root / REFERENCE.md @ 1ef7d5c4

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the existing tables not listed here will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

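The parameters above are easiest to understand together. The manifest below is an added example, not code from the module's own reference: it configures a host that may only reach an explicit set of outbound services, keeps stateful filtering and invalid-packet dropping on, rate-limits the logging of discarded traffic so a flood cannot fill the journal, and protects a fail2ban table from the ruleset flush. The entries under `rules` are `nftables::rule` resources; their `content` key is assumed from that defined type (its parameters are not listed in this section), and the rule names follow the `Nftables::RuleName` format `'<chain>-<name>[-<number>]'` described in the table of contents. The ports and addresses are constructed values.

```puppet
# Added example, not from the module's reference.
class { 'nftables':
  # Keep the per-service outbound switches meaningful: with out_all => true
  # every other out_* parameter is treated as false.
  out_all             => false,
  out_ntp             => true,
  out_dns             => true,
  out_https           => true,
  out_http            => false,   # plain HTTP is not needed on this host
  out_icmp            => true,
  in_ssh              => true,
  in_icmp             => true,
  # Stateful filtering plus dropping of invalid packets in INPUT/OUTPUT;
  # this host does not forward, so the FORWARD variants stay off.
  in_out_conntrack    => true,
  in_out_drop_invalid => true,
  fwd_conntrack       => false,
  # Log discarded packets, but no more than the limit statement allows.
  log_discarded       => true,
  log_limit           => '3/minute burst 5 packets',
  log_prefix          => '[nftables] %<chain>s %<comment>s',
  # Reject rather than silently drop; the value must match the
  # reject_with pattern (icmp/icmpv6/icmpx type ... or "tcp reset").
  reject_with         => 'icmpx type port-unreachable',
  # Tables owned by other tools (here fail2ban) survive "flush ruleset".
  noflush_tables      => ['inet-f2b-table'],
  firewalld_enable    => 'mask',
  # Raw rules keyed by Nftables::RuleName. 'content' is assumed to be the
  # nftables::rule parameter that carries the nft rule body.
  rules               => {
    'default_in-node_exporter' => {
      'content' => 'tcp dport 9100 ip saddr 10.0.0.0/8 accept',  # constructed
    },
    'default_out-syslog' => {
      'content' => 'tcp dport 6514 ip daddr 10.0.0.5 accept',    # constructed
    },
  },
}
```

After a Puppet run, `nft list ruleset` should show the `inet-f2b-table` table untouched next to the module's own tables, and `journalctl -k` should carry the `[nftables] default_in ...` prefix on discarded packets at no more than the configured rate.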
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`



Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`



Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
* [`iifname`](#-nftables--rules--llmnr--iifname)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interface names to filter on

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the Prometheus server name(s)

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces on which to allow traffic

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the DNS servers

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients:

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

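The `nftables::rules::out::*` classes above each open one outbound service, and several of them take the permitted destination servers as parameters. The following manifest is an added example, not code from this generated reference or from the module itself: it composes those classes into an egress policy that names its destinations instead of declaring `nftables::rules::out::all`. The profile class name, the interface-free assumption that the module's output chain keeps its default deny policy, and all IP addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```puppet
# Added example: an explicit egress policy built only from the
# nftables::rules::out::* classes documented above.
# Assumes the module's output chain is left at its default deny policy,
# so anything not declared here is not permitted out.
# All addresses are constructed placeholders from RFC 5737 ranges.
class profile::firewall::egress (
  Array[Stdlib::IP::Address,1] $puppetservers = ['192.0.2.10'],
  Array[Stdlib::IP::Address,1] $dns_servers   = ['192.0.2.53', '192.0.2.54'],
  Array[Stdlib::IP::Address,1] $ntp_servers   = ['192.0.2.123'],
  Array[Stdlib::IP::Address,1] $ldap_servers  = ['192.0.2.20'],
) {
  # Deliberately NOT declaring nftables::rules::out::all.

  # Puppet agent to its server(s) only; 8140 is the documented default port.
  class { 'nftables::rules::out::puppet':
    puppetserver      => $puppetservers,
    puppetserver_port => 8140,
  }

  # DNS resolution restricted to the named resolvers.
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }

  # NTP (chrony) restricted to the named time servers.
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # LDAP to the named servers over LDAPS only: the documented default
  # [389, 636] would also permit the plaintext port.
  class { 'nftables::rules::out::ldap':
    ldapserver       => $ldap_servers,
    ldapserver_ports => [636],
  }

  # Parameterless classes: DHCP for address acquisition, HTTPS for package
  # and API traffic (HTTP is intentionally omitted).
  include nftables::rules::out::dhcp
  include nftables::rules::out::https

  # Outbound ICMP limited to the types needed for diagnostics and
  # path-MTU discovery (nftables icmp/icmpv6 type names).
  class { 'nftables::rules::out::icmp':
    v4_types => ['echo-request', 'destination-unreachable'],
    v6_types => [
      'echo-request',
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
    ],
  }
}
```

Declaring a server-taking class without its server list (for example `nftables::rules::out::dns` with the default `[]`) is worth checking in a catalog compile: the parameter types above accept an empty array, so a missing Hiera value fails silently rather than at compile time.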

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you do not serve DHCP to your
guests you can disable the rules that accept DHCP traffic on the host,
and if you do not want your guests to talk to hosts outside you can
disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic to the DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types
1588
1589 c24d3118 Tim Meusel
### <a name="nftables--chain"></a>`nftables::chain`
1590 e17693e3 Steve Traylen
1591
manage a chain
1592
1593
#### Parameters
1594
1595 09cba182 Steve Traylen
The following parameters are available in the `nftables::chain` defined type:
1596
1597 c24d3118 Tim Meusel
* [`table`](#-nftables--chain--table)
1598
* [`chain`](#-nftables--chain--chain)
1599
* [`inject`](#-nftables--chain--inject)
1600
* [`inject_iif`](#-nftables--chain--inject_iif)
1601
* [`inject_oif`](#-nftables--chain--inject_oif)
1602 e17693e3 Steve Traylen
1603 c24d3118 Tim Meusel
##### <a name="-nftables--chain--table"></a>`table`
1604 e17693e3 Steve Traylen
1605 7030bde0 Luis Fernández Álvarez
Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`
1606 e17693e3 Steve Traylen
1607
1608
1609
Default value: `'inet-filter'`
1610
1611 c24d3118 Tim Meusel
##### <a name="-nftables--chain--chain"></a>`chain`
1612 e17693e3 Steve Traylen
1613
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1614
1615
1616
1617
Default value: `$title`
1618
1619 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject"></a>`inject`
1620 e17693e3 Steve Traylen
1621
Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
1622
1623
1624
1625 c24d3118 Tim Meusel
Default value: `undef`
1626 e17693e3 Steve Traylen
1627 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`
1628 e17693e3 Steve Traylen
1629
Data type: `Optional[String]`
1630
1631
1632
1633 c24d3118 Tim Meusel
Default value: `undef`
1634 e17693e3 Steve Traylen
1635 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`
1636 e17693e3 Steve Traylen
1637
Data type: `Optional[String]`
1638
1639
1640
1641 c24d3118 Tim Meusel
Default value: `undef`
1642 e17693e3 Steve Traylen
1643 c24d3118 Tim Meusel
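An added example, not from the module's own documentation, showing a dedicated chain hooked into the module's forward chain through `inject` and populated with `nftables::rule`. The page does not describe the `inject` parameters, so the comments state how its `NN-name` pattern is read here; chain name, interface names and ports are assumed.

```puppet
# Added example (not part of the module docs). Names, interfaces and ports are
# assumed. Reading of `inject`: '<order>-<parent chain>', i.e. a jump into this
# chain is placed in the parent chain at that order; inject_iif / inject_oif
# limit that jump to traffic entering and leaving the named interfaces.
nftables::chain { 'dmz_fwd':
  table      => 'inet-filter',
  inject     => '20-default_fwd',
  inject_iif => 'eth0',
  inject_oif => 'eth1',
}

# Rules are addressed to a chain through their name, '<chain>-<rule>'
# (the Nftables::RuleName form). Only new connections need to be matched
# here; reply traffic is handled by the conntrack rules of the module.
nftables::rule { 'dmz_fwd-web':
  content => 'tcp dport { 80, 443 } ct state new accept',
}

# Lower order runs first. A logged drop at the end of the chain records what
# this chain rejected, instead of leaving it to the parent chain's policy
# where the reason is no longer visible.
nftables::rule { 'dmz_fwd-log_drop':
  order   => '90',
  content => 'log prefix "dmz_fwd drop: " drop',
}
```
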
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file { 'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created. If left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule { 'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

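An added example, not from the module's own documentation, that puts the three NAT defined types above together for a small gateway: `nftables::rules::dnat4` forwards an outside port to an internal host, `nftables::rules::masquerade` rewrites outbound traffic leaving the uplink, and `nftables::rules::snat4` is the variant for a fixed uplink address. The page lists these parameters without describing them, so the comments state how they are read here; addresses and interface names are assumed.

```puppet
# Added example (not part of the module docs). Addresses and interface names
# are assumed; parameter meanings are read from the names in the reference.

# Publish TCP/443 on the uplink and hand it to the web host in the DMZ.
# daddr/port are taken as the internal host and port, dport as the port
# reached from outside. Restricting with iif keeps the rewrite from being
# triggered by packets that arrive on the internal interface, and the
# forwarded flow is permitted in `chain` (default 'default_fwd').
nftables::rules::dnat4 { 'web_443':
  daddr => '10.0.1.10',
  port  => 8443,
  dport => 443,
  proto => 'tcp',
  iif   => 'eth0',
}

# Internal hosts behind a dynamically addressed uplink: masquerade on the
# uplink only and only for the internal range, so packets from any other
# source (spoofed or misrouted) are not silently rewritten as well.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
}

# Same purpose with a static uplink address: SNAT to that fixed address
# (the value of `snat`). Use either this or the masquerade rule, not both,
# for the same source range and interface.
nftables::rules::snat4 { 'lan_out_static':
  snat  => '203.0.113.5',
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
}
```
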
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set { 'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of set, equal to title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule { 'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`