puppet nftables

# allow forwarding traffic on bridges

  Enum['present','absent']

  Regexp

) {

  if $ensure == 'present' {

    $interfaces = keys($facts['networking']['interfaces'])

# manage a chain

  Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]

  Pattern[/^[a-zA-Z0-9_]+$/]

  Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]

  Optional[String]

  Optional[String]

  $concat_name = "nftables-${table}-chain-${chain}"

    $concat_name:

      path           => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",

      owner          => root,

      mode           => '0640',

      ensure_newline => true,

      require        => Package['nftables'],

    "/etc/nftables/puppet/${table}-chain-${chain}.nft":

  } ~> Service['nftables']

    default:

      target => $concat_name;

    "${concat_name}-header":

      undef => '',

      default => "oifname ${inject_oif} ",

    }

      order   => $data[0],

      content => "${iif}${oif}jump ${chain}",

    }

# manage a config snippet

  Optional[String]

  Optional[Variant[String,Array[String,1]]]

  $concat_name = "nftables-${name}"

    $concat_name:

      path           => "/etc/nftables/puppet-preflight/${name}.nft",

      ensure_newline => true,

      owner          => root,

      group          => root,

      mode           => '0640',

    "/etc/nftables/puppet/${name}.nft":

  } ~> Service['nftables']

  $data = split($name, '-')

# manage basic chains in table inet filter

class nftables::inet_filter inherits nftables {

  $_reject_rule = epp('nftables/reject_rule.epp',

    {

      'log_prefix' => sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' }),

    }

  )

    'inet-filter':

      source => 'puppet:///modules/nftables/config/puppet-inet-filter.nft';

  }

    [

      'INPUT',

      'OUTPUT',

    ]:;

  }

    'default_in':

      inject => '10-INPUT';

    'default_out':

  }

  # inet-filter-chain-INPUT

    'INPUT-type':

      order   => '01',

      content => 'type filter hook input priority 0';

      content => sprintf($_reject_rule, { 'chain' => 'INPUT' }),

  }

  if $nftables::reject_with {

      'INPUT-reject':

        order   => '98',

        content => "reject with ${$nftables::reject_with}";

    }

  }

  if $nftables::in_out_conntrack {

      'INPUT-accept_established_related':

        order   => '05',

        content => 'ct state established,related accept';

  }

  # inet-filter-chain-OUTPUT

    'OUTPUT-type':

      order   => '01',

      content => 'type filter hook output priority 0';

      content => sprintf($_reject_rule, { 'chain' => 'OUTPUT' }),

  }

  if $nftables::reject_with {

      'OUTPUT-reject':

        order   => '98',

        content => "reject with ${$nftables::reject_with}";

    }

  }

  if $nftables::in_out_conntrack {

      'OUTPUT-accept_established_related':

        order   => '05',

        content => 'ct state established,related accept';

  }

  # inet-filter-chain-FORWARD

    'FORWARD-type':

      order   => '01',

      content => 'type filter hook forward priority 0';

      content => sprintf($_reject_rule, { 'chain' => 'FORWARD' });

  }

  if $nftables::reject_with {

      'FORWARD-reject':

        order   => '98',

        content => "reject with ${$nftables::reject_with}";

    }

  }

  if $nftables::fwd_conntrack {

      'FORWARD-accept_established_related':

        order   => '05',

        content => 'ct state established,related accept';

  Hash $sets                     = {},

  String $log_prefix             = '[nftables] %<chain>s %<comment>s',

  Variant[Boolean[false], String]

  Variant[Boolean[false], Pattern[

  Variant[Boolean[false], Enum['mask']]

  Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]

) {

    ensure => installed,

    'enable_nftables':

      line   => 'include "/etc/nftables/puppet.nft"',

      path   => '/etc/sysconfig/nftables.conf',

      notify => Service['nftables'],

    default:

      owner => 'root',

      group => 'root',

    '/etc/nftables/puppet-preflight.nft':

      ensure  => file,

      content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });

    'nft validate':

      refreshonly => true,

      command     => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)';

    default:

      owner => 'root',

      group => 'root',

      purge   => true,

      force   => true,

      recurse => true;

    ensure     => running,

    enable     => true,

    hasrestart => true,

    restart    => '/usr/bin/systemctl reload nftables',

  }

    ensure  => present,

    unit    => 'nftables.service',

    content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),

    notify  => Service['nftables'],

  }

    ensure => stopped,

    enable => $firewalld_enable,

  }

  # inject custom rules e.g. from hiera

  $rules.each |$n,$v| {

      $n:

    }

  }

  # inject custom sets e.g. from hiera

  $sets.each |$n,$v| {

      $n:

    }

  }

}

# manage basic chains in table ip nat

class nftables::ip_nat inherits nftables {

    'ip-nat':

      source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft';

    'ip6-nat':

      source => 'puppet:///modules/nftables/config/puppet-ip6-nat.nft';

  }

    [

      'PREROUTING',

      'POSTROUTING',

      table => 'ip-nat';

  }

    [

      'PREROUTING6',

      'POSTROUTING6',

  }

  # ip-nat-chain-PREROUTING

    'PREROUTING-type':

      table   => 'ip-nat',

      order   => '01',

  }

  # ip-nat-chain-POSTROUTING

    'POSTROUTING-type':

      table   => 'ip-nat',

      order   => '01',

# manage a chain rule

# Name should be:

#   CHAIN_NAME-rulename

  Enum['present','absent']

  Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]

  Pattern[/^\d\d$/]

  Optional[String]

  Optional[String]

  Optional[Variant[String,Array[String,1]]]

  if $ensure == 'present' {

    $data = split($rulename, '-')

      $fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}"

    }

      content => "#   Start of fragment order:${order} rulename:${rulename}",

      order   => "${order}-${fragment}-a",

      target  => "nftables-${table}-chain-${data[0]}",

    }

      $fragment:

        order  => "${order}-${fragment}-b",

        target => "nftables-${table}-chain-${data[0]}",

    }

    if $content {

        content => "  ${content}",

      }

    } else {

        source => $source,

      }

    }

class nftables::rules::afs3_callback (

  Array[Stdlib::IP::Address::V4,1] $saddr = ['0.0.0.0/0'],

) {

  }

}

# Enable this to support Ceph's Object Storage Daemons (OSD),

# Metadata Server Daemons (MDS), or Manager Daemons (MGR).

class nftables::rules::ceph {

    'default_in-ceph':

      content => 'tcp dport 6800-7300 accept comment "Accept Ceph OSD, MDS, MGR"',

  }

# Ceph is a distributed object store and file system.

# Enable this option to support Ceph's Monitor Daemon.

  Array[Integer,1] $ports = [3300, 6789],

    'default_in-ceph_mon':

      content => "tcp dport {${$ports.join(', ')}} accept comment \"Accept Ceph MON\"",

  }

class nftables::rules::dhcpv6_client {

    'default_in-dhcpv6_client':

      content => 'ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept',

  }

# manage a ipv4 dnat rule

  Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]

  Variant[String,Integer[1,65535]]

  Pattern[/^[a-zA-Z0-9_]+$/]

  Pattern[/^\d\d$/]

  String[1]

  Optional[String[1]]

  Enum['tcp','udp']

  Optional[Variant[String,Integer[1,65535]]]

  Enum['present','absent']

) {

  $iifname = $iif ? {

    undef   => '',

    default => "iifname ${iif} ",

    default => ":${dport}",

  }

    default:

      ensure => $ensure,

      order  => $order;

# manage in dns

  Array[Integer,1]

) {

    'default_in-dns_tcp':

      content => "tcp dport {${join($ports,', ')}} accept";

    'default_in-dns_udp':

# manage in http

class nftables::rules::http {

    'default_in-http':

      content => 'tcp dport 80 accept',

  }

# manage in https

class nftables::rules::https {

    'default_in-https':

      content => 'tcp dport 443 accept',

  }

# manage in icinga2

  Array[Integer,1]

) {

    'default_in-icinga2':

      content => "tcp dport {${join($ports,', ')}} accept",

  }

) {

  if $v4_types {

    $v4_types.each | String $icmp_type | {

        "default_in-accept_icmpv4_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}":

          content => "ip protocol icmp icmp type ${icmp_type} accept",

          order   => $order,

      }

    }

  } else {

      'default_in-accept_icmpv4':

        content => 'ip protocol icmp accept',

        order   => $order,

  }

  if $v6_types {

    $v6_types.each | String $icmp_type | {

        "default_in-accept_icmpv6_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}":

          content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",

          order   => $order,

      }

    }

  } else {

      'default_in-accept_icmpv6':

        content => 'ip6 nexthdr ipv6-icmp accept',

        order   => $order,

  }

}

# masquerade all outgoing traffic

  Pattern[/^[a-zA-Z0-9_]+$/]

  Pattern[/^\d\d$/]

  String[1]

  Optional[String[1]]

  Optional[String[1]]

  Optional[String[1]]

  Optional[Enum['tcp','udp']]

  Optional[Variant[String,Integer[1,65535]]]

  Enum['present','absent']

) {

  $oifname = $oif ? {

    undef   => '',

    default => "oifname ${oif} ",

    $port     = ''

  }

    "${chain}-${rulename}":

      ensure  => $ensure,

      table   => 'ip-nat',

# manage in nfs4

class nftables::rules::nfs {

    'default_in-nfs4':

      content => 'tcp dport nfs accept comment "Accept NFS4"',

  }

# manage in nfs3

class nftables::rules::nfs3 {

    'default_in-nfs3':

      content => 'meta l4proto { tcp, udp } dport nfs accept comment "Accept NFS3"',

  }

# manage in node exporter

  Optional[Variant[String,Array[String,1]]]

  Integer

) {

  if $prometheus_server {

    any2array($prometheus_server).each |$index,$prom| {

        "default_in-node_exporter-${index}":

      }

      if $prom =~ /:/ {

          content => "ip6 saddr ${prom} tcp dport ${port} accept",

        }

      } else {

          content => "ip saddr ${prom} tcp dport ${port} accept",

        }

      }

    }

  } else {

      'default_in-node_exporter':

        content => "tcp dport ${port} accept";

    }

# manage in ospf

class nftables::rules::ospf {

    'default_in-ospf':

      content => 'ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf accept',

  }

# manage in ospf3

class nftables::rules::ospf3 {

    'default_in-ospf3':

      content => 'ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto ospf accept',

  }

# allow all outbound

class nftables::rules::out::all {

    'default_out-all':

      order   => '90',

      content => 'accept',

  }

}

# Enable this to be a client of Ceph's Monitor (MON),

# Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

# and Manager Daemons (MGR).

  Array[Integer,1] $ports = [3300, 6789],

    'default_out-ceph_client':

      content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept comment \"Accept Ceph MON, OSD, MDS, MGR\"",

  }

# manage out chrony

class nftables::rules::out::chrony {

    'default_out-chrony':

      content => 'udp dport 123 accept',

  }

# manage out dhcp

class nftables::rules::out::dhcp {

    'default_out-dhcpc':

      content => 'udp sport {67, 68} udp dport {67, 68} accept';

  }

class nftables::rules::out::dhcpv6_client {

    'default_out-dhcpv6_client':

      content => 'ip6 saddr fe80::/10 udp sport 546 udp dport 547 accept',

  }

# manage out dns

class nftables::rules::out::dns (

  Optional[Variant[String,Array[String,1]]]

) {

  if $dns_server {

    any2array($dns_server).each |$index,$dns| {

        "default_out-dnsudp-${index}":

      }

      if $dns =~ /:/ {

          content => "ip6 daddr ${dns} udp dport 53 accept",

        }

      } else {

          content => "ip daddr ${dns} udp dport 53 accept",

        }

      }

        "default_out-dnstcp-${index}":

      }

      if $dns =~ /:/ {

          content => "ip6 daddr ${dns} tcp dport 53 accept",

        }

      } else {

          content => "ip daddr ${dns} tcp dport 53 accept",

        }

      }

    }

  } else {

      'default_out-dnsudp':

        content => 'udp dport 53 accept';

      'default_out-dnstcp':

# manage out http

class nftables::rules::out::http {

    'default_out-http':

      content => 'tcp dport 80 accept';

  }

# manage out https

class nftables::rules::out::https {

    'default_out-https':

      content => 'tcp dport 443 accept';

  }

) {

  if $v4_types {

    $v4_types.each | String $icmp_type | {

        'default_out-accept_icmpv4':

          content => "ip protocol icmp icmp type ${icmp_type} accept",

          order   => $order,

      }

    }

  } else {

      'default_out-accept_icmpv4':

        content => 'ip protocol icmp accept',

        order   => $order,

  }

  if $v6_types {

    $v6_types.each | String $icmp_type | {

        'default_out-accept_icmpv6':

          content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",

          order   => $order,

      }

    }

  } else {

      'default_out-accept_icmpv6':

        content => 'ip6 nexthdr ipv6-icmp accept',

        order   => $order,

  }

}

# @summary allows outbound access for kerberos

class nftables::rules::out::kerberos {

    'default_out-kerberos_udp':

    'default_out-kerberos_tcp':

  }

}

# manage out mysql

class nftables::rules::out::mysql {

    'default_out-mysql':

      content => 'tcp dport 3306 accept';

  }

# manage out nfs

class nftables::rules::out::nfs {

    'default_out-nfs4':

      content => 'tcp dport nfs accept comment "Accept NFS4"',

  }

# manage out nfs3

class nftables::rules::out::nfs3 {

    'default_out-nfs3':

      content => 'meta l4proto { tcp, udp } dport nfs accept comment "Accept NFS3"',

  }

#

# @see https://wiki.openafs.org/devel/AFSServicePorts/ AFS Service Ports

#

  Array[Integer,1] $ports = [7000, 7002, 7003],

  include nftables::rules::out::kerberos

    content => "udp dport {${$ports.join(', ')}} accept";

  }

}

# manage out ospf

class nftables::rules::out::ospf {

    'default_out-ospf':

      content => 'ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf accept',

  }

# manage out ospf3

class nftables::rules::out::ospf3 {

    'default_out-ospf3':

      content => 'ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto ospf accept',

  }

# manage out postgres

class nftables::rules::out::postgres {

    'default_out-postgres':

      content => 'tcp dport 5432 accept';

  }

# manage outgoing puppet

  Variant[String,Array[String,1]]

  Integer

) {

  any2array($puppetmaster).each |$index,$pm| {

      "default_out-puppet-${index}":

    }

    if $pm =~ /:/ {

        content => "ip6 daddr ${pm} tcp dport ${puppetserver_port} accept",

      }

    } else {

        content => "ip daddr ${pm} tcp dport ${puppetserver_port} accept",

      }

    }

# manage out smtp

class nftables::rules::out::smtp {

    'default_out-smtp':

      content => 'tcp dport 25 accept',

  }

# manage out ssh

class nftables::rules::out::ssh {

    'default_out-ssh':

      content => 'tcp dport 22 accept',

  }

# disable outgoing ssh

class nftables::rules::out::ssh::remove inherits nftables::rules::out::ssh {

    ensure => absent,

  }

}

# manage out tor

class nftables::rules::out::tor {

    'default_out-tor':

      content => 'tcp dport 9001 accept',

  }

# manage out wireguard

class nftables::rules::out::wireguard (

  Array[Integer,1]

) {

    'default_out-wireguard':

      content => "udp dport {${join($ports,', ')}} accept",

  }

# manage in puppet

  Array[Integer,1]

) {

    'default_in-puppet':

      content => "tcp dport {${join($ports,', ')}} accept",

  }

# manage in smtp

class nftables::rules::smtp {

    'default_in-smtp':

      content => 'tcp dport 25 accept',

  }

# manage in smtp submission

class nftables::rules::smtp_submission {

    'default_in-smtp_submission':

      content => 'tcp dport 587 accept',

  }

# manage in smtps

class nftables::rules::smtps {

    'default_in-smtps':

      content => 'tcp dport 465 accept',

  }

# manage a ipv4 snat rule

  String[1]

  Pattern[/^[a-zA-Z0-9_]+$/]

  Pattern[/^\d\d$/]

  String[1]

  Optional[String[1]]

  Optional[String[1]]

  Optional[Enum['tcp','udp']]

  Optional[Variant[String,Integer[1,65535]]]

  Enum['present','absent']

) {

  $oifname = $oif ? {

    undef   => '',

    default => "oifname ${oif} ",

    $port     = ''

  }

    "${chain}-${rulename}":

      ensure  => $ensure,

      table   => 'ip-nat',

# manage in ssh

  Array[Integer,1]

) {

    'default_in-ssh':

      content => "tcp dport {${join($ports,', ')}} accept",

  }

# manage in tor

  Array[Integer,1]

) {

    'default_in-tor':

      content => "tcp dport {${join($ports,', ')}} accept",

  }

# manage in wireguard

  Array[Integer,1]

) {

    'default_in-wireguard':

      content => "udp dport {${join($ports,', ')}} accept",

  }

# manage a named set

  Enum['present','absent']

  Pattern[/^[-a-zA-Z0-9_]+$/]

  Pattern[/^\d\d$/]

  Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]

  String

  Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]

  Optional[Integer]

  Optional[Integer]

  Optional[Array[String]]

  Optional[Integer]

  Optional[Enum['performance', 'memory']]

  Boolean

  Optional[String]

  Optional[Variant[String,Array[String,1]]]

  if $size and $elements {

    if length($elements) > $size {

      fail("Max size of set ${setname} of ${size} is not being respected")

  }

  if $ensure == 'present' {

      "nftables-${table}-set-${setname}":

        order  => $order,

        target => "nftables-${table}",

    }

    if $content {

        content => "  ${content}",

      }

    } elsif $source {

        source => $source,

      }

    } else {

      if $type == undef {

        fail('The way the resource is configured must have a type set')

      }

        content => epp('nftables/set.epp',

          {

            'name'        => $setname,