puppet nftables

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables

* [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges

* [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter

* [`nftables::inet_filter::fwd_conntrack`](#nftablesinet_filterfwd_conntrack): enable conntrack for fwd

* [`nftables::inet_filter::in_out_conntrack`](#nftablesinet_filterin_out_conntrack): manage input & output conntrack

* [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat

* [`nftables::rules::activemq`](#nftablesrulesactivemq): Provides input rules for Apache ActiveMQ

* [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients

* [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)

* [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system.

Enable this option to support Ceph's Monitor Daemon.

* [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client): allow DHCPv6 requests in to a host

* [`nftables::rules::dns`](#nftablesrulesdns): manage in dns

* [`nftables::rules::docker_ce`](#nftablesrulesdocker_ce): Default firewall configuration for Docker-CE

* [`nftables::rules::http`](#nftablesruleshttp): manage in http

* [`nftables::rules::https`](#nftablesruleshttps): manage in https

* [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2

* [`nftables::rules::icmp`](#nftablesrulesicmp)

* [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4

* [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3

* [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter

* [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf

* [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3

* [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound

* [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system.

Enable this to be a client of Ceph's Monitor (MON),

Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

and Manager Daemons (MGR).

* [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony

* [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp

* [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client): Allow DHCPv6 requests out of a host

* [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns

* [`nftables::rules::out::hkp`](#nftablesrulesouthkp): allow outgoing hkp connections to gpg keyservers

* [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http

* [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https

* [`nftables::rules::out::icmp`](#nftablesrulesouticmp): control outbound icmp packages

* [`nftables::rules::out::imap`](#nftablesrulesoutimap): allow outgoing imap

* [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos

* [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql

* [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs

* [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3

* [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients

7000 - afs3-fileserver

7002 - afs3-ptserver

7003 - vlserver

* [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf

* [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3

* [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3

* [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres

* [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet

* [`nftables::rules::out::pxp_agent`](#nftablesrulesoutpxp_agent): manage outgoing pxp-agent

* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp

* [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client

* [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh

* [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh

* [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor

* [`nftables::rules::out::whois`](#nftablesrulesoutwhois): allow clients to query remote whois server

* [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard

* [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet

* [`nftables::rules::pxp_agent`](#nftablesrulespxp_agent): manage in pxp-agent

* [`nftables::rules::qemu`](#nftablesrulesqemu): Bridged network configuration for qemu/libvirt

* [`nftables::rules::samba`](#nftablesrulessamba): manage Samba, the suite to allow Windows file sharing on Linux resources.

* [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp

* [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission

* [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps

* [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh

* [`nftables::rules::tor`](#nftablesrulestor): manage in tor

* [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard

* [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client): Allow in and outbound traffic for DHCPv6 server

* [`nftables::services::openafs_client`](#nftablesservicesopenafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftableschain): manage a chain

* [`nftables::config`](#nftablesconfig): manage a config snippet

* [`nftables::file`](#nftablesfile): Insert a file into the nftables configuration

* [`nftables::rule`](#nftablesrule): Provides an interface to create a firewall rule

* [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule

* [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic

* [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule

* [`nftables::set`](#nftablesset): manage a named set

* [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.

* [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.

* [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.

* [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.

* [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.

It's a dash separated string. The first component describes the chain to

add the rule to, the second the rule name and the (optional) third a number.

Ex: 'default_in-sshd', 'default_out-my_service-2'.

* [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet

class{ 'nftables':

  out_ntp => false,

  out_dns => true,

}

```

##### do not flush particular tables, fail2ban in this case

```puppet

class{ 'nftables':

  noflush_tables => ['inet-f2b-table'],

}

```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#out_all)

* [`out_ntp`](#out_ntp)

* [`out_http`](#out_http)

* [`out_dns`](#out_dns)

* [`out_https`](#out_https)

* [`out_icmp`](#out_icmp)

* [`in_ssh`](#in_ssh)

* [`in_icmp`](#in_icmp)

* [`inet_filter`](#inet_filter)

* [`nat`](#nat)

* [`nat_table_name`](#nat_table_name)

* [`sets`](#sets)

* [`log_prefix`](#log_prefix)

* [`log_limit`](#log_limit)

* [`reject_with`](#reject_with)

* [`in_out_conntrack`](#in_out_conntrack)

* [`fwd_conntrack`](#fwd_conntrack)

* [`firewalld_enable`](#firewalld_enable)

* [`noflush_tables`](#noflush_tables)

* [`rules`](#rules)

* [`configuration_path`](#configuration_path)

* [`nft_path`](#nft_path)

* [`echo`](#echo)

##### <a name="out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other

out parameters `out_ntp`, `out_dns`, ... will be assuemed

false.

Default value: ``false``

##### <a name="out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: ``true``

##### <a name="out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: ``true``

##### <a name="out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: ``true``

##### <a name="out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: ``true``

##### <a name="out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: ``true``

##### <a name="in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: ``true``

##### <a name="in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: ``true``

##### <a name="inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: ``true``

##### <a name="nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: ``true``

##### <a name="nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain

two variables using standard sprintf() string-formatting:

 * chain: Will be replaced by the name of the chain.

 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied

to the rules that log discarded traffic. Set to false to

disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the

fate of the packet will be defined by the chain policy (normally

drop), otherwise the packet will be rejected with the REJECT_WITH

policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``true``

##### <a name="fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an

established connection and also to drop invalid packets.

Default value: ``false``

##### <a name="firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be

useful to set this to false if you're externaly removing firewalld from

the system completely.

Default value: `'mask'`

##### <a name="noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified only other existings tables will be flushed.

If left unset all tables will be flushed via a `flush ruleset`

Default value: ``undef``

##### <a name="rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default

varies depending on the system, and is set in the module's data.

##### <a name="nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

### <a name="nftablesbridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#ensure)

* [`bridgenames`](#bridgenames)

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftablesinet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftablesinet_filterfwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftablesinet_filterin_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftablesip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftablesrulesactivemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#tcp)

* [`udp`](#udp)

* [`port`](#port)

##### <a name="tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: ``true``

##### <a name="udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: ``true``

##### <a name="port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftablesrulesafs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet

class{'nftables::rules::afs3_callback':

  saddr => ['192.168.0.0/16', '10.0.0.222']

}

```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#saddr)

##### <a name="saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftablesrulesceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.

Enable this to support Ceph's Object Storage Daemons (OSD),

Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftablesrulesceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.

Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftablesrulesdhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftablesrulesdns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftablesrulesdocker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall

configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict

with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#docker_interface)

* [`docker_prefix`](#docker_prefix)

* [`manage_docker_chains`](#manage_docker_chains)

* [`manage_base_chains`](#manage_base_chains)

##### <a name="docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: ``true``

##### <a name="manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: ``true``

### <a name="nftablesruleshttp"></a>`nftables::rules::http`

manage in http

### <a name="nftablesruleshttps"></a>`nftables::rules::https`

manage in https

### <a name="nftablesrulesicinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga1

Default value: `[5665]`

### <a name="nftablesrulesicmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#v4_types)

* [`v6_types`](#v6_types)

* [`order`](#order)

##### <a name="v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftablesrulesnfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftablesrulesnfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftablesrulesnode_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#prometheus_server)

* [`port`](#port)

##### <a name="prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: ``undef``

##### <a name="port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftablesrulesospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftablesrulesospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftablesrulesoutall"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftablesrulesoutceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.

Enable this to be a client of Ceph's Monitor (MON),

Object Storage Daemons (OSD), Metadata Server Daemons (MDS),

and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftablesrulesoutchrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#servers)

##### <a name="servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP-Address or array of IP-addresses from NTP servers

Default value: `[]`

### <a name="nftablesrulesoutdhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftablesrulesoutdhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftablesrulesoutdns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#dns_server)

##### <a name="dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: ``undef``

### <a name="nftablesrulesouthkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftablesrulesouthttp"></a>`nftables::rules::out::http`

manage out http

### <a name="nftablesrulesouthttps"></a>`nftables::rules::out::https`

manage out https

### <a name="nftablesrulesouticmp"></a>`nftables::rules::out::icmp`

control outbound icmp packages

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#v4_types)

* [`v6_types`](#v6_types)

* [`order`](#order)

##### <a name="v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: ``undef``

##### <a name="order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftablesrulesoutimap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftablesrulesoutkerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftablesrulesoutmysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftablesrulesoutnfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftablesrulesoutnfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftablesrulesoutopenafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

7000 - afs3-fileserver

7002 - afs3-ptserver

7003 - vlserver

* **See also**

  * https://wiki.openafs.org/devel/AFSServicePorts/

    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftablesrulesoutospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftablesrulesoutospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftablesrulesoutpop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftablesrulesoutpostgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftablesrulesoutpuppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#puppetserver)

* [`puppetserver_port`](#puppetserver_port)

##### <a name="puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftablesrulesoutpxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**

  * also

    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#broker)

* [`broker_port`](#broker_port)

##### <a name="broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftablesrulesoutsmtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftablesrulesoutssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftablesrulesoutsshremove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftablesrulesouttor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftablesrulesoutwhois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftablesrulesoutwireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftablesrulespuppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftablesrulespxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftablesrulesqemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt

creates. Depending on your requirements you can switch on and off

several aspects, for instance if you don't do DHCP to your guests

you can disable the rules that accept DHCP traffic on the host or if

you don't want your guests to talk to hosts outside you can disable

forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#interface)

* [`network_v4`](#network_v4)

* [`network_v6`](#network_v6)

* [`dns`](#dns)

* [`dhcpv4`](#dhcpv4)

* [`forward_traffic`](#forward_traffic)

* [`internal_traffic`](#internal_traffic)

* [`masquerade`](#masquerade)

##### <a name="interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: ``undef``

##### <a name="dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: ``true``

##### <a name="dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: ``true``

##### <a name="forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)

generated by the virtual network.

Default value: ``true``

##### <a name="internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: ``true``

##### <a name="masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests

to external networks.

Default value: ``true``

### <a name="nftablesrulessamba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#ctdb)

##### <a name="ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: ``false``

### <a name="nftablesrulessmtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftablesrulessmtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftablesrulessmtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftablesrulesssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftablesrulestor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftablesruleswireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#ports)

##### <a name="ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wiregueard port

Default value: `[51820]`

### <a name="nftablesservicesdhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow in and outbound traffic for DHCPv6 server

### <a name="nftablesservicesopenafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftableschain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#table)

* [`chain`](#chain)

* [`inject`](#inject)

* [`inject_iif`](#inject_iif)

* [`inject_oif`](#inject_oif)

##### <a name="table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: ``undef``

##### <a name="inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: ``undef``

##### <a name="inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: ``undef``

### <a name="nftablesconfig"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#tablespec)

* [`content`](#content)

* [`source`](#source)

* [`prefix`](#prefix)

##### <a name="tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="content"></a>`content`

Data type: `Optional[String]`

Default value: ``undef``

##### <a name="source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: ``undef``

##### <a name="prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftablesfile"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet

nftables::file{'geoip':

  content => @(EOT)

    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"

    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"

    |EOT,

}

```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#label)

* [`content`](#content)

* [`source`](#source)

* [`prefix`](#prefix)

##### <a name="label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: ``undef``

##### <a name="source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: ``undef``

##### <a name="prefix"></a>`prefix`

Data type: `String`

Prefix of file name to be created, if left as `file-` it will be

auto included in the main nft configuration

Default value: `'file-'`

### <a name="nftablesrule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet

nftables::rule {

  'default_in-myhttp':

    content => 'tcp dport 80 accept',

}

```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet

nftables::rule {

  'PREROUTING6-count':

    content => 'counter',

    table   => 'ip6-nat'

}

```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#ensure)

* [`rulename`](#rulename)

* [`order`](#order)

* [`table`](#table)

* [`content`](#content)

* [`source`](#source)

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The

format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables

language.

Default value: ``undef``

##### <a name="source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: ``undef``

### <a name="nftablesrulesdnat4"></a>`nftables::rules::dnat4`

manage a ipv4 dnat rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#daddr)

* [`port`](#port)

* [`rulename`](#rulename)

* [`order`](#order)

* [`chain`](#chain)

* [`iif`](#iif)

* [`proto`](#proto)

* [`dport`](#dport)

* [`ensure`](#ensure)

##### <a name="daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### <a name="proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: ``undef``

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftablesrulesmasquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#rulename)

* [`order`](#order)

* [`chain`](#chain)

* [`oif`](#oif)

* [`saddr`](#saddr)

* [`daddr`](#daddr)

* [`proto`](#proto)

* [`dport`](#dport)

* [`ensure`](#ensure)

##### <a name="rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### <a name="saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### <a name="daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: ``undef``

##### <a name="proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: ``undef``

##### <a name="dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: ``undef``

##### <a name="ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftablesrulessnat4"></a>`nftables::rules::snat4`

manage a ipv4 snat rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type: