root / REFERENCE.md @ 51850192

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters (`out_ntp`, `out_dns`, ...) will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT.

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD.

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule` resources via Hiera.

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary.

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary.

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

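The parameters above combine into a restrictive baseline that keeps outbound traffic scoped to named services, replaces the global `in_ssh` opening with a source-restricted rule, drops silently rather than answering with ICMP unreachable, and rate-limits the logging of discarded packets. The following manifest is an added example, not part of the module's REFERENCE.md: the top-level parameters are the ones documented on this page, while the inner keys of `sets` and `rules` (`type`, `flags`, `elements`, `content`, `order`) are assumed to be the parameters of `nftables::set` and `nftables::rule`, whose sections are not included in this excerpt. `profile::firewall` and the `192.0.2.0/24` network are constructed names.

```puppet
# Added example (not from the module's REFERENCE.md).
# Assumption: `sets` and `rules` hashes are turned into nftables::set and
# nftables::rule resources, and `content` is a raw nft rule body.
class profile::firewall (
  # Constructed sample value: networks allowed to reach sshd.
  Array[Stdlib::IP::Address::V4::CIDR] $admin_networks = ['192.0.2.0/24'],
) {
  class { 'nftables':
    # Outbound stays limited to the named services; never "allow all out".
    out_all        => false,
    out_dns        => true,
    out_ntp        => true,
    out_https      => true,
    out_http       => false,
    # Do not open ssh to the world; the source-restricted rule below replaces it.
    in_ssh         => false,
    in_icmp        => true,
    # `false` leaves unmatched packets to the chain policy (drop) instead of
    # sending 'icmpx type port-unreachable' back to the sender.
    reject_with    => false,
    # Log what the chain policy discards, tagged with the chain name, and keep
    # the log rule rate-limited so a flood cannot fill the journal.
    log_discarded  => true,
    log_prefix     => '[nftables] %<chain>s %<comment>s',
    log_limit      => '3/minute burst 5 packets',
    # Preserve the fail2ban table across ruleset reloads.
    noflush_tables => ['inet-f2b-table'],
    # Named set sourced from Puppet data (assumed nftables::set parameters).
    sets           => {
      'admin_nets' => {
        'type'     => 'ipv4_addr',
        'flags'    => ['interval'],
        'elements' => $admin_networks,
      },
    },
    # Rule name follows Nftables::RuleName: '<chain>-<name>', chain default_in.
    # Assumed nftables::rule parameters: content (nft rule body), order.
    rules          => {
      'default_in-sshd_admin' => {
        'content' => 'ip saddr @admin_nets tcp dport 22 accept',
        'order'   => '20',
      },
    },
  }
}
```

The set is referenced from the rule as `@admin_nets`, so changing `$admin_networks` in Hiera updates the allowed sources without touching the rule text; `log_limit => false` would remove the rate limit, which is rarely what a defender wants on an internet-facing host.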
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for the Ceph monitor service.

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class, `docker::iptables: false` should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

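The docker_ce section states the one precondition that matters: Docker's own iptables integration must be switched off, otherwise the daemon inserts its rules into the `ip filter` table where they collide with this module's `inet filter` forward chain, and two independent rule sources end up fighting over forwarding. The following manifest is an added example, not from the module's REFERENCE.md; it assumes the `docker` class and its `iptables`/`bip` parameters from the puppetlabs/docker module, which this page does not document, and `profile::docker_host` and `10.200.0.0/16` are constructed names.

```puppet
# Added example (not from the module's REFERENCE.md). Assumption: the `docker`
# class here is puppetlabs/docker, whose `iptables` parameter controls whether
# dockerd manages firewall rules itself.
class profile::docker_host {
  class { 'nftables':
    # Container traffic is forwarded, so the FORWARD chain must accept
    # established/related flows for replies to reach the containers.
    fwd_conntrack => true,
  }

  # Reproduce Docker CE's default rules under nftables' control, for a
  # non-default bridge prefix (constructed value; must match the daemon's bip).
  class { 'nftables::rules::docker_ce':
    docker_prefix => '10.200.0.0/16',
  }

  # dockerd must not add its own iptables rules, otherwise they conflict with
  # the inet-filter forward rules this module installs.
  class { 'docker':
    iptables => false,
    bip      => '10.200.0.1/16',
  }
}
```

Ordering between the two classes is not required for correctness, but keeping `docker_prefix` and the daemon's `bip` in one profile makes it impossible to change one without the other, which is the usual way a container network silently ends up unfiltered.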
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

720 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
721
722
allow incoming IGMP messages
723
724 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
725
726
manage in ldap
727
728
#### Parameters
729
730
The following parameters are available in the `nftables::rules::ldap` class:
731
732
* [`ports`](#-nftables--rules--ldap--ports)
733
734
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
735
736
Data type: `Array[Integer,1]`
737
738
ldap server ports
739
740
Default value: `[389, 636]`
741
742 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
743
744
allow incoming Link-Local Multicast Name Resolution
745
746
* **See also**
747
  * https://datatracker.ietf.org/doc/html/rfc4795
748
749
#### Parameters
750
751
The following parameters are available in the `nftables::rules::llmnr` class:
752
753
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
754
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
755
756
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
757
758
Data type: `Boolean`
759
760
Allow LLMNR over IPv4
761
762
Default value: `true`
763
764
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
765
766
Data type: `Boolean`
767
768
Allow LLMNR over IPv6
769
770
Default value: `true`
771
772 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
773
774
allow incoming multicast DNS
775
776 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
777
778
The following parameters are available in the `nftables::rules::mdns` class:
779
780
* [`ipv4`](#-nftables--rules--mdns--ipv4)
781
* [`ipv6`](#-nftables--rules--mdns--ipv6)
782
783
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
784
785
Data type: `Boolean`
786
787
Allow mdns over IPv4
788
789
Default value: `true`
790
791
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
792
793
Data type: `Boolean`
794
795
Allow mdns over IPv6
796
797
Default value: `true`
798
799 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
800
801
allow incoming multicast traffic
802
803 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
804 b9785000 Steve Traylen
805
manage in nfs4
806
807 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`
808 b9785000 Steve Traylen
809
manage in nfs3
810
811 c24d3118 Tim Meusel
### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
812 7f6cacc5 Steve Traylen
813
manage in node exporter
814
815
#### Parameters
816
817 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::node_exporter` class:
818 7f6cacc5 Steve Traylen
819 c24d3118 Tim Meusel
* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
820
* [`port`](#-nftables--rules--node_exporter--port)
821 7f6cacc5 Steve Traylen
822 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
823 7f6cacc5 Steve Traylen
824 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
825 7f6cacc5 Steve Traylen
826 09cba182 Steve Traylen
Specify server name
827 7f6cacc5 Steve Traylen
828 c24d3118 Tim Meusel
Default value: `undef`
829 7f6cacc5 Steve Traylen
830 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--port"></a>`port`
831 7f6cacc5 Steve Traylen
832 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
833 7f6cacc5 Steve Traylen
834 09cba182 Steve Traylen
Specify port to open
835 7f6cacc5 Steve Traylen
836
Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

allow inbound OSPF over IPv4

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

allow inbound OSPFv3 over IPv6

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

allow outbound Active Directory connections

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the Active Directory domain controller(s)

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

ports to open towards the domain controllers (LDAP, LDAPS, global catalog and global catalog over TLS by default)

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound traffic (no egress filtering)

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open (the Ceph Monitor v2 and v1 ports by default)

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

allow outbound NTP for chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the NTP servers to allow; an empty array allows NTP to any destination

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

allow outbound DHCP (IPv4 client requests)

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

allow outbound DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

IP addresses of the DNS servers to allow; an empty array allows DNS to any destination

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing HKP connections to GPG keyservers (TCP port 11371)

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

allow outbound HTTP (TCP port 80)

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

allow outbound HTTPS (TCP port 443)

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMPv4 types that should be allowed outbound. When unset, all ICMPv4 is accepted.

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMPv6 types that should be allowed outbound. When unset, all ICMPv6 is accepted; if you restrict the list, keep the neighbour discovery types.

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

two-digit ordering of the rules within the output chain

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing IMAP

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allow outbound access to Kerberos KDCs

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

allow outbound LDAP

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the LDAP server(s)

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

LDAP server ports to open (plain LDAP and LDAPS by default)

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mDNS over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mDNS over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

names of the outgoing interfaces the rules are limited to; an empty array means any interface

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow outgoing MLDv2 (IPv6 multicast listener) messages

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

allow outbound MySQL (TCP port 3306)

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

allow outbound NFSv4

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

allow outbound NFSv3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for AFS clients:

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to open

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

allow outbound OSPF over IPv4

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

allow outbound OSPFv3 over IPv6

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing POP3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

allow outbound PostgreSQL (TCP port 5432)

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

allow outbound connections to the puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the puppetserver(s); the rules match on destination address, so host names are not accepted here

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`
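
An added example (not part of the generated reference or the module's own code) showing how the server parameters of the classes above turn generic "open the port" rules into peer-scoped ones: the node exporter is reachable only from the scraping Prometheus hosts, and DNS, NTP and Puppet egress is pinned to known servers. The profile name and every address (taken from the RFC 5737 documentation ranges) are constructed, and the `nftables` main class is assumed to keep its default `out_all => false` so that egress not allowed explicitly stays blocked.

```puppet
# Added example, not module code: peer-scoped firewall profile for a node
# that is scraped by Prometheus and managed by Puppet.
class profile::firewall::monitored_node (
  # Constructed addresses from the RFC 5737 documentation ranges.
  Array[String, 1]              $prometheus_servers = ['192.0.2.10', '192.0.2.11'],
  Array[Stdlib::IP::Address, 1] $dns_servers        = ['192.0.2.53', '192.0.2.54'],
  Array[Stdlib::IP::Address, 1] $ntp_servers        = ['192.0.2.123'],
  Stdlib::IP::Address           $puppetserver       = '192.0.2.140',
  Stdlib::Port                  $exporter_port      = 9100,
) {
  # These resource-like declarations must come before `include nftables`
  # below: the main class includes out::dns and out::chrony itself with
  # their unrestricted defaults (empty server lists), and a resource-like
  # declaration after a class was already included is a duplicate-
  # declaration error.
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,      # [] would allow DNS to any host
  }
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,         # [] would allow NTP to any host
  }
  class { 'nftables::rules::out::puppet':
    puppetserver => $puppetserver,   # puppetserver_port defaults to 8140
  }

  # Inbound: only the listed Prometheus hosts may reach the exporter.
  # Leaving prometheus_server unset opens the port to every source.
  class { 'nftables::rules::node_exporter':
    prometheus_server => $prometheus_servers,
    port              => $exporter_port,
  }

  # Main class with its defaults (assumed from the main class documented
  # earlier on this page): out_all stays false, so egress is limited to the
  # rules declared above plus the module's own default rules.
  include nftables
}
```

In practice the same values are usually supplied through Hiera with automatic parameter lookup (`nftables::rules::out::dns::dns_server`, `nftables::rules::node_exporter::prometheus_server`, and so on), which also removes the declaration-ordering constraint noted in the comments.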

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

allow outbound pxp-agent connections to the PXP broker

* **See also**
  * [`nftables::rules::out::puppet`](#nftables--rules--out--puppet)
    * the PXP agent also connects to a Puppetserver, so that class is normally needed as well

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP address(es)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing SMTP

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing SMTP as a mail client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

allow outbound SSH (TCP port 22)

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

remove the outbound SSH rule again

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

allow outbound Tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois servers (TCP port 43)

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

allow outbound WireGuard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

WireGuard UDP ports to allow outbound

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only, so these rules have to be
provided by this module.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

allow inbound Puppet agent connections to a puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

ports the puppetserver listens on

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

allow inbound pxp-agent connections to a PXP broker

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

PXP broker ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch individual
aspects on and off: if you do not serve DHCP to your guests you can
disable the rules that accept DHCP traffic on the host, and if you do
not want your guests to talk to hosts outside the virtual network you
can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`
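
The class defaults reproduce libvirt's usual NAT setup, in which guests reach the outside world and each other. As an added example (not part of the reference or the module's own code), the profile below flips the three connectivity switches to build an isolated lab network whose guests still get an address and name resolution from the host but cannot reach anything else; the profile name is constructed, the bridge and prefix are libvirt's defaults.

```puppet
# Added example, not module code: libvirt host whose guests on the bridge
# get DHCP and DNS from the host but are cut off from external networks
# and from each other (e.g. a lab for running untrusted images).
class profile::firewall::isolated_lab_host (
  String[1]                     $bridge    = 'virbr0',
  Stdlib::IP::Address::V4::CIDR $guest_net = '192.168.122.0/24',
) {
  class { 'nftables::rules::qemu':
    interface        => $bridge,
    network_v4       => $guest_net,
    dns              => true,    # guests may resolve names via the host
    dhcpv4           => true,    # guests get their address from the host
    forward_traffic  => false,   # nothing is forwarded out of the virtual network
    masquerade       => false,   # and nothing is NATed for it either
    internal_traffic => false,   # guests cannot talk to each other
  }
  include nftables
}
```

Setting `forward_traffic => false` while leaving `masquerade => true` would still NAT nothing useful, because forwarding is denied first; disable both together so the resulting ruleset says what you mean.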

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite that provides Windows (SMB/CIFS) file sharing on Linux hosts.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

also open the ports used by CTDB for clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

whether the Samba traffic should be accepted or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

allow inbound SMTP (TCP port 25)

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

allow inbound SMTP submission (TCP port 587)

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

allow inbound SMTPS (TCP port 465)

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming Spotify traffic

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

allow inbound SSH

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

TCP ports the SSH daemon listens on

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

allow inbound Tor relay connections

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

TCP ports for Tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

allow inbound WireGuard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

WireGuard UDP ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming Web Services Dynamic Discovery (WS-Discovery)

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow WS-Discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow WS-Discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for a DHCPv6 client

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

table the chain belongs to, written as `<family>-<name>`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

name of the chain

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

when set, a `jump` to this chain is added to an existing chain of the same table; the value is `<order>-<chain>`, for example `20-default_in` adds the jump to `default_in` at order 20. When unset, no jump rule is generated and the chain is only reached through rules you add yourself.

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

restrict the injected jump to packets arriving on this interface (`iifname`)

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

restrict the injected jump to packets leaving through this interface (`oifname`)

Default value: `undef`
1596 e17693e3 Steve Traylen
1597 c24d3118 Tim Meusel
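The reference gives no description for the `inject*` parameters, only their types. The following is an added example (not part of the generated reference or the module's own documentation) showing how a dedicated chain is declared and hooked into `default_in`. It reads the `inject` value as `<order>-<target chain>`, which is what the `/^\d\d-[a-zA-Z0-9_]+$/` pattern above allows, and assumes that the module then places a jump to the new chain in the target chain at that order, limited to the interface given in `inject_iif`; the chain name `mgmt_in` and interface `eth1` are constructed for the example.

```puppet
# Added example, not part of the generated reference.
# Create a regular chain in table inet filter and hook it into
# 'default_in' at order 20; 'inject' must match /^\d\d-[a-zA-Z0-9_]+$/.
# Assumption: the module emits a rule of the form
# "iifname eth1 jump mgmt_in" in default_in at that position.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'eth1',
}

# Rules for the new chain follow the '<chain>-<name>' rule-name scheme
# described under nftables::rule (Nftables::RuleName).
nftables::rule { 'mgmt_in-ssh':
  content => 'tcp dport 22 accept',
  order   => '10',
}

# A jump returns to the calling chain when no verdict is reached, so an
# explicit final verdict keeps the policy of this chain self-contained
# and the counter makes unexpected drops visible in `nft list ruleset`.
nftables::rule { 'mgmt_in-drop':
  content => 'counter drop',
  order   => '99',
}
```

Because `inject_iif` restricts the jump to one interface, traffic arriving on any other interface never enters `mgmt_in` and is evaluated by the rest of `default_in` as before.
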
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in the filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule { 'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

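The `dnat4` parameters above carry types but no descriptions. As an added example (not from the module's reference), here is a port forward written against those types. It assumes, since the page does not say so, that `daddr` and `port` are the destination the packet is rewritten to, that `dport` is the port matched before translation, that `iif` limits the match to one incoming interface, and that `chain` (default `default_fwd`) is the filter chain that receives the matching accept rule while the translation itself lands in the `ip nat` table; the addresses and interface name are constructed for the example.

```puppet
# Added example, not part of the generated reference.
# Forward TCP port 8080 arriving on eth0 to an internal web server.
# Assumed parameter meanings (the reference gives none):
#   daddr/port = rewritten destination address and port
#   dport      = destination port matched on the way in
#   iif        = incoming interface the match is restricted to
#   chain      = forward chain that gets the matching accept rule
nftables::rules::dnat4 { 'web_dnat':
  daddr => '192.0.2.10',   # RFC 5737 documentation address (constructed)
  port  => 80,
  dport => 8080,
  proto => 'tcp',
  iif   => 'eth0',         # constructed external interface name
  order => '40',
}
```

Pinning `iif` to the external interface is the part worth keeping: without it the translation also applies to connections that originate on the internal side of the host, and `daddr` is validated only as a dotted quad, so a typo there silently forwards traffic to the wrong host rather than failing at compile time.
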
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

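`nftables::rules::masquerade` and `nftables::rules::snat4` (both above) share the same match parameters and the same `POSTROUTING` chain, so one added example (not from the module's reference) covers both: a generic masquerade for a LAN and a fixed-address SNAT for a single host that must take precedence. The page does not describe the parameters, so the example assumes that `oif` restricts the rule to an outgoing interface, that `saddr`/`daddr` match the pre-translation source and destination, that `proto` and `dport` narrow the match, and that `snat` is the address written into the source field; the network, addresses and interface name are constructed.

```puppet
# Added example, not part of the generated reference.
# Constructed addressing: 10.0.0.0/24 is the internal LAN,
# 198.51.100.7 (RFC 5737) is an extra public address of this host,
# eth0 is the upstream interface.

# Generic rule: everything from the LAN leaving via eth0 takes the
# address of eth0 (masquerade follows the interface address).
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
  order => '70',
}

# One host keeps a fixed public source for outbound SMTP so that its
# reverse DNS and SPF records stay accurate. Both rules sit in
# POSTROUTING of table ip nat; nft applies the first NAT rule that
# matches, so the lower order value places this rule ahead of the
# masquerade rule and makes it win for that traffic.
nftables::rules::snat4 { 'mail_out':
  snat  => '198.51.100.7',
  oif   => 'eth0',
  saddr => '10.0.0.25',
  proto => 'tcp',
  dport => 25,
  order => '60',
}
```

Ordering is the point to check after a change: both types default to order `'70'`, so two rules left at the default are ordered by name rather than by intent, and a more specific SNAT that sorts after the masquerade never matches.
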
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`

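The `nftables::set` and `nftables::simplerule` sections above both touch the same pattern: a named set referenced from a rule through `saddr`/`daddr`, with `set_type` telling the rule which address family the set holds. This added example (not part of the generated reference) combines the two. The set name, the rule name, the chain and the element addresses are constructed for the example; the parameter values follow the types documented above.

```puppet
# Added example, not part of the generated reference.
# Named set of administrative hosts. 'interval' allows prefixes as
# elements and auto_merge collapses overlapping ranges; the addresses
# are constructed RFC 5737 documentation ranges.
nftables::set { 'admin_hosts':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/28', '203.0.113.5'],
  auto_merge => true,
  table      => 'inet-filter',
}

# Accept SSH only from members of the set. saddr takes a set reference
# (Nftables::Addr::Set, i.e. '@name'). set_type must be 'ip' here
# because the set holds ipv4_addr elements; the default 'ip6' is for
# ipv6_addr sets and would not match an IPv4 set.
nftables::simplerule { 'ssh_from_admins':
  action   => 'accept',
  comment  => 'ssh from administrative hosts',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@admin_hosts',
  set_type => 'ip',
  chain    => 'default_in',
  table    => 'inet-filter',
}
```

Both resources target the same table (`inet-filter`), which matters: a set exists only within the table it was declared in, so a rule in another table cannot reference it. Changing who may reach SSH then becomes an edit to `elements` rather than to a rule, and the counter shows whether the entry is actually being hit.
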
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`