
445 771b3256 Nacho Barrientos
446
Data type: `Boolean`
447
448
Create the rule for TCP traffic.
449
450 c24d3118 Tim Meusel
Default value: `true`
451 771b3256 Nacho Barrientos
452 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--udp"></a>`udp`
453 771b3256 Nacho Barrientos
454
Data type: `Boolean`
455
456
Create the rule for UDP traffic.
457
458 c24d3118 Tim Meusel
Default value: `true`
459 771b3256 Nacho Barrientos
460 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--port"></a>`port`
461 771b3256 Nacho Barrientos
462
Data type: `Stdlib::Port`
463
464
The port number for the ActiveMQ daemon.
465
466
Default value: `61616`
467
468 c24d3118 Tim Meusel
### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
469 09cba182 Steve Traylen
470
Open call back port for AFS clients
471 7f6cacc5 Steve Traylen
472 09cba182 Steve Traylen
#### Examples
473
474
##### allow call backs from particular hosts
475
476
```puppet
477 7f6cacc5 Steve Traylen
class{'nftables::rules::afs3_callback':
478
  saddr => ['192.168.0.0/16', '10.0.0.222']
479
}
480 09cba182 Steve Traylen
```
481 7f6cacc5 Steve Traylen
482
#### Parameters
483
484 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::afs3_callback` class:
485
486 c24d3118 Tim Meusel
* [`saddr`](#-nftables--rules--afs3_callback--saddr)
487 7f6cacc5 Steve Traylen
488 c24d3118 Tim Meusel
##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
489 7f6cacc5 Steve Traylen
490
Data type: `Array[Stdlib::IP::Address::V4,1]`
491
492
list of source network ranges to a
493
494
Default value: `['0.0.0.0/0']`
495
496 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
497 b9785000 Steve Traylen
498
Ceph is a distributed object store and file system.
499
Enable this to support Ceph's Object Storage Daemons (OSD),
500
Metadata Server Daemons (MDS), or Manager Daemons (MGR).
501
502 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
503 b9785000 Steve Traylen
504
Ceph is a distributed object store and file system.
505
Enable this option to support Ceph's Monitor Daemon.
506
507
#### Parameters
508
509 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ceph_mon` class:
510 b9785000 Steve Traylen
511 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ceph_mon--ports)
512 b9785000 Steve Traylen
513 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
514 b9785000 Steve Traylen
515 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
516 b9785000 Steve Traylen
517 09cba182 Steve Traylen
specify ports for ceph service
518 b9785000 Steve Traylen
519
Default value: `[3300, 6789]`
520
521 c24d3118 Tim Meusel
### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
522 7f6cacc5 Steve Traylen
523 09cba182 Steve Traylen
allow DHCPv6 requests in to a host
524 7f6cacc5 Steve Traylen
525 c24d3118 Tim Meusel
### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
526 7f6cacc5 Steve Traylen
527
manage in dns
528
529
#### Parameters
530
531 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dns` class:
532 7f6cacc5 Steve Traylen
533 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--dns--ports)
534 7f6cacc5 Steve Traylen
535 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dns--ports"></a>`ports`
536 7f6cacc5 Steve Traylen
537 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
538 7f6cacc5 Steve Traylen
539 09cba182 Steve Traylen
Specify ports for dns.
540 7f6cacc5 Steve Traylen
541
Default value: `[53]`
542
543 c24d3118 Tim Meusel
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
544 804b96e4 Nacho Barrientos
545
The configuration distributed in this class represents the default firewall
546
configuration done by docker-ce when the iptables integration is enabled.
547
548
This class is needed as the default docker-ce rules added to ip-filter conflict
549
with the inet-filter forward rules set by default in this module.
550
551
When using this class 'docker::iptables: false' should be set.
552
553
#### Parameters
554
555
The following parameters are available in the `nftables::rules::docker_ce` class:
556
557 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
558
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
559
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
560
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
561 804b96e4 Nacho Barrientos
562 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
563 804b96e4 Nacho Barrientos
564
Data type: `String[1]`
565
566
Interface name used by docker.
567
568
Default value: `'docker0'`
569
570 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
571 804b96e4 Nacho Barrientos
572
Data type: `Stdlib::IP::Address::V4::CIDR`
573
574
The address space used by docker.
575
576
Default value: `'172.17.0.0/16'`
577
578 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
579 804b96e4 Nacho Barrientos
580
Data type: `Boolean`
581
582
Flag to control whether the class should create the docker related chains.
583
584 c24d3118 Tim Meusel
Default value: `true`
585 804b96e4 Nacho Barrientos
586 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
587 804b96e4 Nacho Barrientos
588
Data type: `Boolean`
589
590
Flag to control whether the class should create the base common chains.
591
592 c24d3118 Tim Meusel
Default value: `true`
593 804b96e4 Nacho Barrientos
594 baad986e Vadym Chepkov
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`
595
596
manage in ftp (with conntrack helper)
597
598
#### Parameters
599
600
The following parameters are available in the `nftables::rules::ftp` class:
601
602
* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
603
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)
604
605
##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`
606
607
Data type: `Boolean`
608
609
Enable FTP passive mode support
610
611
Default value: `true`
612
613
##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`
614
615
Data type: `Nftables::Port::Range`
616
617
Set the FTP passive mode port range
618
619
Default value: `'10090-10100'`
620
621 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
622 e17693e3 Steve Traylen
623
manage in http
624
625 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
626 e17693e3 Steve Traylen
627
manage in https
628
629 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
630 e17693e3 Steve Traylen
631
manage in icinga2
632
633
#### Parameters
634
635 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
636 e17693e3 Steve Traylen
637 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
638 e17693e3 Steve Traylen
639 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
640 e17693e3 Steve Traylen
641 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
642 e17693e3 Steve Traylen
643 8db66304 Steve Traylen
Specify ports for icinga2
644 e17693e3 Steve Traylen
645
Default value: `[5665]`
646
647 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
648 7f6cacc5 Steve Traylen
649
The nftables::rules::icmp class.
650
651
#### Parameters
652
653 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
654
655 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
656
* [`v6_types`](#-nftables--rules--icmp--v6_types)
657
* [`order`](#-nftables--rules--icmp--order)
658 7f6cacc5 Steve Traylen
659 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
660 7f6cacc5 Steve Traylen
661
Data type: `Optional[Array[String]]`
662
663
664
665 c24d3118 Tim Meusel
Default value: `undef`
666 7f6cacc5 Steve Traylen
667 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
668 7f6cacc5 Steve Traylen
669
Data type: `Optional[Array[String]]`
670
671
672
673 c24d3118 Tim Meusel
Default value: `undef`
674 7f6cacc5 Steve Traylen
675 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
676 7f6cacc5 Steve Traylen
677
Data type: `String`
678
679
680
681
Default value: `'10'`
682
683 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't serve DHCP to your
guests you can disable the rules that accept DHCP traffic on the
host, or if you don't want your guests to talk to outside hosts you
can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`
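
The `nftables::chain` and `nftables::config` parameters above are constrained only by the regular expressions in their data types, so here is an added Python helper (not code from the module) that applies those same patterns, splits a `family-table` value and an `NN-chain` inject value into their parts, and adds the check that the `^\w+-\w+$` tablespec pattern lacks: that the family part is one nft actually knows. It assumes, from the parameter names alone, that `inject` means an order prefix plus the parent chain that receives a jump rule and that `inject_iif`/`inject_oif` become `iif`/`oif` matches; the module's actual behaviour is not documented on this page.

```python
"""Validate and decode the naming conventions used by the nftables::chain and
nftables::config defined types. Added example, not code from the module."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Patterns copied from the Data type entries documented above.
TABLE_RE = re.compile(r"^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$")  # nftables::chain table
CHAIN_RE = re.compile(r"^[a-zA-Z0-9_]+$")                               # nftables::chain chain
INJECT_RE = re.compile(r"^\d\d-[a-zA-Z0-9_]+$")                         # nftables::chain inject
TABLESPEC_RE = re.compile(r"^\w+-\w+$")                                 # nftables::config tablespec

# Address families nft itself accepts. The nftables::config pattern is looser
# than this, so a typo in the family part passes Puppet's type check and only
# fails later, when nft loads the generated ruleset.
NFT_FAMILIES = frozenset({"ip", "ip6", "inet", "arp", "bridge", "netdev"})


@dataclass(frozen=True)
class Table:
    family: str  # e.g. "inet"
    name: str    # e.g. "filter"


@dataclass(frozen=True)
class Inject:
    order: str   # two-digit ordering prefix, e.g. "20"
    parent: str  # chain that receives the jump rule, e.g. "input"


@dataclass(frozen=True)
class JumpRule:
    parent: str  # chain the rule is placed in
    order: str   # ordering prefix inside that chain
    rule: str    # nft rule text


def parse_table(spec: str) -> Table:
    """Split an nftables::chain table value such as 'inet-filter' into its parts."""
    if not TABLE_RE.match(spec):
        raise ValueError(f"table {spec!r} does not match {TABLE_RE.pattern}")
    family, name = spec.split("-", 1)
    return Table(family, name)


def lint_tablespec(spec: str) -> Tuple[bool, str]:
    """Check an nftables::config tablespec more strictly than the module does.

    Returns (ok, reason). Beyond the module's own word-word pattern, the family
    part must be one nft knows, so 'inte-filter' is rejected here rather than
    at ruleset load time.
    """
    if not TABLESPEC_RE.match(spec):
        return False, f"does not match {TABLESPEC_RE.pattern}"
    family, _name = spec.split("-", 1)
    if family not in NFT_FAMILIES:
        return False, f"unknown nft address family {family!r}"
    return True, "ok"


def parse_inject(spec: Optional[str]) -> Optional[Inject]:
    """Decode an inject value such as '20-input'.

    Assumption (taken from the pattern, not documented above): the two digits
    are the ordering prefix and the remainder names the parent chain.
    """
    if spec is None:
        return None
    if not INJECT_RE.match(spec):
        raise ValueError(f"inject {spec!r} does not match {INJECT_RE.pattern}")
    order, parent = spec.split("-", 1)
    return Inject(order, parent)


def jump_rule(chain: str, inject: Optional[str],
              iif: Optional[str] = None, oif: Optional[str] = None) -> Optional[JumpRule]:
    """Render the nft rule that would hook `chain` into its parent chain.

    Models inject/inject_iif/inject_oif as an order-prefixed jump rule with
    optional iif/oif interface matches (an assumption about the module, not
    its code). Returns None when no inject is requested.
    """
    if not CHAIN_RE.match(chain):
        raise ValueError(f"chain {chain!r} does not match {CHAIN_RE.pattern}")
    inj = parse_inject(inject)
    if inj is None:
        return None
    parts = []
    if iif:
        parts.append(f'iif "{iif}"')
    if oif:
        parts.append(f'oif "{oif}"')
    parts.append(f"jump {chain}")
    return JumpRule(inj.parent, inj.order, " ".join(parts))
```

Running `lint_tablespec` over the `tablespec` values in a manifest before `puppet apply` catches a mistyped family that the module's own type check would let through.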
1595
### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in the file name.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created. If left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition: the body of the `ct helper` object, e.g. `type "ftp" protocol tcp;`.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper. Note that the `A-z` range in the pattern also admits the punctuation characters between `Z` and `a` (`[`, `\`, `]`, `^`, `` ` ``), so stick to letters, digits, `_` and `-`.

Default value: `$title`

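An added example, not module code, of attaching the helper to traffic so that it takes effect: declaring the `ct helper` object alone does nothing until a rule assigns it with `ct helper set`. It assumes the default `inet-filter` table with its `default_in` chain and that conntrack rules accepting `established`/`related` traffic are already managed; rule names are placeholders.

```puppet
# Added example, not module code. Assumes the default inet-filter table with a
# default_in chain, and that established/related conntrack accept rules exist.
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}

# Assign the helper only to new connections to the FTP control port. Scoping
# the assignment this narrowly matters: a helper bound to arbitrary traffic lets
# a client negotiate "data channel" pinholes on ports it should never reach, so
# never attach it to all TCP traffic.
nftables::rule { 'default_in-ftp_helper':
  order   => '10',
  content => 'tcp dport 21 ct state new ct helper set "ftp-standard"',
}

# Accept the control connection itself. The data connections the helper tracks
# arrive as ct state related and are accepted by the conntrack rules.
nftables::rule { 'default_in-ftp':
  content => 'tcp dport 21 accept',
}
```

After applying, `nft list ct helpers table inet filter` shows the helper object and `nft list chain inet filter default_in` the two rules, which is a quick check that the helper is both declared and actually assigned.
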
### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the `Nftables::RuleName` type: `<chain>-<name>`, with an
optional numeric suffix.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the rule within its chain; lower values come first.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to, as `<family>-<table>`.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language. The text is placed in the ruleset as-is, so build it from constants or
validated values rather than interpolating untrusted input into it.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as `content`, but reading the statements from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an ipv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

The IPv4 address that matching traffic is translated to. The pattern is only a loose check (it does not reject octets above 255), so pass a valid address.

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

The port on `daddr` that matching traffic is translated to.

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule; defaults to the resource title.

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the generated rules within their chains.

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

The forward chain in which the translated traffic is accepted.

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Only translate traffic arriving on this input interface.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

The transport protocol to match.

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

The destination port to match on the incoming packet. When unset, `port` is used, so only the address is rewritten.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rules be created.

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule; defaults to the resource title.

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the rule within its chain.

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

The NAT chain to add the rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Only masquerade traffic leaving via this output interface. Without it, and without `saddr`, every forwarded and locally generated packet is masqueraded.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Only masquerade traffic from this source address or prefix.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Only masquerade traffic to this destination address or prefix.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Only masquerade traffic of this transport protocol.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Only masquerade traffic to this destination port.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an ipv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

The address that the source of matching traffic is rewritten to (the target of `snat to`).

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule; defaults to the resource title.

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the rule within its chain.

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

The NAT chain to add the rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Only translate traffic leaving via this output interface.

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Only translate traffic from this source address or prefix.

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Only translate traffic of this transport protocol.

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Only translate traffic to this destination port.

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

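Added example, not module code, that ties the three NAT types documented above (`nftables::rules::dnat4`, `nftables::rules::masquerade` and `nftables::rules::snat4`) together on a small gateway: inbound port forwarding, outbound source NAT for a dynamically addressed uplink, and fixed-address source NAT. Interface names, addresses and rule names are placeholders; the example assumes the `ip nat` table and the `default_fwd` chain these types target by default are managed, and that IP forwarding is enabled on the host.

```puppet
# Added example, not module code. Placeholders: eth0 (uplink), eth1 (LAN),
# 192.0.2.10 (fixed public address), 192.168.10.0/24 (LAN), 192.168.10.5 (web
# server). Assumes the ip-nat table and default_fwd chain exist.

# Inbound: TCP 8080 arriving on eth0 is rewritten to 192.168.10.5:80 and the
# rewritten traffic is accepted in default_fwd. Restricting with iif keeps the
# forward from applying to traffic that did not come in on the uplink.
nftables::rules::dnat4 { 'web_forward':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8080,            # port matched on the incoming packet
  daddr => '192.168.10.5',  # address the packet is rewritten to
  port  => 80,              # port the packet is rewritten to
}

# Outbound, dynamic uplink address: masquerade uses whatever address eth0 has
# when the packet leaves, so it survives an address change on the uplink.
# Scoping by oif and saddr stops the gateway from NATing traffic that is not
# the LAN's (a bare masquerade would also rewrite locally generated packets).
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.168.10.0/24',
}

# Outbound, fixed address: snat4 hard-codes the source instead of looking up
# the interface address per packet; prefer it when the uplink address is
# static. Only one of the two should be active for the same traffic, so the
# alternative is declared with ensure => absent until it is switched over.
nftables::rules::snat4 { 'lan_out_static':
  ensure => 'absent',
  oif    => 'eth0',
  saddr  => '192.168.10.0/24',
  snat   => '192.0.2.10',
}
```

Both POSTROUTING rules default to order `70`; if two source-NAT rules for the same traffic are ever active at once, the first one in the chain wins, so flipping `ensure` on exactly one of them is the safe way to switch.
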
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.0/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set; defaults to the resource title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the set definition within the table (concat ordering).

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set's elements.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table, or array of tables, to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Flags for the set: `constant` forbids runtime changes, `dynamic` allows rules to add elements, `interval` allows prefixes and ranges as elements, `timeout` allows elements to expire.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Element timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval for expired elements (the set's `gc-interval`).

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with these elements.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set. Worth setting on `dynamic` sets so that an attacker cannot grow them without bound.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Set selection policy: optimize the set's data structure for lookup speed or for memory use.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Enable `auto-merge` on the set, so that adjacent or overlapping intervals in an `interval` set are merged instead of being rejected when the ruleset is loaded.

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Literal body of the set definition, used instead of the structured parameters above.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A file source, or list of sources, to take the set body from; same purpose as `content`.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming TCP traffic from port 541 to port 543 of a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number giving the position of the rule within its chain; lower values come first.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match; the `4`/`6` variants additionally restrict the rule to one address family.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as `saddr` or `daddr`, the address family of the set.
Use `ip` for sets of type `ipv4_addr`; the default `ip6` only fits `ipv6_addr` sets, and a mismatch makes the ruleset fail to load.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

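Added example, not module code, showing the set and rule combination that the `set_type` parameter of `nftables::simplerule` exists for, together with the `dynamic` and `timeout` set flags of `nftables::set` used as a meter: a constant `ipv4_addr` set of management networks consumed by a `nftables::simplerule` via `saddr => '@mgmt_nets'`, and a dynamic set that rate-limits new SSH connections per source address through a raw `nftables::rule`. Networks, ports and names are placeholders; the example assumes the default `inet-filter` table and its `default_in` chain.

```puppet
# Added example, not module code. Assumes the default inet-filter table and its
# default_in chain; networks, ports and names are placeholders.

# A constant interval set of management networks. constant forbids runtime
# changes, so only a Puppet run (and a ruleset reload) can widen it.
nftables::set { 'mgmt_nets':
  type       => 'ipv4_addr',
  flags      => ['interval', 'constant'],
  elements   => ['10.0.0.0/24', '10.0.1.0/24'],
  auto_merge => true,
}

# Consume the set from a simplerule. set_type must be 'ip' here: the default
# 'ip6' would render an ip6 saddr match against an ipv4_addr set, which nft
# rejects when the ruleset is loaded.
nftables::simplerule { 'ssh_mgmt_in':
  action   => 'accept',
  comment  => 'SSH from management networks',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets',
  set_type => 'ip',
}

# A dynamic set used as a meter: the rule below adds the source address of
# every new SSH connection and drops sources exceeding 3 new connections per
# minute. timeout expires idle entries; size bounds memory under a flood.
nftables::set { 'ssh_meter':
  type    => 'ipv4_addr',
  flags   => ['dynamic', 'timeout'],
  timeout => 60,
  size    => 65535,
}

# simplerule has no meter support, so this one uses the raw rule type. It is
# ordered before the accept above (40 < 50) so the limit is applied first.
nftables::rule { 'default_in-ssh_meter':
  order   => '40',
  content => 'tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 3/minute } drop',
}
```

`nft list set inet filter ssh_meter` shows which sources are currently being metered, which is a useful check that the limit is actually engaging before relying on it.
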

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`