root / REFERENCE.md @ 4c3d5d6b

Historique | Voir | Annoter | Télécharger (62,3 ko)

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

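As an added example, not part of the module's generated reference, the parameters above combined into a deny-by-default host policy: egress limited to NTP, DNS and HTTPS, SSH reachable only from an administrative network held in a named set, rejected traffic logged at a bounded rate, and a fail2ban table excluded from the module's `flush ruleset`. The `nftables::set` attributes (`type`, `flags`, `elements`) and the `content` parameter of `nftables::rule` belong to those defined types, which this section only lists, so they are assumptions here; the administrative network range is a constructed sample.

```puppet
# Added example (not from the module's own documentation): a hardened host
# profile built from the documented parameters of the nftables class.
# Rule names follow the Nftables::RuleName format: <chain>-<name>[-<n>].
class profile::firewall (
  # Constructed sample value: networks allowed to reach sshd.
  Array[Stdlib::IP::Address::V4::CIDR] $admin_nets = ['10.20.0.0/16'],
) {
  class { 'nftables':
    # Deny-by-default egress: out_all stays false, each service is opted in.
    out_all   => false,
    out_ntp   => true,
    out_dns   => true,
    out_http  => false,
    out_https => true,
    out_icmp  => true,

    # Ingress: the module's own "ssh from anywhere" rule is switched off;
    # the restricted rule in $rules below replaces it.
    in_ssh  => false,
    in_icmp => true,

    # Stateful filtering on INPUT/OUTPUT and FORWARD, invalid packets dropped.
    in_out_conntrack    => true,
    in_out_drop_invalid => true,
    fwd_conntrack       => true,
    fwd_drop_invalid    => true,

    # Reject instead of silently dropping so misconfigured clients fail fast,
    # and keep the discard log rate-limited so a scan cannot fill the disk.
    reject_with   => 'icmpx type port-unreachable',
    log_discarded => true,
    log_limit     => '3/minute burst 5 packets',
    log_prefix    => '[nftables] %<chain>s %<comment>s',

    # fail2ban maintains its own table; leave it alone on every Puppet run.
    # The name must match ^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$.
    noflush_tables => ['inet-f2b-table'],

    # Named set consumed by the rule below (nftables::set attributes assumed
    # from that defined type: type/flags/elements).
    sets => {
      'admin_nets' => {
        type     => 'ipv4_addr',
        flags    => ['interval'],
        elements => $admin_nets,
      },
    },

    # Raw rule in chain default_in; `content` is the nftables::rule parameter
    # carrying the nft expression (assumed from that defined type).
    rules => {
      'default_in-sshd_admin' => {
        content => 'ip saddr @admin_nets tcp dport 22 accept',
      },
    },
  }
}
```

Turning `in_ssh` off is what makes the set an actual restriction: with `in_ssh => true` the module's own rule would still admit port 22 from any source and the set-based rule would be redundant. Because `noflush_tables` is set, the module flushes only the tables it knows about rather than issuing `flush ruleset`, so fail2ban's bans survive each catalog apply.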
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`



Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`



Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

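An added example, not from the module's reference, of the arrangement the text describes: Docker's own iptables integration is switched off (the `docker::iptables: false` Hiera key above corresponds to the `iptables` parameter of the puppetlabs-docker `docker` class, an assumption about that module), and this class supplies the equivalent nftables rules for a daemon configured with a non-default bridge and address space. The interface name and prefix are constructed values.

```puppet
# Added example (not the module's own code): the nftables module, not dockerd,
# owns the firewall on a Docker-CE host.

# puppetlabs-docker: stop dockerd from writing ip-filter rules that would
# conflict with this module's inet-filter forward rules (parameter name assumed).
class { 'docker':
  iptables => false,
}

# Same rules dockerd would have created, now managed by Puppet. The values
# mirror a constructed daemon.json with "bip": "172.18.0.1/16" on bridge docker1.
class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker1',
  docker_prefix        => '172.18.0.0/16',
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```

Leaving dockerd's iptables integration on while this class is applied gives two writers for the same kernel ruleset: dockerd's rules conflict with the inet-filter forward rules, and unless the tables are listed in `noflush_tables` the module's `flush ruleset` discards them on the next run. `manage_base_chains => false` is the knob to use when another profile already declares the base chains in the ip filter table.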
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

720 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
721
722
allow incoming IGMP messages
723
724 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
725
726
manage in ldap
727
728
#### Parameters
729
730
The following parameters are available in the `nftables::rules::ldap` class:
731
732
* [`ports`](#-nftables--rules--ldap--ports)
733
734
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
735
736
Data type: `Array[Integer,1]`
737
738
ldap server ports
739
740
Default value: `[389, 636]`
741
742 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
743
744
allow incoming Link-Local Multicast Name Resolution
745
746
* **See also**
747
  * https://datatracker.ietf.org/doc/html/rfc4795
748
749
#### Parameters
750
751
The following parameters are available in the `nftables::rules::llmnr` class:
752
753
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
754
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
755
756
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
757
758
Data type: `Boolean`
759
760
Allow LLMNR over IPv4
761
762
Default value: `true`
763
764
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
765
766
Data type: `Boolean`
767
768
Allow LLMNR over IPv6
769
770
Default value: `true`
771
772 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
773
774
allow incoming multicast DNS
775
776 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
777
778
The following parameters are available in the `nftables::rules::mdns` class:
779
780
* [`ipv4`](#-nftables--rules--mdns--ipv4)
781
* [`ipv6`](#-nftables--rules--mdns--ipv6)
782 4c3d5d6b Tim Meusel
* [`iifname`](#-nftables--rules--mdns--iifname)
783 ad3dbd7d Ewoud Kohl van Wijngaarden
784
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
785
786
Data type: `Boolean`
787
788
Allow mdns over IPv4
789
790
Default value: `true`
791
792
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
793
794
Data type: `Boolean`
795
796
Allow mdns over IPv6
797
798
Default value: `true`
799
800 4c3d5d6b Tim Meusel
##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`
801
802
Data type: `Array[String[1]]`
803
804
name for incoming interfaces to filter
805
806
Default value: `[]`
807
808 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
809
810
allow incoming multicast traffic
811
812 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
813 b9785000 Steve Traylen
814
manage in nfs4
815
816 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`
817 b9785000 Steve Traylen
818
manage in nfs3
819
820 c24d3118 Tim Meusel
### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
821 7f6cacc5 Steve Traylen
822
manage in node exporter
823
824
#### Parameters
825
826 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::node_exporter` class:
827 7f6cacc5 Steve Traylen
828 c24d3118 Tim Meusel
* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
829
* [`port`](#-nftables--rules--node_exporter--port)
830 7f6cacc5 Steve Traylen
831 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
832 7f6cacc5 Steve Traylen
833 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
834 7f6cacc5 Steve Traylen
835 09cba182 Steve Traylen
Specify server name
836 7f6cacc5 Steve Traylen
837 c24d3118 Tim Meusel
Default value: `undef`
838 7f6cacc5 Steve Traylen
839 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--port"></a>`port`
840 7f6cacc5 Steve Traylen
841 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
842 7f6cacc5 Steve Traylen
843 09cba182 Steve Traylen
Specify port to open
844 7f6cacc5 Steve Traylen
845
Default value: `9100`
846
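As an added example that is not part of this reference or of the module's own code, the following profile class shows how a monitored host combines the inbound classes documented above, `nftables::rules::icinga2`, `nftables::rules::icmp` and `nftables::rules::node_exporter`, with `nftables::rules::ssh` (documented further down on this page). The wrapper class name, the Prometheus server name, and the ICMP type strings are assumptions; this page does not show which ICMP types the module allows when `v4_types`/`v6_types` are left at `undef`, and the example assumes each string is passed through into an nft `icmp type` / `icmpv6 type` match, so a rate limit can be appended to `echo-request`.

```puppet
# profile::firewall::monitored_host: hypothetical wrapper class (added example,
# not part of the nftables module). It builds an explicit inbound allow-list
# for a host scraped by Prometheus and checked by Icinga 2, using only the
# class parameters documented in this reference.
class profile::firewall::monitored_host (
  # Assumed values; replace with your own. The server name is whatever
  # nftables::rules::node_exporter accepts in $prometheus_server.
  String                 $prometheus_server = 'prometheus.example.internal',
  Array[Stdlib::Port, 1] $ssh_ports         = [22],
) {
  include nftables

  # Management access on the listed SSH ports only.
  class { 'nftables::rules::ssh':
    ports => $ssh_ports,
  }

  # Icinga 2 API/cluster port. 5665 is the documented default; it is set
  # explicitly so that a change of the module default cannot silently widen
  # the rule set.
  class { 'nftables::rules::icinga2':
    ports => [5665],
  }

  # Pin the exporter to the Prometheus server rather than leaving
  # $prometheus_server at its documented default of undef. 9100 is the
  # documented default port.
  class { 'nftables::rules::node_exporter':
    prometheus_server => $prometheus_server,
    port              => 9100,
  }

  # Only the ICMP types a host needs for error reporting, path MTU discovery
  # and (v6) neighbour discovery. Assumption: each string becomes part of an
  # nft "icmp type ..." / "icmpv6 type ..." match, so "limit rate" can be
  # appended to echo-request to blunt ping floods.
  class { 'nftables::rules::icmp':
    v4_types => [
      'echo-request limit rate 4/second',
      'destination-unreachable',
      'time-exceeded',
      'parameter-problem',
    ],
    v6_types => [
      'echo-request limit rate 4/second',
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'parameter-problem',
      'nd-router-advert',
      'nd-neighbor-solicit',
      'nd-neighbor-advert',
    ],
    order    => '10',   # documented default; keeps ICMP early in the chain
  }
}
```

Dropping `packet-too-big` or `nd-neighbor-*` from the IPv6 list is a common way to break IPv6 connectivity entirely, which is why the list is written out rather than left empty.
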
### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

IP address(es) of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

IP address(es) of the DNS server(s)

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional names of the outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

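The egress side, as an added example that is neither from this reference nor from the module: instead of `nftables::rules::out::all`, a Puppet-managed node enumerates the destinations it legitimately needs with the `out` classes documented above (`out::dns`, `out::chrony`, `out::puppet`, `out::pxp_agent`, `out::active_directory`, `out::http`, `out::https`). The wrapper class name is hypothetical, the addresses are constructed placeholders from the documentation ranges (192.0.2.0/24, 2001:db8::/32), and it is assumed that giving a class a server list restricts that protocol to the listed servers, which this page implies but does not spell out.

```puppet
# profile::firewall::egress: hypothetical wrapper class (added example, not
# part of the nftables module). An explicit outbound allow-list for a
# Puppet-managed node: every infrastructure dependency is pinned to an
# address, so a compromised process cannot reach arbitrary hosts on these
# ports. Deliberately does NOT include nftables::rules::out::all.
class profile::firewall::egress (
  # Constructed sample addresses (documentation ranges); replace them.
  Array[Stdlib::IP::Address]    $dns_servers  = ['192.0.2.53', '2001:db8::53'],
  Array[Stdlib::IP::Address]    $ntp_servers  = ['192.0.2.123'],
  Stdlib::IP::Address           $puppetserver = '192.0.2.140',
  Stdlib::IP::Address           $pxp_broker   = '192.0.2.142',
  Array[Stdlib::IP::Address, 1] $ad_servers   = ['192.0.2.10', '192.0.2.11'],
) {
  include nftables

  # Name resolution: only the configured resolvers (assumed to restrict DNS
  # to the listed addresses rather than the documented default of []).
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }

  # Time sync: only the listed NTP servers (same assumption as for DNS).
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # Agent runs: the Puppetserver on its documented default port 8140.
  class { 'nftables::rules::out::puppet':
    puppetserver      => $puppetserver,
    puppetserver_port => 8140,
  }

  # Orchestration: the PXP broker on its documented default port 8142. The
  # page's own cross-reference applies: pxp-agent also connects to the
  # Puppetserver, so out::puppet above is required as well.
  class { 'nftables::rules::out::pxp_agent':
    broker      => $pxp_broker,
    broker_port => 8142,
  }

  # Directory lookups: LDAP/LDAPS and the global catalog ports; the
  # documented default adserver_ports [389, 636, 3268, 3269] is kept.
  class { 'nftables::rules::out::active_directory':
    adserver => $ad_servers,
  }

  # Package repositories and web APIs. These two classes take no parameters
  # on this page, so they open the protocol to any destination; if that is
  # too broad, a proxy with its own rule is the usual replacement.
  include nftables::rules::out::http
  include nftables::rules::out::https
}
```

The point of enumerating egress this way is detection as much as prevention: once only these flows are permitted, any other outbound attempt logged by the firewall is a signal worth investigating.
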
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't serve DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, and if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

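An added example for the `nftables::rules::qemu` class described above (not from the module or its documentation): a libvirt host whose guests are treated as untrusted workloads. Guests still get DNS and DHCPv4 from the host, but forwarding, masquerading and guest-to-guest traffic are all switched off, so a compromised guest can neither reach external networks nor its neighbours on the bridge. The wrapper class name, bridge name and prefixes are assumptions (the IPv6 prefix is from the 2001:db8::/32 documentation range).

```puppet
# profile::firewall::libvirt_isolated: hypothetical wrapper class (added
# example, not part of the nftables module). Uses only the parameters of
# nftables::rules::qemu documented in this reference.
class profile::firewall::libvirt_isolated (
  # Assumed values; the module defaults are 'virbr0', '192.168.122.0/24'
  # and undef respectively.
  String[1]                               $bridge = 'virbr1',
  Stdlib::IP::Address::V4::CIDR           $net_v4 = '192.168.200.0/24',
  Optional[Stdlib::IP::Address::V6::CIDR] $net_v6 = '2001:db8:200::/64',
) {
  include nftables

  # Guests get DNS and DHCPv4 from the host and nothing else:
  #  - forward_traffic  => false: no forwarding from the virtual network
  #    to external networks, and no related/established replies back in;
  #  - masquerade       => false: no IPv4 NAT for guest traffic, so nothing
  #    from the bridge is rewritten with the host's address;
  #  - internal_traffic => false: guests cannot talk to one another, which
  #    contains lateral movement between workloads on the same host.
  class { 'nftables::rules::qemu':
    interface        => $bridge,
    network_v4       => $net_v4,
    network_v6       => $net_v6,
    dns              => true,
    dhcpv4           => true,
    forward_traffic  => false,
    internal_traffic => false,
    masquerade       => false,
  }
}
```

For the usual NAT-ed lab setup that the class description mentions, `forward_traffic` and `masquerade` stay at their default of `true`; the isolated variant above is the one to start from when guests run code you do not trust.
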
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

whether the traffic should be accepted or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound DHCPv6 client traffic

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

1606 c24d3118 Tim Meusel
### <a name="nftables--config"></a>`nftables::config`
1607 e17693e3 Steve Traylen
1608
manage a config snippet
1609
1610
#### Parameters
1611
1612 09cba182 Steve Traylen
The following parameters are available in the `nftables::config` defined type:
1613 e17693e3 Steve Traylen
1614 c24d3118 Tim Meusel
* [`tablespec`](#-nftables--config--tablespec)
1615
* [`content`](#-nftables--config--content)
1616
* [`source`](#-nftables--config--source)
1617
* [`prefix`](#-nftables--config--prefix)
1618 09cba182 Steve Traylen
1619 c24d3118 Tim Meusel
##### <a name="-nftables--config--tablespec"></a>`tablespec`
1620 13f4e4c6 Steve Traylen
1621
Data type: `Pattern[/^\w+-\w+$/]`
1622
1623
1624
1625
Default value: `$title`
1626
1627 c24d3118 Tim Meusel
##### <a name="-nftables--config--content"></a>`content`
1628 e17693e3 Steve Traylen
1629
Data type: `Optional[String]`
1630
1631
1632
1633 c24d3118 Tim Meusel
Default value: `undef`
1634 e17693e3 Steve Traylen
1635 c24d3118 Tim Meusel
##### <a name="-nftables--config--source"></a>`source`
1636 e17693e3 Steve Traylen
1637
Data type: `Optional[Variant[String,Array[String,1]]]`
1638
1639
1640
1641 c24d3118 Tim Meusel
Default value: `undef`
1642 e17693e3 Steve Traylen
1643 c24d3118 Tim Meusel
##### <a name="-nftables--config--prefix"></a>`prefix`
1644 13f4e4c6 Steve Traylen
1645
Data type: `String`
1646
1647
1648
1649
Default value: `'custom-'`
1650
1651 c24d3118 Tim Meusel
### <a name="nftables--file"></a>`nftables::file`
1652 331b8d85 Steve Traylen
1653
Insert a file into the nftables configuration
1654
1655
#### Examples
1656
1657
##### Include a file that includes other files
1658
1659
```puppet
1660
nftables::file{'geoip':
1661
  content => @(EOT)
1662
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
1663
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
1664
    |EOT,
1665
}
1666
```
1667
1668
#### Parameters
1669
1670
The following parameters are available in the `nftables::file` defined type:
1671
1672 c24d3118 Tim Meusel
* [`label`](#-nftables--file--label)
1673
* [`content`](#-nftables--file--content)
1674
* [`source`](#-nftables--file--source)
1675
* [`prefix`](#-nftables--file--prefix)
1676 331b8d85 Steve Traylen
1677 c24d3118 Tim Meusel
##### <a name="-nftables--file--label"></a>`label`
1678 331b8d85 Steve Traylen
1679
Data type: `String[1]`
1680
1681
Unique name to include in filename.
1682
1683
Default value: `$title`
1684
1685 c24d3118 Tim Meusel
##### <a name="-nftables--file--content"></a>`content`
1686 331b8d85 Steve Traylen
1687
Data type: `Optional[String]`
1688
1689
The content to place in the file.
1690
1691 c24d3118 Tim Meusel
Default value: `undef`
1692 331b8d85 Steve Traylen
1693 c24d3118 Tim Meusel
##### <a name="-nftables--file--source"></a>`source`
1694 331b8d85 Steve Traylen
1695
Data type: `Optional[Variant[String,Array[String,1]]]`
1696
1697
A source to obtain the file content from.
1698
1699 c24d3118 Tim Meusel
Default value: `undef`
1700 331b8d85 Steve Traylen
1701 c24d3118 Tim Meusel
##### <a name="-nftables--file--prefix"></a>`prefix`
1702 331b8d85 Steve Traylen
1703
Data type: `String`
1704
1705
Prefix of file name to be created, if left as `file-` it will be
1706
auto included in the main nft configuration
1707
1708
Default value: `'file-'`
1709
1710 baad986e Vadym Chepkov
### <a name="nftables--helper"></a>`nftables::helper`
1711
1712
manage a conntrack helper
1713
1714
#### Examples
1715
1716
##### FTP helper
1717
1718
```puppet
1719
nftables::helper { 'ftp-standard':
1720
  content => 'type "ftp" protocol tcp;',
1721
}
1722
```
1723
1724
#### Parameters
1725
1726
The following parameters are available in the `nftables::helper` defined type:
1727
1728
* [`content`](#-nftables--helper--content)
1729
* [`table`](#-nftables--helper--table)
1730
* [`helper`](#-nftables--helper--helper)
1731
1732
##### <a name="-nftables--helper--content"></a>`content`
1733
1734
Data type: `String`
1735
1736
Conntrack helper definition.
1737
1738
##### <a name="-nftables--helper--table"></a>`table`
1739
1740
Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
1741
1742
The name of the table to add this helper to.
1743
1744
Default value: `'inet-filter'`
1745
1746
##### <a name="-nftables--helper--helper"></a>`helper`
1747
1748
Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`
1749
1750
The symbolic name for the helper.
1751
1752
Default value: `$title`
1753
1754 c24d3118 Tim Meusel
### <a name="nftables--rule"></a>`nftables::rule`
1755 e17693e3 Steve Traylen
1756 13f26dfc Nacho Barrientos
Provides an interface to create a firewall rule
1757
1758
#### Examples
1759
1760
##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
1761
1762
```puppet
1763
nftables::rule {
1764
  'default_in-myhttp':
1765
    content => 'tcp dport 80 accept',
1766
}
1767
```
1768
1769
##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
1770
1771
```puppet
1772
nftables::rule {
1773
  'PREROUTING6-count':
1774
    content => 'counter',
1775
    table   => 'ip6-nat'
1776
}
1777
```
1778 e17693e3 Steve Traylen
1779 94285e5f Steve Traylen
##### Redirect port 443 to port 8443
1780
1781
```puppet
1782
nftables::rule { 'PREROUTING-redirect':
1783
  content => 'tcp dport 443 redirect to :8443',
1784
  table   => 'ip-nat',
1785
}
1786
nftables::rule{'PREROUTING6-redirect':
1787
  content => 'tcp dport 443 redirect to :8443',
1788
  table   => 'ip6-nat',
1789
}
1790
```
1791
1792 e17693e3 Steve Traylen
#### Parameters
1793
1794 09cba182 Steve Traylen
The following parameters are available in the `nftables::rule` defined type:
1795
1796 c24d3118 Tim Meusel
* [`ensure`](#-nftables--rule--ensure)
1797
* [`rulename`](#-nftables--rule--rulename)
1798
* [`order`](#-nftables--rule--order)
1799
* [`table`](#-nftables--rule--table)
1800
* [`content`](#-nftables--rule--content)
1801
* [`source`](#-nftables--rule--source)
1802 e17693e3 Steve Traylen
1803 c24d3118 Tim Meusel
##### <a name="-nftables--rule--ensure"></a>`ensure`
1804 e17693e3 Steve Traylen
1805
Data type: `Enum['present','absent']`
1806
1807 13f26dfc Nacho Barrientos
Should the rule be created.
1808 e17693e3 Steve Traylen
1809
Default value: `'present'`
1810
1811 c24d3118 Tim Meusel
##### <a name="-nftables--rule--rulename"></a>`rulename`
1812 e17693e3 Steve Traylen
1813 8c00b818 Nacho Barrientos
Data type: `Nftables::RuleName`
1814 e17693e3 Steve Traylen
1815 13f26dfc Nacho Barrientos
The symbolic name for the rule and to what chain to add it. The
1816
format is defined by the Nftables::RuleName type.
1817 e17693e3 Steve Traylen
1818
Default value: `$title`
1819
1820 c24d3118 Tim Meusel
##### <a name="-nftables--rule--order"></a>`order`
1821 e17693e3 Steve Traylen
1822
Data type: `Pattern[/^\d\d$/]`
1823
1824 13f26dfc Nacho Barrientos
A number representing the order of the rule.
1825 e17693e3 Steve Traylen
1826
Default value: `'50'`
1827
1828 c24d3118 Tim Meusel
##### <a name="-nftables--rule--table"></a>`table`
1829 e17693e3 Steve Traylen
1830 b02d6ea9 Nacho Barrientos
Data type: `String`
1831 e17693e3 Steve Traylen
1832 13f26dfc Nacho Barrientos
The name of the table to add this rule to.
1833 e17693e3 Steve Traylen
1834
Default value: `'inet-filter'`
1835
1836 c24d3118 Tim Meusel
##### <a name="-nftables--rule--content"></a>`content`
1837 e17693e3 Steve Traylen
1838
Data type: `Optional[String]`
1839
1840 13f26dfc Nacho Barrientos
The raw statements that compose the rule represented using the nftables
1841
language.
1842 e17693e3 Steve Traylen
1843 c24d3118 Tim Meusel
Default value: `undef`
1844 e17693e3 Steve Traylen
1845 c24d3118 Tim Meusel
##### <a name="-nftables--rule--source"></a>`source`
1846 e17693e3 Steve Traylen
1847
Data type: `Optional[Variant[String,Array[String,1]]]`
1848
1849 13f26dfc Nacho Barrientos
Same goal as content but sourcing the value from a file.
1850 e17693e3 Steve Traylen
1851 c24d3118 Tim Meusel
Default value: `undef`
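The `nftables::chain` and `nftables::rule` sections above list parameters but give no combined example. The manifest below is an added illustration, not code from the module's own reference. It uses only parameters listed above; the interface names and the chain name are constructed. It assumes, as the parameter names suggest, that `inject => '20-default_fwd'` makes the module emit a jump to this chain from `default_fwd` at order 20, and that `inject_iif` / `inject_oif` restrict that jump to the named interfaces.

```puppet
# Added example; assumes the inject semantics described in the lead-in.
# A dedicated chain in table inet filter for traffic forwarded from the
# DMZ bridge (br_dmz, constructed name) out via the upstream interface
# (eth0, constructed name).
nftables::chain { 'dmz_out':
  table      => 'inet-filter',
  inject     => '20-default_fwd',
  inject_iif => 'br_dmz',
  inject_oif => 'eth0',
}

# Rule titles follow Nftables::RuleName, "<chain>-<rulename>[-<n>]": the
# first component selects the chain declared above; `order` sorts rules
# within that chain, lowest first.
nftables::rule { 'dmz_out-established':
  order   => '10',
  content => 'ct state established,related accept',
}

nftables::rule { 'dmz_out-web':
  order   => '20',
  content => 'tcp dport { 80, 443 } accept',
}

# Everything else leaving the DMZ is logged and dropped, so the chain's
# policy is explicit and the rejected flows are visible in the kernel log.
nftables::rule { 'dmz_out-log_drop':
  order   => '90',
  content => 'log prefix "dmz_out drop: " drop',
}
```

Keeping the accept rules at low orders and the terminal drop at a high one means a later `nftables::rule` added with the default order `'50'` still lands before the drop, which is the usual intent for a chain with a deny-by-default tail.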

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
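The three NAT defined types above (`nftables::rules::dnat4`, `nftables::rules::masquerade`, `nftables::rules::snat4`) document their parameters without descriptions. The manifest below is an added example for a small IPv4 gateway, not code from the module's reference. Addresses and interface names are constructed. It assumes semantics consistent with the parameter names: `dnat4` rewrites traffic arriving on `iif` for `proto`/`dport` to `daddr`:`port` and permits the forwarded flow in `chain`; `masquerade` rewrites the source address to that of `oif`; `snat4` rewrites it to the fixed address given in `snat`.

```puppet
# Added example; assumes the DNAT/SNAT semantics described in the lead-in.
# Publish an internal web server: TCP port 80 on the upstream side (eth0,
# constructed) maps to 10.0.10.20:8080. Restricting `iif` and `proto` keeps
# the translation from matching traffic that arrives on internal interfaces.
nftables::rules::dnat4 { 'web_dnat':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 80,
  daddr => '10.0.10.20',
  port  => 8080,
}

# Masquerade only the LAN prefix leaving via eth0 rather than all traffic;
# a narrow `saddr` avoids translating spoofed or unexpected sources.
nftables::rules::masquerade { 'lan_masq':
  oif   => 'eth0',
  saddr => '10.0.0.0/16',
}

# A host with its own public address (203.0.113.25, documentation range)
# gets a fixed SNAT instead, so its outbound connections are attributable
# to that address in remote logs. Order 60 places this rule before the
# masquerade rule (default order '70') in the same POSTROUTING chain.
nftables::rules::snat4 { 'mail_snat':
  order => '60',
  oif   => 'eth0',
  saddr => '10.0.10.25',
  snat  => '203.0.113.25',
}
```

The order matters because both `snat4` and `masquerade` default to chain `POSTROUTING` with order `'70'`: a specific SNAT placed after a broad masquerade would never match, since the masquerade rule translates the packet first.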

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set; defaults to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Automatically merge adjacent/overlapping set elements (only valid for interval sets).

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`
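The `set_type` parameter above is the one detail of `nftables::simplerule` that is easy to get wrong when a rule matches on a named set: it defaults to `'ip6'`, so a rule referencing an `ipv4_addr` set silently matches nothing unless `set_type => 'ip'` is given. The manifest below is an added example combining `nftables::set` and `nftables::simplerule`, not code from the module's reference. It uses only parameters listed above; the set names and address ranges are constructed.

```puppet
# Added example; set names and addresses are constructed.
# Management networks kept as named sets, so the rules below never change
# when an address is added. `interval` plus `auto_merge` lets overlapping
# prefixes coexist in the IPv4 set.
nftables::set { 'mgmt_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  auto_merge => true,
  elements   => ['10.20.0.0/24', '192.0.2.0/24'],
}

nftables::set { 'mgmt_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:20::/48'],
}

# Accept SSH only from the management sets (chain default_in, table
# inet-filter are the defaults). The IPv4 rule must set `set_type => 'ip'`;
# with the default 'ip6' the @mgmt_v4 reference would be typed as IPv6.
nftables::simplerule { 'ssh_mgmt_v4':
  order    => '20',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
  counter  => true,
  comment  => 'SSH from IPv4 management networks',
}

nftables::simplerule { 'ssh_mgmt_v6':
  order   => '20',
  proto   => 'tcp',
  dport   => 22,
  saddr   => '@mgmt_v6',
  counter => true,
  comment => 'SSH from IPv6 management networks',
}

# Count and drop any other SSH attempt. Whatever the chain's policy, the
# explicit drop gives rejected SSH a counter of its own, so scanning shows
# up in `nft list chain inet filter default_in` without enabling logging.
nftables::simplerule { 'ssh_other':
  order   => '21',
  action  => 'drop',
  proto   => 'tcp',
  dport   => 22,
  counter => true,
  comment => 'SSH from anywhere else',
}
```

The set references use the `Nftables::Addr::Set` form (`@name`), and the rule titles satisfy `Nftables::SimpleRuleName` (no chain component, unlike `nftables::rule` titles). Orders `'20'` and `'21'` keep the accept rules immediately ahead of the drop, so a later rule added with the default order `'50'` cannot accidentally re-open SSH.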

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`