root / REFERENCE.md @ 3b26826f

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients (7000 - afs3-fileserver, 7002 - afs3-ptserver, 7003 - vlserver)
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash-separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule
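
The `Nftables::RuleName` layout described above (chain, rule name, optional number, joined by dashes) is worth checking before a raw rule reaches the firewall, because the first component decides which chain the rule is added to. The following Ruby is an added example, not code from the puppet-nftables module: its regular expression is written from the description on this page, the module's own type definition may differ in detail, and the sample names are constructed for the illustration.

```ruby
# Added example (not part of the puppet-nftables module): parse a rule name
# that follows the documented Nftables::RuleName layout "<chain>-<name>[-<number>]".
# The regexp is derived from the description on this page, not copied from the
# module's type definition.
RULE_NAME = /\A(?<chain>[A-Za-z0-9_]+)-(?<name>[A-Za-z0-9_]+)(?:-(?<number>\d+))?\z/

# Returns a hash with :chain, :name and :number (Integer or nil),
# or nil when the string does not follow the documented layout.
def parse_rule_name(rule_name)
  m = RULE_NAME.match(rule_name)
  return nil unless m
  { chain: m[:chain], name: m[:name], number: m[:number] && m[:number].to_i }
end

# Group rule names by the chain they would be added to. Names that do not
# parse are returned separately, so a typo cannot silently place a rule in an
# unintended chain.
def rules_by_chain(rule_names)
  valid = Hash.new { |h, k| h[k] = [] }
  invalid = []
  rule_names.each do |rn|
    parsed = parse_rule_name(rn)
    parsed ? valid[parsed[:chain]] << rn : invalid << rn
  end
  [valid, invalid]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample, including the two names quoted on this page.
  sample = ['default_in-sshd', 'default_out-my_service-2', 'default-in-sshd-x', 'nodash']
  valid, invalid = rules_by_chain(sample)
  valid.each { |chain, names| puts "#{chain}: #{names.join(', ')}" }
  puts "rejected: #{invalid.join(', ')}" unless invalid.empty?
end
```

Chain and name components may not contain dashes themselves, so `'default-in-sshd-x'` is rejected rather than split ambiguously; that is the property the dash-separated layout relies on.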

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true`, all other out parameters (`out_ntp`, `out_dns`, ...) are assumed to be false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:

* chain: Will be replaced by the name of the chain.
* comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`
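
The prefix matters twice: once when the rule is generated, and again when someone has to pick the chain name back out of kernel log lines. The Ruby below is an added example, not code from the puppet-nftables module. It assumes that Puppet's `sprintf()` delegates to Ruby's `Kernel#sprintf` (which is where the `%<chain>s` named-reference syntax comes from), and the chain names, comments and the kernel log line are constructed for the illustration.

```ruby
# Added example (not code from the puppet-nftables module). Puppet's sprintf()
# is documented as delegating to Ruby's Kernel#sprintf, so the %<chain>s and
# %<comment>s references in the default log_prefix behave as shown here.
DEFAULT_LOG_PREFIX = '[nftables] %<chain>s %<comment>s'.freeze

# Expand a log_prefix template for one chain. A reference the caller does not
# supply raises KeyError, which is the behaviour you want: a broken template
# should fail when the catalog is built, not produce rules with a mangled prefix.
def expand_log_prefix(template, chain:, comment: '')
  format(template, chain: chain, comment: comment)
end

# Sanity checks on an expanded prefix before it is embedded in a rule: the
# kernel caps log prefixes (NF_LOG_PREFIXLEN is 128 bytes including the
# terminator, assumed here to leave 127 usable characters), and a double quote
# would end the quoted string in a `log prefix "..."` statement early.
def check_log_prefix(prefix, max_len: 127)
  problems = []
  problems << "longer than #{max_len} characters" if prefix.length > max_len
  problems << 'contains a double quote' if prefix.include?('"')
  problems
end

# Recover chain, comment and the KEY=VALUE fields from a kernel log line that
# carries a prefix produced by the default template. Tokens before the first
# KEY=VALUE field belong to the prefix; bare flag tokens such as SYN are skipped.
def parse_log_line(line)
  marker = '[nftables] '
  start = line.index(marker)
  return nil unless start
  tokens = line[(start + marker.length)..].split
  words = tokens.take_while { |t| !t.include?('=') }
  return nil if words.empty?
  fields = tokens.drop(words.length)
                 .select { |t| t.include?('=') }
                 .to_h { |t| t.split('=', 2) }
  { chain: words[0], comment: words[1..].join(' '), fields: fields }
end
```

Note that with an empty comment the default template leaves a trailing space after the chain name; `parse_log_line` tolerates that because it splits on whitespace, but a log pipeline matching the prefix literally should expect it.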

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the fate of the packet will be defined by the chain policy (normally drop); otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed. If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`
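
Both `reject_with` and `noflush_tables` are typed with a `Pattern`, and the difference between "flush everything" and "flush everything except these tables" is easy to get wrong when a fail2ban or container table must survive a Puppet run. The Ruby below is an added example, not code from the puppet-nftables module: it checks values against the two patterns documented above and works out which tables a run would touch. The module generates its own flush statements, so the per-table `flush table` form is only an illustration of the documented semantics, and the list of existing tables is constructed for the example.

```ruby
# Added example (not code from the puppet-nftables module): validate values
# for reject_with and noflush_tables against the Pattern types documented on
# this page, and plan which tables a run would flush.
NOFLUSH_TABLE = /\A(?:ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+\z/
# Anchored form of the documented pattern; Puppet's Pattern type is unanchored,
# so this check is deliberately stricter than the type itself.
REJECT_WITH = /\A(?:icmp(?:v6|x)? type .+|tcp reset)\z/

# undef (nil) means "flush everything"; otherwise a non-empty array whose
# entries are "<family>-<table>" strings, e.g. 'inet-f2b-table'.
def valid_noflush_tables?(value)
  return true if value.nil?
  value.is_a?(Array) && !value.empty? &&
    value.all? { |t| t.is_a?(String) && NOFLUSH_TABLE.match?(t) }
end

# false disables reject; otherwise the string must name an ICMP type or tcp reset.
def valid_reject_with?(value)
  value == false || (value.is_a?(String) && REJECT_WITH.match?(value))
end

# `existing` is a list of [family, name] pairs as `nft list tables` reports them.
# Returns a single 'flush ruleset' when noflush_tables is unset, otherwise one
# per-table flush for every existing table not in the keep list (illustrative
# form; the module's generated statements may differ).
def plan_flush(existing, noflush_tables)
  return ['flush ruleset'] if noflush_tables.nil?
  unless valid_noflush_tables?(noflush_tables)
    raise ArgumentError, 'noflush_tables does not match the documented pattern'
  end
  # Split on the first dash only: the table name itself may contain dashes.
  keep = noflush_tables.map { |t| t.split('-', 2) }
  existing.reject { |fam, name| keep.include?([fam, name]) }
          .map { |fam, name| "flush table #{fam} #{name}" }
end
```

The split on the first dash is what makes the documented `'inet-f2b-table'` example resolve to family `inet` and table `f2b-table`; splitting on every dash would turn it into a table that never matches and the fail2ban rules would be flushed anyway.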
335 b9785000 Steve Traylen
336 c24d3118 Tim Meusel
##### <a name="-nftables--rules"></a>`rules`
337 7f6cacc5 Steve Traylen
338
Data type: `Hash`
339
340 09cba182 Steve Traylen
Specify hashes of `nftables::rule`s via hiera
341 7f6cacc5 Steve Traylen
342
Default value: `{}`
343
344 c24d3118 Tim Meusel
##### <a name="-nftables--configuration_path"></a>`configuration_path`
345 d0a1ffef hashworks
346
Data type: `Stdlib::Unixpath`
347
348
The absolute path to the principal nftables configuration file. The default
349
varies depending on the system, and is set in the module's data.
350
351 c24d3118 Tim Meusel
##### <a name="-nftables--nft_path"></a>`nft_path`
352 8842a597 Tim Meusel
353
Data type: `Stdlib::Unixpath`
354
355
Path to the nft binary
356
357 c24d3118 Tim Meusel
##### <a name="-nftables--echo"></a>`echo`
358 821ec83a Tim Meusel
359
Data type: `Stdlib::Unixpath`
360
361
Path to the echo binary
362
363 c24d3118 Tim Meusel
##### <a name="-nftables--default_config_mode"></a>`default_config_mode`
364 7030bde0 Luis Fernández Álvarez
365
Data type: `Stdlib::Filemode`
366
367
The default file & dir mode for configuration files and directories. The
368
default varies depending on the system, and is set in the module's data.
369
370 c24d3118 Tim Meusel
### <a name="nftables--bridges"></a>`nftables::bridges`
371 7f6cacc5 Steve Traylen
372
allow forwarding traffic on bridges
373
374
#### Parameters
375
376 09cba182 Steve Traylen
The following parameters are available in the `nftables::bridges` class:
377 7f6cacc5 Steve Traylen
378 c24d3118 Tim Meusel
* [`ensure`](#-nftables--bridges--ensure)
379
* [`bridgenames`](#-nftables--bridges--bridgenames)
380 09cba182 Steve Traylen
381 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--ensure"></a>`ensure`
382 7f6cacc5 Steve Traylen
383
Data type: `Enum['present','absent']`
384
385
386
387
Default value: `'present'`
388
389 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
390 7f6cacc5 Steve Traylen
391
Data type: `Regexp`
392
393
394
395
Default value: `/^br.+/`
396
397 c24d3118 Tim Meusel
### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
398 e17693e3 Steve Traylen
399
manage basic chains in table inet filter
400
401 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
402 a1f09048 Tim Meusel
403
enable conntrack for fwd
404
405 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
406 a1f09048 Tim Meusel
407
manage input & output conntrack
408
409 c24d3118 Tim Meusel
### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
410 e17693e3 Steve Traylen
411
manage basic chains in table ip nat
412
413 c24d3118 Tim Meusel
### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
414 771b3256 Nacho Barrientos
415
Provides input rules for Apache ActiveMQ
416
417
#### Parameters
418
419
The following parameters are available in the `nftables::rules::activemq` class:
420
421 c24d3118 Tim Meusel
* [`tcp`](#-nftables--rules--activemq--tcp)
422
* [`udp`](#-nftables--rules--activemq--udp)
423
* [`port`](#-nftables--rules--activemq--port)
424 771b3256 Nacho Barrientos
425 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
426 771b3256 Nacho Barrientos
427
Data type: `Boolean`
428
429
Create the rule for TCP traffic.
430
431 c24d3118 Tim Meusel
Default value: `true`
432 771b3256 Nacho Barrientos
433 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--udp"></a>`udp`
434 771b3256 Nacho Barrientos
435
Data type: `Boolean`
436
437
Create the rule for UDP traffic.
438
439 c24d3118 Tim Meusel
Default value: `true`
440 771b3256 Nacho Barrientos
441 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--port"></a>`port`
442 771b3256 Nacho Barrientos
443
Data type: `Stdlib::Port`
444
445
The port number for the ActiveMQ daemon.
446
447
Default value: `61616`
448
449 c24d3118 Tim Meusel
### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
450 09cba182 Steve Traylen
451
Open call back port for AFS clients
452 7f6cacc5 Steve Traylen
453 09cba182 Steve Traylen
#### Examples
454
455
##### allow call backs from particular hosts
456
457
```puppet
458 7f6cacc5 Steve Traylen
class{'nftables::rules::afs3_callback':
459
  saddr => ['192.168.0.0/16', '10.0.0.222']
460
}
461 09cba182 Steve Traylen
```
462 7f6cacc5 Steve Traylen
463
#### Parameters
464
465 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::afs3_callback` class:
466
467 c24d3118 Tim Meusel
* [`saddr`](#-nftables--rules--afs3_callback--saddr)
468 7f6cacc5 Steve Traylen
469 c24d3118 Tim Meusel
##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
470 7f6cacc5 Steve Traylen
471
Data type: `Array[Stdlib::IP::Address::V4,1]`
472
473
list of source network ranges to a
474
475
Default value: `['0.0.0.0/0']`
476
477 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
478 b9785000 Steve Traylen
479
Ceph is a distributed object store and file system.
480
Enable this to support Ceph's Object Storage Daemons (OSD),
481
Metadata Server Daemons (MDS), or Manager Daemons (MGR).
482
483 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
484 b9785000 Steve Traylen
485
Ceph is a distributed object store and file system.
486
Enable this option to support Ceph's Monitor Daemon.
487
488
#### Parameters
489
490 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ceph_mon` class:
491 b9785000 Steve Traylen
492 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ceph_mon--ports)
493 b9785000 Steve Traylen
494 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
495 b9785000 Steve Traylen
496 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
497 b9785000 Steve Traylen
498 09cba182 Steve Traylen
specify ports for ceph service
499 b9785000 Steve Traylen
500
Default value: `[3300, 6789]`
501
502 c24d3118 Tim Meusel
### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
503 7f6cacc5 Steve Traylen
504 09cba182 Steve Traylen
allow DHCPv6 requests in to a host
505 7f6cacc5 Steve Traylen
506 c24d3118 Tim Meusel
### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
507 7f6cacc5 Steve Traylen
508
manage in dns
509
510
#### Parameters
511
512 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dns` class:
513 7f6cacc5 Steve Traylen
514 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--dns--ports)
515 7f6cacc5 Steve Traylen
516 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dns--ports"></a>`ports`
517 7f6cacc5 Steve Traylen
518 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
519 7f6cacc5 Steve Traylen
520 09cba182 Steve Traylen
Specify ports for dns.
521 7f6cacc5 Steve Traylen
522
Default value: `[53]`
523
524 c24d3118 Tim Meusel
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
525 804b96e4 Nacho Barrientos
526
The configuration distributed in this class represents the default firewall
527
configuration done by docker-ce when the iptables integration is enabled.
528
529
This class is needed as the default docker-ce rules added to ip-filter conflict
530
with the inet-filter forward rules set by default in this module.
531
532
When using this class 'docker::iptables: false' should be set.
533
534
#### Parameters
535
536
The following parameters are available in the `nftables::rules::docker_ce` class:
537
538 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
539
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
540
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
541
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
542 804b96e4 Nacho Barrientos
543 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
544 804b96e4 Nacho Barrientos
545
Data type: `String[1]`
546
547
Interface name used by docker.
548
549
Default value: `'docker0'`
550
551 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
552 804b96e4 Nacho Barrientos
553
Data type: `Stdlib::IP::Address::V4::CIDR`
554
555
The address space used by docker.
556
557
Default value: `'172.17.0.0/16'`
558
559 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
560 804b96e4 Nacho Barrientos
561
Data type: `Boolean`
562
563
Flag to control whether the class should create the docker related chains.
564
565 c24d3118 Tim Meusel
Default value: `true`
566 804b96e4 Nacho Barrientos
567 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
568 804b96e4 Nacho Barrientos
569
Data type: `Boolean`
570
571
Flag to control whether the class should create the base common chains.
572
573 c24d3118 Tim Meusel
Default value: `true`
574 804b96e4 Nacho Barrientos
575 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
576 e17693e3 Steve Traylen
577
manage in http
578
579 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
580 e17693e3 Steve Traylen
581
manage in https
582
583 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
584 e17693e3 Steve Traylen
585
manage in icinga2
586
587
#### Parameters
588
589 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
590 e17693e3 Steve Traylen
591 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
592 e17693e3 Steve Traylen
593 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
594 e17693e3 Steve Traylen
595 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
596 e17693e3 Steve Traylen
597 8db66304 Steve Traylen
Specify ports for icinga2
598 e17693e3 Steve Traylen
599
Default value: `[5665]`
600
601 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
602 7f6cacc5 Steve Traylen
603
The nftables::rules::icmp class.
604
605
#### Parameters
606
607 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
608
609 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
610
* [`v6_types`](#-nftables--rules--icmp--v6_types)
611
* [`order`](#-nftables--rules--icmp--order)
612 7f6cacc5 Steve Traylen
613 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
614 7f6cacc5 Steve Traylen
615
Data type: `Optional[Array[String]]`
616
617
618
619 c24d3118 Tim Meusel
Default value: `undef`
620 7f6cacc5 Steve Traylen
621 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
622 7f6cacc5 Steve Traylen
623
Data type: `Optional[Array[String]]`
624
625
626
627 c24d3118 Tim Meusel
Default value: `undef`
628 7f6cacc5 Steve Traylen
629 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
630 7f6cacc5 Steve Traylen
631
Data type: `String`
632
633
634
635
Default value: `'10'`
636
637 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
638
639
allow incoming IGMP messages
640
641 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
642
643
manage in ldap
644
645
#### Parameters
646
647
The following parameters are available in the `nftables::rules::ldap` class:
648
649
* [`ports`](#-nftables--rules--ldap--ports)
650
651
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
652
653
Data type: `Array[Integer,1]`
654
655
ldap server ports
656
657
Default value: `[389, 636]`
658
659 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
660
661
allow incoming Link-Local Multicast Name Resolution
662
663
* **See also**
664
  * https://datatracker.ietf.org/doc/html/rfc4795
665
666
#### Parameters
667
668
The following parameters are available in the `nftables::rules::llmnr` class:
669
670
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
671
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
672
673
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mDNS over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mDNS over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Prometheus server name(s) allowed to reach the exporter

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing Active Directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the NTP servers to allow outbound NTP traffic to

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

DNS server(s) to allow outbound DNS traffic to

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mDNS over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mDNS over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients:

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * nftables::rules::out::puppet
    * the PXP agent also connects to a Puppetserver, so take a look at that class as well

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

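The `nftables::rules::out::*` classes above each open one outbound service, and several of them (`dns`, `chrony`, `active_directory`, `ldap`, `puppet`, `pxp_agent`) take the destination server as a parameter. The following is an added example, not part of the module's own documentation, showing how those classes compose into a pinned egress allow-list that replaces `nftables::rules::out::all`. The profile class name and every address in it are constructed placeholders.

```puppet
# Added example (not from the puppet-nftables module): a pinned egress
# profile built from the out:: classes. All addresses are constructed
# placeholders; replace them with the servers this host really talks to.
class profile::firewall::egress (
  Array[String,1]              $dns_servers  = ['10.0.0.53', '10.0.1.53'],
  Array[Stdlib::IP::Address,1] $ntp_servers  = ['10.0.0.123'],
  Array[Stdlib::IP::Address,1] $dc_servers   = ['10.0.2.10', '10.0.2.11'],
  Array[Stdlib::IP::Address,1] $puppetserver = ['10.0.3.140'],
) {
  # Deliberately NOT declared: nftables::rules::out::all. Each outbound
  # service is opened on its own, and wherever the class accepts a server
  # parameter the destination is pinned to known addresses.

  # Name resolution and time, restricted to the resolvers and NTP servers we run
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # Directory traffic only to the domain controllers
  # (default ports: LDAP 389/636 and global catalog 3268/3269)
  class { 'nftables::rules::out::active_directory':
    adserver => $dc_servers,
  }
  class { 'nftables::rules::out::kerberos': }

  # Configuration management: agent -> puppetserver (8140) and -> PXP broker (8142)
  class { 'nftables::rules::out::puppet':
    puppetserver => $puppetserver,
  }
  class { 'nftables::rules::out::pxp_agent':
    broker => $puppetserver,
  }

  # These classes take no destination parameter, so they stay open to any
  # host. Keep this list short: it is the part of the policy a compromised
  # host can reuse for exfiltration.
  include nftables::rules::out::http
  include nftables::rules::out::https

  # Lateral SSH from this host is not wanted
  include nftables::rules::out::ssh::remove
}
```

After a Puppet run, `nft list ruleset` shows the resulting chains; check that the only unrestricted destinations are the ones you intended (here TCP 80 and 443) and that everything else carries a `daddr` match.
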
### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

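With the defaults above, guests get the libvirt-style setup: forwarded and masqueraded IPv4 access to whatever the host can reach. The following is an added example, not part of the module's documentation, of the isolated variant the description mentions: guests keep DNS/DHCP to the host and can talk to each other, but nothing is forwarded or NATed outwards. The interface name and prefix are assumptions.

```puppet
# Added example (not from the puppet-nftables module): an isolated libvirt
# bridge. 'virbr1' and 192.168.200.0/24 are assumed values.
class { 'nftables::rules::qemu':
  interface        => 'virbr1',
  network_v4       => '192.168.200.0/24',
  dns              => true,   # guests -> host resolver
  dhcpv4           => true,   # guests -> host DHCP server
  internal_traffic => true,   # guest <-> guest on the bridge
  forward_traffic  => false,  # no host-routed path to other networks
  masquerade       => false,  # no SNAT of guest traffic to the outside
}
```

Turning off `forward_traffic` alone is the setting that actually blocks the path out; leaving `masquerade` on without forwarding does nothing useful, and leaving forwarding on without masquerade merely sends guest traffic out with unroutable source addresses rather than blocking it.
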
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound DHCPv6 client traffic

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` it will be
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

The IPv4 address that matching traffic is translated to. The pattern only
checks the dotted-quad shape; an out-of-range octet such as `299` passes the
type check and is not caught at catalog compilation.

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

The port that matching traffic is translated to.

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name of the rule. Unlike the name of an `nftables::rule`, it
carries no chain prefix (dashes are not allowed).

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number, given as a string, that sets the position of the rule
within its chain.

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

The name of the chain to add this rule to.

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

The input interface to match. When unset, traffic arriving on any interface
is translated.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

The transport protocol to match.

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

The destination port to match. When unset, the translation applies to every
port of `proto`, so set it unless redirecting all ports is intended.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be present or absent.

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name of the rule (no chain prefix, no dashes).

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number, given as a string, that sets the position of the rule
within its chain.

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

The name of the NAT chain to add this rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

The output interface to match. Set it so that only traffic leaving through
the uplink is masqueraded; when unset, every match is translated regardless
of the interface.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

The source address or CIDR to match.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

The destination address or CIDR to match.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

The transport protocol to match. Combine with `dport` to restrict the
translation to one service.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

The destination port to match.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be present or absent.

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

The IPv4 source address that matching traffic is translated to. The type only
requires a non-empty string, so a mistyped address is not caught at catalog
compilation.

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name of the rule (no chain prefix, no dashes).

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number, given as a string, that sets the position of the rule
within its chain.

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

The name of the NAT chain to add this rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

The output interface to match.

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

The source address or CIDR to match.

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

The transport protocol to match. Combine with `dport` to restrict the
translation to one service.

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

The destination port to match.

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be present or absent.

Default value: `'present'`

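The manifest below is an added example that puts `nftables::rules::dnat4`, `nftables::rules::snat4` and `nftables::rules::masquerade` together on one IPv4 gateway; it is not part of the module's documentation. Interface names and addresses are made up, and it assumes that `nftables::ip_nat` is included so the NAT table and its `POSTROUTING` chain (the default `chain` of snat4 and masquerade) exist, and that IPv4 forwarding is enabled on the host, which this module does not configure.

```puppet
# Added example, not part of the module's documentation. Interface names and
# addresses are assumptions for illustration. Requires nftables::ip_nat (the
# NAT table and POSTROUTING chain) and net.ipv4.ip_forward=1 on the host.

# Inbound: forward TCP/443 arriving on the external interface to an internal
# web server on port 8443. iif and dport narrow the match; without dport the
# translation would apply to every TCP port arriving on eth0.
nftables::rules::dnat4 { 'https_to_web01':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 443,
  daddr => '10.0.0.10',
  port  => 8443,
}

# Outbound from the server LAN through an uplink with a fixed public address.
# Prefer SNAT to a known address over masquerading when one is available:
# egress is then stable for the peers' allowlists and for your own logs.
nftables::rules::snat4 { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
  snat  => '203.0.113.10',
}

# A second uplink with a DHCP-assigned address: masquerade uses whatever
# address the interface currently has, so no fixed `snat` is needed. The
# oif and saddr match keep it from rewriting traffic on other paths.
nftables::rules::masquerade { 'guest_out':
  oif   => 'eth1',
  saddr => '192.168.100.0/24',
}

# Retire a rule while keeping the declaration in code.
nftables::rules::masquerade { 'old_uplink':
  ensure => 'absent',
  oif    => 'eth2',
}
```

Note that `snat` is only checked for being non-empty and the `daddr` pattern of dnat4 accepts out-of-range octets, so address typos surface when nft loads the ruleset rather than at catalog compilation; a `masquerade` rule without `oif` and `saddr` translates every matching packet that leaves the host, which is rarely intended on a multi-homed gateway.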
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the set should be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set; defaults to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering of the set definition within the table.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Data type of the set elements.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Flags for the set. `interval` is required for elements given as prefixes or
ranges.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds after which elements expire from the set.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval for expired elements.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialise the set with these elements.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Maximum number of elements the set can hold.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Set selection policy: optimise lookups for speed (`performance`) or for
memory footprint (`memory`).

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Enable the nftables `auto-merge` option, which merges adjacent and
overlapping elements of an interval set. Only meaningful together with the
`interval` flag; without it, overlapping elements are rejected as
conflicting intervals when the ruleset is loaded.

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Raw content of the set, in the nftables language, instead of generating it
from the parameters above.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as `content`, but read from a file given as a Puppet source URL (or
an array of them).

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming TCP traffic from source port 541 to port 543 for a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number, given as a string, that sets the position of the rule
within its chain.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match. The variants with a `4` or `6`
suffix restrict the match to that address family.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the address family of the set.
Use `ip` for sets of type `ipv4_addr`; the default `ip6` fits sets of type
`ipv6_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

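The manifest below is an added example that combines `nftables::set` with `nftables::simplerule`, covering the `set_type` pitfall described above and the `auto_merge` case; it is not part of the module's documentation. Set names and addresses are made up, and it assumes the module's default table `inet-filter` and chain `default_in`.

```puppet
# Added example, not part of the module's documentation. Names and addresses
# are assumptions for illustration; assumes table 'inet-filter' and chain
# 'default_in' from the module's default setup.

# An IPv4 interval set of management networks. 'interval' lets the set hold
# prefixes; auto_merge merges the overlapping /16 and /24 entries, which nft
# would otherwise reject as conflicting intervals.
nftables::set { 'mgmt_nets_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.10.0.0/16', '10.10.5.0/24', '192.0.2.10'],
  auto_merge => true,
}

# The IPv6 counterpart. simplerule's set_type defaults to 'ip6', so rules
# referencing this set need no set_type.
nftables::set { 'mgmt_nets_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:10::/48'],
}

# Sets are referenced as '@name' (Nftables::Addr::Set). For an ipv4_addr set
# the family must be spelled out with set_type => 'ip'; with the default
# 'ip6' the match is generated for the IPv6 family and nft refuses to load a
# ruleset that uses an ipv4_addr set in an IPv6 address match.
nftables::simplerule { 'ssh_from_mgmt_v4':
  saddr    => '@mgmt_nets_v4',
  set_type => 'ip',
  proto    => 'tcp',
  dport    => 22,
  counter  => true,
  comment  => 'ssh from IPv4 management networks',
}

nftables::simplerule { 'ssh_from_mgmt_v6':
  saddr   => '@mgmt_nets_v6',
  proto   => 'tcp',
  dport   => 22,
  counter => true,
  comment => 'ssh from IPv6 management networks',
}

# Explicit drop for a port range (Nftables::Port::Range). Its order '60'
# sorts after the accepts above at '50', so management sources still get
# through while everything else hitting these ports is dropped here rather
# than by the chain policy.
nftables::simplerule { 'deny_db_ports':
  action  => 'drop',
  proto   => 'tcp',
  dport   => '5432-5433',
  order   => '60',
  comment => 'no direct database access',
}
```

Keeping the address lists in sets rather than in individual rules means a change to the management networks touches one `nftables::set` declaration, and the `counter => true` on the accepts gives `nft list ruleset` a cheap way to confirm that the rules are actually being hit.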
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`