puppet nftables

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables

* [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges

* [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter

* [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat

* [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients

* [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)

* [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.

* [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client)

* [`nftables::rules::dns`](#nftablesrulesdns): manage in dns

* [`nftables::rules::http`](#nftablesruleshttp): manage in http

* [`nftables::rules::https`](#nftablesruleshttps): manage in https

* [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2

* [`nftables::rules::icmp`](#nftablesrulesicmp)

* [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4

* [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3

* [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter

* [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf

* [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3

* [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound

* [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadat

* [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony

* [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp

* [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client)

* [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns

* [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http

* [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https

* [`nftables::rules::out::icmp`](#nftablesrulesouticmp)

* [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos

* [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql

* [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs

* [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3

* [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients

* [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf

* [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3

* [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres

* [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet

* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): manage out smtp

* [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh

* [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh

* [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor

* [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard

* [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet

* [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp

* [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission

* [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps

* [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh

* [`nftables::rules::tor`](#nftablesrulestor): manage in tor

* [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard

* [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client)

* [`nftables::services::openafs_client`](#nftablesservicesopenafs_client)

### Defined types

* [`nftables::chain`](#nftableschain): manage a chain

* [`nftables::config`](#nftablesconfig): manage a config snippet

* [`nftables::rule`](#nftablesrule): manage a chain rule Name should be:   CHAIN_NAME-rulename

* [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule

* [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic

* [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule

* [`nftables::set`](#nftablesset): manage a named set

## Classes

### `nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet

class{'nftables:

  out_ntp = false,

  out_dns = true,

}

```

##### do not flush particular tables, fail2ban in this case

```puppet

class{'nftables':

  noflush_tables = ['inet-f2b-table'],

}

```

#### Parameters

The following parameters are available in the `nftables` class.

##### `out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other

out parameters `out_ntp`, `out_dns`, ... will be assuemed

false.

Default value: ``false``

##### `out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: ``true``

##### `out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: ``true``

##### `out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: ``true``

##### `out_https`

Allow outbound to https servers.

Default value: ``true``

##### `out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: ``true``

##### `in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: ``true``

##### `in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: ``true``

##### `nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: ``true``

##### `sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### `log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain

two variables using standard sprintf() string-formatting:

 * chain: Will be replaced by the name of the chain.

 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### `log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied

to the rules that log discarded traffic. Set to false to

disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### `reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the

fate of the packet will be defined by the chain policy (normally

drop), otherwise the packet will be rejected with the REJECT_WITH

policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### `in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``true``

##### `fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``false``

##### `firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be

useful to set this to false if you're externaly removing firewalld from

the system completely.

Default value: `'mask'`

##### `noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`

If specified only other existings tables will be flushed.

If left unset all tables will be flushed via a `flush ruleset`

Default value: ``undef``

##### `out_dns`

Data type: `Boolean`

Default value: ``true``

##### `rules`

Data type: `Hash`

Default value: `{}`

### `nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class.

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### `bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### `nftables::inet_filter`

manage basic chains in table inet filter

### `nftables::ip_nat`

manage basic chains in table ip nat

### `nftables::rules::afs3_callback`

class{'nftables::rules::afs3_callback':

  saddr => ['192.168.0.0/16', '10.0.0.222']

}

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class.

##### `saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### `nftables::rules::ceph`

Ceph is a distributed object store and file system.

Enable this to support Ceph's Object Storage Daemons (OSD),

Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### `nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.

Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[3300, 6789]`

### `nftables::rules::dhcpv6_client`

The nftables::rules::dhcpv6_client class.

### `nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[53]`

### `nftables::rules::http`

manage in http

### `nftables::rules::https`

manage in https

### `nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[5665]`

### `nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class.

##### `v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### `v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### `order`

Data type: `String`

Default value: `'10'`

### `nftables::rules::nfs`

manage in nfs4

### `nftables::rules::nfs3`

manage in nfs3

### `nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class.

##### `prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

##### `port`

Data type: `Integer`

Default value: `9100`

### `nftables::rules::ospf`

manage in ospf

### `nftables::rules::ospf3`

manage in ospf3

### `nftables::rules::out::all`

allow all outbound

### `nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.

Enable this to be a client of Ceph's Monitor (MON),

Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[3300, 6789]`

### `nftables::rules::out::chrony`

manage out chrony

### `nftables::rules::out::dhcp`

manage out dhcp

### `nftables::rules::out::dhcpv6_client`

The nftables::rules::out::dhcpv6_client class.

### `nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class.

##### `dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

### `nftables::rules::out::http`

manage out http

### `nftables::rules::out::https`

manage out https

### `nftables::rules::out::icmp`

The nftables::rules::out::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class.

##### `v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### `v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### `order`

Data type: `String`

Default value: `'10'`

### `nftables::rules::out::kerberos`

allows outbound access for kerberos

### `nftables::rules::out::mysql`

manage out mysql

### `nftables::rules::out::nfs`

manage out nfs

### `nftables::rules::out::nfs3`

manage out nfs3

### `nftables::rules::out::openafs_client`

7000 - afs3-fileserver

7002 - afs3-ptserver

7003 - vlserver

* **See also**

  * https://wiki.openafs.org/devel/AFSServicePorts/

    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[7000, 7002, 7003]`

### `nftables::rules::out::ospf`

manage out ospf

### `nftables::rules::out::ospf3`

manage out ospf3

### `nftables::rules::out::postgres`

manage out postgres

### `nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class.

##### `puppetmaster`

Data type: `Variant[String,Array[String,1]]`

##### `puppetserver_port`

Data type: `Integer`

Default value: `8140`

### `nftables::rules::out::smtp`

manage out smtp

### `nftables::rules::out::ssh`

manage out ssh

### `nftables::rules::out::ssh::remove`

disable outgoing ssh

### `nftables::rules::out::tor`

manage out tor

### `nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[51820]`

### `nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[8140]`

### `nftables::rules::smtp`

manage in smtp

### `nftables::rules::smtp_submission`

manage in smtp submission

### `nftables::rules::smtps`

manage in smtps

### `nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[22]`

### `nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[9001]`

### `nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class.

##### `ports`

Data type: `Array[Integer,1]`

Default value: `[51820]`

### `nftables::services::dhcpv6_client`

The nftables::services::dhcpv6_client class.

### `nftables::services::openafs_client`

The nftables::services::openafs_client class.

## Defined types

### `nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type.

##### `table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### `chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### `inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: ``undef``

##### `inject_iif`

Data type: `Optional[String]`

Default value: ``undef``

##### `inject_oif`

Data type: `Optional[String]`

Default value: ``undef``

### `nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type.

##### `content`

Data type: `Optional[String]`

Default value: ``undef``

##### `source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

### `nftables::rule`

manage a chain rule

Name should be:

  CHAIN_NAME-rulename

#### Parameters

The following parameters are available in the `nftables::rule` defined type.

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### `rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

Default value: `$title`

##### `order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### `table`

Data type: `Optional[String]`

Default value: `'inet-filter'`

##### `content`

Data type: `Optional[String]`

Default value: ``undef``

##### `source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

### `nftables::rules::dnat4`

manage a ipv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type.

##### `daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### `port`

Data type: `Variant[String,Integer[1,65535]]`

##### `rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### `order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### `chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### `iif`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### `dport`

Data type: `Optional[Variant[String,Integer[1,65535]]]`

Default value: `''`

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### `nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type.

##### `rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### `order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### `chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### `oif`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `saddr`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `daddr`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: ``undef``

##### `dport`

Data type: `Optional[Variant[String,Integer[1,65535]]]`

Default value: ``undef``

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### `nftables::rules::snat4`

manage a ipv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type.

##### `snat`

Data type: `String[1]`

##### `rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### `order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### `chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### `oif`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `saddr`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### `proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: ``undef``

##### `dport`

Data type: `Optional[Variant[String,Integer[1,65535]]]`

Default value: ``undef``

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### `nftables::set`

manage a named set

#### Parameters

The following parameters are available in the `nftables::set` defined type.

##### `ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### `setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Default value: `$title`

##### `order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'10'`

##### `type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Default value: ``undef``

##### `table`

Data type: `String`

Default value: `'inet-filter'`

##### `flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Default value: `[]`

##### `timeout`

Data type: `Optional[Integer]`

Default value: ``undef``

##### `gc_interval`

Data type: `Optional[Integer]`

Default value: ``undef``

##### `elements`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### `size`

Data type: `Optional[Integer]`

Default value: ``undef``

##### `policy`

Data type: `Optional[Enum['performance', 'memory']]`

Default value: ``undef``

##### `auto_merge`

Data type: `Boolean`

Default value: ``false``

##### `content`

Data type: `Optional[String]`

Default value: ``undef``

##### `source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``