root / REFERENCE.md @ 5ffd0328
# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified only other existing tables will be flushed.
If left unset all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

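The parameters above interact, so the following declaration is added here as a worked illustration; it is not taken from the module's own documentation. It combines a custom `log_prefix` that uses the `chain` and `comment` sprintf variables, a tighter `log_limit`, an explicit `reject_with` value that satisfies the `Pattern` type, a `noflush_tables` entry so a table maintained by fail2ban survives a ruleset reload, and raw rules passed through the `rules` hash. The rule names follow the `Nftables::RuleName` convention described in the data types section (chain, rule name, optional number); the rule contents, the `inet-f2b-table` name and the addresses are assumed values chosen for the example.

```puppet
# Added example (not from the module documentation): a locked-down declaration of
# the main nftables class. Rule contents, the fail2ban table name and the
# 192.0.2.10 address are constructed values for illustration.
class { 'nftables':
  # keep inbound ssh and icmp, but do not open everything outbound
  out_all        => false,
  out_dns        => true,
  out_ntp        => true,
  out_https      => true,
  out_http       => false,
  in_ssh         => true,
  in_icmp        => true,
  # sprintf-style prefix: %<chain>s and %<comment>s are filled in by the module
  log_prefix     => '[nftables-%<chain>s] %<comment>s',
  # rate-limit the logging of discarded traffic so a flood cannot fill the journal
  log_limit      => '1/minute burst 3 packets',
  # answer unmatched packets with an ICMP error (matches the Pattern data type)
  reject_with    => 'icmpx type port-unreachable',
  # do not destroy the table fail2ban maintains when the ruleset is reloaded
  noflush_tables => ['inet-f2b-table'],
  # raw nftables::rule resources; names follow Nftables::RuleName: <chain>-<name>[-<number>]
  rules          => {
    'default_in-web'     => {
      'content' => 'tcp dport { 80, 443 } accept',
      'order'   => '20',
    },
    'default_out-syslog' => {
      'content' => 'ip daddr 192.0.2.10 tcp dport 6514 accept',
    },
  },
}
```

Setting `reject_with => false` instead would leave unmatched packets to the chain policy (normally drop), which reveals less to a port scan but turns every blocked connection attempt into a timeout rather than an immediate error; whichever is chosen, keeping `log_limit` set stops the log rules for discarded traffic from being used to exhaust disk space.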
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

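The `v4_types` and `v6_types` parameters carry no description on this page, so the following is an added example, not the module's own documentation, of using them to accept only the ICMP types a host needs rather than all ICMP. It assumes that each list entry is appended to an `icmp type` / `icmpv6 type` match in the generated rule (the entries may therefore carry a trailing `limit rate` statement); the type names and the rate limit are choices made for the example, not defaults stated on this page.

```puppet
# Added example (not from the module documentation): accept an explicit list of
# ICMP types instead of all ICMP. The type lists and the rate limit are my
# choices; the module is assumed to append each entry to `icmp type` / `icmpv6 type`.
class { 'nftables::rules::icmp':
  v4_types => [
    'echo-request limit rate 4/second',  # rate-limited ping rather than unlimited
    'echo-reply',
    'destination-unreachable',           # required for path MTU discovery
    'time-exceeded',
    'parameter-problem',
  ],
  v6_types => [
    'echo-request limit rate 4/second',
    'echo-reply',
    'destination-unreachable',
    'packet-too-big',                    # IPv6 routers do not fragment; PMTUD depends on this
    'time-exceeded',
    'parameter-problem',
    'nd-router-advert',                  # neighbour discovery: blocking these breaks IPv6
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
  ],
  order    => '10',
}
```

If the main `nftables` class already includes this class through `in_icmp`, supply these values via Hiera (`nftables::rules::icmp::v4_types` and `nftables::rules::icmp::v6_types`) instead of a second resource-like declaration, which Puppet would reject as a duplicate declaration. The IPv6 list is the one most often over-trimmed: dropping neighbour discovery or `packet-too-big` produces connectivity failures that look like a network fault rather than a firewall rule.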
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

769 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`
770 e17693e3 Steve Traylen
771
manage out dhcp
772
773 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
774 7f6cacc5 Steve Traylen
775 09cba182 Steve Traylen
Allow DHCPv6 requests out of a host
776 7f6cacc5 Steve Traylen
777 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
778 e17693e3 Steve Traylen
779
manage out dns
780
781
#### Parameters
782
783 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::dns` class:
784 e17693e3 Steve Traylen
785 c24d3118 Tim Meusel
* [`dns_server`](#-nftables--rules--out--dns--dns_server)
786 e17693e3 Steve Traylen
787 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
788 e17693e3 Steve Traylen
789 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
790 e17693e3 Steve Traylen
791 09cba182 Steve Traylen
specify dns_server name
792 e17693e3 Steve Traylen
793 c24d3118 Tim Meusel
Default value: `undef`
794 e17693e3 Steve Traylen
795 c24d3118 Tim Meusel
### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
796 a1f09048 Tim Meusel
797
allow outgoing hkp connections to gpg keyservers
798
799 c24d3118 Tim Meusel
### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
800 e17693e3 Steve Traylen
801
manage out http
802
803 c24d3118 Tim Meusel
### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
804 e17693e3 Steve Traylen
805
manage out https
806
807 c24d3118 Tim Meusel
### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
808 7f6cacc5 Steve Traylen
809 09cba182 Steve Traylen
control outbound icmp packages
810 7f6cacc5 Steve Traylen
811
#### Parameters
812
813 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::icmp` class:
814
815 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
816
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
817
* [`order`](#-nftables--rules--out--icmp--order)
818 7f6cacc5 Steve Traylen
819 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
820 7f6cacc5 Steve Traylen
821
Data type: `Optional[Array[String]]`
822
823
824
825 c24d3118 Tim Meusel
Default value: `undef`
826 7f6cacc5 Steve Traylen
827 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
828 7f6cacc5 Steve Traylen
829
Data type: `Optional[Array[String]]`
830
831
832
833 c24d3118 Tim Meusel
Default value: `undef`
834 7f6cacc5 Steve Traylen
835 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--order"></a>`order`
836 7f6cacc5 Steve Traylen
837
Data type: `String`
838
839
840
841
Default value: `'10'`
842
### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients:

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt creates.
Depending on your requirements you can switch several aspects on and off:
for instance, if you don't serve DHCP to your guests you can disable the
rules that accept DHCP traffic on the host, and if you don't want your
guests to talk to outside hosts you can disable forwarding and/or
masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` the file will be
included automatically in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, expressed in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`
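The following is an added example, not part of the module's own reference, showing how `nftables::chain` and `nftables::rule` fit together: a dedicated chain for a management interface, hooked into the module's `default_in` chain and given its own accept and final-drop rules. The jump semantics of `inject` and `inject_iif` described in the comments, and the interface name and address range, are assumptions for illustration and are not stated on this page.

```puppet
# Added example (not part of the module's reference): a dedicated input chain
# for a management interface, hooked into the module's default_in chain.
# Assumed (not stated on this page): inject => 'NN-chain' creates a
# "jump <this chain>" rule with order NN inside <chain>, and inject_iif
# prefixes that jump with an iifname match. eth1 and 10.0.0.0/24 are
# constructed values.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-default_in', # order 20 sorts before rules using the default order '50'
  inject_iif => 'eth1',          # only packets arriving on eth1 take the jump
}

# Rules inside the new chain. The resource title uses the Nftables::RuleName
# format '<chain>-<rulename>'; order sorts the rules within the chain.
nftables::rule { 'mgmt_in-allow_admin_ssh':
  order   => '10',
  content => 'ip saddr 10.0.0.0/24 tcp dport 22 accept',
}

nftables::rule { 'mgmt_in-allow_node_exporter':
  order   => '20',
  content => 'ip saddr 10.0.0.0/24 tcp dport 9100 accept',
}

# Final verdict for everything else that arrived on eth1. Without it,
# unmatched packets would return from the jump and continue through default_in.
nftables::rule { 'mgmt_in-log_drop':
  order   => '90',
  content => 'log prefix "mgmt_in drop: " drop',
}

# Retire a rule declaratively: the resource stays in the manifest with
# ensure => 'absent' so Puppet removes it from the generated configuration.
nftables::rule { 'mgmt_in-allow_legacy_telnet':
  ensure  => 'absent',
  content => 'tcp dport 23 accept',
}
```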

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
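Since the parameters above carry no descriptions, here is an added example, not part of the module's own reference, of publishing an internal web server through a gateway with `nftables::rules::dnat4`. The meaning given to `daddr`, `port`, `dport` and `iif` in the comments, and the generated rules they are said to produce, are assumptions; the addresses and interface names are constructed.

```puppet
# Added example (not part of the module's reference): publish an internal
# web server through a gateway with nftables::rules::dnat4.
# Assumed (not stated on this page): daddr and port are the translated
# destination, dport is the port matched on arriving packets (port is used
# when dport is unset), and the defined type emits both the "dnat to" rule
# in the ip nat table and a matching accept rule in $chain (default
# 'default_fwd'). Addresses and interface names are constructed.
nftables::rules::dnat4 { 'web_https':
  daddr => '192.168.10.20', # internal web server
  port  => 8443,            # port the internal service listens on
  dport => 443,             # port clients connect to on the gateway
  iif   => 'eth0',          # pin the rewrite to the external interface; without
                            # iif, packets from any interface would be redirected
  proto => 'tcp',
  order => '40',
}

# A UDP service on the same host, matched and translated on one port.
nftables::rules::dnat4 { 'web_dns':
  daddr => '192.168.10.20',
  port  => 53,
  proto => 'udp',
  iif   => 'eth0',
}

# Retire a forward declaratively: keep the resource with ensure => 'absent'
# so Puppet removes both generated rules instead of leaving them in place.
nftables::rules::dnat4 { 'old_rdp':
  ensure => 'absent',
  daddr  => '192.168.10.30',
  port   => 3389,
}
```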
1576
1577 c24d3118 Tim Meusel
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

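The two NAT helpers above, `nftables::rules::masquerade` and `nftables::rules::snat4`, differ in where the replacement source address comes from: masquerade takes the current address of the outgoing interface for each connection, while `snat4` rewrites to the fixed address passed in `snat`. The manifest below is an added example and is not part of the module's own documentation. It assumes a router whose WAN interface is `eth0`, a LAN of `192.168.10.0/24`, a DMZ of `10.20.0.0/24`, a public address `203.0.113.10`, and that the `ip nat` table with its `POSTROUTING` chain (the default chain of both helpers) is already managed by the module; all of those names and addresses are assumptions.

```puppet
# Added example, not taken from the module's documentation. Interface names,
# address ranges and the public address are assumptions. The ip nat table and
# its POSTROUTING chain are assumed to be managed by the module already.

# LAN behind a dynamic (e.g. DHCP-assigned) WAN address: masquerade picks the
# interface's current address for every connection. Restricting the rule by
# oif and saddr keeps it from rewriting traffic that merely transits the box,
# which is the usual mistake with a bare "masquerade everything" rule.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.168.10.0/24',
}

# DMZ behind a static WAN address: SNAT to one fixed, documented address so
# upstream logs attribute DMZ traffic consistently. snat is the only required
# parameter. order is lowered so this fragment is placed before the masquerade
# rule in the chain (both default to '70'); with disjoint saddr ranges the
# result is the same, but explicit ordering keeps the rendered ruleset
# predictable when more NAT rules are added later.
nftables::rules::snat4 { 'dmz_out':
  snat  => '203.0.113.10',
  oif   => 'eth0',
  saddr => '10.20.0.0/24',
  order => '60',
}

# Only HTTPS from the LAN is allowed to leave via NAT when proto/dport are
# given: everything else from that range is not rewritten and therefore never
# reaches the Internet with a valid source address.
nftables::rules::masquerade { 'lan_https_only':
  ensure => 'absent',
  oif    => 'eth0',
  saddr  => '192.168.10.0/24',
  proto  => 'tcp',
  dport  => 443,
}
```

The third resource is declared with `ensure => 'absent'` purely to show the shape of a port-restricted NAT rule next to the unrestricted one; only one of `lan_out` and `lan_https_only` would be `present` on a real router, since they overlap. `order` must match `Pattern[/^\d\d$/]`, so values are two-digit strings, not integers.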
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

?

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

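The main reason to keep addresses in an `nftables::set` rather than in individual rules is an allow-list that several rules reference and that can be edited in one place. The manifest below is an added example, not part of the module's own documentation, combining `nftables::set` with `nftables::simplerule` to restrict SSH to a list of management hosts. Set names, rule names and addresses are assumptions. The point to watch is `set_type`: it defaults to `'ip6'`, so a rule that references an `ipv4_addr` set must pass `set_type => 'ip'` explicitly, as the parameter description above says; a set is referenced from `saddr` or `daddr` with a leading `@`.

```puppet
# Added example, not taken from the module's documentation. Set names, rule
# names and addresses are assumptions; both the sets and the rules use the
# default table 'inet-filter' and the rules the default chain 'default_in'.

# Management hosts, IPv4. The 'interval' flag lets the set hold prefixes and
# ranges; auto_merge lets nft combine overlapping or adjacent entries instead
# of rejecting the set definition.
nftables::set { 'mgmt_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.0.5.0/24', '10.0.6.10'],
  auto_merge => true,
}

# Management hosts, IPv6.
nftables::set { 'mgmt_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:1::/48'],
}

# SSH is accepted only from the IPv4 set. set_type => 'ip' is mandatory here:
# the default 'ip6' would type the set reference for the wrong family.
# counter => true gives per-rule hit counts, so an allow rule that suddenly
# sees traffic it never used to is visible in `nft list ruleset`.
nftables::simplerule { 'sshd_from_mgmt_v4':
  action   => 'accept',
  comment  => 'ssh from management hosts (v4)',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
  counter  => true,
}

# Same rule for the IPv6 set; set_type can be left at its default 'ip6'.
nftables::simplerule { 'sshd_from_mgmt_v6':
  action  => 'accept',
  comment => 'ssh from management hosts (v6)',
  proto   => 'tcp',
  dport   => 22,
  saddr   => '@mgmt_v6',
  counter => true,
}
```

The rule titles satisfy `Nftables::SimpleRuleName` (letters, digits and underscores, optionally followed by `-<number>`), and `'@mgmt_v4'` satisfies the `Nftables::Addr::Set` alias, so the catalog compiles without a separate `rulename` or explicit address type. Adding a host to the allow-list is then a one-line change to `elements`, and the sets' default `order` of `'10'` places them ahead of the rules that refer to them in the generated configuration.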
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`