# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
  Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
  Enable this to be a client of Ceph's Monitor (MON),
  Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
  and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
  7000 - afs3-fileserver
  7002 - afs3-ptserver
  7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
  It's a dash separated string. The first component describes the chain to
  add the rule to, the second the rule name and the (optional) third a number.
  Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:

* chain: Will be replaced by the name of the chain.
* comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via Hiera.

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.
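
The following manifest is an added example, not part of the generated reference, that puts the `nftables` class parameters documented above together into a restrictive host baseline and shows how `sets` and `rules` hashes (which would normally come from Hiera) are keyed by `Nftables::RuleName`. It assumes that `nftables::set` accepts `type`, `flags` and `elements` and that `nftables::rule` accepts `content` and `order`; those defined types are documented elsewhere in this reference, not in this section. Addresses and names are constructed for illustration.

```puppet
# Added example (not the module's own code): restrictive baseline for a
# host that is neither a router nor a NAT gateway.
class { 'nftables':
  # out_all => false keeps the per-protocol out_* switches meaningful;
  # with out_all => true they would all be treated as false.
  out_all          => false,
  out_ntp          => true,
  out_dns          => true,
  out_http         => false,
  out_https        => true,
  out_icmp         => true,
  # Inbound: SSH and ICMP only; return traffic is handled by conntrack.
  in_ssh           => true,
  in_icmp          => true,
  in_out_conntrack => true,
  # No forwarding or NAT tables on a plain host.
  fwd_conntrack    => false,
  nat              => false,
  # false: unmatched packets fall through to the chain policy (drop)
  # instead of being answered with 'icmpx type port-unreachable'.
  reject_with      => false,
  # Log lines for discarded traffic; %<chain>s and %<comment>s are the
  # two sprintf() placeholders the module substitutes.
  log_prefix       => '[nft-drop] %<chain>s %<comment>s',
  log_limit        => '10/minute burst 20 packets',
  # Leave fail2ban's table alone when the ruleset is reloaded.
  noflush_tables   => ['inet-f2b-table'],
  firewalld_enable => 'mask',
  # Named set (assumed nftables::set parameters: type, flags, elements).
  sets             => {
    'mgmt_hosts' => {
      'type'     => 'ipv4_addr',
      'flags'    => ['interval'],
      'elements' => ['192.0.2.0/24', '198.51.100.10'],   # constructed
    },
  },
  # Raw rules (assumed nftables::rule parameters: content, order).
  # Keys follow Nftables::RuleName: '<chain>-<name>[-<number>]'.
  rules            => {
    'default_in-admin_ui'      => {
      'content' => 'ip saddr @mgmt_hosts tcp dport 8443 accept',
    },
    'default_out-smtp_relay-1' => {
      'content' => 'ip daddr 192.0.2.25 tcp dport 25 accept',   # constructed
      'order'   => '40',
    },
  },
}
```

The same `sets` and `rules` hashes can be supplied as the Hiera keys `nftables::sets` and `nftables::rules`, which is what the `sets` and `rules` parameter descriptions refer to. Keeping `out_all` at `false` is what makes the egress policy auditable: every allowed outbound protocol is then either an explicit `out_*` parameter or a named rule in the `default_out` chain.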

### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`
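
As an added example (not part of the generated reference), the manifest below wires `nftables::rules::docker_ce` to a Docker daemon whose own iptables integration is switched off, as the class description requires, and keeps the class's `docker_prefix` in step with the bridge address the daemon is given. It assumes the puppetlabs-docker module's `docker` class, whose `iptables` parameter is the 'docker::iptables: false' setting referred to above and whose `bip` parameter sets the bridge address; both parameters belong to that module and are not documented here. The address range is constructed.

```puppet
# Added example (not the module's own code): Docker host with a non-default
# bridge address, host firewall fully owned by nftables.
class { 'docker':
  # puppetlabs-docker parameters (assumed): Docker must not write its own
  # iptables rules, otherwise they conflict with this module's inet-filter
  # forward rules.
  iptables => false,
  # Bridge address handed to dockerd; docker0 keeps its name but its
  # network becomes 10.123.0.0/16 (constructed range).
  bip      => '10.123.0.1/16',
}

class { 'nftables':
  # Defaults shown explicitly: the Docker chains need both the inet filter
  # base chains and the ip nat table, since Docker masquerades container
  # traffic by default.
  inet_filter => true,
  nat         => true,
}

class { 'nftables::rules::docker_ce':
  # Must match what dockerd actually uses; a stale docker_prefix here would
  # leave container traffic unmatched by the forward/NAT rules.
  docker_interface     => 'docker0',
  docker_prefix        => '10.123.0.0/16',
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```

Set `manage_base_chains => false` only when the base common chains are already created elsewhere in the catalog, otherwise the Docker chains have nothing to hook into.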

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`
791 e17693e3 Steve Traylen
792
allow all outbound
793
794 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`
795 b9785000 Steve Traylen
796
Ceph is a distributed object store and file system.
797
Enable this to be a client of Ceph's Monitor (MON),
798
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
799
and Manager Daemons (MGR).
800
801
#### Parameters
802
803 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::ceph_client` class:
804 b9785000 Steve Traylen
805 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--ceph_client--ports)
806 b9785000 Steve Traylen
807 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`
808 b9785000 Steve Traylen
809 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
810 b9785000 Steve Traylen
811 09cba182 Steve Traylen
Specify ports to open
812 b9785000 Steve Traylen
813
Default value: `[3300, 6789]`
814
815 c24d3118 Tim Meusel
### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`
816 e17693e3 Steve Traylen
817
manage out chrony
818
819 7937a13b Tim Meusel
#### Parameters
820
821
The following parameters are available in the `nftables::rules::out::chrony` class:
822
823 c24d3118 Tim Meusel
* [`servers`](#-nftables--rules--out--chrony--servers)
824 7937a13b Tim Meusel
825 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`
826 7937a13b Tim Meusel
827
Data type: `Array[Stdlib::IP::Address]`
828
829
single IP-Address or array of IP-addresses from NTP servers
830
831
Default value: `[]`
832
833 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`
834 e17693e3 Steve Traylen
835
manage out dhcp
836
837 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
838 7f6cacc5 Steve Traylen
839 09cba182 Steve Traylen
Allow DHCPv6 requests out of a host
840 7f6cacc5 Steve Traylen
841 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
842 e17693e3 Steve Traylen
843
manage out dns
844
845
#### Parameters
846
847 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::dns` class:
848 e17693e3 Steve Traylen
849 c24d3118 Tim Meusel
* [`dns_server`](#-nftables--rules--out--dns--dns_server)
850 e17693e3 Steve Traylen
851 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
852 e17693e3 Steve Traylen
853 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
854 e17693e3 Steve Traylen
855 09cba182 Steve Traylen
specify dns_server name
856 e17693e3 Steve Traylen
857 c24d3118 Tim Meusel
Default value: `undef`
858 e17693e3 Steve Traylen
859 c24d3118 Tim Meusel
### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
860 a1f09048 Tim Meusel
861
allow outgoing hkp connections to gpg keyservers
862
863 c24d3118 Tim Meusel
### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
864 e17693e3 Steve Traylen
865
manage out http
866
867 c24d3118 Tim Meusel
### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
868 e17693e3 Steve Traylen
869
manage out https
870
871 c24d3118 Tim Meusel
### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
872 7f6cacc5 Steve Traylen
873 09cba182 Steve Traylen
control outbound icmp packages
874 7f6cacc5 Steve Traylen
875
#### Parameters
876
877 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::icmp` class:
878
879 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
880
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
881
* [`order`](#-nftables--rules--out--icmp--order)
882 7f6cacc5 Steve Traylen
883 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
884 7f6cacc5 Steve Traylen
885
Data type: `Optional[Array[String]]`
886
887
888
889 c24d3118 Tim Meusel
Default value: `undef`
890 7f6cacc5 Steve Traylen
891 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
892 7f6cacc5 Steve Traylen
893
Data type: `Optional[Array[String]]`
894
895
896
897 c24d3118 Tim Meusel
Default value: `undef`
898 7f6cacc5 Steve Traylen
899 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--order"></a>`order`
900 7f6cacc5 Steve Traylen
901
Data type: `String`
902
903
904
905
Default value: `'10'`
906
907 020842af Tim Meusel
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`
908
909 a8bf4ad5 Romain Tartière
allow outgoing IGMP messages
910 020842af Tim Meusel
911 c24d3118 Tim Meusel
### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`
912 19908f41 mh
913
allow outgoing imap
914
915 c24d3118 Tim Meusel
### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`
916 7f6cacc5 Steve Traylen
917
allows outbound access for kerberos
918
919 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`
920
921
manage outgoing ldap
922
923
#### Parameters
924
925
The following parameters are available in the `nftables::rules::out::ldap` class:
926
927
* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
928
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)
929
930
##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`
931
932
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
933
934
ldapserver IPs
935
936
##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`
937
938
Data type: `Array[Stdlib::Port,1]`
939
940
ldapserver ports
941
942
Default value: `[389, 636]`
943
944 6b350264 Tim Meusel
### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`
945
946
allow outgoing multicast DNS
947
948
#### Parameters
949
950
The following parameters are available in the `nftables::rules::out::mdns` class:
951
952
* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
953
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
954
955
##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`
956
957
Data type: `Boolean`
958
959
Allow mdns over IPv4
960
961
Default value: `true`
962
963
##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`
964
965
Data type: `Boolean`
966
967
Allow mdns over IPv6
968
969
Default value: `true`
970
971 e499cece Tim Meusel
### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`
972
973
allow multicast listener requests
974
975 c24d3118 Tim Meusel
### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`
976 e17693e3 Steve Traylen
977
manage out mysql
978
979 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`
980 b9785000 Steve Traylen
981
manage out nfs
982
983 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`
984 b9785000 Steve Traylen
985
manage out nfs3
986
987 c24d3118 Tim Meusel
### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`
988 7f6cacc5 Steve Traylen
989 09cba182 Steve Traylen
allows outbound access for afs clients
990 7f6cacc5 Steve Traylen
7000 - afs3-fileserver
991
7002 - afs3-ptserver
992
7003 - vlserver
993
994
* **See also**
995
  * https://wiki.openafs.org/devel/AFSServicePorts/
996
    * AFS Service Ports
997
998
#### Parameters
999
1000 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::openafs_client` class:
1001 7f6cacc5 Steve Traylen
1002 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--openafs_client--ports)
1003 7f6cacc5 Steve Traylen
1004 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`
1005 7f6cacc5 Steve Traylen
1006 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1007 7f6cacc5 Steve Traylen
1008 09cba182 Steve Traylen
port numbers to use
1009 7f6cacc5 Steve Traylen
1010
Default value: `[7000, 7002, 7003]`
1011
1012 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`
1013 e17693e3 Steve Traylen
1014
manage out ospf
1015
1016 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`
1017 e17693e3 Steve Traylen
1018
manage out ospf3
1019
1020 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`
1021 19908f41 mh
1022
allow outgoing pop3
1023
1024 c24d3118 Tim Meusel
### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`
1025 e17693e3 Steve Traylen
1026
manage out postgres
1027
1028 c24d3118 Tim Meusel
### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`
1029 e17693e3 Steve Traylen
1030
manage outgoing puppet
1031
1032
#### Parameters
1033
1034 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::puppet` class:
1035 e17693e3 Steve Traylen
1036 c24d3118 Tim Meusel
* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
1037
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)
1038 e17693e3 Steve Traylen
1039 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`
1040 e17693e3 Steve Traylen
1041 09cba182 Steve Traylen
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
1042 e17693e3 Steve Traylen
1043 09cba182 Steve Traylen
puppetserver hostname
1044 e17693e3 Steve Traylen
1045 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`
1046 e17693e3 Steve Traylen
1047 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
1048 e17693e3 Steve Traylen
1049 09cba182 Steve Traylen
puppetserver port
1050 e17693e3 Steve Traylen
1051
Default value: `8140`
1052
1053 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`
1054 194e05d5 Tim Meusel
1055
manage outgoing pxp-agent
1056
1057
* **See also**
1058
  * also
1059
    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
1060
1061
#### Parameters
1062
1063
The following parameters are available in the `nftables::rules::out::pxp_agent` class:
1064
1065 c24d3118 Tim Meusel
* [`broker`](#-nftables--rules--out--pxp_agent--broker)
1066
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)
1067 194e05d5 Tim Meusel
1068 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`
1069 194e05d5 Tim Meusel
1070
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
1071
1072
PXP broker IP(s)
1073
1074 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`
1075 194e05d5 Tim Meusel
1076
Data type: `Stdlib::Port`
1077
1078
PXP broker port
1079
1080
Default value: `8142`
1081
1082 c24d3118 Tim Meusel
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`
1083 e17693e3 Steve Traylen
1084 19908f41 mh
allow outgoing smtp
1085
1086 c24d3118 Tim Meusel
### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`
1087 19908f41 mh
1088
allow outgoing smtp client
1089 e17693e3 Steve Traylen
1090 50a5be8b Tim Meusel
### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`
1091
1092
allow outgoing SSDP
1093
1094
* **See also**
1095
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1096
1097
#### Parameters
1098
1099
The following parameters are available in the `nftables::rules::out::ssdp` class:
1100
1101
* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
1102
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)
1103
1104
##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`
1105
1106
Data type: `Boolean`
1107
1108
Allow SSDP over IPv4
1109
1110
Default value: `true`
1111
1112
##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`
1113
1114
Data type: `Boolean`
1115
1116
Allow SSDP over IPv6
1117
1118
Default value: `true`
1119
1120 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`
1121 e17693e3 Steve Traylen
1122
manage out ssh
1123
1124 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`
1125 e17693e3 Steve Traylen
1126
disable outgoing ssh
1127
1128 c24d3118 Tim Meusel
### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`
1129 e17693e3 Steve Traylen
1130
manage out tor
1131
1132 c24d3118 Tim Meusel
### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`
1133 2b1896c1 Tim Meusel
1134
allow clients to query remote whois server
1135
1136 c24d3118 Tim Meusel
### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`
1137 e17693e3 Steve Traylen
1138
manage out wireguard
1139
1140
#### Parameters
1141
1142 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::wireguard` class:
1143 e17693e3 Steve Traylen
1144 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--wireguard--ports)
1145 e17693e3 Steve Traylen
1146 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`
1147 e17693e3 Steve Traylen
1148 09cba182 Steve Traylen
Data type: `Array[Integer,1]`
1149 e17693e3 Steve Traylen
1150 09cba182 Steve Traylen
specify wireguard ports
1151 e17693e3 Steve Traylen
1152
Default value: `[51820]`
1153
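The `nftables::rules::out::*` classes above compose into an egress allow-list: declare only the outbound classes a host needs, each pinned to known server addresses, and leave `nftables::rules::out::all` undeclared. The profile below is an added example, not part of the module's own reference. It uses only parameters documented on this page; every address is a constructed documentation-range placeholder, and the profile class name is hypothetical. The resource-like declarations come before `include nftables` because Puppet accepts an `include` of a class that was already declared resource-like, but not the reverse.

```puppet
# Added example, not part of the puppet-nftables reference: an egress
# allow-list profile built from the nftables::rules::out::* classes.
# nftables::rules::out::all is deliberately not declared.
# All addresses are constructed RFC 5737 documentation-range placeholders.
class profile::firewall::egress_allowlist (
  Array[Stdlib::IP::Address, 1] $dns_servers  = ['192.0.2.53', '192.0.2.54'],
  Array[Stdlib::IP::Address, 1] $ntp_servers  = ['192.0.2.123'],
  Array[Stdlib::IP::Address, 1] $ad_servers   = ['192.0.2.10', '192.0.2.11'],
  Stdlib::IP::Address           $puppetserver = '192.0.2.140',
) {
  # Resource-like declarations first: a later `include` of the same class
  # (for instance from the main nftables class) is then a no-op, whereas a
  # resource-like declaration after an include is a duplicate declaration.

  # Resolvers. With dns_server left at undef the rule would not be
  # restricted to specific destinations.
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }

  # Time sources for chrony (the class default for servers is []).
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # Domain controllers: LDAPS and global catalog over TLS only, instead of
  # the default [389, 636, 3268, 3269], so the host never opens cleartext
  # LDAP (assuming the module's default drop policy for other traffic).
  class { 'nftables::rules::out::active_directory':
    adserver       => $ad_servers,
    adserver_ports => [636, 3269],
  }

  # Puppet agent to its server on the default port 8140.
  class { 'nftables::rules::out::puppet':
    puppetserver => $puppetserver,
  }

  # Kerberos has no server parameter in this module, so it is opened as-is.
  include nftables::rules::out::kerberos

  # Base configuration (chains, policies) last; see the ordering note above.
  include nftables
}
```

After a Puppet run, `nft list ruleset` shows each class's rule with the configured destination addresses; anything outbound that is not covered by one of the declared classes is left to the default policy.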

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

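The switches described above are all-or-nothing per aspect; the following added example (not part of the module's documentation) shows how to combine them with `nftables::rule` to get a narrower policy than `forward_traffic => true` gives: guests keep DNS, DHCP and guest-to-guest traffic, forwarding and masquerading are off, and a single forwarding exception is added by hand. Assumptions: `default_fwd` is taken to be the forward chain the module creates in `inet-filter` (check with `nft list ruleset` before relying on it); the backup network, the rsync port and the profile class name are constructed placeholders.

```puppet
# Added example, not from the module's own documentation: a libvirt host
# whose guests get DNS and DHCP from the host and may talk to each other,
# but are neither forwarded nor masqueraded to the outside, except for one
# narrow exception added with nftables::rule.
# Assumption: 'default_fwd' is the inet-filter forward chain created by the
# module. 192.0.2.0/24 and TCP 873 are constructed placeholder values.
class profile::firewall::libvirt_isolated (
  String[1]                     $bridge     = 'virbr0',
  Stdlib::IP::Address::V4::CIDR $guest_net  = '192.168.122.0/24',
  Stdlib::IP::Address::V4::CIDR $backup_net = '192.0.2.0/24',
) {
  class { 'nftables::rules::qemu':
    interface        => $bridge,
    network_v4       => $guest_net,
    dns              => true,   # guests resolve through the host
    dhcpv4           => true,   # guests lease addresses from the host
    internal_traffic => true,   # guest-to-guest traffic on the bridge
    forward_traffic  => false,  # no "out all" forwarding for the bridge
    masquerade       => false,  # no NAT: guest traffic cannot hide behind the host IP
  }

  # The single forwarding exception: guests -> backup network, TCP 873 only,
  # plus the matching return path. Without masquerade the backup network
  # must have a route back to $guest_net via this host.
  nftables::rule { 'default_fwd-guests_to_backup':
    order   => '30',
    content => "iifname ${bridge} ip saddr ${guest_net} ip daddr ${backup_net} tcp dport 873 accept",
  }
  nftables::rule { 'default_fwd-backup_to_guests':
    order   => '31',
    content => "oifname ${bridge} ip saddr ${backup_net} ip daddr ${guest_net} ct state established,related accept",
  }

  include nftables
}
```

Because `masquerade` is off, the exception forwards the guests' real addresses; if the remote side cannot route `192.168.122.0/24` back, the return rule never matches and the connection fails closed, which is the intended failure mode for an isolated guest network.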

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`



Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`



Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`



Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`



Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`



Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`



Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`



Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`



Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`



Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

1650 c24d3118 Tim Meusel
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

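The three NAT types above (`nftables::rules::dnat4`, `nftables::rules::masquerade` and `nftables::rules::snat4`) carry no parameter descriptions on this page, so the following added Python example shows the nft statements their parameters correspond to and validates the inputs first. It is an added example, not the module's own templates: the parameter-to-token mapping (`iif` as `iifname`, `oif` as `oifname`, `daddr` and `port` as the `dnat to` target, `snat` as the `snat to` address, `dport` as the matched destination port, and `meta l4proto` when a protocol is given without a port) is this example's assumption. It also shows that the page's `daddr` pattern (`[12]?\d{1,2}` per octet) accepts values such as `299.1.1.1`, so a real IPv4 parse is layered on top of it.

```python
"""Added example (not the module's templates): the nft statements that the
nftables::rules::dnat4, nftables::rules::masquerade and nftables::rules::snat4
parameters correspond to.  The parameter-to-token mapping is an assumption."""
import ipaddress
import re

# The page's Pattern for dnat4's daddr.  Each octet is only constrained to the
# shape [12]?\d{1,2}, so a value such as 299.1.1.1 satisfies the Puppet type.
DADDR_PATTERN = re.compile(
    r"^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$")


def is_valid_daddr(addr):
    """The page's pattern plus a real IPv4 parse to reject octets above 255."""
    if not DADDR_PATTERN.match(addr):
        return False
    try:
        ipaddress.IPv4Address(addr)   # AddressValueError (a ValueError) on 299.x
    except ValueError:
        return False
    return True


def strict_ipv4(addr):
    """Return addr unchanged when it is a usable IPv4 address, else raise."""
    if not is_valid_daddr(addr):
        raise ValueError(f"{addr!r} is not a usable IPv4 address")
    return addr


def _l4_match(proto, dport):
    """Transport tokens: 'tcp dport 80', or 'meta l4proto tcp' when no port."""
    if proto is None:
        return []
    if dport is None:
        return [f"meta l4proto {proto}"]
    return [f"{proto} dport {dport}"]


def dnat4(daddr, port, proto="tcp", iif=None, dport=None):
    """PREROUTING statement: rewrite the destination to daddr:port."""
    parts = [f"iifname {iif}"] if iif else []
    parts += _l4_match(proto, dport)
    parts.append(f"dnat to {strict_ipv4(daddr)}:{port}")
    return " ".join(parts)


def masquerade(oif=None, saddr=None, daddr=None, proto=None, dport=None):
    """POSTROUTING statement: source-NAT to the outgoing interface's address.
    saddr/daddr are free strings on the page (String[1]) and are passed through."""
    parts = [f"oifname {oif}"] if oif else []
    if saddr:
        parts.append(f"ip saddr {saddr}")
    if daddr:
        parts.append(f"ip daddr {daddr}")
    parts += _l4_match(proto, dport)
    parts.append("masquerade")
    return " ".join(parts)


def snat4(snat, oif=None, saddr=None, proto=None, dport=None):
    """POSTROUTING statement: source-NAT to one fixed IPv4 address.  The page
    types snat as String[1]; this example additionally requires a single IPv4."""
    parts = [f"oifname {oif}"] if oif else []
    if saddr:
        parts.append(f"ip saddr {saddr}")
    parts += _l4_match(proto, dport)
    parts.append(f"snat to {strict_ipv4(snat)}")
    return " ".join(parts)


def nft_add_rule(chain, statement, family="ip", table="nat"):
    """Full 'add rule' line; 'ip nat' is the table nftables::ip_nat manages."""
    return f"add rule {family} {table} {chain} {statement}"


if __name__ == "__main__":
    print(nft_add_rule("PREROUTING", dnat4("10.0.0.5", 80, iif="eth0", dport=8080)))
    print(nft_add_rule("POSTROUTING", masquerade(oif="eth0", saddr="10.0.0.0/24")))
    print(nft_add_rule("POSTROUTING", snat4("203.0.113.7", oif="eth0", proto="udp", dport=53)))
```

The addresses and interface names in the `__main__` block are constructed sample values. The point of `is_valid_daddr` is that a Puppet `Pattern` only checks shape: anything that must be a routable address should be parsed as one before it reaches a NAT rule.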
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

?

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

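As an added example (not the module's template), the Python below renders the nft `set` block that the `nftables::set` parameters above describe, using the page's `my_set` example as input. The keyword spellings (`type`, `flags`, `timeout`, `gc-interval`, `elements`, `size`, `policy`, `auto-merge`) are nft's own; mapping each Puppet parameter onto one of them, treating `gc_interval` as seconds like `timeout`, and rejecting `auto_merge` on a set that lacks the `interval` flag (nft only accepts auto-merge on interval sets) are this script's choices. `content` and `source` (a hand-written set body) are not covered.

```python
"""Added example (not the module's template): render the nft 'set' block that
the nftables::set parameters on this page describe.  Keyword spellings are
nft's; mapping each Puppet parameter onto one is this script's assumption."""
import ipaddress
import re

SET_NAME = re.compile(r"^[-a-zA-Z0-9_]+$")   # the page's setname Pattern
SET_TYPES = {"ipv4_addr", "ipv6_addr", "ether_addr", "inet_proto", "inet_service", "mark"}
SET_FLAGS = {"constant", "dynamic", "interval", "timeout"}
POLICIES = {"performance", "memory"}


def nft_table(puppet_table):
    """'inet-filter' -> 'inet filter': the module spells tables family-name."""
    family, name = puppet_table.split("-", 1)
    return f"{family} {name}"


def check_element(set_type, element):
    """Syntax check for address elements: plain address, prefix or 'a-b' range.
    Elements of the other set types are passed through unchecked."""
    cls = {"ipv4_addr": ipaddress.IPv4Network,
           "ipv6_addr": ipaddress.IPv6Network}.get(set_type)
    if cls is not None:
        for part in element.split("-", 1):
            cls(part, strict=False)   # raises ValueError on malformed input
    return element


def render_set(setname, set_type=None, flags=(), timeout=None, gc_interval=None,
               elements=None, size=None, policy=None, auto_merge=False):
    """Return the 'set name { ... }' block; set_type is the page's 'type'."""
    if not SET_NAME.match(setname):
        raise ValueError(f"bad set name {setname!r}")
    if set_type is not None and set_type not in SET_TYPES:
        raise ValueError(f"bad set type {set_type!r}")
    if set(flags) - SET_FLAGS:
        raise ValueError(f"unknown flags {sorted(set(flags) - SET_FLAGS)}")
    if auto_merge and "interval" not in flags:
        raise ValueError("nft only accepts auto-merge on interval sets")
    if policy is not None and policy not in POLICIES:
        raise ValueError(f"bad policy {policy!r}")
    body = []
    if set_type:
        body.append(f"type {set_type}")
    if flags:
        body.append("flags " + ",".join(flags))
    if timeout is not None:
        body.append(f"timeout {timeout}s")            # page: timeout in seconds
    if gc_interval is not None:
        body.append(f"gc-interval {gc_interval}s")    # assumed to be seconds too
    if elements:
        body.append("elements = { "
                    + ", ".join(check_element(set_type, e) for e in elements) + " }")
    if size is not None:
        body.append(f"size {size}")
    if policy:
        body.append(f"policy {policy}")
    if auto_merge:
        body.append("auto-merge")
    return "\n".join([f"set {setname} {{"] + [f"  {line}" for line in body] + ["}"])


def declare(setname, table="inet-filter", **params):
    """Wrap the set in one 'table' block per table named (a string or an
    array, as the page's table parameter allows)."""
    tables = [table] if isinstance(table, str) else list(table)
    block = render_set(setname, **params).replace("\n", "\n  ")
    return "\n".join(f"table {nft_table(t)} {{\n  {block}\n}}" for t in tables)


def valid(setname, **params):
    """True when render_set accepts the parameters."""
    try:
        render_set(setname, **params)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The page's 'simple set' example, declared in the default inet-filter table.
    print(declare("my_set", set_type="ipv4_addr", flags=["interval"],
                  elements=["192.168.0.1/24", "10.0.0.2"], auto_merge=True))
```

Validating elements before rendering matters because a set of the wrong shape is rejected by nft at load time, which with a firewall module means a failed run rather than a silently weaker policy; catching it in Puppet or in a pre-commit check keeps the ruleset deployable.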
### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

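As an added example (not the module's code), the Python below composes the raw nft rule that the `nftables::simplerule` parameters above resolve to, using the page's `my_service_in` example as input. Token order, deriving the chain-qualified `Nftables::RuleName` from `chain` and `rulename`, and expressing `tcp4`/`tcp6`/`udp4`/`udp6` through `meta nfproto` are this script's assumptions; the family prefix for a `@set` comes from `set_type` as the page describes, while for a literal address or CIDR it is inferred from the address itself.

```python
"""Added example (not the module's code): compose the raw nft rule that the
nftables::simplerule parameters on this page resolve to.  Token order and the
meta nfproto handling of tcp4/tcp6/udp4/udp6 are this script's assumptions."""
import ipaddress
import re

SIMPLE_RULE_NAME = re.compile(r"^[a-zA-Z0-9_]+(-\d+)?$")  # Nftables::SimpleRuleName
SET_REF = re.compile(r"^@[-a-zA-Z0-9_]+$")                # Nftables::Addr::Set
PORT_RANGE = re.compile(r"^\d+-\d+$")                     # Nftables::Port::Range
ACTIONS = {"accept", "continue", "drop", "queue", "return"}
PROTOS = {"tcp", "tcp4", "tcp6", "udp", "udp4", "udp6"}


def is_simple_rule_name(name):
    """True when name satisfies the Nftables::SimpleRuleName pattern."""
    return SIMPLE_RULE_NAME.match(name) is not None


def port_expr(port):
    """Nftables::Port: one port, a list of ports, or a 'lo-hi' range string."""
    if isinstance(port, bool) or port is None:
        raise ValueError(port)
    if isinstance(port, int):
        if not 0 <= port <= 65535:
            raise ValueError(port)
        return str(port)
    if isinstance(port, str):
        if not PORT_RANGE.match(port):
            raise ValueError(port)
        lo, hi = (int(p) for p in port.split("-"))
        if not lo <= hi <= 65535:
            raise ValueError(port)
        return port
    return "{ " + ", ".join(port_expr(p) for p in port) + " }"


def addr_expr(addr, direction, set_type):
    """Nftables::Addr: a literal v4/v6 address or CIDR (family inferred from
    the address) or an '@set' reference (family taken from set_type, as the
    page's set_type parameter describes)."""
    if SET_REF.match(addr):
        family = set_type
    else:
        family = "ip" if ipaddress.ip_network(addr, strict=False).version == 4 else "ip6"
    return f"{family} {direction} {addr}"


def simplerule(rulename, action="accept", comment=None, dport=None, proto=None,
               daddr=None, set_type="ip6", sport=None, saddr=None,
               counter=False, chain="default_in"):
    """Return (Nftables::RuleName, rule content) for one simplerule resource."""
    if not is_simple_rule_name(rulename):
        raise ValueError(f"{rulename!r} is not an Nftables::SimpleRuleName")
    if action not in ACTIONS or set_type not in ("ip", "ip6"):
        raise ValueError("bad action or set_type")
    if proto is not None and proto not in PROTOS:
        raise ValueError(f"bad proto {proto!r}")
    if (sport is not None or dport is not None) and proto is None:
        raise ValueError("sport/dport need a transport protocol")
    if comment is not None and ('"' in comment or "\n" in comment):
        raise ValueError("comment must not contain quotes or newlines")
    parts = []
    if proto in ("tcp4", "udp4"):
        parts.append("meta nfproto ipv4")   # assumption: the 4/6 suffix pins the family
    elif proto in ("tcp6", "udp6"):
        parts.append("meta nfproto ipv6")
    l4 = proto[:3] if proto else None
    if saddr is not None:
        parts.append(addr_expr(saddr, "saddr", set_type))
    if daddr is not None:
        parts.append(addr_expr(daddr, "daddr", set_type))
    if sport is not None:
        parts.append(f"{l4} sport {port_expr(sport)}")
    if dport is not None:
        parts.append(f"{l4} dport {port_expr(dport)}")
    if counter:
        parts.append("counter")
    parts.append(action)
    if comment:
        parts.append(f'comment "{comment}"')
    # The simplified name is filed under chain-rulename, a valid Nftables::RuleName.
    return f"{chain}-{rulename}", " ".join(parts)


if __name__ == "__main__":
    print(simplerule("my_service_in", action="accept", comment="allow traffic to port 543",
                     counter=True, proto="tcp", dport=543, daddr="2001:1458::/32", sport=541))
```

The quote check on `comment` is the one input that is neither a port nor an address: it is spliced into an nft string literal, so a stray `"` would end the literal early and the rest of the rule would fail to parse.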
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
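
As an added example (not the module's code), the Python below ties the `Nftables::RuleName` and `order` patterns back to the `nftables::rule` examples earlier on this page: it decomposes a title such as `default_out-my_service-2` into chain, name and number, maps the module's `family-name` table spelling (`ip6-nat`) onto nft's `ip6 nat`, and emits a ruleset text that `nft -c -f -` can check before Puppet applies it, since the `content` parameter is free text that the Puppet type does not parse. The ruleset layout and the sort by `order` then name are this script's approximation, not the module's concat ordering; `nft_check` only runs when an `nft` binary is installed.

```python
"""Added example (not the module's code): validate the pieces nftables::rule
takes (an Nftables::RuleName title, a two-digit order, a family-name table)
and turn them into a ruleset text that 'nft -c -f -' can check.  The ruleset
layout and the sort order are this script's assumptions."""
import re
import shutil
import subprocess
from typing import NamedTuple, Optional

RULE_NAME = re.compile(r"^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$")  # Nftables::RuleName
ORDER = re.compile(r"^\d\d$")                                     # the order parameter
FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}        # nft address families


class RuleName(NamedTuple):
    chain: str
    name: str
    number: Optional[int]


def is_rule_name(title):
    """True when title satisfies the Nftables::RuleName pattern."""
    return RULE_NAME.match(title) is not None


def parse_rule_name(title):
    """Split 'default_out-my_service-2' into chain, rule name and optional number.
    Note the pattern leaves no room for a dash inside the rule name itself."""
    if not is_rule_name(title):
        raise ValueError(f"{title!r} is not an Nftables::RuleName")
    chain, name, *rest = title.split("-")
    return RuleName(chain, name, int(rest[0]) if rest else None)


def nft_table(puppet_table):
    """'ip6-nat' -> ('ip6', 'nat'): the module spells tables family-name."""
    family, name = puppet_table.split("-", 1)
    if family not in FAMILIES:
        raise ValueError(f"unknown nft family {family!r}")
    return family, name


def rule(title, content, table="inet-filter", order="50"):
    """One nftables::rule resource as (sort key, raw nft statement)."""
    if not ORDER.match(order):
        raise ValueError(f"order must be two digits, got {order!r}")
    rn = parse_rule_name(title)
    family, tname = nft_table(table)
    key = (family, tname, rn.chain, order, rn.name, rn.number or 0)
    return key, content


def ruleset(rules):
    """Emit 'table family name { chain c { ... } }' text with the rules sorted
    by order, then name (an approximation of the module's concat ordering)."""
    groups = {}
    for key, content in sorted(rules):
        family, tname, chain = key[:3]
        groups.setdefault((family, tname), {}).setdefault(chain, []).append(content)
    out = []
    for (family, tname), chains in groups.items():
        out.append(f"table {family} {tname} {{")
        for chain, contents in chains.items():
            out.append(f"  chain {chain} {{")
            out.extend(f"    {c}" for c in contents)
            out.append("  }")
        out.append("}")
    return "\n".join(out) + "\n"


def nft_check(text):
    """Dry-run the text through 'nft -c -f -'; None when nft is not installed.
    The Puppet type does not parse 'content', so this is where a typo in a raw
    statement is caught before the ruleset reaches a host."""
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(["nft", "-c", "-f", "-"], input=text,
                          text=True, capture_output=True)
    return proc.returncode == 0, proc.stderr.strip()


if __name__ == "__main__":
    # The two nftables::rule examples from this page, rendered as one ruleset.
    text = ruleset([
        rule("default_in-myhttp", "tcp dport 80 accept"),
        rule("PREROUTING6-count", "counter", table="ip6-nat"),
    ])
    print(text)
    print("nft -c:", nft_check(text))
```

Because the chains are emitted without a hook, the generated text only exercises nft's parser and type checker; that is enough to reject a malformed `content` string before it is handed to Puppet, which is the check a reviewer of raw rules wants.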