/REFERENCE.md - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / REFERENCE.md @ 3246b968

Historique | Voir | Annoter | Télécharger (25,3 ko)

-            e17693e3
+# Reference
 <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
 ## Table of Contents
 ### Classes
 * [`nftables`](#nftables): Configure nftables
-f6cacc5
+* [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges
-            e17693e3
+* [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter
 * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat
-f6cacc5
+* [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients
-            b9785000
+* [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
 * [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
-f6cacc5
+* [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client)
 * [`nftables::rules::dns`](#nftablesrulesdns): manage in dns
-            e17693e3
+* [`nftables::rules::http`](#nftablesruleshttp): manage in http
 * [`nftables::rules::https`](#nftablesruleshttps): manage in https
 * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2
-f6cacc5
+* [`nftables::rules::icmp`](#nftablesrulesicmp)
-            b9785000
+* [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4
 * [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3
-f6cacc5
+* [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter
-            e17693e3
+* [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf
 * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3
 * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound
-            b9785000
+* [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadat
-            e17693e3
+* [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony
 * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp
-f6cacc5
+* [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client)
-            e17693e3
+* [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns
 * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
 * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
-f6cacc5
+* [`nftables::rules::out::icmp`](#nftablesrulesouticmp)
 * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos
-            e17693e3
+* [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
-            b9785000
+* [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs
 * [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3
-f6cacc5
+* [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients
-            e17693e3
+* [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
 * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
 * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
 * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
 * [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): manage out smtp
 * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
 * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
 * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
 * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
 * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
 * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
 * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
 * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
 * [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh
 * [`nftables::rules::tor`](#nftablesrulestor): manage in tor
 * [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard
-f6cacc5
+* [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client)
 * [`nftables::services::openafs_client`](#nftablesservicesopenafs_client)
-            e17693e3
+            Steve Traylen
 ### Defined types
 * [`nftables::chain`](#nftableschain): manage a chain
 * [`nftables::config`](#nftablesconfig): manage a config snippet
 * [`nftables::rule`](#nftablesrule): manage a chain rule Name should be:   CHAIN_NAME-rulename
 * [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule
 * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
 * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
-f6cacc5
+* [`nftables::set`](#nftablesset): manage a named set
-            b46c9ce9
+* [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule
-d63adda
+            Nacho Barrientos
 ### Data types
 * [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.
 * [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.
 * [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.
 * [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.
-c00b818
+* [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.
 It's a dash separated string. The first component describes the chain to
 add the rule to, the second the rule name and the (optional) third a number.
 Ex: 'default_in-sshd', 'default_out-my_service-2'.
 * [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule
-            e17693e3
+            Steve Traylen
 ## Classes
 ### `nftables`
 Configure nftables
 #### Examples
-            b9785000
+##### allow dns out and do not allow ntp out
-            e17693e3
+            Steve Traylen
 ```puppet
 class{'nftables:
   out_ntp = false,
   out_dns = true,
+}
 ```
-            b9785000
+##### do not flush particular tables, fail2ban in this case
 ```puppet
 class{'nftables':
   noflush_tables = ['inet-f2b-table'],
+}
 ```
-            e17693e3
+#### Parameters
 The following parameters are available in the `nftables` class.
 ##### `out_all`
 Data type: `Boolean`
 Allow all outbound connections. If `true` then all other
 out parameters `out_ntp`, `out_dns`, ... will be assuemed
 false.
 Default value: ``false``
 ##### `out_ntp`
 Data type: `Boolean`
 Allow outbound to ntp servers.
 Default value: ``true``
 ##### `out_http`
 Data type: `Boolean`
 Allow outbound to http servers.
 Default value: ``true``
 ##### `out_https`
 Data type: `Boolean`
 Allow outbound to https servers.
 Default value: ``true``
 ##### `out_https`
 Allow outbound to https servers.
 Default value: ``true``
-f6cacc5
+##### `out_icmp`
 Data type: `Boolean`
 Allow outbound ICMPv4/v6 traffic.
 Default value: ``true``
-            e17693e3
+##### `in_ssh`
 Data type: `Boolean`
 Allow inbound to ssh servers.
 Default value: ``true``
-f6cacc5
+##### `in_icmp`
 Data type: `Boolean`
 Allow inbound ICMPv4/v6 traffic.
 Default value: ``true``
 ##### `nat`
 Data type: `Boolean`
 Add default tables and chains to process NAT traffic.
 Default value: ``true``
-            b9785000
+##### `sets`
 Data type: `Hash`
 Allows sourcing set definitions directly from Hiera.
 Default value: `{}`
-f6cacc5
+##### `log_prefix`
 Data type: `String`
 String that will be used as prefix when logging packets. It can contain
 two variables using standard sprintf() string-formatting:
  * chain: Will be replaced by the name of the chain.
  * comment: Allows chains to add extra comments.
 Default value: `'[nftables] %<chain>s %<comment>s'`
-            b9785000
+##### `log_limit`
 Data type: `Variant[Boolean[false], String]`
 String with the content of a limit statement to be applied
 to the rules that log discarded traffic. Set to false to
 disable rate limiting.
 Default value: `'3/minute burst 5 packets'`
-f6cacc5
+##### `reject_with`
-            b9785000
+Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
-f6cacc5
+            Steve Traylen
 How to discard packets not matching any rule. If `false`, the
 fate of the packet will be defined by the chain policy (normally
 drop), otherwise the packet will be rejected with the REJECT_WITH
 policy indicated by the value of this parameter.
 Default value: `'icmpx type port-unreachable'`
 ##### `in_out_conntrack`
 Data type: `Boolean`
 Adds INPUT and OUTPUT rules to allow traffic that's part of an
 established connection and also to drop invalid packets.
 Default value: ``true``
-            b9785000
+##### `fwd_conntrack`
 Data type: `Boolean`
 Adds FORWARD rules to allow traffic that's part of an
 established connection and also to drop invalid packets.
 Default value: ``false``
-f6cacc5
+##### `firewalld_enable`
 Data type: `Variant[Boolean[false], Enum['mask']]`
 Configures how the firewalld systemd service unit is enabled. It might be
 useful to set this to false if you're externaly removing firewalld from
 the system completely.
 Default value: `'mask'`
-            b9785000
+##### `noflush_tables`
 Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`
 If specified only other existings tables will be flushed.
 If left unset all tables will be flushed via a `flush ruleset`
 Default value: ``undef``
-            e17693e3
+##### `out_dns`
 Data type: `Boolean`
 Default value: ``true``
-f6cacc5
+##### `rules`
 Data type: `Hash`
 Default value: `{}`
 ### `nftables::bridges`
 allow forwarding traffic on bridges
 #### Parameters
 The following parameters are available in the `nftables::bridges` class.
 ##### `ensure`
 Data type: `Enum['present','absent']`
 Default value: `'present'`
 ##### `bridgenames`
 Data type: `Regexp`
 Default value: `/^br.+/`
-            e17693e3
+### `nftables::inet_filter`
 manage basic chains in table inet filter
 ### `nftables::ip_nat`
 manage basic chains in table ip nat
-f6cacc5
+### `nftables::rules::afs3_callback`
 class{'nftables::rules::afs3_callback':
   saddr => ['192.168.0.0/16', '10.0.0.222']
+}
 #### Parameters
 The following parameters are available in the `nftables::rules::afs3_callback` class.
 ##### `saddr`
 Data type: `Array[Stdlib::IP::Address::V4,1]`
 list of source network ranges to a
 Default value: `['0.0.0.0/0']`
-            b9785000
+### `nftables::rules::ceph`
 Ceph is a distributed object store and file system.
 Enable this to support Ceph's Object Storage Daemons (OSD),
 Metadata Server Daemons (MDS), or Manager Daemons (MGR).
 ### `nftables::rules::ceph_mon`
 Ceph is a distributed object store and file system.
 Enable this option to support Ceph's Monitor Daemon.
 #### Parameters
 The following parameters are available in the `nftables::rules::ceph_mon` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            b9785000
+            Steve Traylen
 Default value: `[3300, 6789]`
-f6cacc5
+### `nftables::rules::dhcpv6_client`
 The nftables::rules::dhcpv6_client class.
 ### `nftables::rules::dns`
 manage in dns
 #### Parameters
 The following parameters are available in the `nftables::rules::dns` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-f6cacc5
+            Steve Traylen
 Default value: `[53]`
-            e17693e3
+### `nftables::rules::http`
 manage in http
 ### `nftables::rules::https`
 manage in https
 ### `nftables::rules::icinga2`
 manage in icinga2
 #### Parameters
 The following parameters are available in the `nftables::rules::icinga2` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            e17693e3
+            Steve Traylen
 Default value: `[5665]`
-f6cacc5
+### `nftables::rules::icmp`
 The nftables::rules::icmp class.
 #### Parameters
 The following parameters are available in the `nftables::rules::icmp` class.
 ##### `v4_types`
 Data type: `Optional[Array[String]]`
 Default value: ``undef``
 ##### `v6_types`
 Data type: `Optional[Array[String]]`
 Default value: ``undef``
 ##### `order`
 Data type: `String`
 Default value: `'10'`
-            b9785000
+### `nftables::rules::nfs`
 manage in nfs4
 ### `nftables::rules::nfs3`
 manage in nfs3
-f6cacc5
+### `nftables::rules::node_exporter`
 manage in node exporter
 #### Parameters
 The following parameters are available in the `nftables::rules::node_exporter` class.
 ##### `prometheus_server`
 Data type: `Optional[Variant[String,Array[String,1]]]`
 Default value: ``undef``
 ##### `port`
-            bc1b0f1a
+Data type: `Stdlib::Port`
-f6cacc5
+            Steve Traylen
 Default value: `9100`
-            e17693e3
+### `nftables::rules::ospf`
 manage in ospf
 ### `nftables::rules::ospf3`
 manage in ospf3
 ### `nftables::rules::out::all`
 allow all outbound
-            b9785000
+### `nftables::rules::out::ceph_client`
 Ceph is a distributed object store and file system.
 Enable this to be a client of Ceph's Monitor (MON),
 Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
 and Manager Daemons (MGR).
 #### Parameters
 The following parameters are available in the `nftables::rules::out::ceph_client` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            b9785000
+            Steve Traylen
 Default value: `[3300, 6789]`
-            e17693e3
+### `nftables::rules::out::chrony`
 manage out chrony
 ### `nftables::rules::out::dhcp`
 manage out dhcp
-f6cacc5
+### `nftables::rules::out::dhcpv6_client`
 The nftables::rules::out::dhcpv6_client class.
-            e17693e3
+### `nftables::rules::out::dns`
 manage out dns
 #### Parameters
 The following parameters are available in the `nftables::rules::out::dns` class.
 ##### `dns_server`
 Data type: `Optional[Variant[String,Array[String,1]]]`
 Default value: ``undef``
 ### `nftables::rules::out::http`
 manage out http
 ### `nftables::rules::out::https`
 manage out https
-f6cacc5
+### `nftables::rules::out::icmp`
 The nftables::rules::out::icmp class.
 #### Parameters
 The following parameters are available in the `nftables::rules::out::icmp` class.
 ##### `v4_types`
 Data type: `Optional[Array[String]]`
 Default value: ``undef``
 ##### `v6_types`
 Data type: `Optional[Array[String]]`
 Default value: ``undef``
 ##### `order`
 Data type: `String`
 Default value: `'10'`
 ### `nftables::rules::out::kerberos`
 allows outbound access for kerberos
-            e17693e3
+### `nftables::rules::out::mysql`
 manage out mysql
-            b9785000
+### `nftables::rules::out::nfs`
 manage out nfs
 ### `nftables::rules::out::nfs3`
 manage out nfs3
-f6cacc5
+### `nftables::rules::out::openafs_client`
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
 * **See also**
   * https://wiki.openafs.org/devel/AFSServicePorts/
     * AFS Service Ports
 #### Parameters
 The following parameters are available in the `nftables::rules::out::openafs_client` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-f6cacc5
+            Steve Traylen
 Default value: `[7000, 7002, 7003]`
-            e17693e3
+### `nftables::rules::out::ospf`
 manage out ospf
 ### `nftables::rules::out::ospf3`
 manage out ospf3
 ### `nftables::rules::out::postgres`
 manage out postgres
 ### `nftables::rules::out::puppet`
 manage outgoing puppet
 #### Parameters
 The following parameters are available in the `nftables::rules::out::puppet` class.
-f4e4c6
+##### `puppetserver`
-            e17693e3
+            Steve Traylen
-f4e4c6
+Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
-            e17693e3
+            Steve Traylen
 ##### `puppetserver_port`
-            bc1b0f1a
+Data type: `Stdlib::Port`
-            e17693e3
+            Steve Traylen
 Default value: `8140`
 ### `nftables::rules::out::smtp`
 manage out smtp
 ### `nftables::rules::out::ssh`
 manage out ssh
 ### `nftables::rules::out::ssh::remove`
 disable outgoing ssh
 ### `nftables::rules::out::tor`
 manage out tor
 ### `nftables::rules::out::wireguard`
 manage out wireguard
 #### Parameters
 The following parameters are available in the `nftables::rules::out::wireguard` class.
 ##### `ports`
 Data type: `Array[Integer,1]`
 Default value: `[51820]`
 ### `nftables::rules::puppet`
 manage in puppet
 #### Parameters
 The following parameters are available in the `nftables::rules::puppet` class.
 ##### `ports`
 Data type: `Array[Integer,1]`
 Default value: `[8140]`
 ### `nftables::rules::smtp`
 manage in smtp
 ### `nftables::rules::smtp_submission`
 manage in smtp submission
 ### `nftables::rules::smtps`
 manage in smtps
 ### `nftables::rules::ssh`
 manage in ssh
 #### Parameters
 The following parameters are available in the `nftables::rules::ssh` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            e17693e3
+            Steve Traylen
 Default value: `[22]`
 ### `nftables::rules::tor`
 manage in tor
 #### Parameters
 The following parameters are available in the `nftables::rules::tor` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            e17693e3
+            Steve Traylen
 Default value: `[9001]`
 ### `nftables::rules::wireguard`
 manage in wireguard
 #### Parameters
 The following parameters are available in the `nftables::rules::wireguard` class.
 ##### `ports`
-            bc1b0f1a
+Data type: `Array[Stdlib::Port,1]`
-            e17693e3
+            Steve Traylen
 Default value: `[51820]`
-f6cacc5
+### `nftables::services::dhcpv6_client`
 The nftables::services::dhcpv6_client class.
 ### `nftables::services::openafs_client`
 The nftables::services::openafs_client class.
-            e17693e3
+## Defined types
 ### `nftables::chain`
 manage a chain
 #### Parameters
 The following parameters are available in the `nftables::chain` defined type.
 ##### `table`
 Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
 Default value: `'inet-filter'`
 ##### `chain`
 Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
 Default value: `$title`
 ##### `inject`
 Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
 Default value: ``undef``
 ##### `inject_iif`
 Data type: `Optional[String]`
 Default value: ``undef``
 ##### `inject_oif`
 Data type: `Optional[String]`
 Default value: ``undef``
 ### `nftables::config`
 manage a config snippet
 #### Parameters
 The following parameters are available in the `nftables::config` defined type.
-f4e4c6
+##### `tablespec`
 Data type: `Pattern[/^\w+-\w+$/]`
 Default value: `$title`
-            e17693e3
+##### `content`
 Data type: `Optional[String]`
 Default value: ``undef``
 ##### `source`
 Data type: `Optional[Variant[String,Array[String,1]]]`
 Default value: ``undef``
-f4e4c6
+##### `prefix`
 Data type: `String`
 Default value: `'custom-'`
-            e17693e3
+### `nftables::rule`
 manage a chain rule
 Name should be:
   CHAIN_NAME-rulename
 #### Parameters
 The following parameters are available in the `nftables::rule` defined type.
 ##### `ensure`
 Data type: `Enum['present','absent']`
 Default value: `'present'`
 ##### `rulename`
-c00b818
+Data type: `Nftables::RuleName`
-            e17693e3
+            Steve Traylen
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
 Default value: `'50'`
 ##### `table`
 Data type: `Optional[String]`
 Default value: `'inet-filter'`
 ##### `content`
 Data type: `Optional[String]`
 Default value: ``undef``
 ##### `source`
 Data type: `Optional[Variant[String,Array[String,1]]]`
 Default value: ``undef``
 ### `nftables::rules::dnat4`
 manage a ipv4 dnat rule
 #### Parameters
 The following parameters are available in the `nftables::rules::dnat4` defined type.
 ##### `daddr`
 Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
 ##### `port`
-            bc1b0f1a
+Data type: `Variant[String,Stdlib::Port]`
-            e17693e3
+            Steve Traylen
 ##### `rulename`
 Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
 Default value: `'50'`
 ##### `chain`
 Data type: `String[1]`
 Default value: `'default_fwd'`
 ##### `iif`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `proto`
 Data type: `Enum['tcp','udp']`
 Default value: `'tcp'`
 ##### `dport`
-            bc1b0f1a
+Data type: `Optional[Variant[String,Stdlib::Port]]`
-            e17693e3
+            Steve Traylen
 Default value: `''`
 ##### `ensure`
 Data type: `Enum['present','absent']`
 Default value: `'present'`
 ### `nftables::rules::masquerade`
 masquerade all outgoing traffic
 #### Parameters
 The following parameters are available in the `nftables::rules::masquerade` defined type.
 ##### `rulename`
 Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
 Default value: `'70'`
 ##### `chain`
 Data type: `String[1]`
 Default value: `'POSTROUTING'`
 ##### `oif`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `saddr`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `daddr`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `proto`
 Data type: `Optional[Enum['tcp','udp']]`
 Default value: ``undef``
 ##### `dport`
-            bc1b0f1a
+Data type: `Optional[Variant[String,Stdlib::Port]]`
-            e17693e3
+            Steve Traylen
 Default value: ``undef``
 ##### `ensure`
 Data type: `Enum['present','absent']`
 Default value: `'present'`
 ### `nftables::rules::snat4`
 manage a ipv4 snat rule
 #### Parameters
 The following parameters are available in the `nftables::rules::snat4` defined type.
 ##### `snat`
 Data type: `String[1]`
 ##### `rulename`
 Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
 Default value: `'70'`
 ##### `chain`
 Data type: `String[1]`
 Default value: `'POSTROUTING'`
 ##### `oif`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `saddr`
 Data type: `Optional[String[1]]`
 Default value: ``undef``
 ##### `proto`
 Data type: `Optional[Enum['tcp','udp']]`
 Default value: ``undef``
 ##### `dport`
-            bc1b0f1a
+Data type: `Optional[Variant[String,Stdlib::Port]]`
-            e17693e3
+            Steve Traylen
 Default value: ``undef``
 ##### `ensure`
 Data type: `Enum['present','absent']`
 Default value: `'present'`
-f6cacc5
+### `nftables::set`
 manage a named set
-f4e4c6
+#### Examples
 ##### simple set
 ```puppet
 nftables::set{'my_set':
   type       => 'ipv4_addr',
   flags      => ['interval'],
   elements   => ['192.168.0.1/24', '10.0.0.2'],
   auto_merge => true,
+}
 ```
-f6cacc5
+#### Parameters
 The following parameters are available in the `nftables::set` defined type.
 ##### `ensure`
 Data type: `Enum['present','absent']`
-f4e4c6
+should the set be created.
-f6cacc5
+            Steve Traylen
 Default value: `'present'`
 ##### `setname`
 Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
-f4e4c6
+name of set, equal to to title.
-f6cacc5
+            Steve Traylen
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
-f4e4c6
+concat ordering.
-f6cacc5
+            Steve Traylen
 Default value: `'10'`
 ##### `type`
 Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
-f4e4c6
+type of set.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `table`
 Data type: `String`
-f4e4c6
+table to add set to.
-f6cacc5
+            Steve Traylen
 Default value: `'inet-filter'`
 ##### `flags`
 Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
-f4e4c6
+specify flags for set
-f6cacc5
+            Steve Traylen
 Default value: `[]`
 ##### `timeout`
 Data type: `Optional[Integer]`
-f4e4c6
+timeout in seconds
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `gc_interval`
 Data type: `Optional[Integer]`
-f4e4c6
+garbage collection interval.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `elements`
 Data type: `Optional[Array[String]]`
-f4e4c6
+initialize the set with some elements in it.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `size`
 Data type: `Optional[Integer]`
-f4e4c6
+limits the maximum number of elements of the set.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `policy`
 Data type: `Optional[Enum['performance', 'memory']]`
-f4e4c6
+determines set selection policy.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `auto_merge`
 Data type: `Boolean`
-f4e4c6
+            Steve Traylen
-f6cacc5
+            Steve Traylen
 Default value: ``false``
 ##### `content`
 Data type: `Optional[String]`
-f4e4c6
+specify content of set.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
 ##### `source`
 Data type: `Optional[Variant[String,Array[String,1]]]`
-f4e4c6
+specify source of set.
-f6cacc5
+            Steve Traylen
 Default value: ``undef``
-d63adda
+### `nftables::simplerule`
-            b46c9ce9
+Provides a simplified interface to nftables::rule
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+#### Examples
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+```puppet
 nftables::simplerule{'my_service_in':
   action  => 'accept',
   comment => 'allow traffic to port 543',
   counter => true,
   proto   => 'tcp',
   dport   => 543,
   daddr   => '2001:1458::/32',
   sport   => 541,
+}
 ```
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+#### Parameters
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+The following parameters are available in the `nftables::simplerule` defined type.
-d63adda
+            Nacho Barrientos
-f4e4c6
+##### `ensure`
 Data type: `Enum['present','absent']`
 Should the rule be created.
 Default value: `'present'`
-d63adda
+##### `rulename`
-c00b818
+Data type: `Nftables::SimpleRuleName`
-d63adda
+            Nacho Barrientos
-            b46c9ce9
+The symbolic name for the rule to add. Defaults to the resource's title.
-d63adda
+            Nacho Barrientos
 Default value: `$title`
 ##### `order`
 Data type: `Pattern[/^\d\d$/]`
-            b46c9ce9
+A number representing the order of the rule.
-d63adda
+            Nacho Barrientos
 Default value: `'50'`
 ##### `chain`
 Data type: `String`
-            b46c9ce9
+The name of the chain to add this rule to.
-d63adda
+            Nacho Barrientos
 Default value: `'default_in'`
 ##### `table`
 Data type: `String`
-            b46c9ce9
+The name of the table to add this rule to.
-d63adda
+            Nacho Barrientos
 Default value: `'inet-filter'`
 ##### `action`
 Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
-            b46c9ce9
+The verdict for the matched traffic.
-d63adda
+            Nacho Barrientos
 Default value: `'accept'`
 ##### `comment`
 Data type: `Optional[String]`
-            b46c9ce9
+A typically human-readable comment for the rule.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `dport`
 Data type: `Optional[Nftables::Port]`
-            b46c9ce9
+The destination port, ports or port range.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `proto`
 Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
-            b46c9ce9
+The transport-layer protocol to match.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `daddr`
 Data type: `Optional[Nftables::Addr]`
-            b46c9ce9
+The destination address, CIDR or set to match.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `set_type`
 Data type: `Enum['ip', 'ip6']`
-            b46c9ce9
+When using sets as saddr or daddr, the type of the set.
 Use `ip` for sets of type `ipv4_addr`.
-d63adda
+            Nacho Barrientos
 Default value: `'ip6'`
 ##### `sport`
 Data type: `Optional[Nftables::Port]`
-            b46c9ce9
+The source port, ports or port range.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `saddr`
 Data type: `Optional[Nftables::Addr]`
-            b46c9ce9
+The source address, CIDR or set to match.
-d63adda
+            Nacho Barrientos
 Default value: ``undef``
 ##### `counter`
 Data type: `Boolean`
-            b46c9ce9
+Enable traffic counters for the matched traffic.
-d63adda
+            Nacho Barrientos
 Default value: ``false``
 ## Data types
 ### `Nftables::Addr`
 Represents an address expression to be used within a rule.
 Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`
 ### `Nftables::Addr::Set`
 Represents a set expression to be used within a rule.
 Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`
 ### `Nftables::Port`
 Represents a port expression to be used within a rule.
 Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`
 ### `Nftables::Port::Range`
 Represents a port range expression to be used within a rule.
 Alias of `Pattern[/^\d+-\d+$/]`
-c00b818
+### `Nftables::RuleName`
 Represents a rule name to be used in a raw rule created via nftables::rule.
 It's a dash separated string. The first component describes the chain to
 add the rule to, the second the rule name and the (optional) third a number.
 Ex: 'default_in-sshd', 'default_out-my_service-2'.
 Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
 ### `Nftables::SimpleRuleName`
 Represents a simple rule name to be used in a rule created via nftables::simplerule
 Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`

Projet

Général

Profil

puppet nftables

root / REFERENCE.md @ 3246b968