# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing Active Directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients: 7000 - afs3-fileserver, 7002 - afs3-ptserver, 7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow inbound and outbound traffic for a DHCPv6 client
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash-separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop); otherwise the packet will be rejected with the `reject with`
expression given by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets (see
`in_out_drop_invalid`).

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets (see
`fwd_drop_invalid`).

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via Hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

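The parameters above compose into a host profile. The following is an added example, not taken from the module's own documentation, that ties several of them together the way a practitioner would: egress stays on an explicit allowlist (`out_all => true` would make every other `out_*` flag irrelevant), inbound SSH is limited to a named set of admin networks instead of being opened to every source by `in_ssh`, discarded-packet logging gets a prefix that a log pipeline can parse, and a fail2ban table is kept out of the `flush ruleset`. It also shows the `Nftables::RuleName` convention (`<chain>-<name>[-<number>]`, as in the data type description above) for the keys of the `rules` hash. Assumptions not documented in this excerpt: the `nftables::set` parameters `type`, `flags` and `elements` and the `nftables::rule` parameter `content` used below; the profile name, the set name `admin_nets` and the address ranges are illustrative.

```puppet
# Added example, not part of the module's documentation. It composes the
# parameters of the nftables class documented above into one host profile.
#
# Assumed (not documented in this excerpt): the nftables::set parameters
# type/flags/elements and the nftables::rule parameter content. The set name
# admin_nets and the address ranges are illustrative values.
class profile::firewall::hardened_host {
  class { 'nftables':
    # Egress: out_all => true makes every other out_* flag meaningless, so
    # keep it false and enable only what this host actually needs.
    out_all        => false,
    out_dns        => true,
    out_ntp        => true,
    out_https      => true,
    out_http       => false,   # no cleartext HTTP egress
    out_icmp       => true,

    # Ingress: in_ssh => true opens 22/tcp to every source. Disable it and
    # add a rule scoped to the admin set instead (see `rules` below).
    in_ssh         => false,
    in_icmp        => true,

    # Discarded packets are logged with a key=value style prefix that is
    # easy to parse; %<chain>s and %<comment>s are substituted by the module.
    log_discarded  => true,
    log_prefix     => 'nft-drop chain=%<chain>s %<comment>s ',
    log_limit      => '3/minute burst 5 packets',

    # fail2ban manages its own table; keep it out of the `flush ruleset`.
    noflush_tables => ['inet-f2b-table'],

    # Named set of admin networks; the interval flag is what allows CIDR
    # elements in an ipv4_addr set.
    sets           => {
      'admin_nets' => {
        type     => 'ipv4_addr',
        flags    => ['interval'],
        elements => ['10.20.0.0/16', '192.0.2.0/24'],
      },
    },

    # Keys follow Nftables::RuleName: <chain>-<name>[-<number>]. default_in
    # is the chain the data type's own example ('default_in-sshd') refers to.
    rules          => {
      'default_in-ssh_admin' => {
        content => 'ip saddr @admin_nets tcp dport 22 accept',
      },
    },
  }

  # With an egress allowlist, do not cut the host off from its own
  # management plane: the module ships a class for outgoing Puppet traffic.
  include nftables::rules::out::puppet
}
```

Anything not matched by an explicit rule ends up in the discard path governed by `log_discarded`, `log_limit` and `reject_with`, so after applying such a profile the rate-limited `nft-drop` log lines are the first place to look when a legitimate flow is missing from the allowlist.
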
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the bridge forwarding rule is present.

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Regular expression matched against interface names to select the bridges on which forwarding is allowed.

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class, `docker::iptables: false` should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMPv4 types to accept inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMPv6 types to accept inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Order of the generated ICMP rules within the chain.

Default value: `'10'`

720 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
721
722
allow incoming IGMP messages
723
724 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
725
726
manage in ldap
727
728
#### Parameters
729
730
The following parameters are available in the `nftables::rules::ldap` class:
731
732
* [`ports`](#-nftables--rules--ldap--ports)
733
734
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
735
736
Data type: `Array[Integer,1]`
737
738
ldap server ports
739
740
Default value: `[389, 636]`
741
742 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
743
744
allow incoming Link-Local Multicast Name Resolution
745
746
* **See also**
747
  * https://datatracker.ietf.org/doc/html/rfc4795
748
749
#### Parameters
750
751
The following parameters are available in the `nftables::rules::llmnr` class:
752
753
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
754
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
755
756
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
757
758
Data type: `Boolean`
759
760
Allow LLMNR over IPv4
761
762
Default value: `true`
763
764
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
765
766
Data type: `Boolean`
767
768
Allow LLMNR over IPv6
769
770
Default value: `true`
771
772 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
773
774
allow incoming multicast DNS
775
776 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
777
778
The following parameters are available in the `nftables::rules::mdns` class:
779
780
* [`ipv4`](#-nftables--rules--mdns--ipv4)
781
* [`ipv6`](#-nftables--rules--mdns--ipv6)
782
783
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
784
785
Data type: `Boolean`
786
787
Allow mdns over IPv4
788
789
Default value: `true`
790
791
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
792
793
Data type: `Boolean`
794
795
Allow mdns over IPv6
796
797
Default value: `true`
798
799 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
800
801
allow incoming multicast traffic
802
803 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
804 b9785000 Steve Traylen
805
manage in nfs4
806
807 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`
808 b9785000 Steve Traylen
809
manage in nfs3
810
811 c24d3118 Tim Meusel
### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
812 7f6cacc5 Steve Traylen
813
manage in node exporter
814
815
#### Parameters
816
817 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::node_exporter` class:
818 7f6cacc5 Steve Traylen
819 c24d3118 Tim Meusel
* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
820
* [`port`](#-nftables--rules--node_exporter--port)
821 7f6cacc5 Steve Traylen
822 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
823 7f6cacc5 Steve Traylen
824 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
825 7f6cacc5 Steve Traylen
826 09cba182 Steve Traylen
Specify server name
827 7f6cacc5 Steve Traylen
828 c24d3118 Tim Meusel
Default value: `undef`
829 7f6cacc5 Steve Traylen
830 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--port"></a>`port`
831 7f6cacc5 Steve Traylen
832 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
833 7f6cacc5 Steve Traylen
834 09cba182 Steve Traylen
Specify port to open
835 7f6cacc5 Steve Traylen
836
Default value: `9100`
837
838 c24d3118 Tim Meusel
### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`
839 e17693e3 Steve Traylen
840
manage in ospf
841
842 c24d3118 Tim Meusel
### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`
843 e17693e3 Steve Traylen
844
manage in ospf3
845
846 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`
847
848
manage outgoing active diectory
849
850
#### Parameters
851
852
The following parameters are available in the `nftables::rules::out::active_directory` class:
853
854
* [`adserver`](#-nftables--rules--out--active_directory--adserver)
855
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)
856
857
##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`
858
859
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
860
861
adserver IPs
862
863
##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`
864
865
Data type: `Array[Stdlib::Port,1]`
866
867
adserver ports
868
869
Default value: `[389, 636, 3268, 3269]`
870
871 c24d3118 Tim Meusel
### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`
872 e17693e3 Steve Traylen
873
allow all outbound
874
875 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`
876 b9785000 Steve Traylen
877
Ceph is a distributed object store and file system.
878
Enable this to be a client of Ceph's Monitor (MON),
879
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
880
and Manager Daemons (MGR).
881
882
#### Parameters
883
884 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::ceph_client` class:
885 b9785000 Steve Traylen
886 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--ceph_client--ports)
887 b9785000 Steve Traylen
888 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`
889 b9785000 Steve Traylen
890 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
891 b9785000 Steve Traylen
892 09cba182 Steve Traylen
Specify ports to open
893 b9785000 Steve Traylen
894
Default value: `[3300, 6789]`
895
896 c24d3118 Tim Meusel
### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`
897 e17693e3 Steve Traylen
898
manage out chrony
899
900 7937a13b Tim Meusel
#### Parameters
901
902
The following parameters are available in the `nftables::rules::out::chrony` class:
903
904 c24d3118 Tim Meusel
* [`servers`](#-nftables--rules--out--chrony--servers)
905 7937a13b Tim Meusel
906 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`
907 7937a13b Tim Meusel
908
Data type: `Array[Stdlib::IP::Address]`
909
910
single IP-Address or array of IP-addresses from NTP servers
911
912
Default value: `[]`
913
914 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`
915 e17693e3 Steve Traylen
916
manage out dhcp
917
918 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
919 7f6cacc5 Steve Traylen
920 09cba182 Steve Traylen
Allow DHCPv6 requests out of a host
921 7f6cacc5 Steve Traylen
922 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
923 e17693e3 Steve Traylen
924
manage out dns
925
926
#### Parameters
927
928 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::dns` class:
929 e17693e3 Steve Traylen
930 c24d3118 Tim Meusel
* [`dns_server`](#-nftables--rules--out--dns--dns_server)
931 e17693e3 Steve Traylen
932 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
933 e17693e3 Steve Traylen
934 9d1ee648 Tim Meusel
Data type: `Array[Stdlib::IP::Address]`
935 e17693e3 Steve Traylen
936 09cba182 Steve Traylen
specify dns_server name
937 e17693e3 Steve Traylen
938 9d1ee648 Tim Meusel
Default value: `[]`
939 e17693e3 Steve Traylen
940 c24d3118 Tim Meusel
### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
941 a1f09048 Tim Meusel
942
allow outgoing hkp connections to gpg keyservers
943
944 c24d3118 Tim Meusel
### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
945 e17693e3 Steve Traylen
946
manage out http
947
948 c24d3118 Tim Meusel
### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
949 e17693e3 Steve Traylen
950
manage out https
951
952 c24d3118 Tim Meusel
### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
953 7f6cacc5 Steve Traylen
954 09cba182 Steve Traylen
control outbound icmp packages
955 7f6cacc5 Steve Traylen
956
#### Parameters
957
958 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::icmp` class:
959
960 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
961
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
962
* [`order`](#-nftables--rules--out--icmp--order)
963 7f6cacc5 Steve Traylen
964 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
965 7f6cacc5 Steve Traylen
966
Data type: `Optional[Array[String]]`
967
968 5d554e75 Tim Meusel
ICMP v4 types that should be allowed
969 7f6cacc5 Steve Traylen
970 c24d3118 Tim Meusel
Default value: `undef`
971 7f6cacc5 Steve Traylen
972 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
973 7f6cacc5 Steve Traylen
974
Data type: `Optional[Array[String]]`
975
976 5d554e75 Tim Meusel
ICMP v6 types that should be allowed
977 7f6cacc5 Steve Traylen
978 c24d3118 Tim Meusel
Default value: `undef`
979 7f6cacc5 Steve Traylen
980 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--order"></a>`order`
981 7f6cacc5 Steve Traylen
982
Data type: `String`
983
984 5d554e75 Tim Meusel
the ordering of the rules
985 7f6cacc5 Steve Traylen
986
Default value: `'10'`
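
As an added example that is not part of the generated reference, the inbound (`nftables::rules::icmp`) and outbound (`nftables::rules::out::icmp`) classes declared with explicit type allow-lists rather than left at `undef`. The class and parameter names are those documented above; the `profile::firewall::icmp` wrapper class, the chosen type names and the assumption that each entry is rendered verbatim into an `icmp type ... accept` / `icmpv6 type ... accept` rule (so an entry may carry an nft rate-limit expression) are mine.

```puppet
# Added example, not module code. Assumes every array entry is rendered
# verbatim into an "icmp type <entry> accept" (IPv4) or
# "icmpv6 type <entry> accept" (IPv6) rule by the module.
class profile::firewall::icmp {
  # Inbound: only the control messages that reachability and path MTU
  # discovery depend on, plus neighbour discovery, without which IPv6 does
  # not work at all. Echo requests are accepted but rate limited.
  class { 'nftables::rules::icmp':
    v4_types => [
      'destination-unreachable',
      'time-exceeded',
      'parameter-problem',
      'echo-request limit rate 4/second',
    ],
    v6_types => [
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'parameter-problem',
      'echo-request limit rate 4/second',
      'nd-router-advert',
      'nd-neighbor-solicit',
      'nd-neighbor-advert',
    ],
    order    => '10',
  }

  # Outbound: the host must be able to answer and to report errors, but it
  # has no reason to originate other ICMP types.
  class { 'nftables::rules::out::icmp':
    v4_types => [
      'echo-reply',
      'echo-request',
      'destination-unreachable',
      'time-exceeded',
    ],
    v6_types => [
      'echo-reply',
      'echo-request',
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'nd-router-solicit',
      'nd-neighbor-solicit',
      'nd-neighbor-advert',
    ],
    order    => '10',
  }
}
```

The point of enumerating types is that an unlisted ICMP type (redirect, timestamp, address mask, router solicitation on a host that is not a router) never reaches the accept rule; after applying the catalog, `nft list ruleset` should show one accept rule per listed entry and nothing for the rest.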

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address or addresses

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`
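
The `nftables::rules::out::*` classes above (`dns`, `chrony`, `ldap`, `puppet`, `active_directory`) all take explicit server addresses, which is what makes an egress allow-list possible. As an added example, not code from the module, here is a profile that composes them into one such policy; the `profile::firewall::egress` class name and the RFC 5737 documentation addresses are placeholders of mine, and the only module facts relied on are the class and parameter names documented in this reference.

```puppet
# Added example, not module code: least-privilege egress. Every outbound
# destination is named; nftables::rules::out::all is deliberately absent,
# because including it would accept all outbound traffic and make the
# per-service classes below irrelevant.
class profile::firewall::egress (
  # Placeholder addresses from the RFC 5737 documentation ranges.
  Array[Stdlib::IP::Address] $resolvers  = ['192.0.2.53', '198.51.100.53'],
  Array[Stdlib::IP::Address] $ntp        = ['192.0.2.123'],
  Array[Stdlib::IP::Address] $puppet     = ['192.0.2.10'],
  Array[Stdlib::IP::Address] $ldap       = ['192.0.2.20', '198.51.100.20'],
) {
  # Name resolution only to the organisation's resolvers.
  class { 'nftables::rules::out::dns':
    dns_server => $resolvers,
  }

  # Time sync only to the listed NTP servers (the class default, [],
  # would open nothing, which is the safe failure mode).
  class { 'nftables::rules::out::chrony':
    servers => $ntp,
  }

  # Puppet agent to its server; puppetserver has no default and is required.
  class { 'nftables::rules::out::puppet':
    puppetserver      => $puppet,
    puppetserver_port => 8140,
  }

  # Directory lookups over LDAPS only: the documented default [389, 636]
  # is narrowed to the TLS port so cleartext binds cannot leave the host.
  class { 'nftables::rules::out::ldap':
    ldapserver       => $ldap,
    ldapserver_ports => [636],
  }

  # Outbound HTTPS to anywhere is the one broad rule; package mirrors and
  # OCSP responders make a per-host list impractical for most fleets.
  include nftables::rules::out::https
}
```

If a host later needs another service, the diff to this profile is the audit trail; with `nftables::rules::out::all` in the catalog that trail does not exist.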

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch on and off
several aspects, for instance if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

whether the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`
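
The generated entry for `nftables::chain` lists the parameters without describing them, so as an added example (not code from the module) here is a chain for a web tier that is only reachable for traffic arriving on one interface. It relies on the documented `table`, `chain`, `inject`, `inject_iif` and `inject_oif` parameters and on two assumptions of mine: that `inject` is read as `<order>-<parent chain>` (the `^\d\d-[a-zA-Z0-9_]+$` pattern above suggests this, but the page does not say so), and that the module's `nftables::rule` defined type, documented elsewhere in this reference, takes a `<chain>-<name>` title with `content` and `order` parameters. The interface name, chain name and ports are placeholders.

```puppet
# Added example, not module code. Assumption: inject => '30-input' means
# "at order 30 in the parent chain 'input', jump to this chain", and
# inject_iif narrows that jump to packets that arrived on the named interface.
nftables::chain { 'web_in':
  table      => 'inet-filter',   # documented default, stated for clarity
  chain      => 'web_in',        # must match ^[a-zA-Z0-9_]+$
  inject     => '30-input',      # matches ^\d\d-[a-zA-Z0-9_]+$
  inject_iif => 'eth0',          # placeholder: the public-facing interface
}

# Rules inside the new chain (assumed nftables::rule interface:
# title '<chain>-<name>', content = nft rule text, order = two digits).
# Because the chain is only entered for eth0, these accepts never apply to
# the management interface, even though the port numbers are the same.
nftables::rule { 'web_in-http':
  order   => '10',
  content => 'tcp dport { 80, 443 } ct state new accept',
}

# Cap the rate of new connections before they reach the accept rule above;
# a lower order sorts earlier within the chain.
nftables::rule { 'web_in-syn_limit':
  order   => '05',
  content => 'tcp dport { 80, 443 } ct state new limit rate over 200/second drop',
}
```

Anything that does not match a rule in `web_in` falls back to the parent chain's policy, so a typo in a rule fails closed rather than open; checking `nft list chain inet filter web_in` after the run confirms both rules landed in the intended order.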
1587 e17693e3 Steve Traylen
1588 c24d3118 Tim Meusel
### <a name="nftables--config"></a>`nftables::config`
1589 e17693e3 Steve Traylen
1590
manage a config snippet
1591
1592
#### Parameters
1593
1594 09cba182 Steve Traylen
The following parameters are available in the `nftables::config` defined type:
1595 e17693e3 Steve Traylen
1596 c24d3118 Tim Meusel
* [`tablespec`](#-nftables--config--tablespec)
1597
* [`content`](#-nftables--config--content)
1598
* [`source`](#-nftables--config--source)
1599
* [`prefix`](#-nftables--config--prefix)
1600 09cba182 Steve Traylen
1601 c24d3118 Tim Meusel
##### <a name="-nftables--config--tablespec"></a>`tablespec`
1602 13f4e4c6 Steve Traylen
1603
Data type: `Pattern[/^\w+-\w+$/]`
1604
1605
1606
1607
Default value: `$title`
1608
1609 c24d3118 Tim Meusel
##### <a name="-nftables--config--content"></a>`content`
1610 e17693e3 Steve Traylen
1611
Data type: `Optional[String]`
1612
1613
1614
1615 c24d3118 Tim Meusel
Default value: `undef`
1616 e17693e3 Steve Traylen
1617 c24d3118 Tim Meusel
##### <a name="-nftables--config--source"></a>`source`
1618 e17693e3 Steve Traylen
1619
Data type: `Optional[Variant[String,Array[String,1]]]`
1620
1621
1622
1623 c24d3118 Tim Meusel
Default value: `undef`
1624 e17693e3 Steve Traylen
1625 c24d3118 Tim Meusel
##### <a name="-nftables--config--prefix"></a>`prefix`
1626 13f4e4c6 Steve Traylen
1627
Data type: `String`
1628
1629
1630
1631
Default value: `'custom-'`
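An added example, not the module's own code, of declaring an extra table with `nftables::config` and populating it with `nftables::chain` and `nftables::rule`. The `family-name` form of `tablespec` is what this page documents; the example assumes that the type writes the `table ip raw { ... }` wrapper into `custom-ip-raw.nft` and that chains declared with the same `table` value are included in it, and it follows the convention of declaring a base chain's `type` and `policy` as low-order rules. The chain and rule names are constructed.

```puppet
# Added example: a dedicated 'ip raw' table for early, stateless checks.
# Assumption: nftables::config emits "table ip raw { ... }" into
# custom-ip-raw.nft and pulls in chains declared with table => 'ip-raw'.
nftables::config { 'ip-raw': }

nftables::chain { 'PREROUTING_RAW':
  table => 'ip-raw',
}

nftables::rule {
  # Base chain declaration; the low order numbers keep these two lines
  # at the top of the chain.
  'PREROUTING_RAW-type':
    table   => 'ip-raw',
    order   => '01',
    content => 'type filter hook prerouting priority -300';
  'PREROUTING_RAW-policy':
    table   => 'ip-raw',
    order   => '02',
    content => 'policy accept';
  # Packets claiming a loopback source on a non-loopback interface are
  # dropped before conntrack allocates state for them.
  'PREROUTING_RAW-spoofed_lo':
    table   => 'ip-raw',
    content => 'iifname != "lo" ip saddr 127.0.0.0/8 counter drop';
}
```

Because every `nftables::rule` here names `table => 'ip-raw'` explicitly, the rules stay out of the default `inet-filter` table; leaving `table` at its default would silently attach them to a chain of the same name there.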
### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in the filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`
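An added example, not part of the module's documentation, that pairs the FTP helper above with the rules that actually use it: a helper object does nothing until a rule assigns it to a connection. `ct helper set` and `ct state` are standard nft syntax; the example assumes the `default_in` chain is reached from the input hook (so the assignment happens before the connection is confirmed) and that the module's conntrack rules accept `established,related` traffic, which is how the FTP data connection gets through.

```puppet
# Added example: FTP helper bound to the control channel.
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}

nftables::rule {
  # Assign the helper to control-channel connections first (lower order)...
  'default_in-ftp_helper':
    order   => '40',
    content => 'tcp dport 21 ct helper set "ftp-standard"';
  # ...then accept the control channel. Data connections are classified as
  # 'related' by the helper and are accepted by the established,related rule
  # the module's conntrack handling provides (assumed here).
  'default_in-ftp':
    order   => '41',
    content => 'tcp dport 21 accept';
}
```

Keeping the helper assignment on port 21 only, rather than on all TCP, limits the helper's parsing of connection payloads to the service that needs it.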
1735
1736 c24d3118 Tim Meusel
### <a name="nftables--rule"></a>`nftables::rule`
1737 e17693e3 Steve Traylen
1738 13f26dfc Nacho Barrientos
Provides an interface to create a firewall rule
1739
1740
#### Examples
1741
1742
##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
1743
1744
```puppet
1745
nftables::rule {
1746
  'default_in-myhttp':
1747
    content => 'tcp dport 80 accept',
1748
}
1749
```
1750
1751
##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
1752
1753
```puppet
1754
nftables::rule {
1755
  'PREROUTING6-count':
1756
    content => 'counter',
1757
    table   => 'ip6-nat'
1758
}
1759
```
1760 e17693e3 Steve Traylen
1761 94285e5f Steve Traylen
##### Redirect port 443 to port 8443
1762
1763
```puppet
1764
nftables::rule { 'PREROUTING-redirect':
1765
  content => 'tcp dport 443 redirect to :8443',
1766
  table   => 'ip-nat',
1767
}
1768
nftables::rule{'PREROUTING6-redirect':
1769
  content => 'tcp dport 443 redirect to :8443',
1770
  table   => 'ip6-nat',
1771
}
1772
```
1773
1774 e17693e3 Steve Traylen
#### Parameters
1775
1776 09cba182 Steve Traylen
The following parameters are available in the `nftables::rule` defined type:
1777
1778 c24d3118 Tim Meusel
* [`ensure`](#-nftables--rule--ensure)
1779
* [`rulename`](#-nftables--rule--rulename)
1780
* [`order`](#-nftables--rule--order)
1781
* [`table`](#-nftables--rule--table)
1782
* [`content`](#-nftables--rule--content)
1783
* [`source`](#-nftables--rule--source)
1784 e17693e3 Steve Traylen
1785 c24d3118 Tim Meusel
##### <a name="-nftables--rule--ensure"></a>`ensure`
1786 e17693e3 Steve Traylen
1787
Data type: `Enum['present','absent']`
1788
1789 13f26dfc Nacho Barrientos
Should the rule be created.
1790 e17693e3 Steve Traylen
1791
Default value: `'present'`
1792
1793 c24d3118 Tim Meusel
##### <a name="-nftables--rule--rulename"></a>`rulename`
1794 e17693e3 Steve Traylen
1795 8c00b818 Nacho Barrientos
Data type: `Nftables::RuleName`
1796 e17693e3 Steve Traylen
1797 13f26dfc Nacho Barrientos
The symbolic name for the rule and to what chain to add it. The
1798
format is defined by the Nftables::RuleName type.
1799 e17693e3 Steve Traylen
1800
Default value: `$title`
1801
1802 c24d3118 Tim Meusel
##### <a name="-nftables--rule--order"></a>`order`
1803 e17693e3 Steve Traylen
1804
Data type: `Pattern[/^\d\d$/]`
1805
1806 13f26dfc Nacho Barrientos
A number representing the order of the rule.
1807 e17693e3 Steve Traylen
1808
Default value: `'50'`
1809
1810 c24d3118 Tim Meusel
##### <a name="-nftables--rule--table"></a>`table`
1811 e17693e3 Steve Traylen
1812 b02d6ea9 Nacho Barrientos
Data type: `String`
1813 e17693e3 Steve Traylen
1814 13f26dfc Nacho Barrientos
The name of the table to add this rule to.
1815 e17693e3 Steve Traylen
1816
Default value: `'inet-filter'`
1817
1818 c24d3118 Tim Meusel
##### <a name="-nftables--rule--content"></a>`content`
1819 e17693e3 Steve Traylen
1820
Data type: `Optional[String]`
1821
1822 13f26dfc Nacho Barrientos
The raw statements that compose the rule represented using the nftables
1823
language.
1824 e17693e3 Steve Traylen
1825 c24d3118 Tim Meusel
Default value: `undef`
1826 e17693e3 Steve Traylen
1827 c24d3118 Tim Meusel
##### <a name="-nftables--rule--source"></a>`source`
1828 e17693e3 Steve Traylen
1829
Data type: `Optional[Variant[String,Array[String,1]]]`
1830
1831 13f26dfc Nacho Barrientos
Same goal as content but sourcing the value from a file.
1832 e17693e3 Steve Traylen
1833 c24d3118 Tim Meusel
Default value: `undef`
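An added example, not from the module's own documentation, that uses `order` and `ensure` together: a rate limit on new SSH connections must be evaluated before the accept rule for the same port, and a rule that is no longer wanted is retired with `ensure => 'absent'`. The nft statements are standard syntax; the rule names are constructed.

```puppet
# Added example: order decides which of two rules for the same port wins.
nftables::rule {
  # Sources opening more than 10 new SSH connections a minute are dropped
  # first (order 20)...
  'default_in-ssh_limit':
    order   => '20',
    content => 'tcp dport 22 ct state new limit rate over 10/minute counter drop';
  # ...and only then is SSH accepted (order 21). With the default order 50
  # on both, the relative position would depend on the rule names instead.
  'default_in-ssh':
    order   => '21',
    content => 'tcp dport 22 accept';
  # A rule managed in an earlier revision is removed from the generated
  # configuration rather than left behind unmanaged.
  'default_in-telnet':
    ensure => 'absent';
}
```

Because `order` is a two-digit string, `'9'` is rejected by the type and `'09'` is required; that is what keeps lexical ordering of the fragments equal to numeric ordering.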
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
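An added example, not from the module's documentation, that combines the three NAT types above (`nftables::rules::dnat4`, `nftables::rules::masquerade` and `nftables::rules::snat4`) on a small IPv4 gateway. This page lists only the parameters' types and defaults; the meanings assumed here are that `daddr` and `port` are the rewritten destination, `dport` the original destination port that is matched, `iif`/`oif` the interface filter, `snat` the source address to rewrite to, and that all three emit rules into the `ip-nat` table. Addresses and interface names are constructed.

```puppet
# Added example: one published service, one fixed-address host, and a
# masqueraded LAN. Addresses are constructed.

# Published service: packets arriving on eth0 for TCP/443 are rewritten to
# the internal host 192.168.10.20 port 8443 (chain 'default_fwd' in ip-nat).
# Restricting with iif keeps the rewrite off the internal side.
nftables::rules::dnat4 { 'https_to_app':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 443,
  daddr => '192.168.10.20',
  port  => 8443,
}

# The application host leaves with a fixed public address so its outbound
# traffic stays attributable in remote logs. order 60 sorts this specific
# SNAT ahead of the general masquerade, which keeps the default order 70.
nftables::rules::snat4 { 'app_out':
  oif   => 'eth0',
  saddr => '192.168.10.20',
  snat  => '203.0.113.10',
  order => '60',
}

# Everything else on the LAN is masqueraded behind eth0's current address.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.168.10.0/24',
}

# A forward that is no longer needed is retired explicitly; daddr and port
# are still required by the type even when ensure is 'absent'.
nftables::rules::dnat4 { 'old_ftp':
  ensure => 'absent',
  daddr  => '192.168.10.21',
  port   => 21,
}
```

Both `snat4` and `masquerade` default to order `70` in chain `POSTROUTING`, so when one host needs a different source address than the rest of its network the specific rule has to be given a lower order, as above, or it is never reached.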
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Automatically merge adjacent/overlapping set elements (only valid for interval sets).

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface.

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface.

Default value: `[]`
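An added example, not the module's own code, showing `nftables::set` and `nftables::simplerule` working together: a set is referenced from a rule through the `@setname` form of `Nftables::Addr::Set`, and `set_type` tells the rule which address family the set holds. It also shows `order` and `counter` used for a blocklist that must be evaluated before any accept rule. The set elements, interface name and comments are constructed.

```puppet
# Added example: a blocklist set and an admin set, both referenced from
# simplerules in the default 'default_in' chain. Addresses are constructed.

# Interval set so that prefixes and single addresses can be mixed;
# auto_merge collapses overlapping entries instead of rejecting them.
nftables::set { 'blocklist_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['198.51.100.0/24', '203.0.113.7'],
  auto_merge => true,
}

# Plain (non-interval) set: single addresses only.
nftables::set { 'admins_v6':
  type     => 'ipv6_addr',
  elements => ['2001:db8:10::5', '2001:db8:10::6'],
}

# Drop blocklisted sources before anything is accepted: order 05 sorts
# ahead of the default order 50. set_type => 'ip' because the set holds
# ipv4_addr elements; the counter makes hits visible in 'nft list ruleset'.
nftables::simplerule { 'blocklist_in':
  order    => '05',
  action   => 'drop',
  saddr    => '@blocklist_v4',
  set_type => 'ip',
  counter  => true,
  comment  => 'drop known-bad IPv4 sources',
}

# SSH only from the admin hosts (an ipv6_addr set, so the default
# set_type 'ip6' applies) and only on the management interface.
nftables::simplerule { 'ssh_admins':
  proto   => 'tcp',
  dport   => 22,
  saddr   => '@admins_v6',
  iifname => 'eth1',
  counter => true,
  comment => 'SSH from admin hosts via eth1',
}
```

Getting `set_type` wrong does not fail at catalog compile time, since `Nftables::Addr::Set` only checks the `@name` form; the mismatch between `ip`/`ip6` and the set's element type surfaces when nft loads the ruleset, so the element type and `set_type` should be reviewed together.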
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`