root / REFERENCE.md @ 5dedf86c

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::nomad`](#nftables--rules--nomad): manage port openings for a nomad cluster
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::rsync`](#nftables--rules--rsync): allow rsync connections
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`purge_unmanaged_rules`](#-nftables--purge_unmanaged_rules)
* [`inmem_rules_hash_file`](#-nftables--inmem_rules_hash_file)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)
* [`clobber_default_config`](#-nftables--clobber_default_config)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--purge_unmanaged_rules"></a>`purge_unmanaged_rules`

Data type: `Boolean`

Prohibits in-memory rules that are not declared in Puppet
code. Setting this to true activates a check that reloads nftables
if the rules in memory have been modified without Puppet.

Default value: `false`

##### <a name="-nftables--inmem_rules_hash_file"></a>`inmem_rules_hash_file`

Data type: `Stdlib::Unixpath`

The name of the file where the hash of the in-memory rules
will be stored.

Default value: `'/var/tmp/puppet-nft-memhash'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Allow logging of discarded packets

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified only other existing tables will be flushed.
If left unset all tables will be flushed via a `flush ruleset`

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

##### <a name="-nftables--clobber_default_config"></a>`clobber_default_config`

Data type: `Boolean`

Should the existing OS provided rules in the `configuration_path` be removed? If
they are not being removed this module will add all of its configuration to the end of
the existing rules.

Default value: `false`

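The two short examples above each flip a single switch; the declaration below, added here as an illustration and not taken from the module's generated reference, combines the `nftables` class parameters documented above into one locked-down host profile. The fail2ban table name `inet-f2b-table` is reused from the example above and the log rate is a constructed value.

```puppet
# Added example (not part of the generated reference): one declaration of
# the `nftables` class wiring the parameters documented above into a
# locked-down host profile. The fail2ban table name and the log rate are
# constructed values for illustration.
class { 'nftables':
  # Egress allow-list. out_all => false keeps the per-service switches
  # meaningful; with out_all => true they would be assumed false.
  out_all                => false,
  out_ntp                => true,
  out_dns                => true,
  out_https              => true,
  out_http               => false,
  out_icmp               => true,
  # Ingress: ssh and ICMP only; anything else falls through to reject_with.
  in_ssh                 => true,
  in_icmp                => true,
  # Stateful filtering in INPUT/OUTPUT; invalid packets are dropped because
  # in_out_drop_invalid defaults to the value of in_out_conntrack.
  in_out_conntrack       => true,
  # A plain server neither forwards nor NATs.
  fwd_conntrack          => false,
  nat                    => false,
  # Reject unmatched packets with an ICMP unreachable instead of a silent
  # drop, and log them at a rate that cannot fill the journal during a flood.
  reject_with            => 'icmpx type port-unreachable',
  log_discarded          => true,
  log_limit              => '10/minute burst 20 packets',
  log_prefix             => '[nftables] %<chain>s %<comment>s',
  # Drift detection: hash the in-memory ruleset and reload when it differs
  # from what Puppet last applied.
  purge_unmanaged_rules  => true,
  inmem_rules_hash_file  => '/var/tmp/puppet-nft-memhash',
  # Leave fail2ban's own table in place across reloads; the name matches the
  # required <family>-<name> pattern.
  noflush_tables         => ['inet-f2b-table'],
  # Mask firewalld so two managers never compete for the same ruleset, and
  # replace the distribution's default configuration file rather than
  # appending to it.
  firewalld_enable       => 'mask',
  clobber_default_config => true,
}
```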
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

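A pairing of this class with the Docker class, added here as an illustration and not taken from the module's reference. It assumes the puppetlabs-docker module, whose `docker` class has `iptables` and `bip` parameters (the Hiera key 'docker::iptables: false' quoted above sets the former); the bridge subnet is a constructed value.

```puppet
# Added example (not part of the generated reference). Assumes the
# puppetlabs-docker module's `docker` class with its `iptables` and `bip`
# parameters; the 10.200.0.0/16 bridge network is a constructed value.
class { 'docker':
  iptables => false,            # same effect as 'docker::iptables: false' in Hiera
  bip      => '10.200.0.1/16',  # address and subnet docker assigns to docker0
}

# docker_prefix must be the subnet docker actually uses on docker_interface;
# otherwise the rules this class generates for that address space match
# nothing, and with docker's own rules disabled containers lose connectivity.
class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker0',
  docker_prefix        => '10.200.0.0/16',
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```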
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`
746 7f6cacc5 Steve Traylen
747 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
748 7f6cacc5 Steve Traylen
749
Data type: `String`
750
751 8cdd24a5 Tim Meusel
the ordering of the rules
752 7f6cacc5 Steve Traylen
753
Default value: `'10'`
754

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
* [`iifname`](#-nftables--rules--llmnr--iifname)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

name for incoming interfaces to filter

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--nomad"></a>`nftables::rules::nomad`

manage port openings for a nomad cluster

#### Examples

##### Simple two node nomad cluster

```puppet
class { 'nftables::rules::nomad':
  cluster_elements => [
    '10.0.0.1', '10.0.0.2',
    '::1', '::2',
  ],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::nomad` class:

* [`cluster_elements`](#-nftables--rules--nomad--cluster_elements)
* [`http`](#-nftables--rules--nomad--http)
* [`rpc`](#-nftables--rules--nomad--rpc)
* [`serf`](#-nftables--rules--nomad--serf)

##### <a name="-nftables--rules--nomad--cluster_elements"></a>`cluster_elements`

Data type: `Array[Stdlib::IP::Address,1]`

IP addresses of nomad cluster nodes

Default value: `['127.0.0.1','::1']`

##### <a name="-nftables--rules--nomad--http"></a>`http`

Data type: `Stdlib::Port`

Specify http api port to open to the world.

Default value: `4646`

##### <a name="-nftables--rules--nomad--rpc"></a>`rpc`

Data type: `Stdlib::Port`

Specify rpc port to open within the nomad cluster

Default value: `4647`

##### <a name="-nftables--rules--nomad--serf"></a>`serf`

Data type: `Stdlib::Port`

Specify serf port to open within the nomad cluster

Default value: `4648`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to allow traffic

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

specify the DNS server addresses

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icinga2"></a>`nftables::rules::out::icinga2`

allow outgoing icinga2

#### Parameters

The following parameters are available in the `nftables::rules::out::icinga2` class:

* [`ports`](#-nftables--rules--out--icinga2--ports)

##### <a name="-nftables--rules--out--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

icinga2 ports

Default value: `[5665]`

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`
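
Both ICMP classes take the same three parameters, so one added example covers `nftables::rules::icmp` and `nftables::rules::out::icmp` together. This is example code written for this page, not code or documentation from the nftables module. It assumes that each string in `v4_types`/`v6_types` is used by the class as an nft `icmp type` or `icmpv6 type` match and that a given list replaces the class's built-in behaviour (the page shows the default as `undef`); check the rendered rules with `nft list ruleset` after a run. The point of an explicit allowlist is to keep the error and neighbour-discovery messages that path-MTU discovery and IPv6 address resolution depend on, while never accepting types the host has no use for (redirects, timestamp and address-mask requests).

```puppet
# Added example for this page, not code from the nftables module.
# Assumption: each entry is spliced by nftables::rules::icmp and
# nftables::rules::out::icmp into an nft `icmp type ...` /
# `icmpv6 type ...` match; the names below are nft's own type names.

# Error messages every host must accept and may send, or path-MTU
# discovery and unreachable detection silently break.
$icmpv4_errors = ['destination-unreachable', 'time-exceeded', 'parameter-problem']
$icmpv6_errors = [
  'destination-unreachable',
  'packet-too-big',      # IPv6 routers never fragment; PMTUD depends on this
  'time-exceeded',
  'parameter-problem',
]

# Inbound allowlist. A host receives router advertisements and takes part
# in neighbour solicitation/advertisement; everything else (redirect,
# timestamp and address-mask requests, IPv4 router advertisement) is
# simply not listed and therefore not accepted.
class { 'nftables::rules::icmp':
  v4_types => $icmpv4_errors + ['echo-request'],
  v6_types => $icmpv6_errors + [
    'echo-request',
    'nd-router-advert',
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
  ],
  order    => '10',
}

# Outbound allowlist: the host originates solicitations, answers
# neighbour lookups and may ping out. With connection tracking active the
# echo replies return as established state and need no separate type.
class { 'nftables::rules::out::icmp':
  v4_types => $icmpv4_errors + ['echo-request'],
  v6_types => $icmpv6_errors + [
    'echo-request',
    'nd-router-solicit',
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
  ],
  order    => '10',
}
```

Multicast Listener Discovery, which neighbour discovery needs on switches that snoop MLD, is deliberately not part of these lists; the page's `nftables::rules::out::mldv2` class covers it. After applying, `nft list ruleset | grep -E 'icmp(v6)? type'` shows exactly the types that were listed and nothing more.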

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional name for outgoing interfaces

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients: 7000 (afs3-fileserver), 7002 (afs3-ptserver), 7003 (vlserver)

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`
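
The outbound classes that take a server parameter (`nftables::rules::out::dns`, `nftables::rules::out::chrony` and `nftables::rules::out::puppet` here; `out::ldap`, `out::active_directory` and `out::pxp_agent` have the same shape) are where egress control is actually decided. The following is an added example for this page, not the module's own documentation or code. Its addresses are constructed documentation values, and it assumes that the empty-list defaults of `dns_server` and `servers` open the port toward any destination, which is exactly the latitude a compromised host needs to tunnel data over port 53/123 or to reach a resolver of the attacker's choosing.

```puppet
# Added example for this page, not code from the nftables module.
# All addresses are constructed RFC 5737 / RFC 3849 documentation values.
$resolvers    = ['192.0.2.53', '2001:db8::53']
$ntp_servers  = ['192.0.2.123', '2001:db8::123']
$puppetserver = '192.0.2.140'

# Weak: the defaults. Assumption: an empty list opens the DNS and NTP
# ports toward any destination, so a compromised host can move data over
# port 53/123 or talk to a resolver of its choosing.
#
#   class { 'nftables::rules::out::dns': }      # dns_server => []
#   class { 'nftables::rules::out::chrony': }   # servers    => []

# Hardened: every class gets the explicit list of peers it may reach.
class { 'nftables::rules::out::dns':
  dns_server => $resolvers,
}

class { 'nftables::rules::out::chrony':
  servers => $ntp_servers,
}

# puppetserver has no default on this page, so it must always be given;
# the port is spelled out for clarity even though 8140 is the default.
class { 'nftables::rules::out::puppet':
  puppetserver      => $puppetserver,
  puppetserver_port => 8140,
}

# Do not also declare nftables::rules::out::all: it allows all outbound
# traffic and would make the lists above meaningless.
```

All three parameters are typed as IP addresses on this page, not hostnames, so the lists belong in Hiera data where a resolver or server change is reviewed like any other change to the host's allowed peers.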

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several aspects
on and off: for instance, if you don't serve DHCP to your guests you can
disable the rules that accept DHCP traffic on the host, or if you don't
want your guests to talk to outside hosts you can disable forwarding
and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`
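
As an added example for this page (not the module's own code or documentation), here are the two shapes the class description talks about side by side: the libvirt default, where guests are NATed to the outside, and an isolated lab network where guests reach only the host's DNS/DHCP and each other. Interface and prefix are the page's defaults; the node names are constructed placeholders; the isolation comes entirely from `forward_traffic` and `masquerade`.

```puppet
# Added example for this page, not code from the nftables module.
# Node names are constructed placeholders.

# Shape 1: what libvirt itself sets up, spelled out. Guests get DNS and
# DHCP from the host, may talk to each other, and reach external
# networks through IPv4 NAT. Declaring the class with no parameters
# gives the same result.
node 'hypervisor-lab.example.com' {
  class { 'nftables::rules::qemu':
    interface        => 'virbr0',
    network_v4       => '192.168.122.0/24',
    network_v6       => undef,
    dns              => true,
    dhcpv4           => true,
    internal_traffic => true,
    forward_traffic  => true,
    masquerade       => true,
  }
}

# Shape 2: an isolated guest network, e.g. for running untrusted
# workloads under observation. Guests still get addresses and name
# resolution from the host and can see each other, but nothing is
# forwarded off the bridge and, since nothing leaves, no NAT is done.
node 'hypervisor-sandbox.example.com' {
  class { 'nftables::rules::qemu':
    interface        => 'virbr0',
    network_v4       => '192.168.122.0/24',
    dns              => true,
    dhcpv4           => true,
    internal_traffic => true,
    forward_traffic  => false,
    masquerade       => false,
  }
}
```

Read the two flags together: turning off only `masquerade` while `forward_traffic` stays on would still forward guest packets, just with their private source address, so isolation needs both set to `false`. Note also that `dns => true` still lets guests reach the host's resolver, which normally forwards queries upstream; a sandbox that must not leak anything over DNS needs that flag off as well, or a host resolver that answers only local names.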

### <a name="nftables--rules--rsync"></a>`nftables::rules::rsync`

allow rsync connections

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor
1644
Default value: `[9001]`
1645
1646 c24d3118 Tim Meusel
### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`
1647 e17693e3 Steve Traylen
1648
manage in wireguard
1649
1650
#### Parameters
1651
1652 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::wireguard` class:
1653 e17693e3 Steve Traylen
1654 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--wireguard--ports)
1655 e17693e3 Steve Traylen
1656 c24d3118 Tim Meusel
##### <a name="-nftables--rules--wireguard--ports"></a>`ports`
1657 e17693e3 Steve Traylen
1658 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1659 e17693e3 Steve Traylen
1660 09cba182 Steve Traylen
wiregueard port
1661 e17693e3 Steve Traylen
1662
Default value: `[51820]`
1663
1664 ffc8b86f Tim Meusel
### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
1665
1666
allow incoming webservice discovery
1667
1668
* **See also**
1669
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
1670
1671
#### Parameters
1672
1673
The following parameters are available in the `nftables::rules::wsd` class:
1674
1675
* [`ipv4`](#-nftables--rules--wsd--ipv4)
1676
* [`ipv6`](#-nftables--rules--wsd--ipv6)
1677
1678
##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
1679
1680
Data type: `Boolean`
1681
1682
Allow ws-discovery over IPv4
1683
1684
Default value: `true`
1685
1686
##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
1687
1688
Data type: `Boolean`
1689
1690
Allow ws-discovery over IPv6
1691
1692
Default value: `true`
1693
1694 c24d3118 Tim Meusel
### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
1695 7f6cacc5 Steve Traylen
1696 09cba182 Steve Traylen
Allow in and outbound traffic for DHCPv6 server
1697 7f6cacc5 Steve Traylen
1698 c24d3118 Tim Meusel
### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
1699 7f6cacc5 Steve Traylen
1700 09cba182 Steve Traylen
Open inbound and outbound ports for an AFS client
1701 7f6cacc5 Steve Traylen
1702 e17693e3 Steve Traylen
## Defined types
1703
1704 c24d3118 Tim Meusel
### <a name="nftables--chain"></a>`nftables::chain`
1705 e17693e3 Steve Traylen
1706
manage a chain
1707
1708
#### Parameters
1709
1710 09cba182 Steve Traylen
The following parameters are available in the `nftables::chain` defined type:
1711
1712 c24d3118 Tim Meusel
* [`table`](#-nftables--chain--table)
1713
* [`chain`](#-nftables--chain--chain)
1714
* [`inject`](#-nftables--chain--inject)
1715
* [`inject_iif`](#-nftables--chain--inject_iif)
1716
* [`inject_oif`](#-nftables--chain--inject_oif)
1717 e17693e3 Steve Traylen
1718 c24d3118 Tim Meusel
##### <a name="-nftables--chain--table"></a>`table`
1719 e17693e3 Steve Traylen
1720 7030bde0 Luis Fernández Álvarez
Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`
1721 e17693e3 Steve Traylen
1722
1723
1724
Default value: `'inet-filter'`
1725
1726 c24d3118 Tim Meusel
##### <a name="-nftables--chain--chain"></a>`chain`
1727 e17693e3 Steve Traylen
1728
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1729
1730
1731
1732
Default value: `$title`
1733
1734 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject"></a>`inject`
1735 e17693e3 Steve Traylen
1736
Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
1737
1738
1739
1740 c24d3118 Tim Meusel
Default value: `undef`
1741 e17693e3 Steve Traylen
1742 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`
1743 e17693e3 Steve Traylen
1744
Data type: `Optional[String]`
1745
1746
1747
1748 c24d3118 Tim Meusel
Default value: `undef`
1749 e17693e3 Steve Traylen
1750 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`
1751 e17693e3 Steve Traylen
1752
Data type: `Optional[String]`
1753
1754
1755
1756 c24d3118 Tim Meusel
Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`



Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`



Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`



Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`



Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT),
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` it will be
auto-included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`
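An added example, not taken from the module's generated reference, that combines `nftables::chain` with `nftables::rule`: SSH handling lives in its own chain that is jumped to from `default_in`, a low-numbered rule rate-limits and logs new connections before the accept rule, and a rule that is no longer wanted is kept declared with `ensure => 'absent'`. It assumes that an `inject` value of the form `'<order>-<parent_chain>'` makes the module create the jump rule in that parent chain and that `inject_iif` restricts the jump to one input interface; the interface name, rate and ports are constructed values.

```puppet
# Added example; not part of the module's generated reference.
# Assumption: inject => '20-default_in' makes the module emit a jump to
# this chain at order 20 inside default_in, and inject_iif limits that
# jump to packets arriving on eth0. Interface, rate and ports are
# constructed values.
nftables::chain { 'ssh_in':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'eth0',
}

# Rule titles follow Nftables::RuleName: '<chain>-<rulename>'.
# order '40' sorts this rule before the default order '50', so the
# rate limit is evaluated first: new connections above the rate are
# logged with a prefix that is easy to match in syslog, then dropped.
nftables::rule { 'ssh_in-ratelimit':
  order   => '40',
  content => 'tcp dport 22 ct state new limit rate over 10/minute log prefix "ssh-ratelimit: " drop',
}

# The plain accept at the default order '50'.
nftables::rule { 'ssh_in-accept':
  content => 'tcp dport 22 accept',
}

# A second SSH port that is no longer wanted. ensure => 'absent' leaves
# the rule out of the generated ruleset while keeping the declaration
# in the manifest, which documents that the port was closed on purpose.
nftables::rule { 'ssh_in-legacy_port':
  ensure  => 'absent',
  content => 'tcp dport 2222 accept',
}
```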

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`



##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`



##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`



Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`



Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`



Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`



Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`



Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`



Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`



Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`



Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`



Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`



Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`



Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`



Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`



##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`



Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`



Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`



Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`



Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`



Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`



Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`



Default value: `'present'`

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`
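An added example, not taken from the module's generated reference, that pairs `nftables::set` with `nftables::simplerule` and its `set_type` parameter: one address set per family holds the management networks allowed to reach a monitoring port, the `interval` flag with `auto_merge` lets the sets hold CIDR ranges, and the rules reference the sets through `saddr`, with `set_type => 'ip'` for the `ipv4_addr` set. It assumes that an `Nftables::Addr` of the form `'@setname'` is how a rule refers to a named set; the networks and the port are constructed values.

```puppet
# Added example; not part of the module's generated reference.
# Networks and port numbers are constructed sample values.

# Allow-list of IPv4 management networks. 'interval' is required for
# CIDR elements; auto_merge collapses the two adjacent /24s into a
# single /23 entry instead of rejecting overlapping ranges.
nftables::set { 'mgmt_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.10.0.0/24', '10.10.1.0/24', '192.0.2.5'],
  auto_merge => true,
}

# The IPv6 counterpart: a set has exactly one element type, so the
# families need separate sets.
nftables::set { 'mgmt_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:1::/48'],
}

# Only the allow-listed networks may reach the metrics exporter.
# Assumption: '@setname' in saddr references the named set; set_type
# tells the module which address family the set holds, so the IPv4
# rule must say 'ip' because the default is 'ip6'.
nftables::simplerule { 'metrics_v4_in':
  proto    => 'tcp',
  dport    => 9100,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
  counter  => true,
  comment  => 'node exporter from IPv4 management networks',
}

nftables::simplerule { 'metrics_v6_in':
  proto    => 'tcp',
  dport    => 9100,
  saddr    => '@mgmt_v6',
  set_type => 'ip6',
  counter  => true,
  comment  => 'node exporter from IPv6 management networks',
}

# Everything else aimed at that port is dropped and counted. order '60'
# places it after the accepts above (default order '50'), so the hit
# counter reveals unexpected sources without opening anything.
nftables::simplerule { 'metrics_other_in':
  order   => '60',
  action  => 'drop',
  proto   => 'tcp',
  dport   => 9100,
  counter => true,
  comment => 'node exporter from anywhere else',
}
```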
2416 7f6cacc5 Steve Traylen
2417 c24d3118 Tim Meusel
### <a name="nftables--simplerule"></a>`nftables::simplerule`
2418 4d63adda Nacho Barrientos
2419 b46c9ce9 Nacho Barrientos
Provides a simplified interface to nftables::rule
2420 4d63adda Nacho Barrientos
2421 b46c9ce9 Nacho Barrientos
#### Examples
2422 4d63adda Nacho Barrientos
2423 b46c9ce9 Nacho Barrientos
##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
2424 4d63adda Nacho Barrientos
2425 b46c9ce9 Nacho Barrientos
```puppet
2426
nftables::simplerule{'my_service_in':
2427
  action  => 'accept',
2428
  comment => 'allow traffic to port 543',
2429
  counter => true,
2430
  proto   => 'tcp',
2431
  dport   => 543,
2432
  daddr   => '2001:1458::/32',
2433
  sport   => 541,
2434
}
2435
```
2436 4d63adda Nacho Barrientos
2437 b46c9ce9 Nacho Barrientos
#### Parameters
2438 4d63adda Nacho Barrientos
2439 09cba182 Steve Traylen
The following parameters are available in the `nftables::simplerule` defined type:
2440
2441 c24d3118 Tim Meusel
* [`ensure`](#-nftables--simplerule--ensure)
2442
* [`rulename`](#-nftables--simplerule--rulename)
2443
* [`order`](#-nftables--simplerule--order)
2444
* [`chain`](#-nftables--simplerule--chain)
2445
* [`table`](#-nftables--simplerule--table)
2446
* [`action`](#-nftables--simplerule--action)
2447
* [`comment`](#-nftables--simplerule--comment)
2448
* [`dport`](#-nftables--simplerule--dport)
2449
* [`proto`](#-nftables--simplerule--proto)
2450
* [`daddr`](#-nftables--simplerule--daddr)
2451
* [`set_type`](#-nftables--simplerule--set_type)
2452
* [`sport`](#-nftables--simplerule--sport)
2453
* [`saddr`](#-nftables--simplerule--saddr)
2454
* [`counter`](#-nftables--simplerule--counter)
2455 25b3f3f4 Tim Meusel
* [`iifname`](#-nftables--simplerule--iifname)
2456 d7d6d5d3 Tim Meusel
* [`oifname`](#-nftables--simplerule--oifname)
2457 c24d3118 Tim Meusel
2458
##### <a name="-nftables--simplerule--ensure"></a>`ensure`
2459 13f4e4c6 Steve Traylen
2460
Data type: `Enum['present','absent']`
2461
2462
Should the rule be created.
2463
2464
Default value: `'present'`
2465
2466 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--rulename"></a>`rulename`
2467 4d63adda Nacho Barrientos
2468 8c00b818 Nacho Barrientos
Data type: `Nftables::SimpleRuleName`
2469 4d63adda Nacho Barrientos
2470 b46c9ce9 Nacho Barrientos
The symbolic name for the rule to add. Defaults to the resource's title.
2471 4d63adda Nacho Barrientos
2472
Default value: `$title`
2473
2474 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--order"></a>`order`
2475 4d63adda Nacho Barrientos
2476
Data type: `Pattern[/^\d\d$/]`
2477
2478 b46c9ce9 Nacho Barrientos
A number representing the order of the rule.
2479 4d63adda Nacho Barrientos
2480
Default value: `'50'`
2481
2482 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--chain"></a>`chain`
2483 4d63adda Nacho Barrientos
2484
Data type: `String`
2485
2486 b46c9ce9 Nacho Barrientos
The name of the chain to add this rule to.
2487 4d63adda Nacho Barrientos
2488
Default value: `'default_in'`
2489
2490 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--table"></a>`table`
2491 4d63adda Nacho Barrientos
2492
Data type: `String`
2493
2494 b46c9ce9 Nacho Barrientos
The name of the table to add this rule to.
2495 4d63adda Nacho Barrientos
2496
Default value: `'inet-filter'`
2497
2498 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--action"></a>`action`
2499 4d63adda Nacho Barrientos
2500
Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
2501
2502 b46c9ce9 Nacho Barrientos
The verdict for the matched traffic.
2503 4d63adda Nacho Barrientos
2504
Default value: `'accept'`
2505
2506 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A human-readable comment attached to the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When a set is used as `saddr` or `daddr`, the address family of that set.
Use `ip` for sets of type `ipv4_addr` and `ip6` (the default) for sets of type `ipv6_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter on the incoming interface name (a single name or a list of names).

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter on the outgoing interface name (a single name or a list of names).

Default value: `[]`

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second is the rule name and the (optional) third is a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.
Unlike `Nftables::RuleName` it carries no chain prefix (the chain is given by the `chain` parameter); only an optional numeric suffix is allowed.
Ex: 'sshd', 'my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
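The `nftables::simplerule` parameters and the data types above combined in one manifest. This is an added example, not part of the generated reference; `trusted_v4` is a hypothetical set of type `ipv4_addr` assumed to be defined elsewhere, and every other value is constructed.

```puppet
# Added example (not from the module's documentation). The set 'trusted_v4'
# is hypothetical and assumed to be declared elsewhere as an ipv4_addr set.

# Accept the application ports only from the trusted IPv4 set.
nftables::simplerule { 'app_trusted':        # Nftables::SimpleRuleName: no chain prefix
  order    => '40',                          # two digits, placed before the drop rule below
  chain    => 'default_in',                  # module defaults, shown for clarity
  table    => 'inet-filter',
  action   => 'accept',
  proto    => 'tcp',
  dport    => [8080, '8443-8449'],           # Nftables::Port: Stdlib::Port and a Port::Range
  saddr    => '@trusted_v4',                 # Nftables::Addr::Set: '@' followed by the set name
  set_type => 'ip',                          # needed here: the default 'ip6' would emit
  iifname  => 'eth0',                        #   "ip6 saddr", the wrong family for ipv4_addr
  counter  => true,
  comment  => 'app ports from trusted IPv4 hosts',
}

# The same ports from any other source: count and drop, ordered after the accept.
nftables::simplerule { 'app_trusted-2':      # SimpleRuleName with the optional numeric suffix
  order   => '41',
  action  => 'drop',
  proto   => 'tcp',
  dport   => [8080, '8443-8449'],
  counter => true,
  comment => 'app ports from untrusted hosts (counted, dropped)',
}
```

Because both rules live in `default_in` of `inet-filter`, the `order` values decide which one matches first; swapping them would drop the trusted traffic before the accept is ever evaluated.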