Révision 13f26dfc
Improve nftables::rule's documentation (#68)
| README.md | ||
|---|---|---|
| 86 | 86 |
|
| 87 | 87 |
You can define the order by using the `order` param. |
| 88 | 88 |
|
| 89 |
Before defining your own rule, take a look to the list of ready-to-use rules |
|
| 90 |
available in the |
|
| 91 |
[REFERENCE](https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md), |
|
| 92 |
somebody might have encapsulated a rule definition for you already. |
|
| 93 |
|
|
| 89 | 94 |
## nftables::set |
| 90 | 95 |
|
| 91 | 96 |
Adds a named set to a given table. It allows composing the |
| REFERENCE.md | ||
|---|---|---|
| 72 | 72 |
|
| 73 | 73 |
* [`nftables::chain`](#nftableschain): manage a chain |
| 74 | 74 |
* [`nftables::config`](#nftablesconfig): manage a config snippet |
| 75 |
* [`nftables::rule`](#nftablesrule): manage a chain rule Name should be: CHAIN_NAME-rulename
|
|
| 75 |
* [`nftables::rule`](#nftablesrule): Provides an interface to create a firewall rule
|
|
| 76 | 76 |
* [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule |
| 77 | 77 |
* [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic |
| 78 | 78 |
* [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule |
| ... | ... | |
| 949 | 949 |
|
| 950 | 950 |
### <a name="nftablesrule"></a>`nftables::rule` |
| 951 | 951 |
|
| 952 |
manage a chain rule |
|
| 953 |
Name should be: |
|
| 954 |
CHAIN_NAME-rulename |
|
| 952 |
Provides an interface to create a firewall rule |
|
| 953 |
|
|
| 954 |
#### Examples |
|
| 955 |
|
|
| 956 |
##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80 |
|
| 957 |
|
|
| 958 |
```puppet |
|
| 959 |
nftables::rule {
|
|
| 960 |
'default_in-myhttp': |
|
| 961 |
content => 'tcp dport 80 accept', |
|
| 962 |
} |
|
| 963 |
``` |
|
| 964 |
|
|
| 965 |
##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic |
|
| 966 |
|
|
| 967 |
```puppet |
|
| 968 |
nftables::rule {
|
|
| 969 |
'PREROUTING6-count': |
|
| 970 |
content => 'counter', |
|
| 971 |
table => 'ip6-nat' |
|
| 972 |
} |
|
| 973 |
``` |
|
| 955 | 974 |
|
| 956 | 975 |
#### Parameters |
| 957 | 976 |
|
| ... | ... | |
| 968 | 987 |
|
| 969 | 988 |
Data type: `Enum['present','absent']` |
| 970 | 989 |
|
| 971 |
|
|
| 990 |
Should the rule be created. |
|
| 972 | 991 |
|
| 973 | 992 |
Default value: `'present'` |
| 974 | 993 |
|
| ... | ... | |
| 976 | 995 |
|
| 977 | 996 |
Data type: `Nftables::RuleName` |
| 978 | 997 |
|
| 979 |
|
|
| 998 |
The symbolic name for the rule and to what chain to add it. The |
|
| 999 |
format is defined by the Nftables::RuleName type. |
|
| 980 | 1000 |
|
| 981 | 1001 |
Default value: `$title` |
| 982 | 1002 |
|
| ... | ... | |
| 984 | 1004 |
|
| 985 | 1005 |
Data type: `Pattern[/^\d\d$/]` |
| 986 | 1006 |
|
| 987 |
|
|
| 1007 |
A number representing the order of the rule. |
|
| 988 | 1008 |
|
| 989 | 1009 |
Default value: `'50'` |
| 990 | 1010 |
|
| ... | ... | |
| 992 | 1012 |
|
| 993 | 1013 |
Data type: `Optional[String]` |
| 994 | 1014 |
|
| 995 |
|
|
| 1015 |
The name of the table to add this rule to. |
|
| 996 | 1016 |
|
| 997 | 1017 |
Default value: `'inet-filter'` |
| 998 | 1018 |
|
| ... | ... | |
| 1000 | 1020 |
|
| 1001 | 1021 |
Data type: `Optional[String]` |
| 1002 | 1022 |
|
| 1003 |
|
|
| 1023 |
The raw statements that compose the rule represented using the nftables |
|
| 1024 |
language. |
|
| 1004 | 1025 |
|
| 1005 | 1026 |
Default value: ``undef`` |
| 1006 | 1027 |
|
| ... | ... | |
| 1008 | 1029 |
|
| 1009 | 1030 |
Data type: `Optional[Variant[String,Array[String,1]]]` |
| 1010 | 1031 |
|
| 1011 |
|
|
| 1032 |
Same goal as content but sourcing the value from a file. |
|
| 1012 | 1033 |
|
| 1013 | 1034 |
Default value: ``undef`` |
| 1014 | 1035 |
|
| manifests/rule.pp | ||
|---|---|---|
| 1 |
# manage a chain rule |
|
| 2 |
# Name should be: |
|
| 3 |
# CHAIN_NAME-rulename |
|
| 1 |
# @summary Provides an interface to create a firewall rule |
|
| 2 |
# |
|
| 3 |
# @example add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80 |
|
| 4 |
# nftables::rule {
|
|
| 5 |
# 'default_in-myhttp': |
|
| 6 |
# content => 'tcp dport 80 accept', |
|
| 7 |
# } |
|
| 8 |
# |
|
| 9 |
# @example add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic |
|
| 10 |
# nftables::rule {
|
|
| 11 |
# 'PREROUTING6-count': |
|
| 12 |
# content => 'counter', |
|
| 13 |
# table => 'ip6-nat' |
|
| 14 |
# } |
|
| 15 |
# |
|
| 16 |
# @param ensure |
|
| 17 |
# Should the rule be created. |
|
| 18 |
# |
|
| 19 |
# @param rulename |
|
| 20 |
# The symbolic name for the rule and to what chain to add it. The |
|
| 21 |
# format is defined by the Nftables::RuleName type. |
|
| 22 |
# |
|
| 23 |
# @param order |
|
| 24 |
# A number representing the order of the rule. |
|
| 25 |
# |
|
| 26 |
# @param table |
|
| 27 |
# The name of the table to add this rule to. |
|
| 28 |
# |
|
| 29 |
# @param content |
|
| 30 |
# The raw statements that compose the rule represented using the nftables |
|
| 31 |
# language. |
|
| 32 |
# |
|
| 33 |
# @param source |
|
| 34 |
# Same goal as content but sourcing the value from a file. |
|
| 4 | 35 |
define nftables::rule ( |
| 5 |
# lint:ignore:parameter_documentation |
|
| 6 | 36 |
Enum['present','absent'] $ensure = 'present', |
| 7 | 37 |
Nftables::RuleName $rulename = $title, |
| 8 | 38 |
Pattern[/^\d\d$/] $order = '50', |
| 9 | 39 |
Optional[String] $table = 'inet-filter', |
| 10 | 40 |
Optional[String] $content = undef, |
| 11 | 41 |
Optional[Variant[String,Array[String,1]]] $source = undef, |
| 12 |
# lint:endignore |
|
| 13 | 42 |
) {
|
| 14 | 43 |
if $ensure == 'present' {
|
| 15 | 44 |
$data = split($rulename, '-') |
Formats disponibles : Unified diff