/REFERENCE.md - puppet nftables - Koumbit's Redmine

Télécharger au format

root / REFERENCE.md @ 13f26dfc

Historique | Voir | Annoter | Télécharger (35 ko)

       # Reference
       <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
       ## Table of Contents
       ### Classes
       * [`nftables`](#nftables): Configure nftables
       * [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges
       * [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter
       * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat
       * [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients
       * [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
       * [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       * [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client): allow DHCPv6 requests in to a host
       * [`nftables::rules::dns`](#nftablesrulesdns): manage in dns
       * [`nftables::rules::http`](#nftablesruleshttp): manage in http
       * [`nftables::rules::https`](#nftablesruleshttps): manage in https
       * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2
       * [`nftables::rules::icmp`](#nftablesrulesicmp)
       * [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4
       * [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3
       * [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter
       * [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf
       * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3
       * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound
       * [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       * [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony
       * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp
       * [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client): Allow DHCPv6 requests out of a host
       * [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns
       * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
       * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
       * [`nftables::rules::out::icmp`](#nftablesrulesouticmp): control outbound icmp packages
       * [`nftables::rules::out::imap`](#nftablesrulesoutimap): allow outgoing imap
       * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos
       * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
       * [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs
       * [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3
       * [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
       * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
       * [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3
       * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
       * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
       * [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp
       * [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client
       * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
       * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
       * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
       * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
       * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
       * [`nftables::rules::samba`](#nftablesrulessamba): manage Samba, the suite to allow Windows file sharing on Linux resources.
       * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
       * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
       * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
       * [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh
       * [`nftables::rules::tor`](#nftablesrulestor): manage in tor
       * [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard
       * [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client): Allow in and outbound traffic for DHCPv6 server
       * [`nftables::services::openafs_client`](#nftablesservicesopenafs_client): Open inbound and outbound ports for an AFS client
       ### Defined types
       * [`nftables::chain`](#nftableschain): manage a chain
       * [`nftables::config`](#nftablesconfig): manage a config snippet
       * [`nftables::rule`](#nftablesrule): Provides an interface to create a firewall rule
       * [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule
       * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
       * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
       * [`nftables::set`](#nftablesset): manage a named set
       * [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule
       ### Data types
       * [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.
       * [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.
       * [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.
       * [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.
       * [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       * [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule
       ## Classes
       ### <a name="nftables"></a>`nftables`
       Configure nftables
       #### Examples
       ##### allow dns out and do not allow ntp out
       ```puppet
       class{'nftables:
         out_ntp = false,
         out_dns = true,
+      }
       ```
       ##### do not flush particular tables, fail2ban in this case
       ```puppet
       class{'nftables':
         noflush_tables = ['inet-f2b-table'],
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables` class:
       * [`out_all`](#out_all)
       * [`out_ntp`](#out_ntp)
       * [`out_http`](#out_http)
       * [`out_dns`](#out_dns)
       * [`out_https`](#out_https)
       * [`out_icmp`](#out_icmp)
       * [`in_ssh`](#in_ssh)
       * [`in_icmp`](#in_icmp)
       * [`nat`](#nat)
       * [`sets`](#sets)
       * [`log_prefix`](#log_prefix)
       * [`log_limit`](#log_limit)
       * [`reject_with`](#reject_with)
       * [`in_out_conntrack`](#in_out_conntrack)
       * [`fwd_conntrack`](#fwd_conntrack)
       * [`firewalld_enable`](#firewalld_enable)
       * [`noflush_tables`](#noflush_tables)
       * [`rules`](#rules)
       ##### <a name="out_all"></a>`out_all`
       Data type: `Boolean`
       Allow all outbound connections. If `true` then all other
       out parameters `out_ntp`, `out_dns`, ... will be assuemed
       false.
       Default value: ``false``
       ##### <a name="out_ntp"></a>`out_ntp`
       Data type: `Boolean`
       Allow outbound to ntp servers.
       Default value: ``true``
       ##### <a name="out_http"></a>`out_http`
       Data type: `Boolean`
       Allow outbound to http servers.
       Default value: ``true``
       ##### <a name="out_dns"></a>`out_dns`
       Data type: `Boolean`
       Allow outbound to dns servers.
       Default value: ``true``
       ##### <a name="out_https"></a>`out_https`
       Data type: `Boolean`
       Allow outbound to https servers.
       Default value: ``true``
       ##### <a name="out_icmp"></a>`out_icmp`
       Data type: `Boolean`
       Allow outbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### <a name="in_ssh"></a>`in_ssh`
       Data type: `Boolean`
       Allow inbound to ssh servers.
       Default value: ``true``
       ##### <a name="in_icmp"></a>`in_icmp`
       Data type: `Boolean`
       Allow inbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### <a name="nat"></a>`nat`
       Data type: `Boolean`
       Add default tables and chains to process NAT traffic.
       Default value: ``true``
       ##### <a name="sets"></a>`sets`
       Data type: `Hash`
       Allows sourcing set definitions directly from Hiera.
       Default value: `{}`
       ##### <a name="log_prefix"></a>`log_prefix`
       Data type: `String`
       String that will be used as prefix when logging packets. It can contain
       two variables using standard sprintf() string-formatting:
        * chain: Will be replaced by the name of the chain.
        * comment: Allows chains to add extra comments.
       Default value: `'[nftables] %<chain>s %<comment>s'`
       ##### <a name="log_limit"></a>`log_limit`
       Data type: `Variant[Boolean[false], String]`
       String with the content of a limit statement to be applied
       to the rules that log discarded traffic. Set to false to
       disable rate limiting.
       Default value: `'3/minute burst 5 packets'`
       ##### <a name="reject_with"></a>`reject_with`
       Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
       How to discard packets not matching any rule. If `false`, the
       fate of the packet will be defined by the chain policy (normally
       drop), otherwise the packet will be rejected with the REJECT_WITH
       policy indicated by the value of this parameter.
       Default value: `'icmpx type port-unreachable'`
       ##### <a name="in_out_conntrack"></a>`in_out_conntrack`
       Data type: `Boolean`
       Adds INPUT and OUTPUT rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``true``
       ##### <a name="fwd_conntrack"></a>`fwd_conntrack`
       Data type: `Boolean`
       Adds FORWARD rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``false``
       ##### <a name="firewalld_enable"></a>`firewalld_enable`
       Data type: `Variant[Boolean[false], Enum['mask']]`
       Configures how the firewalld systemd service unit is enabled. It might be
       useful to set this to false if you're externaly removing firewalld from
       the system completely.
       Default value: `'mask'`
       ##### <a name="noflush_tables"></a>`noflush_tables`
       Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`
       If specified only other existings tables will be flushed.
       If left unset all tables will be flushed via a `flush ruleset`
       Default value: ``undef``
       ##### <a name="rules"></a>`rules`
       Data type: `Hash`
       Specify hashes of `nftables::rule`s via hiera
       Default value: `{}`
       ### <a name="nftablesbridges"></a>`nftables::bridges`
       allow forwarding traffic on bridges
       #### Parameters
       The following parameters are available in the `nftables::bridges` class:
       * [`ensure`](#ensure)
       * [`bridgenames`](#bridgenames)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ##### <a name="bridgenames"></a>`bridgenames`
       Data type: `Regexp`
       Default value: `/^br.+/`
       ### <a name="nftablesinet_filter"></a>`nftables::inet_filter`
       manage basic chains in table inet filter
       ### <a name="nftablesip_nat"></a>`nftables::ip_nat`
       manage basic chains in table ip nat
       ### <a name="nftablesrulesafs3_callback"></a>`nftables::rules::afs3_callback`
       Open call back port for AFS clients
       #### Examples
       ##### allow call backs from particular hosts
       ```puppet
       class{'nftables::rules::afs3_callback':
         saddr => ['192.168.0.0/16', '10.0.0.222']
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rules::afs3_callback` class:
       * [`saddr`](#saddr)
       ##### <a name="saddr"></a>`saddr`
       Data type: `Array[Stdlib::IP::Address::V4,1]`
       list of source network ranges to a
       Default value: `['0.0.0.0/0']`
       ### <a name="nftablesrulesceph"></a>`nftables::rules::ceph`
       Ceph is a distributed object store and file system.
       Enable this to support Ceph's Object Storage Daemons (OSD),
       Metadata Server Daemons (MDS), or Manager Daemons (MGR).
       ### <a name="nftablesrulesceph_mon"></a>`nftables::rules::ceph_mon`
       Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       #### Parameters
       The following parameters are available in the `nftables::rules::ceph_mon` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       specify ports for ceph service
       Default value: `[3300, 6789]`
       ### <a name="nftablesrulesdhcpv6_client"></a>`nftables::rules::dhcpv6_client`
       allow DHCPv6 requests in to a host
       ### <a name="nftablesrulesdns"></a>`nftables::rules::dns`
       manage in dns
       #### Parameters
       The following parameters are available in the `nftables::rules::dns` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for dns.
       Default value: `[53]`
       ### <a name="nftablesruleshttp"></a>`nftables::rules::http`
       manage in http
       ### <a name="nftablesruleshttps"></a>`nftables::rules::https`
       manage in https
       ### <a name="nftablesrulesicinga2"></a>`nftables::rules::icinga2`
       manage in icinga2
       #### Parameters
       The following parameters are available in the `nftables::rules::icinga2` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for icinga1
       Default value: `[5665]`
       ### <a name="nftablesrulesicmp"></a>`nftables::rules::icmp`
       The nftables::rules::icmp class.
       #### Parameters
       The following parameters are available in the `nftables::rules::icmp` class:
       * [`v4_types`](#v4_types)
       * [`v6_types`](#v6_types)
       * [`order`](#order)
       ##### <a name="v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftablesrulesnfs"></a>`nftables::rules::nfs`
       manage in nfs4
       ### <a name="nftablesrulesnfs3"></a>`nftables::rules::nfs3`
       manage in nfs3
       ### <a name="nftablesrulesnode_exporter"></a>`nftables::rules::node_exporter`
       manage in node exporter
       #### Parameters
       The following parameters are available in the `nftables::rules::node_exporter` class:
       * [`prometheus_server`](#prometheus_server)
       * [`port`](#port)
       ##### <a name="prometheus_server"></a>`prometheus_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Specify server name
       Default value: ``undef``
       ##### <a name="port"></a>`port`
       Data type: `Stdlib::Port`
       Specify port to open
       Default value: `9100`
       ### <a name="nftablesrulesospf"></a>`nftables::rules::ospf`
       manage in ospf
       ### <a name="nftablesrulesospf3"></a>`nftables::rules::ospf3`
       manage in ospf3
       ### <a name="nftablesrulesoutall"></a>`nftables::rules::out::all`
       allow all outbound
       ### <a name="nftablesrulesoutceph_client"></a>`nftables::rules::out::ceph_client`
       Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ceph_client` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports to open
       Default value: `[3300, 6789]`
       ### <a name="nftablesrulesoutchrony"></a>`nftables::rules::out::chrony`
       manage out chrony
       ### <a name="nftablesrulesoutdhcp"></a>`nftables::rules::out::dhcp`
       manage out dhcp
       ### <a name="nftablesrulesoutdhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
       Allow DHCPv6 requests out of a host
       ### <a name="nftablesrulesoutdns"></a>`nftables::rules::out::dns`
       manage out dns
       #### Parameters
       The following parameters are available in the `nftables::rules::out::dns` class:
       * [`dns_server`](#dns_server)
       ##### <a name="dns_server"></a>`dns_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify dns_server name
       Default value: ``undef``
       ### <a name="nftablesrulesouthttp"></a>`nftables::rules::out::http`
       manage out http
       ### <a name="nftablesrulesouthttps"></a>`nftables::rules::out::https`
       manage out https
       ### <a name="nftablesrulesouticmp"></a>`nftables::rules::out::icmp`
       control outbound icmp packages
       #### Parameters
       The following parameters are available in the `nftables::rules::out::icmp` class:
       * [`v4_types`](#v4_types)
       * [`v6_types`](#v6_types)
       * [`order`](#order)
       ##### <a name="v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftablesrulesoutimap"></a>`nftables::rules::out::imap`
       allow outgoing imap
       ### <a name="nftablesrulesoutkerberos"></a>`nftables::rules::out::kerberos`
       allows outbound access for kerberos
       ### <a name="nftablesrulesoutmysql"></a>`nftables::rules::out::mysql`
       manage out mysql
       ### <a name="nftablesrulesoutnfs"></a>`nftables::rules::out::nfs`
       manage out nfs
       ### <a name="nftablesrulesoutnfs3"></a>`nftables::rules::out::nfs3`
       manage out nfs3
       ### <a name="nftablesrulesoutopenafs_client"></a>`nftables::rules::out::openafs_client`
       allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * **See also**
         * https://wiki.openafs.org/devel/AFSServicePorts/
           * AFS Service Ports
       #### Parameters
       The following parameters are available in the `nftables::rules::out::openafs_client` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       port numbers to use
       Default value: `[7000, 7002, 7003]`
       ### <a name="nftablesrulesoutospf"></a>`nftables::rules::out::ospf`
       manage out ospf
       ### <a name="nftablesrulesoutospf3"></a>`nftables::rules::out::ospf3`
       manage out ospf3
       ### <a name="nftablesrulesoutpop3"></a>`nftables::rules::out::pop3`
       allow outgoing pop3
       ### <a name="nftablesrulesoutpostgres"></a>`nftables::rules::out::postgres`
       manage out postgres
       ### <a name="nftablesrulesoutpuppet"></a>`nftables::rules::out::puppet`
       manage outgoing puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::out::puppet` class:
       * [`puppetserver`](#puppetserver)
       * [`puppetserver_port`](#puppetserver_port)
       ##### <a name="puppetserver"></a>`puppetserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       puppetserver hostname
       ##### <a name="puppetserver_port"></a>`puppetserver_port`
       Data type: `Stdlib::Port`
       puppetserver port
       Default value: `8140`
       ### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp`
       allow outgoing smtp
       ### <a name="nftablesrulesoutsmtp_client"></a>`nftables::rules::out::smtp_client`
       allow outgoing smtp client
       ### <a name="nftablesrulesoutssh"></a>`nftables::rules::out::ssh`
       manage out ssh
       ### <a name="nftablesrulesoutsshremove"></a>`nftables::rules::out::ssh::remove`
       disable outgoing ssh
       ### <a name="nftablesrulesouttor"></a>`nftables::rules::out::tor`
       manage out tor
       ### <a name="nftablesrulesoutwireguard"></a>`nftables::rules::out::wireguard`
       manage out wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::out::wireguard` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Integer,1]`
       specify wireguard ports
       Default value: `[51820]`
       ### <a name="nftablesrulespuppet"></a>`nftables::rules::puppet`
       manage in puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::puppet` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Integer,1]`
       puppet server ports
       Default value: `[8140]`
       ### <a name="nftablesrulessamba"></a>`nftables::rules::samba`
       manage Samba, the suite to allow Windows file sharing on Linux resources.
       #### Parameters
       The following parameters are available in the `nftables::rules::samba` class:
       * [`ctdb`](#ctdb)
       ##### <a name="ctdb"></a>`ctdb`
       Data type: `Boolean`
       Enable ctdb-driven clustered Samba setups.
       Default value: ``false``
       ### <a name="nftablesrulessmtp"></a>`nftables::rules::smtp`
       manage in smtp
       ### <a name="nftablesrulessmtp_submission"></a>`nftables::rules::smtp_submission`
       manage in smtp submission
       ### <a name="nftablesrulessmtps"></a>`nftables::rules::smtps`
       manage in smtps
       ### <a name="nftablesrulesssh"></a>`nftables::rules::ssh`
       manage in ssh
       #### Parameters
       The following parameters are available in the `nftables::rules::ssh` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ssh ports
       Default value: `[22]`
       ### <a name="nftablesrulestor"></a>`nftables::rules::tor`
       manage in tor
       #### Parameters
       The following parameters are available in the `nftables::rules::tor` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ports for tor
       Default value: `[9001]`
       ### <a name="nftablesruleswireguard"></a>`nftables::rules::wireguard`
       manage in wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::wireguard` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       wiregueard port
       Default value: `[51820]`
       ### <a name="nftablesservicesdhcpv6_client"></a>`nftables::services::dhcpv6_client`
       Allow in and outbound traffic for DHCPv6 server
       ### <a name="nftablesservicesopenafs_client"></a>`nftables::services::openafs_client`
       Open inbound and outbound ports for an AFS client
       ## Defined types
       ### <a name="nftableschain"></a>`nftables::chain`
       manage a chain
       #### Parameters
       The following parameters are available in the `nftables::chain` defined type:
       * [`table`](#table)
       * [`chain`](#chain)
       * [`inject`](#inject)
       * [`inject_iif`](#inject_iif)
       * [`inject_oif`](#inject_oif)
       ##### <a name="table"></a>`table`
       Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
       Default value: `'inet-filter'`
       ##### <a name="chain"></a>`chain`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="inject"></a>`inject`
       Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
       Default value: ``undef``
       ##### <a name="inject_iif"></a>`inject_iif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### <a name="inject_oif"></a>`inject_oif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ### <a name="nftablesconfig"></a>`nftables::config`
       manage a config snippet
       #### Parameters
       The following parameters are available in the `nftables::config` defined type:
       * [`tablespec`](#tablespec)
       * [`content`](#content)
       * [`source`](#source)
       * [`prefix`](#prefix)
       ##### <a name="tablespec"></a>`tablespec`
       Data type: `Pattern[/^\w+-\w+$/]`
       Default value: `$title`
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ##### <a name="prefix"></a>`prefix`
       Data type: `String`
       Default value: `'custom-'`
       ### <a name="nftablesrule"></a>`nftables::rule`
       Provides an interface to create a firewall rule
       #### Examples
       ##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
       ```puppet
       nftables::rule {
         'default_in-myhttp':
           content => 'tcp dport 80 accept',
+      }
       ```
       ##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
       ```puppet
       nftables::rule {
         'PREROUTING6-count':
           content => 'counter',
           table   => 'ip6-nat'
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rule` defined type:
       * [`ensure`](#ensure)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`table`](#table)
       * [`content`](#content)
       * [`source`](#source)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Nftables::RuleName`
       The symbolic name for the rule and to what chain to add it. The
       format is defined by the Nftables::RuleName type.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="table"></a>`table`
       Data type: `Optional[String]`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       The raw statements that compose the rule represented using the nftables
       language.
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Same goal as content but sourcing the value from a file.
       Default value: ``undef``
       ### <a name="nftablesrulesdnat4"></a>`nftables::rules::dnat4`
       manage a ipv4 dnat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::dnat4` defined type:
       * [`daddr`](#daddr)
       * [`port`](#port)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`iif`](#iif)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="daddr"></a>`daddr`
       Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
       ##### <a name="port"></a>`port`
       Data type: `Variant[String,Stdlib::Port]`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'50'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'default_fwd'`
       ##### <a name="iif"></a>`iif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Enum['tcp','udp']`
       Default value: `'tcp'`
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: `''`
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesrulesmasquerade"></a>`nftables::rules::masquerade`
       masquerade all outgoing traffic
       #### Parameters
       The following parameters are available in the `nftables::rules::masquerade` defined type:
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`oif`](#oif)
       * [`saddr`](#saddr)
       * [`daddr`](#daddr)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="daddr"></a>`daddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesrulessnat4"></a>`nftables::rules::snat4`
       manage a ipv4 snat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::snat4` defined type:
       * [`snat`](#snat)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`oif`](#oif)
       * [`saddr`](#saddr)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="snat"></a>`snat`
       Data type: `String[1]`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesset"></a>`nftables::set`
       manage a named set
       #### Examples
       ##### simple set
       ```puppet
       nftables::set{'my_set':
         type       => 'ipv4_addr',
         flags      => ['interval'],
         elements   => ['192.168.0.1/24', '10.0.0.2'],
         auto_merge => true,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::set` defined type:
       * [`ensure`](#ensure)
       * [`setname`](#setname)
       * [`order`](#order)
       * [`type`](#type)
       * [`table`](#table)
       * [`flags`](#flags)
       * [`timeout`](#timeout)
       * [`gc_interval`](#gc_interval)
       * [`elements`](#elements)
       * [`size`](#size)
       * [`policy`](#policy)
       * [`auto_merge`](#auto_merge)
       * [`content`](#content)
       * [`source`](#source)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       should the set be created.
       Default value: `'present'`
       ##### <a name="setname"></a>`setname`
       Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
       name of set, equal to to title.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       concat ordering.
       Default value: `'10'`
       ##### <a name="type"></a>`type`
       Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
       type of set.
       Default value: ``undef``
       ##### <a name="table"></a>`table`
       Data type: `String`
       table to add set to.
       Default value: `'inet-filter'`
       ##### <a name="flags"></a>`flags`
       Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
       specify flags for set
       Default value: `[]`
       ##### <a name="timeout"></a>`timeout`
       Data type: `Optional[Integer]`
       timeout in seconds
       Default value: ``undef``
       ##### <a name="gc_interval"></a>`gc_interval`
       Data type: `Optional[Integer]`
       garbage collection interval.
       Default value: ``undef``
       ##### <a name="elements"></a>`elements`
       Data type: `Optional[Array[String]]`
       initialize the set with some elements in it.
       Default value: ``undef``
       ##### <a name="size"></a>`size`
       Data type: `Optional[Integer]`
       limits the maximum number of elements of the set.
       Default value: ``undef``
       ##### <a name="policy"></a>`policy`
       Data type: `Optional[Enum['performance', 'memory']]`
       determines set selection policy.
       Default value: ``undef``
       ##### <a name="auto_merge"></a>`auto_merge`
       Data type: `Boolean`
+      ?
       Default value: ``false``
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       specify content of set.
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify source of set.
       Default value: ``undef``
       ### <a name="nftablessimplerule"></a>`nftables::simplerule`
       Provides a simplified interface to nftables::rule
       #### Examples
       ##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
       ```puppet
       nftables::simplerule{'my_service_in':
         action  => 'accept',
         comment => 'allow traffic to port 543',
         counter => true,
         proto   => 'tcp',
         dport   => 543,
         daddr   => '2001:1458::/32',
         sport   => 541,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::simplerule` defined type:
       * [`ensure`](#ensure)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`table`](#table)
       * [`action`](#action)
       * [`comment`](#comment)
       * [`dport`](#dport)
       * [`proto`](#proto)
       * [`daddr`](#daddr)
       * [`set_type`](#set_type)
       * [`sport`](#sport)
       * [`saddr`](#saddr)
       * [`counter`](#counter)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Nftables::SimpleRuleName`
       The symbolic name for the rule to add. Defaults to the resource's title.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="chain"></a>`chain`
       Data type: `String`
       The name of the chain to add this rule to.
       Default value: `'default_in'`
       ##### <a name="table"></a>`table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="action"></a>`action`
       Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
       The verdict for the matched traffic.
       Default value: `'accept'`
       ##### <a name="comment"></a>`comment`
       Data type: `Optional[String]`
       A typically human-readable comment for the rule.
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Nftables::Port]`
       The destination port, ports or port range.
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
       The transport-layer protocol to match.
       Default value: ``undef``
       ##### <a name="daddr"></a>`daddr`
       Data type: `Optional[Nftables::Addr]`
       The destination address, CIDR or set to match.
       Default value: ``undef``
       ##### <a name="set_type"></a>`set_type`
       Data type: `Enum['ip', 'ip6']`
       When using sets as saddr or daddr, the type of the set.
       Use `ip` for sets of type `ipv4_addr`.
       Default value: `'ip6'`
       ##### <a name="sport"></a>`sport`
       Data type: `Optional[Nftables::Port]`
       The source port, ports or port range.
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[Nftables::Addr]`
       The source address, CIDR or set to match.
       Default value: ``undef``
       ##### <a name="counter"></a>`counter`
       Data type: `Boolean`
       Enable traffic counters for the matched traffic.
       Default value: ``false``
       ## Data types
       ### <a name="nftablesaddr"></a>`Nftables::Addr`
       Represents an address expression to be used within a rule.
       Alias of
       ```puppet
       Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]
       ```
       ### <a name="nftablesaddrset"></a>`Nftables::Addr::Set`
       Represents a set expression to be used within a rule.
       Alias of
       ```puppet
       Pattern[/^@[-a-zA-Z0-9_]+$/]
       ```
       ### <a name="nftablesport"></a>`Nftables::Port`
       Represents a port expression to be used within a rule.
       Alias of
       ```puppet
       Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]
       ```
       ### <a name="nftablesportrange"></a>`Nftables::Port::Range`
       Represents a port range expression to be used within a rule.
       Alias of
       ```puppet
       Pattern[/^\d+-\d+$/]
       ```
       ### <a name="nftablesrulename"></a>`Nftables::RuleName`
       Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       Alias of
       ```puppet
       Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
       ```
       ### <a name="nftablessimplerulename"></a>`Nftables::SimpleRuleName`
       Represents a simple rule name to be used in a rule created via nftables::simplerule
       Alias of
       ```puppet
       Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]
       ```

Projet

Général

Profil

puppet nftables

root / REFERENCE.md @ 13f26dfc