# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

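A fuller declaration of the `nftables` class, added here as an example that is not part of the module's generated reference, showing how the parameters above combine into a deny-by-default host profile. It assumes that `nftables::rule` (not documented in this excerpt) takes a `content` parameter holding the raw nft rule text; the 192.0.2.0/24 source range is a constructed documentation address.

```puppet
# Added example: a restrictive single-host profile built from the `nftables`
# class parameters documented above. Not taken from the module itself.
class { 'nftables':
  # Egress is deny-by-default. With out_all => false each out_* switch is
  # honoured; out_all => true would instead allow everything outbound and
  # treat every other out_* parameter as false.
  out_all   => false,
  out_ntp   => true,
  out_dns   => true,
  out_https => true,
  out_http  => false,   # no plaintext HTTP egress from this host
  out_icmp  => true,

  # Ingress: only SSH and ICMP via the class switches; anything else is
  # added as an explicit rule below.
  in_ssh  => true,
  in_icmp => true,

  # Keep the default inet filter tables/chains, but no NAT table on a host
  # that neither forwards nor masquerades.
  inet_filter => true,
  nat         => false,

  # Conntrack shortcuts: accept established/related flows and drop invalid
  # packets on input and output; no forward rules since nothing is routed.
  in_out_conntrack => true,
  fwd_conntrack    => false,

  # Log rejected packets with a greppable prefix, rate-limited so a flood
  # cannot fill the journal. %<chain>s and %<comment>s are sprintf-style
  # named references expanded per chain.
  log_prefix => '[nftables] %<chain>s %<comment>s',
  log_limit  => '3/minute burst 5 packets',

  # false: unmatched packets fall through to the chain policy (drop) rather
  # than being answered with the default 'icmpx type port-unreachable'.
  reject_with => false,

  # Only flush tables this module owns; leave fail2ban's table alone. Entries
  # must match <family>-<table>, e.g. inet-f2b-table.
  noflush_tables => ['inet-f2b-table'],

  # firewalld stays masked so it cannot be started alongside nftables.
  firewalld_enable => 'mask',

  # Extra rules, normally sourced from Hiera. Each key is an
  # Nftables::RuleName: <chain>-<name>[-<number>]. The `content` parameter of
  # nftables::rule is assumed here; it is not documented in this excerpt.
  rules => {
    'default_in-internal_api' => {
      # Constructed example source range (RFC 5737 documentation prefix).
      'content' => 'ip saddr 192.0.2.0/24 tcp dport 8443 accept',
    },
  },
}
```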

### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters
538
539
The following parameters are available in the `nftables::rules::docker_ce` class:
540
541 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
542
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
543
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
544
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
545 804b96e4 Nacho Barrientos
546 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
547 804b96e4 Nacho Barrientos
548
Data type: `String[1]`
549
550
Interface name used by docker.
551
552
Default value: `'docker0'`
553
554 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
555 804b96e4 Nacho Barrientos
556
Data type: `Stdlib::IP::Address::V4::CIDR`
557
558
The address space used by docker.
559
560
Default value: `'172.17.0.0/16'`
561
562 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
563 804b96e4 Nacho Barrientos
564
Data type: `Boolean`
565
566
Flag to control whether the class should create the docker related chains.
567
568 c24d3118 Tim Meusel
Default value: `true`
569 804b96e4 Nacho Barrientos
570 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
571 804b96e4 Nacho Barrientos
572
Data type: `Boolean`
573
574
Flag to control whether the class should create the base common chains.
575
576 c24d3118 Tim Meusel
Default value: `true`
577 804b96e4 Nacho Barrientos
578 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
579 e17693e3 Steve Traylen
580
manage in http
581
582 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
583 e17693e3 Steve Traylen
584
manage in https
585
586 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
587 e17693e3 Steve Traylen
588
manage in icinga2
589
590
#### Parameters
591
592 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
593 e17693e3 Steve Traylen
594 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
595 e17693e3 Steve Traylen
596 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
597 e17693e3 Steve Traylen
598 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
599 e17693e3 Steve Traylen
600 8db66304 Steve Traylen
Specify ports for icinga2
601 e17693e3 Steve Traylen
602
Default value: `[5665]`
603
604 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
605 7f6cacc5 Steve Traylen
606
The nftables::rules::icmp class.
607
608
#### Parameters
609
610 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
611
612 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
613
* [`v6_types`](#-nftables--rules--icmp--v6_types)
614
* [`order`](#-nftables--rules--icmp--order)
615 7f6cacc5 Steve Traylen
616 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
617 7f6cacc5 Steve Traylen
618
Data type: `Optional[Array[String]]`
619
620
621
622 c24d3118 Tim Meusel
Default value: `undef`
623 7f6cacc5 Steve Traylen
624 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
625 7f6cacc5 Steve Traylen
626
Data type: `Optional[Array[String]]`
627
628
629
630 c24d3118 Tim Meusel
Default value: `undef`
631 7f6cacc5 Steve Traylen
632 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
633 7f6cacc5 Steve Traylen
634
Data type: `String`
635
636
637
638
Default value: `'10'`
639
640 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
641
642
allow incoming IGMP messages
643
644 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
645
646
manage in ldap
647
648
#### Parameters
649
650
The following parameters are available in the `nftables::rules::ldap` class:
651
652
* [`ports`](#-nftables--rules--ldap--ports)
653
654
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
655
656
Data type: `Array[Integer,1]`
657
658
ldap server ports
659
660
Default value: `[389, 636]`
661
662 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
663
664
allow incoming Link-Local Multicast Name Resolution
665
666
* **See also**
667
  * https://datatracker.ietf.org/doc/html/rfc4795
668
669
#### Parameters
670
671
The following parameters are available in the `nftables::rules::llmnr` class:
672
673
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
674
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
675
676
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
677
678
Data type: `Boolean`
679
680
Allow LLMNR over IPv4
681
682
Default value: `true`
683
684
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
685
686
Data type: `Boolean`
687
688
Allow LLMNR over IPv6
689
690
Default value: `true`
691
692 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
693
694
allow incoming multicast DNS
695
696 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
697
698
The following parameters are available in the `nftables::rules::mdns` class:
699
700
* [`ipv4`](#-nftables--rules--mdns--ipv4)
701
* [`ipv6`](#-nftables--rules--mdns--ipv6)
702
703
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
704
705
Data type: `Boolean`
706
707
Allow mdns over IPv4
708
709
Default value: `true`
710
711
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
712
713
Data type: `Boolean`
714
715
Allow mdns over IPv6
716
717
Default value: `true`
718
719 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
720
721
allow incoming multicast traffic
722
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Prometheus server host(s) allowed to scrape the exporter

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Port to open for the exporter

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

Active Directory server IP address or array of addresses

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

Active Directory server ports (LDAP, LDAPS, Global Catalog, Global Catalog over TLS)

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open (the defaults are the Monitor's msgr2 and msgr1 ports)

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

Array of NTP server IP addresses to allow as destinations

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

DNS server(s) to allow outbound queries to

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMPv4 types to allow outbound

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMPv6 types to allow outbound

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Order of the generated rules within the chain (see the `order` parameter of `nftables::rule`)

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

LDAP server IP address or array of addresses

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

LDAP server ports (LDAP and LDAPS)

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow outgoing multicast listener (MLDv2) requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address or array of addresses (the data type accepts addresses, not hostnames)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * nftables::rules::out::puppet
    * the PXP agent also connects to a Puppetserver, so that class is usually needed as well

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

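The following is an added usage example and not part of the module's own documentation. It combines the `nftables::rules::out::*` classes that take a server parameter (`out::puppet`, `out::dns`, `out::chrony`, `out::active_directory`) into a single profile that pins a node's egress to the infrastructure it actually needs, instead of declaring `nftables::rules::out::all`. The profile name and all addresses are constructed placeholders. Whether the `nftables` base class declares `out::all` on its own is controlled outside this section and has to be checked in that class's parameters.

```puppet
# Added example (not part of the puppet-nftables module).
# All addresses are constructed placeholders.
#
# Egress allowlist for a managed node: each class below opens only the
# destinations and ports it is given, so nothing here grants general
# outbound access. nftables::rules::out::all is deliberately not declared.
class profile::firewall::egress (
  Array[Stdlib::IP::Address, 1] $puppetservers = ['10.0.0.10'],
  Array[Stdlib::IP::Address, 1] $dns_servers   = ['10.0.0.53', '10.0.1.53'],
  Array[Stdlib::IP::Address, 1] $ntp_servers   = ['10.0.0.123'],
  Array[Stdlib::IP::Address, 1] $ad_servers    = ['10.0.2.10', '10.0.2.11'],
) {
  # Puppet agent to puppetserver on TCP 8140 (the class default port).
  class { 'nftables::rules::out::puppet':
    puppetserver => $puppetservers,
  }

  # Resolver traffic only to the listed recursive servers.
  class { 'nftables::rules::out::dns':
    dns_server => $dns_servers,
  }

  # NTP only to the listed servers (the class default is an empty array).
  class { 'nftables::rules::out::chrony':
    servers => $ntp_servers,
  }

  # Active Directory on the class default ports 389, 636, 3268 and 3269.
  class { 'nftables::rules::out::active_directory':
    adserver => $ad_servers,
  }

  # Port-only classes for protocols that take no server parameter.
  include nftables::rules::out::https
  include nftables::rules::out::icmp
}
```

Declaring the profile with `include profile::firewall::egress` is enough; the server lists are meant to come from Hiera so that the same profile applies across environments. The classes with a `*_ports` parameter keep their defaults here on purpose: narrowing the destination address is what turns these rules into an allowlist, and the port lists already match the services.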
### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't serve DHCP to your
guests you can disable the rules that accept DHCP traffic on the
host, or if you don't want your guests to talk to hosts outside you
can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage in Samba, the suite that provides Windows (SMB) file sharing on Linux hosts.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

whether the traffic should be accepted or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for a DHCPv6 client

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

The table the chain belongs to, written as `<family>-<name>`.

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The name of the chain.

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Optionally inject a `jump` to this chain into another chain, given as
`<order>-<chain>`; for example `20-default_in` adds a rule at order `20`
of chain `default_in` that jumps to this chain.

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Restrict the injected jump rule to packets arriving on this input interface.

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Restrict the injected jump rule to packets leaving on this output interface.

Default value: `undef`

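The following is an added example, not code from the module, showing how `nftables::chain` and `nftables::rule` fit together: a dedicated chain for a management interface that is reached through an injected jump from `default_in`, so that management-only services never appear in the general input path. The interface name, the network and the chain name are placeholders. It assumes that `inject => '20-default_in'` makes the define add a `jump` rule into chain `default_in` at order `20`, restricted by `inject_iif` to the named input interface; confirm that against the `nftables::chain` source of the module version in use.

```puppet
# Added example (not part of the puppet-nftables module).
# 'eth1' and 10.20.0.0/24 are constructed placeholders.
#
# Assumption: nftables::chain turns inject => 'NN-chain' into a rule
# "iifname <inject_iif> jump mgmt_in" in that chain at order NN.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'eth1',
}

# Rules inside mgmt_in, titled "<chain>-<rulename>" as Nftables::RuleName
# requires. Lower order numbers sort first, so the source check runs
# before any accept.
nftables::rule { 'mgmt_in-only_mgmt_net':
  order   => '10',
  content => 'ip saddr != 10.20.0.0/24 drop',
}

nftables::rule { 'mgmt_in-ssh':
  order   => '20',
  content => 'tcp dport 22 accept',
}

nftables::rule { 'mgmt_in-node_exporter':
  order   => '30',
  content => 'tcp dport 9100 accept',
}

# Anything that matches none of the rules above returns to default_in
# and is handled by the rest of the input policy there.
```

The point of the separate chain is that the port 22 and port 9100 accepts are only reachable for packets that entered on `eth1`, and within that path only from the management network; an accept for the same ports placed directly in `default_in` would apply to every interface. Note that the `ip saddr` check only matches IPv4; if the management interface also carries IPv6, add an equivalent `ip6 saddr` rule at the same order.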
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Table specification in `<family>-<name>` form (for example `inet-filter`).

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

The content to place in the snippet.

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the snippet content from.

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created.

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in the file name.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` the file is
automatically included in the main nft configuration.

Default value: `'file-'`

1604 c24d3118 Tim Meusel
### <a name="nftables--rule"></a>`nftables::rule`
1605 e17693e3 Steve Traylen
1606 13f26dfc Nacho Barrientos
Provides an interface to create a firewall rule
1607
1608
#### Examples
1609
1610
##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
1611
1612
```puppet
1613
nftables::rule {
1614
  'default_in-myhttp':
1615
    content => 'tcp dport 80 accept',
1616
}
1617
```
1618
1619
##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
1620
1621
```puppet
1622
nftables::rule {
1623
  'PREROUTING6-count':
1624
    content => 'counter',
1625
    table   => 'ip6-nat'
1626
}
1627
```
1628 e17693e3 Steve Traylen
1629
#### Parameters
1630
1631 09cba182 Steve Traylen
The following parameters are available in the `nftables::rule` defined type:
1632
1633 c24d3118 Tim Meusel
* [`ensure`](#-nftables--rule--ensure)
1634
* [`rulename`](#-nftables--rule--rulename)
1635
* [`order`](#-nftables--rule--order)
1636
* [`table`](#-nftables--rule--table)
1637
* [`content`](#-nftables--rule--content)
1638
* [`source`](#-nftables--rule--source)
1639 e17693e3 Steve Traylen
1640 c24d3118 Tim Meusel
##### <a name="-nftables--rule--ensure"></a>`ensure`
1641 e17693e3 Steve Traylen
1642
Data type: `Enum['present','absent']`
1643
1644 13f26dfc Nacho Barrientos
Should the rule be created.
1645 e17693e3 Steve Traylen
1646
Default value: `'present'`
1647
1648 c24d3118 Tim Meusel
##### <a name="-nftables--rule--rulename"></a>`rulename`
1649 e17693e3 Steve Traylen
1650 8c00b818 Nacho Barrientos
Data type: `Nftables::RuleName`
1651 e17693e3 Steve Traylen
1652 13f26dfc Nacho Barrientos
The symbolic name for the rule and to what chain to add it. The
1653
format is defined by the Nftables::RuleName type.
1654 e17693e3 Steve Traylen
1655
Default value: `$title`
1656
1657 c24d3118 Tim Meusel
##### <a name="-nftables--rule--order"></a>`order`
1658 e17693e3 Steve Traylen
1659
Data type: `Pattern[/^\d\d$/]`
1660
1661 13f26dfc Nacho Barrientos
A number representing the order of the rule.
1662 e17693e3 Steve Traylen
1663
Default value: `'50'`
1664
1665 c24d3118 Tim Meusel
##### <a name="-nftables--rule--table"></a>`table`
1666 e17693e3 Steve Traylen
1667 b02d6ea9 Nacho Barrientos
Data type: `String`
1668 e17693e3 Steve Traylen
1669 13f26dfc Nacho Barrientos
The name of the table to add this rule to.
1670 e17693e3 Steve Traylen
1671
Default value: `'inet-filter'`
1672
1673 c24d3118 Tim Meusel
##### <a name="-nftables--rule--content"></a>`content`
1674 e17693e3 Steve Traylen
1675
Data type: `Optional[String]`
1676
1677 13f26dfc Nacho Barrientos
The raw statements that compose the rule represented using the nftables
1678
language.
1679 e17693e3 Steve Traylen
1680 c24d3118 Tim Meusel
Default value: `undef`
1681 e17693e3 Steve Traylen
1682 c24d3118 Tim Meusel
##### <a name="-nftables--rule--source"></a>`source`
1683 e17693e3 Steve Traylen
1684
Data type: `Optional[Variant[String,Array[String,1]]]`
1685
1686 13f26dfc Nacho Barrientos
Same goal as content but sourcing the value from a file.
1687 e17693e3 Steve Traylen
1688 c24d3118 Tim Meusel
Default value: `undef`
1689 e17693e3 Steve Traylen
1690 c24d3118 Tim Meusel
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`
1691 e17693e3 Steve Traylen
1692
manage a ipv4 dnat rule
1693
1694
#### Parameters
1695
1696 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dnat4` defined type:
1697
1698 c24d3118 Tim Meusel
* [`daddr`](#-nftables--rules--dnat4--daddr)
1699
* [`port`](#-nftables--rules--dnat4--port)
1700
* [`rulename`](#-nftables--rules--dnat4--rulename)
1701
* [`order`](#-nftables--rules--dnat4--order)
1702
* [`chain`](#-nftables--rules--dnat4--chain)
1703
* [`iif`](#-nftables--rules--dnat4--iif)
1704
* [`proto`](#-nftables--rules--dnat4--proto)
1705
* [`dport`](#-nftables--rules--dnat4--dport)
1706
* [`ensure`](#-nftables--rules--dnat4--ensure)
1707 e17693e3 Steve Traylen
1708 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`
1709 e17693e3 Steve Traylen
1710
Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
1711
1712
1713
1714 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--port"></a>`port`
1715 e17693e3 Steve Traylen
1716 bc1b0f1a Steve Traylen
Data type: `Variant[String,Stdlib::Port]`
1717 e17693e3 Steve Traylen
1718
1719
1720 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`
1721 e17693e3 Steve Traylen
1722
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1723
1724
1725
1726
Default value: `$title`
1727
1728 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--order"></a>`order`
1729 e17693e3 Steve Traylen
1730
Data type: `Pattern[/^\d\d$/]`
1731
1732
1733
1734
Default value: `'50'`
1735
1736 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--chain"></a>`chain`
1737 e17693e3 Steve Traylen
1738
Data type: `String[1]`
1739
1740
1741
1742
Default value: `'default_fwd'`
1743
1744 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--iif"></a>`iif`
1745 e17693e3 Steve Traylen
1746
Data type: `Optional[String[1]]`
1747
1748
1749
1750 c24d3118 Tim Meusel
Default value: `undef`
1751 e17693e3 Steve Traylen
1752 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--proto"></a>`proto`
1753 e17693e3 Steve Traylen
1754
Data type: `Enum['tcp','udp']`
1755
1756
1757
1758
Default value: `'tcp'`
1759
1760 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--dport"></a>`dport`
1761 e17693e3 Steve Traylen
1762 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1763 e17693e3 Steve Traylen
1764
1765
1766 c24d3118 Tim Meusel
Default value: `undef`
1767 e17693e3 Steve Traylen
1768 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`
1769 e17693e3 Steve Traylen
1770
Data type: `Enum['present','absent']`
1771
1772
1773
1774
Default value: `'present'`
1775
1776 c24d3118 Tim Meusel
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`
1777 e17693e3 Steve Traylen
1778
masquerade all outgoing traffic
1779
1780
#### Parameters
1781
1782 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::masquerade` defined type:
1783 e17693e3 Steve Traylen
1784 c24d3118 Tim Meusel
* [`rulename`](#-nftables--rules--masquerade--rulename)
1785
* [`order`](#-nftables--rules--masquerade--order)
1786
* [`chain`](#-nftables--rules--masquerade--chain)
1787
* [`oif`](#-nftables--rules--masquerade--oif)
1788
* [`saddr`](#-nftables--rules--masquerade--saddr)
1789
* [`daddr`](#-nftables--rules--masquerade--daddr)
1790
* [`proto`](#-nftables--rules--masquerade--proto)
1791
* [`dport`](#-nftables--rules--masquerade--dport)
1792
* [`ensure`](#-nftables--rules--masquerade--ensure)
1793 09cba182 Steve Traylen
1794 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`
1795 e17693e3 Steve Traylen
1796
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1797
1798
1799
1800
Default value: `$title`
1801
1802 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--order"></a>`order`
1803 e17693e3 Steve Traylen
1804
Data type: `Pattern[/^\d\d$/]`
1805
1806
1807
1808
Default value: `'70'`
1809
1810 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--chain"></a>`chain`
1811 e17693e3 Steve Traylen
1812
Data type: `String[1]`
1813
1814
1815
1816
Default value: `'POSTROUTING'`
1817
1818 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--oif"></a>`oif`
1819 e17693e3 Steve Traylen
1820
Data type: `Optional[String[1]]`
1821
1822
1823
1824 c24d3118 Tim Meusel
Default value: `undef`
1825 e17693e3 Steve Traylen
1826 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`
1827 e17693e3 Steve Traylen
1828
Data type: `Optional[String[1]]`
1829
1830
1831
1832 c24d3118 Tim Meusel
Default value: `undef`
1833 e17693e3 Steve Traylen
1834 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`
1835 e17693e3 Steve Traylen
1836
Data type: `Optional[String[1]]`
1837
1838
1839
1840 c24d3118 Tim Meusel
Default value: `undef`
1841 e17693e3 Steve Traylen
1842 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--proto"></a>`proto`
1843 e17693e3 Steve Traylen
1844
Data type: `Optional[Enum['tcp','udp']]`
1845
1846
1847
1848 c24d3118 Tim Meusel
Default value: `undef`
1849 e17693e3 Steve Traylen
1850 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--dport"></a>`dport`
1851 e17693e3 Steve Traylen
1852 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1853 e17693e3 Steve Traylen
1854
1855
1856 c24d3118 Tim Meusel
Default value: `undef`
1857 e17693e3 Steve Traylen
1858 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`
1859 e17693e3 Steve Traylen
1860
Data type: `Enum['present','absent']`
1861
1862
1863
1864
Default value: `'present'`
1865
1866 c24d3118 Tim Meusel
### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`
1867 e17693e3 Steve Traylen
1868
manage a ipv4 snat rule
1869
1870
#### Parameters
1871
1872 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::snat4` defined type:
1873
1874 c24d3118 Tim Meusel
* [`snat`](#-nftables--rules--snat4--snat)
1875
* [`rulename`](#-nftables--rules--snat4--rulename)
1876
* [`order`](#-nftables--rules--snat4--order)
1877
* [`chain`](#-nftables--rules--snat4--chain)
1878
* [`oif`](#-nftables--rules--snat4--oif)
1879
* [`saddr`](#-nftables--rules--snat4--saddr)
1880
* [`proto`](#-nftables--rules--snat4--proto)
1881
* [`dport`](#-nftables--rules--snat4--dport)
1882
* [`ensure`](#-nftables--rules--snat4--ensure)
1883 e17693e3 Steve Traylen
1884 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--snat"></a>`snat`
1885 e17693e3 Steve Traylen
1886
Data type: `String[1]`
1887
1888
1889
1890 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`
1891 e17693e3 Steve Traylen
1892
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1893
1894
1895
1896
Default value: `$title`
1897
1898 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--order"></a>`order`
1899 e17693e3 Steve Traylen
1900
Data type: `Pattern[/^\d\d$/]`
1901
1902
1903
1904
Default value: `'70'`
1905
1906 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--chain"></a>`chain`
1907 e17693e3 Steve Traylen
1908
Data type: `String[1]`
1909
1910
1911
1912
Default value: `'POSTROUTING'`
1913
1914 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--oif"></a>`oif`
1915 e17693e3 Steve Traylen
1916
Data type: `Optional[String[1]]`
1917
1918
1919
1920 c24d3118 Tim Meusel
Default value: `undef`
1921 e17693e3 Steve Traylen
1922 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`
1923 e17693e3 Steve Traylen
1924
Data type: `Optional[String[1]]`
1925
1926
1927
1928 c24d3118 Tim Meusel
Default value: `undef`
1929 e17693e3 Steve Traylen
1930 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--proto"></a>`proto`
1931 e17693e3 Steve Traylen
1932
Data type: `Optional[Enum['tcp','udp']]`
1933
1934
1935
1936 c24d3118 Tim Meusel
Default value: `undef`
1937 e17693e3 Steve Traylen
1938 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--dport"></a>`dport`
1939 e17693e3 Steve Traylen
1940 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1941 e17693e3 Steve Traylen
1942
1943
1944 c24d3118 Tim Meusel
Default value: `undef`
1945 e17693e3 Steve Traylen
1946 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`
1947 e17693e3 Steve Traylen
1948
Data type: `Enum['present','absent']`
1949
1950
1951
1952
Default value: `'present'`
1953
1954 c24d3118 Tim Meusel
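The three NAT defined types above combined on one small gateway, as an added example that is not part of the generated reference. Interface names and addresses are constructed, and the reading of the `dnat4` parameters (`daddr`/`port` as the translation target, `dport` as the matched incoming port, `iif` as the ingress interface) is an assumption drawn from the parameter names, since the reference documents only names and types.

```puppet
# Added example combining nftables::rules::dnat4, nftables::rules::masquerade
# and nftables::rules::snat4 (not from the generated reference). Assumed
# layout: 'eth0' is the upstream interface, 10.0.0.0/24 is the LAN and
# 10.0.1.0/24 a DMZ; 198.51.100.10 is a constructed public address.
# The reading of the dnat4 parameters (daddr/port = translation target,
# dport = matched incoming port, iif = ingress interface) is an assumption
# based on the parameter names; check the module source before relying on it.

# Publish the DMZ web server on upstream port 8080. Pinning iif and dport
# keeps the translation scoped to one interface and one port; with dport
# left undef the match would be far broader than intended.
nftables::rules::dnat4 { 'dmz_web':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8080,
  daddr => '10.0.1.5',        # must satisfy the dotted-quad Pattern
  port  => 80,
  chain => 'default_fwd',     # the default forward chain
}

# Masquerade only the LAN range leaving through the upstream interface.
# The type's summary is "masquerade all outgoing traffic"; saddr and oif
# narrow the match so unexpected ranges are not silently translated.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
}

# The DMZ gets a fixed source address instead: SNAT to a known address is
# deterministic, which keeps upstream flow logs attributable to the DMZ
# rather than to whatever address the gateway happens to hold.
nftables::rules::snat4 { 'dmz_out':
  snat  => '198.51.100.10',
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
  order => '70',              # the default; concat ordering within the chain
}
```
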
### <a name="nftables--set"></a>`nftables::set`
1955 7f6cacc5 Steve Traylen
1956
manage a named set
1957
1958 13f4e4c6 Steve Traylen
#### Examples
1959
1960
##### simple set
1961
1962
```puppet
1963
nftables::set{'my_set':
1964
  type       => 'ipv4_addr',
1965
  flags      => ['interval'],
1966
  elements   => ['192.168.0.1/24', '10.0.0.2'],
1967
  auto_merge => true,
1968
}
1969
```
1970
1971 7f6cacc5 Steve Traylen
#### Parameters
1972
1973 09cba182 Steve Traylen
The following parameters are available in the `nftables::set` defined type:
1974
1975 c24d3118 Tim Meusel
* [`ensure`](#-nftables--set--ensure)
1976
* [`setname`](#-nftables--set--setname)
1977
* [`order`](#-nftables--set--order)
1978
* [`type`](#-nftables--set--type)
1979
* [`table`](#-nftables--set--table)
1980
* [`flags`](#-nftables--set--flags)
1981
* [`timeout`](#-nftables--set--timeout)
1982
* [`gc_interval`](#-nftables--set--gc_interval)
1983
* [`elements`](#-nftables--set--elements)
1984
* [`size`](#-nftables--set--size)
1985
* [`policy`](#-nftables--set--policy)
1986
* [`auto_merge`](#-nftables--set--auto_merge)
1987
* [`content`](#-nftables--set--content)
1988
* [`source`](#-nftables--set--source)
1989
1990
##### <a name="-nftables--set--ensure"></a>`ensure`
1991 7f6cacc5 Steve Traylen
1992
Data type: `Enum['present','absent']`
1993
1994 13f4e4c6 Steve Traylen
should the set be created.
1995 7f6cacc5 Steve Traylen
1996
Default value: `'present'`
1997
1998 c24d3118 Tim Meusel
##### <a name="-nftables--set--setname"></a>`setname`
1999 7f6cacc5 Steve Traylen
2000
Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
2001
2002 13f4e4c6 Steve Traylen
name of set, equal to to title.
2003 7f6cacc5 Steve Traylen
2004
Default value: `$title`
2005
2006 c24d3118 Tim Meusel
##### <a name="-nftables--set--order"></a>`order`
2007 7f6cacc5 Steve Traylen
2008
Data type: `Pattern[/^\d\d$/]`
2009
2010 13f4e4c6 Steve Traylen
concat ordering.
2011 7f6cacc5 Steve Traylen
2012
Default value: `'10'`
2013
2014 c24d3118 Tim Meusel
##### <a name="-nftables--set--type"></a>`type`
2015 7f6cacc5 Steve Traylen
2016
Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
2017
2018 13f4e4c6 Steve Traylen
type of set.
2019 7f6cacc5 Steve Traylen
2020 c24d3118 Tim Meusel
Default value: `undef`
2021 7f6cacc5 Steve Traylen
2022 c24d3118 Tim Meusel
##### <a name="-nftables--set--table"></a>`table`
2023 7f6cacc5 Steve Traylen
2024 c94658e1 Nacho Barrientos
Data type: `Variant[String, Array[String, 1]]`
2025 7f6cacc5 Steve Traylen
2026 c94658e1 Nacho Barrientos
table or array of tables to add the set to.
2027 7f6cacc5 Steve Traylen
2028
Default value: `'inet-filter'`
2029
2030 c24d3118 Tim Meusel
##### <a name="-nftables--set--flags"></a>`flags`
2031 7f6cacc5 Steve Traylen
2032
Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
2033
2034 13f4e4c6 Steve Traylen
specify flags for set
2035 7f6cacc5 Steve Traylen
2036
Default value: `[]`
2037
2038 c24d3118 Tim Meusel
##### <a name="-nftables--set--timeout"></a>`timeout`
2039 7f6cacc5 Steve Traylen
2040
Data type: `Optional[Integer]`
2041
2042 13f4e4c6 Steve Traylen
timeout in seconds
2043 7f6cacc5 Steve Traylen
2044 c24d3118 Tim Meusel
Default value: `undef`
2045 7f6cacc5 Steve Traylen
2046 c24d3118 Tim Meusel
##### <a name="-nftables--set--gc_interval"></a>`gc_interval`
2047 7f6cacc5 Steve Traylen
2048
Data type: `Optional[Integer]`
2049
2050 13f4e4c6 Steve Traylen
garbage collection interval.
2051 7f6cacc5 Steve Traylen
2052 c24d3118 Tim Meusel
Default value: `undef`
2053 7f6cacc5 Steve Traylen
2054 c24d3118 Tim Meusel
##### <a name="-nftables--set--elements"></a>`elements`
2055 7f6cacc5 Steve Traylen
2056
Data type: `Optional[Array[String]]`
2057
2058 13f4e4c6 Steve Traylen
initialize the set with some elements in it.
2059 7f6cacc5 Steve Traylen
2060 c24d3118 Tim Meusel
Default value: `undef`
2061 7f6cacc5 Steve Traylen
2062 c24d3118 Tim Meusel
##### <a name="-nftables--set--size"></a>`size`
2063 7f6cacc5 Steve Traylen
2064
Data type: `Optional[Integer]`
2065
2066 13f4e4c6 Steve Traylen
limits the maximum number of elements of the set.
2067 7f6cacc5 Steve Traylen
2068 c24d3118 Tim Meusel
Default value: `undef`
2069 7f6cacc5 Steve Traylen
2070 c24d3118 Tim Meusel
##### <a name="-nftables--set--policy"></a>`policy`
2071 7f6cacc5 Steve Traylen
2072
Data type: `Optional[Enum['performance', 'memory']]`
2073
2074 13f4e4c6 Steve Traylen
determines set selection policy.
2075 7f6cacc5 Steve Traylen
2076 c24d3118 Tim Meusel
Default value: `undef`
2077 7f6cacc5 Steve Traylen
2078 c24d3118 Tim Meusel
##### <a name="-nftables--set--auto_merge"></a>`auto_merge`
2079 7f6cacc5 Steve Traylen
2080
Data type: `Boolean`
2081
2082 13f4e4c6 Steve Traylen
?
2083 7f6cacc5 Steve Traylen
2084 c24d3118 Tim Meusel
Default value: `false`
2085 7f6cacc5 Steve Traylen
2086 c24d3118 Tim Meusel
##### <a name="-nftables--set--content"></a>`content`
2087 7f6cacc5 Steve Traylen
2088
Data type: `Optional[String]`
2089
2090 13f4e4c6 Steve Traylen
specify content of set.
2091 7f6cacc5 Steve Traylen
2092 c24d3118 Tim Meusel
Default value: `undef`
2093 7f6cacc5 Steve Traylen
2094 c24d3118 Tim Meusel
##### <a name="-nftables--set--source"></a>`source`
2095 7f6cacc5 Steve Traylen
2096
Data type: `Optional[Variant[String,Array[String,1]]]`
2097
2098 13f4e4c6 Steve Traylen
specify source of set.
2099 7f6cacc5 Steve Traylen
2100 c24d3118 Tim Meusel
Default value: `undef`
2101 7f6cacc5 Steve Traylen
2102 c24d3118 Tim Meusel
### <a name="nftables--simplerule"></a>`nftables::simplerule`
2103 4d63adda Nacho Barrientos
2104 b46c9ce9 Nacho Barrientos
Provides a simplified interface to nftables::rule
2105 4d63adda Nacho Barrientos
2106 b46c9ce9 Nacho Barrientos
#### Examples
2107 4d63adda Nacho Barrientos
2108 b46c9ce9 Nacho Barrientos
##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
2109 4d63adda Nacho Barrientos
2110 b46c9ce9 Nacho Barrientos
```puppet
2111
nftables::simplerule{'my_service_in':
2112
  action  => 'accept',
2113
  comment => 'allow traffic to port 543',
2114
  counter => true,
2115
  proto   => 'tcp',
2116
  dport   => 543,
2117
  daddr   => '2001:1458::/32',
2118
  sport   => 541,
2119
}
2120
```
2121 4d63adda Nacho Barrientos
2122 b46c9ce9 Nacho Barrientos
#### Parameters
2123 4d63adda Nacho Barrientos
2124 09cba182 Steve Traylen
The following parameters are available in the `nftables::simplerule` defined type:
2125
2126 c24d3118 Tim Meusel
* [`ensure`](#-nftables--simplerule--ensure)
2127
* [`rulename`](#-nftables--simplerule--rulename)
2128
* [`order`](#-nftables--simplerule--order)
2129
* [`chain`](#-nftables--simplerule--chain)
2130
* [`table`](#-nftables--simplerule--table)
2131
* [`action`](#-nftables--simplerule--action)
2132
* [`comment`](#-nftables--simplerule--comment)
2133
* [`dport`](#-nftables--simplerule--dport)
2134
* [`proto`](#-nftables--simplerule--proto)
2135
* [`daddr`](#-nftables--simplerule--daddr)
2136
* [`set_type`](#-nftables--simplerule--set_type)
2137
* [`sport`](#-nftables--simplerule--sport)
2138
* [`saddr`](#-nftables--simplerule--saddr)
2139
* [`counter`](#-nftables--simplerule--counter)
2140
2141
##### <a name="-nftables--simplerule--ensure"></a>`ensure`
2142 13f4e4c6 Steve Traylen
2143
Data type: `Enum['present','absent']`
2144
2145
Should the rule be created.
2146
2147
Default value: `'present'`
2148
2149 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--rulename"></a>`rulename`
2150 4d63adda Nacho Barrientos
2151 8c00b818 Nacho Barrientos
Data type: `Nftables::SimpleRuleName`
2152 4d63adda Nacho Barrientos
2153 b46c9ce9 Nacho Barrientos
The symbolic name for the rule to add. Defaults to the resource's title.
2154 4d63adda Nacho Barrientos
2155
Default value: `$title`
2156
2157 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--order"></a>`order`
2158 4d63adda Nacho Barrientos
2159
Data type: `Pattern[/^\d\d$/]`
2160
2161 b46c9ce9 Nacho Barrientos
A number representing the order of the rule.
2162 4d63adda Nacho Barrientos
2163
Default value: `'50'`
2164
2165 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--chain"></a>`chain`
2166 4d63adda Nacho Barrientos
2167
Data type: `String`
2168
2169 b46c9ce9 Nacho Barrientos
The name of the chain to add this rule to.
2170 4d63adda Nacho Barrientos
2171
Default value: `'default_in'`
2172
2173 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--table"></a>`table`
2174 4d63adda Nacho Barrientos
2175
Data type: `String`
2176
2177 b46c9ce9 Nacho Barrientos
The name of the table to add this rule to.
2178 4d63adda Nacho Barrientos
2179
Default value: `'inet-filter'`
2180
2181 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--action"></a>`action`
2182 4d63adda Nacho Barrientos
2183
Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
2184
2185 b46c9ce9 Nacho Barrientos
The verdict for the matched traffic.
2186 4d63adda Nacho Barrientos
2187
Default value: `'accept'`
2188
2189 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--comment"></a>`comment`
2190 4d63adda Nacho Barrientos
2191
Data type: `Optional[String]`
2192
2193 b46c9ce9 Nacho Barrientos
A typically human-readable comment for the rule.
2194 4d63adda Nacho Barrientos
2195 c24d3118 Tim Meusel
Default value: `undef`
2196 4d63adda Nacho Barrientos
2197 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--dport"></a>`dport`
2198 4d63adda Nacho Barrientos
2199
Data type: `Optional[Nftables::Port]`
2200
2201 b46c9ce9 Nacho Barrientos
The destination port, ports or port range.
2202 4d63adda Nacho Barrientos
2203 c24d3118 Tim Meusel
Default value: `undef`
2204 4d63adda Nacho Barrientos
2205 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--proto"></a>`proto`
2206 4d63adda Nacho Barrientos
2207
Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
2208
2209 b46c9ce9 Nacho Barrientos
The transport-layer protocol to match.
2210 4d63adda Nacho Barrientos
2211 c24d3118 Tim Meusel
Default value: `undef`
2212 4d63adda Nacho Barrientos
2213 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--daddr"></a>`daddr`
2214 4d63adda Nacho Barrientos
2215
Data type: `Optional[Nftables::Addr]`
2216
2217 b46c9ce9 Nacho Barrientos
The destination address, CIDR or set to match.
2218 4d63adda Nacho Barrientos
2219 c24d3118 Tim Meusel
Default value: `undef`
2220 4d63adda Nacho Barrientos
2221 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--set_type"></a>`set_type`
2222 4d63adda Nacho Barrientos
2223
Data type: `Enum['ip', 'ip6']`
2224
2225 b46c9ce9 Nacho Barrientos
When using sets as saddr or daddr, the type of the set.
2226
Use `ip` for sets of type `ipv4_addr`.
2227 4d63adda Nacho Barrientos
2228
Default value: `'ip6'`
2229
2230 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--sport"></a>`sport`
2231 4d63adda Nacho Barrientos
2232
Data type: `Optional[Nftables::Port]`
2233
2234 b46c9ce9 Nacho Barrientos
The source port, ports or port range.
2235 4d63adda Nacho Barrientos
2236 c24d3118 Tim Meusel
Default value: `undef`
2237 4d63adda Nacho Barrientos
2238 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--saddr"></a>`saddr`
2239 4d63adda Nacho Barrientos
2240
Data type: `Optional[Nftables::Addr]`
2241
2242 b46c9ce9 Nacho Barrientos
The source address, CIDR or set to match.
2243 4d63adda Nacho Barrientos
2244 c24d3118 Tim Meusel
Default value: `undef`
2245 4d63adda Nacho Barrientos
2246 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--counter"></a>`counter`
2247 4d63adda Nacho Barrientos
2248
Data type: `Boolean`
2249
2250 b46c9ce9 Nacho Barrientos
Enable traffic counters for the matched traffic.
2251 4d63adda Nacho Barrientos
2252 c24d3118 Tim Meusel
Default value: `false`
2253 4d63adda Nacho Barrientos
2254
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
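
An added example, not part of the generated reference, tying `nftables::set`, `nftables::simplerule` and `nftables::rule` to the `Nftables::Addr::Set`, `Nftables::Port` and `Nftables::RuleName` types defined above; the set name, addresses and ports are constructed for illustration.

```puppet
# Added example (not from the generated reference): an IPv4 admin allowlist
# held in a named set and consumed by nftables::simplerule and nftables::rule.
# Set name, addresses and ports are constructed for illustration.

# The set lives in the default table 'inet-filter'. The 'interval' flag
# allows CIDR ranges as elements, matching the reference's own set example.
nftables::set { 'admins_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/28', '198.51.100.7'],
  auto_merge => true,
}

# saddr refers to the set by '@' name, which is what Nftables::Addr::Set
# accepts. set_type defaults to 'ip6', so it must be 'ip' for an ipv4_addr
# set; otherwise the generated match targets the wrong address family and
# the allowlist never matches. dport as an array is an Nftables::Port.
nftables::simplerule { 'mgmt_in':
  action   => 'accept',
  comment  => 'management access from the admin allowlist only',
  counter  => true,           # counters make the rule's use auditable
  proto    => 'tcp',
  dport    => [22, 8443],
  saddr    => '@admins_v4',
  set_type => 'ip',
}

# A raw rule: the title must satisfy Nftables::RuleName ('chain-name' with
# an optional '-number'), so 'default_in-mgmt_ratelimit' lands in chain
# default_in. order '40' sorts it before the accept above (default '50'), so
# new connections exceeding the rate are dropped before the allowlist match.
nftables::rule { 'default_in-mgmt_ratelimit':
  order   => '40',
  content => 'tcp dport 22 ct state new limit rate over 10/minute counter drop',
}

# Retire an old opening by name with ensure => 'absent' rather than by
# deleting the declaration, so the removal is explicit in the catalog.
nftables::simplerule { 'legacy_telnet_in':
  ensure => 'absent',
  proto  => 'tcp',
  dport  => 23,
}
```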