REFERENCE.md @ 2a649e6e

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`purge_unmanaged_rules`](#-nftables--purge_unmanaged_rules)
* [`inmem_rules_hash_file`](#-nftables--inmem_rules_hash_file)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)
* [`clobber_default_config`](#-nftables--clobber_default_config)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--purge_unmanaged_rules"></a>`purge_unmanaged_rules`

Data type: `Boolean`

Prohibits in-memory rules that are not declared in Puppet
code. Setting this to true activates a check that reloads nftables
if the rules in memory have been modified without Puppet.

Default value: `false`

##### <a name="-nftables--inmem_rules_hash_file"></a>`inmem_rules_hash_file`

Data type: `Stdlib::Unixpath`

The name of the file where the hash of the in-memory rules
will be stored.

Default value: `'/var/tmp/puppet-nft-memhash'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables (those not listed) will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via Hiera.

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

##### <a name="-nftables--clobber_default_config"></a>`clobber_default_config`

Data type: `Boolean`

Should the existing OS-provided rules in the `configuration_path` be removed? If
they are not removed, this module will append all of its configuration to the end of
the existing rules.

Default value: `false`

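A fuller declaration of the `nftables` class, added here as an example that is not part of the generated reference: it combines the parameters documented above into a restrictive host policy (deny-by-default egress, ssh and ICMP ingress, detection of rules changed outside Puppet, rate-limited logging of discarded traffic). The class and parameter names are the ones listed in this section; the values are illustrative choices, not module defaults.

```puppet
# Added example: a restrictive host firewall built from the documented
# parameters of the nftables class. Values are illustrative, not defaults.
class { 'nftables':
  # Deny-by-default egress: only the listed services may leave the host.
  out_all                => false,
  out_ntp                => true,
  out_dns                => true,
  out_https              => true,
  out_http               => false,
  out_icmp               => true,
  # Ingress: ssh and ICMP only; anything else falls through to reject_with.
  in_ssh                 => true,
  in_icmp                => true,
  # Keep the default inet filter tables and the conntrack rules, no NAT.
  inet_filter            => true,
  in_out_conntrack       => true,
  in_out_drop_invalid    => true,
  nat                    => false,
  # Reload the ruleset if the in-memory rules were changed outside Puppet;
  # the hash of the last known-good ruleset is kept in this file.
  purge_unmanaged_rules  => true,
  inmem_rules_hash_file  => '/var/tmp/puppet-nft-memhash',
  # Log discarded packets, rate-limited so a flood cannot fill the journal.
  # %<chain>s and %<comment>s are expanded per chain (sprintf-style).
  log_discarded          => true,
  log_prefix             => '[nftables] %<chain>s %<comment>s',
  log_limit              => '3/minute burst 5 packets',
  # Reject instead of silently dropping, so legitimate clients fail fast.
  reject_with            => 'icmpx type port-unreachable',
  # Leave the fail2ban-managed table alone when the ruleset is reloaded.
  noflush_tables         => ['inet-f2b-table'],
  # firewalld must not compete with nftables for the ruleset.
  firewalld_enable       => 'mask',
  # Replace the distribution's stock rules instead of appending to them.
  clobber_default_config => true,
}
```

Setting `purge_unmanaged_rules` together with `log_discarded` gives both a drift check (rules added by hand are reverted on the next run) and an audit trail of what the policy refused; `reject_with => false` would instead leave unmatched packets to the chain policy, which is normally drop.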
439 c24d3118 Tim Meusel
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

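The pairing the class description calls for, written out as an added example rather than taken from the module's own documentation: the Docker daemon's iptables integration is switched off so the two rule sets cannot conflict, and `nftables::rules::docker_ce` supplies the equivalent nftables rules. The `docker` class is assumed to come from the puppetlabs-docker module, whose `iptables` parameter is what the Hiera key `docker::iptables: false` above refers to; the interface and prefix values repeat the defaults documented in this section.

```puppet
# Added example. Assumes the puppetlabs-docker module provides class
# 'docker' with an 'iptables' parameter (the docker::iptables key above).
class { 'docker':
  iptables => false,   # do not let dockerd write its own ip-filter rules
}

# nftables equivalents of Docker's default rules, scoped to the docker
# bridge and its address space so these chains forward nothing else.
class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker0',
  docker_prefix        => '172.17.0.0/16',
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```

If the base chains are already created elsewhere in the catalog, set `manage_base_chains => false` to avoid a duplicate declaration; `docker_prefix` should match the daemon's configured bridge network, otherwise container traffic will not be matched by these rules.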
663 baad986e Vadym Chepkov
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`
664
665
manage in ftp (with conntrack helper)
666
667
#### Parameters
668
669
The following parameters are available in the `nftables::rules::ftp` class:
670
671
* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
672
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)
673
674
##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`
675
676
Data type: `Boolean`
677
678
Enable FTP passive mode support
679
680
Default value: `true`
681
682
##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`
683
684
Data type: `Nftables::Port::Range`
685
686
Set the FTP passive mode port range
687
688
Default value: `'10090-10100'`
689
690 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
691 e17693e3 Steve Traylen
692
manage in http
693
694 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
695 e17693e3 Steve Traylen
696
manage in https
697
698 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
* [`iifname`](#-nftables--rules--llmnr--iifname)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the Prometheus server(s) allowed to scrape the exporter

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify the port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to allow traffic on

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

specify the DNS server address(es) that outbound queries are allowed to

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

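A worked profile for the `v4_types`/`v6_types` parameters of both `nftables::rules::icmp` (inbound) and `nftables::rules::out::icmp` (outbound). This is an added example, not code from the module or its REFERENCE. It assumes the strings are passed through as nft `icmp type` / `icmpv6 type` keywords (the names below are nft's, which is an assumption about what the module expects) and that `undef` keeps the class's built-in default list, as the parameter table states.

```puppet
# Added example, not part of the nftables module: an ICMP policy that keeps
# what hosts need (path MTU discovery, error reporting, IPv6 Neighbour Discovery)
# and drops everything else inbound, while leaving the outbound defaults alone.
class profile::firewall::icmp (
  # Whether the host should answer ping; off for hosts that must not be enumerable.
  Boolean $answer_echo = true,
) {
  # Error/control messages every IPv4 host should accept so TCP keeps working.
  $v4_base = ['destination-unreachable', 'time-exceeded', 'parameter-problem']

  # IPv6 cannot function without Neighbour Discovery and packet-too-big
  # (PMTU discovery); filtering those breaks connectivity rather than hardening it.
  $v6_base = [
    'destination-unreachable',
    'packet-too-big',
    'time-exceeded',
    'parameter-problem',
    'nd-router-advert',
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
  ]

  # Add echo-request only when the host is meant to be pingable.
  $v4_types = $answer_echo ? {
    true    => $v4_base + ['echo-request'],
    default => $v4_base,
  }
  $v6_types = $answer_echo ? {
    true    => $v6_base + ['echo-request'],
    default => $v6_base,
  }

  class { 'nftables::rules::icmp':
    v4_types => $v4_types,
    v6_types => $v6_types,
    order    => '10',   # class default, shown for clarity
  }

  # Outbound: undef on v4_types/v6_types means the class's own defaults apply.
  include nftables::rules::out::icmp
}
```

Before overriding the lists, read the defaults the two classes ship with (the page documents them only as `undef`); the inbound list above deliberately never removes the IPv6 ND types, since a host that drops `nd-neighbor-solicit` loses its neighbours.
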
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

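The server-pinned egress classes above (`nftables::rules::out::dns`, `nftables::rules::out::chrony` and `nftables::rules::out::ldap`) are most useful when the destination lists are mandatory rather than left at their empty defaults. The profile below is an added example, not code from the module: the class names and parameters come from this reference, the `profile::firewall::egress` class and its parameters are the example's own, the `fail()` guard is the profile's policy and not something the module enforces, and every address is a constructed documentation-range placeholder.

```puppet
# Added example, not part of the nftables module: outbound DNS, NTP and LDAP
# are only allowed towards explicitly listed servers. The addresses are
# constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).
class profile::firewall::egress (
  Array[Stdlib::IP::Address]    $dns_servers  = ['192.0.2.53', '2001:db8::53'],
  Array[Stdlib::IP::Address]    $ntp_servers  = ['192.0.2.123', '192.0.2.124'],
  Array[Stdlib::IP::Address, 1] $ldap_servers = ['192.0.2.10', '192.0.2.11'],
  # LDAPS only; the class default [389, 636] would also permit cleartext 389.
  Array[Stdlib::Port, 1]        $ldap_ports   = [636],
) {
  # Policy of this profile: refuse to compile a catalog that leaves DNS or NTP
  # egress unpinned, rather than silently falling back to the empty defaults.
  if empty($dns_servers) {
    fail('profile::firewall::egress: dns_servers must list at least one resolver')
  }
  if empty($ntp_servers) {
    fail('profile::firewall::egress: ntp_servers must list at least one NTP server')
  }

  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }

  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  class { 'nftables::rules::out::ldap':
    ldapserver       => $ldap_servers,
    ldapserver_ports => $ldap_ports,
  }
}
```

The same values can be supplied through Hiera as `profile::firewall::egress::dns_servers` and friends; the guards still run, so a node with an empty resolver list fails at compile time instead of getting an open DNS egress rule.
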
### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

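The four Puppet-infrastructure classes on this page form one pair: `nftables::rules::out::puppet` and `nftables::rules::out::pxp_agent` on every agent (the out::pxp_agent "See also" note points out that the PXP agent also talks to the Puppetserver), and `nftables::rules::puppet` and `nftables::rules::pxp_agent` on the server side. The profile below is an added example, not code from the module: class names and parameters are taken from this reference, the `profile::firewall::puppet` class, its `$role` parameter and the addresses are the example's own constructed placeholders.

```puppet
# Added example, not part of the nftables module: one profile that opens the
# Puppet/PXP ports in the right direction depending on the node's role.
# Addresses are constructed placeholders from the RFC 5737 documentation range.
class profile::firewall::puppet (
  Enum['agent', 'server'] $role          = 'agent',
  # Where the Puppetserver and the PCP broker (PXP) live. On a typical
  # installation both run on the same host, hence the shared list.
  Array[Stdlib::IP::Address, 1] $servers = ['192.0.2.140', '192.0.2.141'],
  Stdlib::Port $puppet_port              = 8140,
  Stdlib::Port $pxp_port                 = 8142,
) {
  # Every node, the server included, is an agent of the Puppetserver:
  # egress on 8140 and 8142 towards the listed servers only.
  class { 'nftables::rules::out::puppet':
    puppetserver      => $servers,
    puppetserver_port => $puppet_port,
  }
  class { 'nftables::rules::out::pxp_agent':
    broker      => $servers,
    broker_port => $pxp_port,
  }

  # Only the server role accepts inbound agent connections; an agent-only
  # node never opens 8140/8142 to the network.
  if $role == 'server' {
    class { 'nftables::rules::puppet':
      ports => [$puppet_port],
    }
    class { 'nftables::rules::pxp_agent':
      ports => [$pxp_port],
    }
  }
}
```

Keeping the outbound rules pinned to `$servers` on the server itself is intentional: a compile master that talks to a compromised "Puppetserver" elsewhere is the kind of egress a host firewall should not allow by default.
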
### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, and if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

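The class description above lists the switches but not how they combine, so here is a profile that derives the `nftables::rules::qemu` parameters from a single intent: whether the guests may reach the outside world. This is an added example, not code from the module; the class and parameters are from this reference, while the `profile::firewall::libvirt` class, its parameters and the IPv6 prefix are the example's own (the IPv4 prefix is the class default, the IPv6 one is a constructed documentation prefix).

```puppet
# Added example, not part of the nftables module: libvirt guests always get
# DHCP and DNS from the host and may talk to each other; whether they can leave
# the virtual network is decided by one boolean, so forwarding and masquerading
# can never drift apart (forwarding without NAT, or NAT without forwarding).
class profile::firewall::libvirt (
  Boolean $guests_reach_external                = false,
  String[1] $bridge                             = 'virbr0',
  Stdlib::IP::Address::V4::CIDR $network_v4     = '192.168.122.0/24',
  # Constructed RFC 3849 documentation prefix; undef disables the IPv6 rules.
  Optional[Stdlib::IP::Address::V6::CIDR] $network_v6 = '2001:db8:cafe::/64',
) {
  class { 'nftables::rules::qemu':
    interface        => $bridge,
    network_v4       => $network_v4,
    network_v6       => $network_v6,
    # Services the host provides to the guests: needed even on an isolated network.
    dns              => true,
    dhcpv4           => true,
    # Guest-to-guest traffic on the bridge stays allowed.
    internal_traffic => true,
    # Both egress-related switches follow the same intent. With the default
    # (false) the guests are cut off from external networks: no forwarding
    # rule and no IPv4 masquerade for them.
    forward_traffic  => $guests_reach_external,
    masquerade       => $guests_reach_external,
  }
}
```

A lab host that only needs to reach its guests from the host itself uses the defaults; a host that does want NAT-ed guests sets `profile::firewall::libvirt::guests_reach_external: true` in Hiera, which flips both `forward_traffic` and `masquerade` together.
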
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
1582
1583
allow incoming webservice discovery
1584
1585
* **See also**
1586
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
1587
1588
#### Parameters
1589
1590
The following parameters are available in the `nftables::rules::wsd` class:
1591
1592
* [`ipv4`](#-nftables--rules--wsd--ipv4)
1593
* [`ipv6`](#-nftables--rules--wsd--ipv6)
1594
1595
##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
1596
1597
Data type: `Boolean`
1598
1599
Allow ws-discovery over IPv4
1600
1601
Default value: `true`
1602
1603
##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
1604
1605
Data type: `Boolean`
1606
1607
Allow ws-discovery over IPv6
1608
1609
Default value: `true`
1610
1611 c24d3118 Tim Meusel
### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
1612 7f6cacc5 Steve Traylen
1613 09cba182 Steve Traylen
Allow in and outbound traffic for DHCPv6 server
1614 7f6cacc5 Steve Traylen
1615 c24d3118 Tim Meusel
### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
1616 7f6cacc5 Steve Traylen
1617 09cba182 Steve Traylen
Open inbound and outbound ports for an AFS client
1618 7f6cacc5 Steve Traylen
1619 e17693e3 Steve Traylen
## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`
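
##### Example: a dedicated forward chain reached through an injected jump

Added example, not generated from the module's own code or documentation. It assumes that `inject` has the form `<order>-<parent chain>` and places a jump to the new chain at that order in the parent chain, and that `inject_iif` / `inject_oif` restrict that jump to the named input and output interfaces; the chain name `dmz_fwd`, the interface names and the address `192.0.2.10` are constructed. `default_fwd` is the forward chain that `nftables::rules::dnat4` defaults to, and the rules inside the new chain use the `<chain>-<rulename>` title form shown in the `nftables::rule` examples.

```puppet
# Added example; not part of the module's reference. Interface names and
# addresses are constructed, and the meaning of inject/inject_iif/inject_oif
# used here is an assumption (see the lead-in).

# Create chain 'dmz_fwd' in the default 'inet-filter' table and inject a
# jump to it into the module's 'default_fwd' chain at order 20, limited to
# traffic entering on eth0 and leaving on eth1.
nftables::chain { 'dmz_fwd':
  table      => 'inet-filter',
  inject     => '20-default_fwd',
  inject_iif => 'eth0',
  inject_oif => 'eth1',
}

# Rules inside the new chain. The title is '<chain>-<rulename>', which is
# how nftables::rule learns the target chain. Replies to existing flows go
# first (lowest order), then the explicitly allowed service, and finally a
# counted drop so the chain never silently falls through to the parent.
nftables::rule { 'dmz_fwd-established':
  content => 'ct state established,related accept',
  order   => '05',
}

nftables::rule { 'dmz_fwd-web':
  content => 'ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept',
  order   => '10',
}

nftables::rule { 'dmz_fwd-drop':
  content => 'counter drop',
  order   => '90',
}
```

The two-digit `order` values are string-compared by concat, so keeping them zero-padded (`'05'`, not `'5'`) is what the `Pattern[/^\d\d$/]` type enforces; the final `counter drop` also gives `nft list chain inet filter dmz_fwd` a running count of rejected forwards, which is a cheap check that the jump is actually being hit.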

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file { 'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created. If left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule { 'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an ipv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an ipv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
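
##### Example: dnat4, snat4 and masquerade on one IPv4 gateway

Added example, not from the module's documentation, combining the three NAT defined types (`nftables::rules::dnat4`, `nftables::rules::masquerade` and `nftables::rules::snat4` above) on a single gateway. Interface names and addresses are constructed. What these resources render is an assumption from their parameter names: `dnat4` is assumed to rewrite `<proto> dport <dport>` to `<daddr>:<port>` in the `ip nat` prerouting chain and, given its `chain` default of `default_fwd`, to also accept the translated traffic in the forward chain; the `ip nat` table and its `PREROUTING`/`POSTROUTING` chains are assumed to be provided by the module's `nftables::ip_nat` class.

```puppet
# Added example; not part of the module's reference. Interfaces and
# addresses are constructed, and the rendered nft statements described in
# the comments are assumptions (see the lead-in).

# Publish an internal web server: TCP/8080 arriving on eth0 is rewritten
# to 192.0.2.10:80. `port` is the port on the internal host; `dport` is
# what clients connect to and, when left unset, falls back to `port`.
# Restricting with `iif` keeps the rule from rewriting LAN-side traffic.
nftables::rules::dnat4 { 'web_in':
  daddr => '192.0.2.10',
  port  => 80,
  dport => 8080,
  proto => 'tcp',
  iif   => 'eth0',
}

# The LAN leaves through an uplink with a fixed public address, so use
# SNAT to that address rather than masquerade: it is cheaper and gives the
# far end a stable source to log.
nftables::rules::snat4 { 'lan_out':
  snat  => '203.0.113.1',
  saddr => '10.0.0.0/24',
  oif   => 'eth1',
}

# A second uplink gets its address dynamically, so masquerade there. The
# `oif` and `saddr` qualifiers are what stop the rule from applying to all
# outgoing traffic (the defined type's default behaviour).
nftables::rules::masquerade { 'wan2_out':
  oif   => 'ppp0',
  saddr => '10.0.1.0/24',
}

# Decommissioned uplink: keep the resource with ensure => absent so the
# removal is explicit in the catalog instead of relying on purging.
nftables::rules::masquerade { 'old_uplink':
  ensure => 'absent',
  oif    => 'eth2',
}
```

Both SNAT resources keep the default `order` of `'70'`, which sorts after the `'50'` default of ordinary rules; if an earlier rule in `POSTROUTING` should take precedence, give it a lower two-digit value rather than relying on declaration order.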

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set { 'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule { 'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`
2503 d7d6d5d3 Tim Meusel
2504 4d63adda Nacho Barrientos
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
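As an added example (not part of the module or of this generated reference), a small Python validator built from the type aliases above: it parses `Nftables::RuleName` titles into their components, checks `Nftables::Port` elements, and shows why `set_type` matters for `nftables::simplerule` when `saddr` or `daddr` is a set. The bound checks on port ranges and the family-selection logic are assumptions modelled on the documented behaviour, not the module's own code.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Patterns copied verbatim from the Nftables::* type aliases above.
RULE_NAME_RE = re.compile(r'^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$')
SIMPLE_RULE_NAME_RE = re.compile(r'^[a-zA-Z0-9_]+(-\d+)?$')
SET_RE = re.compile(r'^@[-a-zA-Z0-9_]+$')
PORT_RANGE_RE = re.compile(r'^\d+-\d+$')


@dataclass(frozen=True)
class RuleName:
    chain: str            # chain the rule is added to, e.g. 'default_in'
    name: str             # rule name, e.g. 'sshd'
    order: Optional[int]  # optional trailing number, e.g. 2


def is_rule_name(title: str) -> bool:
    return RULE_NAME_RE.match(title) is not None


def is_simple_rule_name(title: str) -> bool:
    return SIMPLE_RULE_NAME_RE.match(title) is not None


def parse_rule_name(title: str) -> RuleName:
    """Split an nftables::rule title into chain, name and optional number."""
    if not is_rule_name(title):
        raise ValueError(f'not a valid Nftables::RuleName: {title!r}')
    parts = title.split('-')  # components cannot contain '-', so 2 or 3 parts
    order = int(parts[2]) if len(parts) == 3 else None
    return RuleName(parts[0], parts[1], order)


def check_port(port: Union[int, str]) -> bool:
    """One Nftables::Port element: a Stdlib::Port (0-65535) or a Port::Range.
    The alias only checks the range's shape; bound/order checks are an extra."""
    if isinstance(port, int):
        return 0 <= port <= 65535
    if not PORT_RANGE_RE.match(port):
        return False
    low, high = (int(p) for p in port.split('-'))
    return low <= high <= 65535


def address_family(addr: str, set_type: str = 'ip6') -> str:
    """Family ('ip' or 'ip6') an saddr/daddr value implies. A '@set' carries
    none of its own, so the documented set_type (default 'ip6') decides.
    Assumption: models the documented behaviour, not the module's template."""
    if SET_RE.match(addr):
        return set_type
    return 'ip' if ipaddress.ip_network(addr, strict=False).version == 4 else 'ip6'
```

Note that `address_family('@my_v4_hosts')` yields `ip6` unless `set_type => 'ip'` is given, which is the mismatch the `set_type` parameter exists to avoid.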