puppet nftables

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables

* [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges

* [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter

* [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat

* [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients

* [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)

* [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system.

Enable this option to support Ceph's Monitor Daemon.

* [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client): allow DHCPv6 requests in to a host

* [`nftables::rules::dns`](#nftablesrulesdns): manage in dns

* [`nftables::rules::http`](#nftablesruleshttp): manage in http

* [`nftables::rules::https`](#nftablesruleshttps): manage in https

* [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2

* [`nftables::rules::icmp`](#nftablesrulesicmp)

* [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4

* [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3

* [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter

* [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf

* [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3

* [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound

* [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system.

Enable this to be a client of Ceph's Monitor (MON),

Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

and Manager Daemons (MGR).

* [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony

* [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp

* [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client): Allow DHCPv6 requests out of a host

* [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns

* [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http

* [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https

* [`nftables::rules::out::icmp`](#nftablesrulesouticmp): control outbound icmp packages

* [`nftables::rules::out::imap`](#nftablesrulesoutimap): allow outgoing imap

* [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos

* [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql

* [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs

* [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3

* [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients

7000 - afs3-fileserver

7002 - afs3-ptserver

7003 - vlserver

* [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf

* [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3

* [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3

* [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres

* [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet

* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp

* [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client

* [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh

* [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh

* [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor

* [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard

* [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet

* [`nftables::rules::samba`](#nftablesrulessamba): manage Samba, the suite to allow Windows file sharing on Linux resources.

* [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp

* [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission

* [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps

* [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh

* [`nftables::rules::tor`](#nftablesrulestor): manage in tor

* [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard

* [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client): Allow in and outbound traffic for DHCPv6 server

* [`nftables::services::openafs_client`](#nftablesservicesopenafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftableschain): manage a chain

* [`nftables::config`](#nftablesconfig): manage a config snippet

* [`nftables::rule`](#nftablesrule): Provides an interface to create a firewall rule

* [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule

* [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic

* [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule

* [`nftables::set`](#nftablesset): manage a named set

* [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.

* [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.

* [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.

* [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.

* [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.

It's a dash separated string. The first component describes the chain to

add the rule to, the second the rule name and the (optional) third a number.

Ex: 'default_in-sshd', 'default_out-my_service-2'.

* [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet

class{'nftables:

  out_ntp = false,

  out_dns = true,

}

```

##### do not flush particular tables, fail2ban in this case

```puppet

class{'nftables':

  noflush_tables = ['inet-f2b-table'],

}

```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#out_all)

* [`out_ntp`](#out_ntp)

* [`out_http`](#out_http)

* [`out_dns`](#out_dns)

* [`out_https`](#out_https)

* [`out_icmp`](#out_icmp)

* [`in_ssh`](#in_ssh)

* [`in_icmp`](#in_icmp)

* [`nat`](#nat)

* [`sets`](#sets)

* [`log_prefix`](#log_prefix)

* [`log_limit`](#log_limit)

* [`reject_with`](#reject_with)

* [`in_out_conntrack`](#in_out_conntrack)

* [`fwd_conntrack`](#fwd_conntrack)

* [`firewalld_enable`](#firewalld_enable)

* [`noflush_tables`](#noflush_tables)

* [`rules`](#rules)

##### <a name="out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other

out parameters `out_ntp`, `out_dns`, ... will be assuemed

false.

Default value: ``false``

##### <a name="out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: ``true``

##### <a name="out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: ``true``

##### <a name="out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: ``true``

##### <a name="out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: ``true``

##### <a name="out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: ``true``

##### <a name="in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: ``true``

##### <a name="in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: ``true``

##### <a name="nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: ``true``

##### <a name="sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain

two variables using standard sprintf() string-formatting:

 * chain: Will be replaced by the name of the chain.

 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied

to the rules that log discarded traffic. Set to false to

disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the

fate of the packet will be defined by the chain policy (normally

drop), otherwise the packet will be rejected with the REJECT_WITH

policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``true``

##### <a name="fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``false``

##### <a name="firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be

useful to set this to false if you're externaly removing firewalld from

the system completely.

Default value: `'mask'`

##### <a name="noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`

If specified only other existings tables will be flushed.

If left unset all tables will be flushed via a `flush ruleset`

Default value: ``undef``

##### <a name="rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

### <a name="nftablesbridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#ensure)

* [`bridgenames`](#bridgenames)

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftablesinet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftablesip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftablesrulesafs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet

class{'nftables::rules::afs3_callback':

  saddr => ['192.168.0.0/16', '10.0.0.222']

}

```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#saddr)

##### <a name="saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftablesrulesceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.

Enable this to support Ceph's Object Storage Daemons (OSD),

Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftablesrulesceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.

Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftablesrulesdhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftablesrulesdns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftablesruleshttp"></a>`nftables::rules::http`

manage in http

### <a name="nftablesruleshttps"></a>`nftables::rules::https`

manage in https

### <a name="nftablesrulesicinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga1

Default value: `[5665]`

### <a name="nftablesrulesicmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#v4_types)

* [`v6_types`](#v6_types)

* [`order`](#order)

##### <a name="v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftablesrulesnfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftablesrulesnfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftablesrulesnode_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#prometheus_server)

* [`port`](#port)

##### <a name="prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: ``undef``

##### <a name="port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftablesrulesospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftablesrulesospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftablesrulesoutall"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftablesrulesoutceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.

Enable this to be a client of Ceph's Monitor (MON),

Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftablesrulesoutchrony"></a>`nftables::rules::out::chrony`

manage out chrony

### <a name="nftablesrulesoutdhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftablesrulesoutdhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftablesrulesoutdns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#dns_server)

##### <a name="dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: ``undef``

### <a name="nftablesrulesouthttp"></a>`nftables::rules::out::http`

manage out http

### <a name="nftablesrulesouthttps"></a>`nftables::rules::out::https`

manage out https

### <a name="nftablesrulesouticmp"></a>`nftables::rules::out::icmp`

control outbound icmp packages

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#v4_types)

* [`v6_types`](#v6_types)

* [`order`](#order)

##### <a name="v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftablesrulesoutimap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftablesrulesoutkerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftablesrulesoutmysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftablesrulesoutnfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftablesrulesoutnfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftablesrulesoutopenafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

7000 - afs3-fileserver

7002 - afs3-ptserver

7003 - vlserver

* **See also**

  * https://wiki.openafs.org/devel/AFSServicePorts/

    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftablesrulesoutospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftablesrulesoutospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftablesrulesoutpop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftablesrulesoutpostgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftablesrulesoutpuppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#puppetserver)

* [`puppetserver_port`](#puppetserver_port)

##### <a name="puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftablesrulesoutsmtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftablesrulesoutssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftablesrulesoutsshremove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftablesrulesouttor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftablesrulesoutwireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftablesrulespuppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftablesrulessamba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#ctdb)

##### <a name="ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: ``false``

### <a name="nftablesrulessmtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftablesrulessmtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftablesrulessmtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftablesrulesssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftablesrulestor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftablesruleswireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wiregueard port

Default value: `[51820]`

### <a name="nftablesservicesdhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow in and outbound traffic for DHCPv6 server

### <a name="nftablesservicesopenafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftableschain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#table)

* [`chain`](#chain)

* [`inject`](#inject)

* [`inject_iif`](#inject_iif)

* [`inject_oif`](#inject_oif)

##### <a name="table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: ``undef``

##### <a name="inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: ``undef``

##### <a name="inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: ``undef``

### <a name="nftablesconfig"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#tablespec)

* [`content`](#content)

* [`source`](#source)

* [`prefix`](#prefix)

##### <a name="tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="content"></a>`content`

Data type: `Optional[String]`

Default value: ``undef``

##### <a name="source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

##### <a name="prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftablesrule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet

nftables::rule {

  'default_in-myhttp':

    content => 'tcp dport 80 accept',

}

```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet

nftables::rule {

  'PREROUTING6-count':

    content => 'counter',

    table   => 'ip6-nat'

}

```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#ensure)

* [`rulename`](#rulename)

* [`order`](#order)

* [`table`](#table)

* [`content`](#content)

* [`source`](#source)

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The

format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="table"></a>`table`

Data type: `Optional[String]`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables

language.

Default value: ``undef``

##### <a name="source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: ``undef``

### <a name="nftablesrulesdnat4"></a>`nftables::rules::dnat4`

manage a ipv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#daddr)

* [`port`](#port)

* [`rulename`](#rulename)

* [`order`](#order)

* [`chain`](#chain)

* [`iif`](#iif)

* [`proto`](#proto)

* [`dport`](#dport)

* [`ensure`](#ensure)

##### <a name="daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`