root / REFERENCE.md @ 3e2b5119

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open callback port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing Active Directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients (7000 afs3-fileserver, 7002 afs3-ptserver, 7003 vlserver)
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow inbound and outbound DHCPv6 client traffic
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an IPv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an IPv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true`, all other `out_*`
parameters (`out_ntp`, `out_dns`, ...) are assumed to be false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter. A reject actively
answers the sender (an ICMP error or a TCP reset), whereas a drop
discards the packet silently.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection; invalid packets are dropped as well unless
`in_out_drop_invalid` (which defaults to this value) says otherwise.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection; invalid packets are dropped as well unless
`fwd_drop_invalid` (which defaults to this value) says otherwise.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

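A fuller baseline, as an added example that is not part of the generated reference: it combines the parameters above into one manifest that keeps outbound traffic explicit, logs discarded packets at the documented rate limit, stays silent towards unmatched senders, leaves fail2ban's table in place across reloads and re-adds ssh restricted to a management network through the `rules` hash. The `nftables::rule` defined type is only listed in this reference; its `content` parameter (the raw nft rule text) is assumed here, as is the 192.0.2.0/24 management network, which is constructed for the example.

```puppet
# Added example; not from the module's generated reference.
# Assumes nftables::rule takes the raw nft rule in its `content` parameter
# and that rule names follow Nftables::RuleName ('<chain>-<name>[-<n>]').
class { 'nftables':
  # out_all => true would make every out_* toggle below meaningless,
  # so keep it false and enable outbound services one by one.
  out_all          => false,
  out_ntp          => true,
  out_dns          => true,
  out_http         => false,   # no plain-text HTTP egress from this host
  out_https        => true,
  out_icmp         => true,

  # Drop the blanket ssh accept; a narrower rule is added via $rules below.
  in_ssh           => false,
  in_icmp          => true,

  # Log discarded packets, rate limited, with a prefix that names the chain
  # (%<chain>s) and carries the per-chain comment (%<comment>s).
  log_discarded    => true,
  log_prefix       => '[nftables] %<chain>s %<comment>s',
  log_limit        => '3/minute burst 5 packets',

  # false: unmatched packets fall through to the chain policy (drop) and the
  # host stays silent; the default would answer with icmpx port-unreachable.
  reject_with      => false,

  in_out_conntrack => true,    # accept established/related, drop invalid
  fwd_conntrack    => false,   # this host does not forward

  # Flush the other tables individually and leave fail2ban's table untouched.
  noflush_tables   => ['inet-f2b-table'],

  # Raw rules from a hash; the same structure works as Hiera data under nftables::rules.
  rules            => {
    'default_in-ssh_mgmt' => {
      # 192.0.2.0/24 is a documentation range standing in for the management network.
      content => 'ip saddr 192.0.2.0/24 tcp dport 22 accept',
    },
  },
}
```

With `in_ssh` off, the only way into port 22 is the `default_in-ssh_mgmt` rule, so a mistake in the source range locks you out of the host; apply this with a console or out-of-band path available.
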
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open callback port for AFS clients

#### Examples

##### allow callbacks from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

The default accepts callbacks from any IPv4 source; restrict `saddr` to the networks your AFS file servers live on, as in the example above.

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Restrict the rule to these input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class, 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

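An added example, not part of the module's reference, of wiring this class together with the docker module it refers to: the daemon is told not to manage iptables itself, and the bridge name and address space handed to `nftables::rules::docker_ce` must agree with what the daemon actually uses. The `docker` class with its `iptables` and `bip` parameters is assumed from the puppetlabs-docker module (the reference only cites `docker::iptables`); the 10.200.0.0/16 range is constructed for the example.

```puppet
# Added example; not from the module's generated reference.
# `docker::iptables` is the setting the reference mentions; `docker::bip`
# (the daemon's bridge address/prefix) is assumed from the puppetlabs-docker module.
class { 'docker':
  iptables => false,             # dockerd must not write its own filter/nat rules
  bip      => '10.200.0.1/16',   # constructed: move the bridge off the 172.17/16 default
}

# The nftables side has to agree with the daemon on interface and prefix;
# otherwise the forwarding rules this class installs match nothing and
# containers lose egress while the ip-filter/inet-filter conflict remains.
class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker0',
  docker_prefix        => '10.200.0.0/16',
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```

If several Docker bridges exist (user-defined networks), each gets its own interface and prefix, and this class covers only the one named in `docker_interface`.
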
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range. It must match the passive port range
configured in the FTP server itself.

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
721
722
allow incoming IGMP messages
723
724 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
725
726
manage in ldap
727
728
#### Parameters
729
730
The following parameters are available in the `nftables::rules::ldap` class:
731
732
* [`ports`](#-nftables--rules--ldap--ports)
733
734
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
735
736
Data type: `Array[Integer,1]`
737
738
ldap server ports
739
740
Default value: `[389, 636]`
741
742 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
743
744
allow incoming Link-Local Multicast Name Resolution
745
746
* **See also**
747
  * https://datatracker.ietf.org/doc/html/rfc4795
748
749
#### Parameters
750
751
The following parameters are available in the `nftables::rules::llmnr` class:
752
753
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
754
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
755
756
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
757
758
Data type: `Boolean`
759
760
Allow LLMNR over IPv4
761
762
Default value: `true`
763
764
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
765
766
Data type: `Boolean`
767
768
Allow LLMNR over IPv6
769
770
Default value: `true`
771
772 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

name for incoming interfaces to filter

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to allow traffic

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

specify dns_server name

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

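Declaring both ICMP classes (`nftables::rules::icmp` above and `nftables::rules::out::icmp` here) with an explicit allow-list, as an added example that is not part of the module's generated reference. It assumes each string in `v4_types`/`v6_types` is placed verbatim after the `icmp type`/`icmpv6 type` match of the generated rule, so a rate limit can be appended to a type; the profile class name is made up.

```puppet
# Added example, not from the module. Assumption: every entry in v4_types /
# v6_types is copied verbatim into the generated "icmp type ..." /
# "icmpv6 type ..." rule, which is why "limit rate" can follow a type name.
class profile::firewall::icmp {
  # Inbound: keep the error types that TCP and path MTU discovery depend
  # on, allow pings at a bounded rate, and nothing else.
  class { 'nftables::rules::icmp':
    v4_types => [
      'destination-unreachable',
      'time-exceeded',
      'parameter-problem',
      'echo-request limit rate 4/second',
    ],
    v6_types => [
      'destination-unreachable',
      'packet-too-big',           # IPv6 path MTU discovery
      'time-exceeded',
      'parameter-problem',
      'nd-router-advert',         # default route / SLAAC
      'nd-neighbor-solicit',      # address resolution; blocking these breaks IPv6
      'nd-neighbor-advert',
      'echo-request limit rate 4/second',
    ],
    order    => '10',
  }

  # Outbound: the host must answer neighbour discovery and may send
  # echo requests; it has no business emitting redirects or router
  # advertisements, so those types are simply not listed.
  class { 'nftables::rules::out::icmp':
    v4_types => [
      'destination-unreachable',
      'time-exceeded',
      'echo-request',
      'echo-reply',
    ],
    v6_types => [
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'nd-router-solicit',
      'nd-neighbor-solicit',
      'nd-neighbor-advert',
      'echo-request',
      'echo-reply',
    ],
    order    => '10',
  }
}
```
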
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional name for outgoing interfaces

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * nftables::rules::out::puppet
    * take a look at it, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

1209 c24d3118 Tim Meusel
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`
1210 e17693e3 Steve Traylen
1211 19908f41 mh
allow outgoing smtp
1212
1213 c24d3118 Tim Meusel
### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`
1214 19908f41 mh
1215
allow outgoing smtp client
1216 e17693e3 Steve Traylen
1217 50a5be8b Tim Meusel
### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`
1218
1219
allow outgoing SSDP
1220
1221
* **See also**
1222
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1223
1224
#### Parameters
1225
1226
The following parameters are available in the `nftables::rules::out::ssdp` class:
1227
1228
* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
1229
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)
1230
1231
##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`
1232
1233
Data type: `Boolean`
1234
1235
Allow SSDP over IPv4
1236
1237
Default value: `true`
1238
1239
##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`
1240
1241
Data type: `Boolean`
1242
1243
Allow SSDP over IPv6
1244
1245
Default value: `true`
1246
1247 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`
1248 e17693e3 Steve Traylen
1249
manage out ssh
1250
1251 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`
1252 e17693e3 Steve Traylen
1253
disable outgoing ssh
1254
1255 c24d3118 Tim Meusel
### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`
1256 e17693e3 Steve Traylen
1257
manage out tor
1258
1259 c24d3118 Tim Meusel
### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`
1260 2b1896c1 Tim Meusel
1261
allow clients to query remote whois server
1262
1263 c24d3118 Tim Meusel
### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`
1264 e17693e3 Steve Traylen
1265
manage out wireguard
1266
1267
#### Parameters
1268
1269 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::wireguard` class:
1270 e17693e3 Steve Traylen
1271 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--wireguard--ports)
1272 e17693e3 Steve Traylen
1273 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`
1274 e17693e3 Steve Traylen
1275 09cba182 Steve Traylen
Data type: `Array[Integer,1]`
1276 e17693e3 Steve Traylen
1277 09cba182 Steve Traylen
specify wireguard ports
1278 e17693e3 Steve Traylen
1279
Default value: `[51820]`
1280
1281 08b9f1d0 Steve Traylen
### <a name="nftables--rules--podman"></a>`nftables::rules::podman`
1282
1283
Rules for Podman, a tool for managing OCI containers and pods.
1284
This class defines additional forwarding rules to let root containers
1285
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
1286
At the time of writing, Podman supports automatic configuration
1287
of firewall rules with iptables and firewalld only.
1288
1289 c24d3118 Tim Meusel
### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`
1290 e17693e3 Steve Traylen
1291
manage in puppet
1292
1293
#### Parameters
1294
1295 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::puppet` class:
1296 e17693e3 Steve Traylen
1297 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--puppet--ports)
1298 e17693e3 Steve Traylen
1299 c24d3118 Tim Meusel
##### <a name="-nftables--rules--puppet--ports"></a>`ports`
1300 e17693e3 Steve Traylen
1301 09cba182 Steve Traylen
Data type: `Array[Integer,1]`
1302 e17693e3 Steve Traylen
1303 09cba182 Steve Traylen
puppet server ports
1304 e17693e3 Steve Traylen
1305
Default value: `[8140]`
1306
1307 c24d3118 Tim Meusel
### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`
1308 7f74df2e Tim Meusel
1309
manage in pxp-agent
1310
1311
#### Parameters
1312
1313
The following parameters are available in the `nftables::rules::pxp_agent` class:
1314
1315 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--pxp_agent--ports)
1316 7f74df2e Tim Meusel
1317 c24d3118 Tim Meusel
##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`
1318 7f74df2e Tim Meusel
1319 2b1896c1 Tim Meusel
Data type: `Array[Stdlib::Port,1]`
1320 7f74df2e Tim Meusel
1321
pxp server ports
1322
1323
Default value: `[8142]`
1324
1325 c24d3118 Tim Meusel
### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`
1326 cd2a3cbf Nacho Barrientos
1327
This class configures the typical firewall setup that libvirt
1328
creates. Depending on your requirements you can switch on and off
1329
several aspects, for instance if you don't do DHCP to your guests
1330
you can disable the rules that accept DHCP traffic on the host or if
1331
you don't want your guests to talk to hosts outside you can disable
1332
forwarding and/or masquerading for IPv4 traffic.
1333
1334
#### Parameters
1335
1336
The following parameters are available in the `nftables::rules::qemu` class:
1337
1338 c24d3118 Tim Meusel
* [`interface`](#-nftables--rules--qemu--interface)
1339
* [`network_v4`](#-nftables--rules--qemu--network_v4)
1340
* [`network_v6`](#-nftables--rules--qemu--network_v6)
1341
* [`dns`](#-nftables--rules--qemu--dns)
1342
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
1343
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
1344
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
1345
* [`masquerade`](#-nftables--rules--qemu--masquerade)
1346 cd2a3cbf Nacho Barrientos
1347 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--interface"></a>`interface`
1348 cd2a3cbf Nacho Barrientos
1349
Data type: `String[1]`
1350
1351
Interface name used by the bridge.
1352
1353
Default value: `'virbr0'`
1354
1355 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`
1356 cd2a3cbf Nacho Barrientos
1357
Data type: `Stdlib::IP::Address::V4::CIDR`
1358
1359
The IPv4 network prefix used in the virtual network.
1360
1361
Default value: `'192.168.122.0/24'`
1362
1363 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`
1364 cd2a3cbf Nacho Barrientos
1365
Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`
1366
1367
The IPv6 network prefix used in the virtual network.
1368
1369 c24d3118 Tim Meusel
Default value: `undef`
1370 cd2a3cbf Nacho Barrientos
1371 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--dns"></a>`dns`
1372 cd2a3cbf Nacho Barrientos
1373
Data type: `Boolean`
1374
1375
Allow DNS traffic from the guests to the host.
1376
1377 c24d3118 Tim Meusel
Default value: `true`
1378 cd2a3cbf Nacho Barrientos
1379 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`
1380 cd2a3cbf Nacho Barrientos
1381
Data type: `Boolean`
1382
1383
Allow DHCPv4 traffic from the guests to the host.
1384
1385 c24d3118 Tim Meusel
Default value: `true`
1386 cd2a3cbf Nacho Barrientos
1387 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`
1388 cd2a3cbf Nacho Barrientos
1389
Data type: `Boolean`
1390
1391
Allow forwarded traffic (out all, in related/established)
1392
generated by the virtual network.
1393
1394 c24d3118 Tim Meusel
Default value: `true`
1395 cd2a3cbf Nacho Barrientos
1396 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`
1397 cd2a3cbf Nacho Barrientos
1398
Data type: `Boolean`
1399
1400
Allow guests in the virtual network to talk to each other.
1401
1402 c24d3118 Tim Meusel
Default value: `true`
1403 cd2a3cbf Nacho Barrientos
1404 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`
1405 cd2a3cbf Nacho Barrientos
1406
Data type: `Boolean`
1407
1408
Do NAT masquerade on all IPv4 traffic generated by guests
1409
to external networks.
1410
1411 c24d3118 Tim Meusel
Default value: `true`
1412 cd2a3cbf Nacho Barrientos
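The class description above explains which aspects of the libvirt setup can be switched off; this added example (not part of the module's generated reference) declares `nftables::rules::qemu` for a bridge whose guests are fully isolated: they keep DNS and DHCP from the host but cannot reach each other or any external network. The bridge name, prefix and profile class name are constructed values.

```puppet
# Added example, not from the module. 'virbr1', the prefix and the profile
# name are constructed values.
class profile::firewall::libvirt_isolated {
  class { 'nftables::rules::qemu':
    interface        => 'virbr1',
    network_v4       => '10.99.0.0/24',
    network_v6       => undef,   # no IPv6 prefix on this bridge (the default)
    dns              => true,    # guests resolve names through the host
    dhcpv4           => true,    # guests get their addresses from the host
    internal_traffic => false,   # guests may not talk to each other
    forward_traffic  => false,   # nothing is forwarded out of the virtual network
    masquerade       => false,   # and nothing is NATed, so guests stay unroutable
  }
}
```

The three `false` values are the ones that differ from the defaults listed above; with all of them at `true` the class reproduces libvirt's permissive default (guests may reach each other and, via NAT, the outside world).
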
1413 c24d3118 Tim Meusel
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`
1414 19908f41 mh
1415
manage Samba, the suite to allow Windows file sharing on Linux resources.
1416
1417
#### Parameters
1418
1419
The following parameters are available in the `nftables::rules::samba` class:
1420
1421 c24d3118 Tim Meusel
* [`ctdb`](#-nftables--rules--samba--ctdb)
1422 64404839 Tim Meusel
* [`action`](#-nftables--rules--samba--action)
1423 19908f41 mh
1424 c24d3118 Tim Meusel
##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`
1425 19908f41 mh
1426
Data type: `Boolean`
1427
1428 64404839 Tim Meusel
Enable ctdb-driven clustered Samba setups
1429 19908f41 mh
1430 c24d3118 Tim Meusel
Default value: `false`
1431 19908f41 mh
1432 64404839 Tim Meusel
##### <a name="-nftables--rules--samba--action"></a>`action`
1433
1434
Data type: `Enum['accept', 'drop']`
1435
1436
if the traffic should be allowed or dropped
1437
1438
Default value: `'accept'`
1439
1440 c24d3118 Tim Meusel
### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`
1441 e17693e3 Steve Traylen
1442
manage in smtp
1443
1444 c24d3118 Tim Meusel
### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`
1445 e17693e3 Steve Traylen
1446
manage in smtp submission
1447
1448 c24d3118 Tim Meusel
### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`
1449 e17693e3 Steve Traylen
1450
manage in smtps
1451
1452 8b131276 Tim Meusel
### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`
1453
1454
allow incoming spotify
1455
1456 50a5be8b Tim Meusel
### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`
1457
1458
allow incoming SSDP
1459
1460
* **See also**
1461
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1462
1463
#### Parameters
1464
1465
The following parameters are available in the `nftables::rules::ssdp` class:
1466
1467
* [`ipv4`](#-nftables--rules--ssdp--ipv4)
1468
* [`ipv6`](#-nftables--rules--ssdp--ipv6)
1469
1470
##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`
1471
1472
Data type: `Boolean`
1473
1474
Allow SSDP over IPv4
1475
1476
Default value: `true`
1477
1478
##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`
1479
1480
Data type: `Boolean`
1481
1482
Allow SSDP over IPv6
1483
1484
Default value: `true`
1485
1486 c24d3118 Tim Meusel
### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`
1487 e17693e3 Steve Traylen
1488
manage in ssh
1489
1490
#### Parameters
1491
1492 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ssh` class:
1493 e17693e3 Steve Traylen
1494 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ssh--ports)
1495 e17693e3 Steve Traylen
1496 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ssh--ports"></a>`ports`
1497 e17693e3 Steve Traylen
1498 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1499 e17693e3 Steve Traylen
1500 09cba182 Steve Traylen
ssh ports
1501 e17693e3 Steve Traylen
1502
Default value: `[22]`
1503
1504 c24d3118 Tim Meusel
### <a name="nftables--rules--tor"></a>`nftables::rules::tor`
1505 e17693e3 Steve Traylen
1506
manage in tor
1507
1508
#### Parameters
1509
1510 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::tor` class:
1511 e17693e3 Steve Traylen
1512 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--tor--ports)
1513 e17693e3 Steve Traylen
1514 c24d3118 Tim Meusel
##### <a name="-nftables--rules--tor--ports"></a>`ports`
1515 e17693e3 Steve Traylen
1516 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1517 e17693e3 Steve Traylen
1518 09cba182 Steve Traylen
ports for tor
1519 e17693e3 Steve Traylen
1520
Default value: `[9001]`
1521
1522 c24d3118 Tim Meusel
### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`
1523 e17693e3 Steve Traylen
1524
manage in wireguard
1525
1526
#### Parameters
1527
1528 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::wireguard` class:
1529 e17693e3 Steve Traylen
1530 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--wireguard--ports)
1531 e17693e3 Steve Traylen
1532 c24d3118 Tim Meusel
##### <a name="-nftables--rules--wireguard--ports"></a>`ports`
1533 e17693e3 Steve Traylen
1534 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1535 e17693e3 Steve Traylen
1536 09cba182 Steve Traylen
wiregueard port
1537 e17693e3 Steve Traylen
1538
Default value: `[51820]`
1539
1540 ffc8b86f Tim Meusel
### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
1541
1542
allow incoming webservice discovery
1543
1544
* **See also**
1545
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
1546
1547
#### Parameters
1548
1549
The following parameters are available in the `nftables::rules::wsd` class:
1550
1551
* [`ipv4`](#-nftables--rules--wsd--ipv4)
1552
* [`ipv6`](#-nftables--rules--wsd--ipv6)
1553
1554
##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
1555
1556
Data type: `Boolean`
1557
1558
Allow ws-discovery over IPv4
1559
1560
Default value: `true`
1561
1562
##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
1563
1564
Data type: `Boolean`
1565
1566
Allow ws-discovery over IPv6
1567
1568
Default value: `true`
1569
1570 c24d3118 Tim Meusel
### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
1571 7f6cacc5 Steve Traylen
1572 09cba182 Steve Traylen
Allow in and outbound traffic for DHCPv6 server
1573 7f6cacc5 Steve Traylen
1574 c24d3118 Tim Meusel
### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
1575 7f6cacc5 Steve Traylen
1576 09cba182 Steve Traylen
Open inbound and outbound ports for an AFS client
1577 7f6cacc5 Steve Traylen
## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

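The `inject*` parameters carry no description above. The following is an added example, not taken from the module's reference, showing how they fit together as I understand the module: a separate chain for management traffic that `default_in` only jumps to for packets arriving on a dedicated management interface, so the rules that open management ports cannot match on any other interface. The chain name, the rule names and the interface `eth0` are assumptions.

```puppet
# Added example, not part of the generated reference.
# Assumes the module's default table 'inet-filter' with its default_in
# chain, and that eth0 is an interface used only for management.

# A dedicated chain for management traffic. 'inject' is '<order>-<chain>':
# a jump to mgmt_in is placed in default_in at order 20, and inject_iif
# limits that jump to packets arriving on eth0 (my reading of the module;
# the reference above does not spell this out).
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'eth0',
}

# Rules inside the new chain. Rule names follow Nftables::RuleName
# ('<chain>-<name>[-<number>]'), so these land in mgmt_in; 'order'
# sorts them within the chain.
nftables::rule { 'mgmt_in-ssh':
  content => 'tcp dport 22 accept',
  order   => '10',
}

nftables::rule { 'mgmt_in-snmp':
  content => 'udp dport 161 accept',
  order   => '11',
}

# Anything else that reached this chain via eth0 is counted and dropped,
# so probes against the management interface show up in the counter
# (nft list chain inet filter mgmt_in) instead of falling through to
# the rest of default_in.
nftables::rule { 'mgmt_in-drop':
  content => 'counter drop',
  order   => '99',
}
```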
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created. If left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

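None of the three NAT defined types (`dnat4`, `masquerade`, `snat4`) carries a parameter description above, so here is an added example, not from the module's reference, that uses them together on a small gateway: masquerade for an internal network, one DNAT port forward, and a fixed-address SNAT for a single host that must be ordered before the masquerade rule. The interface name and the addresses (RFC 5737 documentation ranges) are constructed; that `daddr`/`port`/`dport` mean internal host, internal port and externally visible port, and that the `ip nat` table with its PREROUTING/POSTROUTING chains is provided by `nftables::ip_nat`, are my reading of the module, not statements from the reference.

```puppet
# Added example, not part of the generated reference. Assumes the
# nftables::ip_nat class is included (table 'ip-nat' with PREROUTING
# and POSTROUTING chains), eth0 is the external interface, 192.0.2.0/24
# is the internal network and 203.0.113.5 is a second public address.

# Masquerade internal traffic leaving through eth0. proto and dport are
# left undef so every protocol is covered; restricting saddr keeps the
# gateway from masquerading for networks it should not serve.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.0.2.0/24',
}

# Forward external TCP port 443 to a web server on the internal network
# listening on 8443. daddr must be a bare dotted-quad (the type pattern
# does not accept a prefix); iif limits the match to eth0 so internal
# clients hitting the gateway's own address are left alone. The 'chain'
# parameter (default 'default_fwd') is where the forwarded traffic is
# allowed through the inet filter table.
nftables::rules::dnat4 { 'web_dnat':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 443,
  daddr => '192.0.2.10',
  port  => 8443,
}

# One host gets a stable public address instead of the masquerade
# address (e.g. for partners that allow-list by source IP). NAT
# statements are terminal, so this rule is given order 60 to precede
# the masquerade rule at its default order 70 in the same chain.
nftables::rules::snat4 { 'db_snat':
  snat  => '203.0.113.5',
  oif   => 'eth0',
  saddr => '192.0.2.20',
  order => '60',
}
```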
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the set should be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
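As an added example, not from the module's reference, tying `nftables::set`, `nftables::simplerule` and the `Nftables::Addr::Set`, `Nftables::Port::Range` and `Nftables::SimpleRuleName` types together: an allow-list of administrative source networks kept in named sets, one per address family so that `set_type` matches the set's type, followed by a counted drop for the same ports. Set names, rule names, the interface `eth0` and the addresses (documentation ranges) are constructed.

```puppet
# Added example, not part of the generated reference. Assumes the
# default table 'inet-filter' and its default_in chain; names and
# addresses are constructed.

# Named sets of admin source addresses, one per family. 'interval' lets
# prefixes be stored; auto_merge lets adjacent or overlapping entries
# (the two /25s below) be listed without the set failing to load.
nftables::set { 'admin_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/25', '192.0.2.128/25', '198.51.100.7'],
  auto_merge => true,
}

nftables::set { 'admin_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:1::/48'],
}

# '@admin_v4' is an Nftables::Addr::Set. set_type defaults to 'ip6', so
# it must be set to 'ip' for an ipv4_addr set or the rule will not
# match. '8080-8090' is an Nftables::Port::Range; the array form of
# Nftables::Port mixes single ports and ranges.
nftables::simplerule { 'admin_api_v4':
  action   => 'accept',
  comment  => 'IPv4 admin networks to the API',
  counter  => true,
  proto    => 'tcp',
  dport    => [8443, '8080-8090'],
  saddr    => '@admin_v4',
  set_type => 'ip',
  iifname  => 'eth0',
}

nftables::simplerule { 'admin_api_v6':
  action   => 'accept',
  comment  => 'IPv6 admin networks to the API',
  counter  => true,
  proto    => 'tcp',
  dport    => [8443, '8080-8090'],
  saddr    => '@admin_v6',
  set_type => 'ip6',
  iifname  => 'eth0',
}

# Everything else to those ports is counted and dropped after the two
# accepts (order 60 > default 50), so the counter shows how often the
# API is reached from outside the allow-list. The '-1' suffix is the
# optional numeric component permitted by Nftables::SimpleRuleName.
nftables::simplerule { 'admin_api_other-1':
  action  => 'drop',
  comment => 'drop API access from non-admin sources',
  counter => true,
  proto   => 'tcp',
  dport   => [8443, '8080-8090'],
  order   => '60',
}
```

Set elements can later be changed without touching the rules, which is the point of keeping the allow-list in sets rather than in the rule text.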