root / REFERENCE.md @ 6b350264


# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`
### <a name="nftables--rules--http"></a>`nftables::rules::http`
575 e17693e3 Steve Traylen
576
manage in http
577
578 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
579 e17693e3 Steve Traylen
580
manage in https
581
582 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
583 e17693e3 Steve Traylen
584
manage in icinga2
585
586
#### Parameters
587
588 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
589 e17693e3 Steve Traylen
590 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
591 e17693e3 Steve Traylen
592 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
593 e17693e3 Steve Traylen
594 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
595 e17693e3 Steve Traylen
596 8db66304 Steve Traylen
Specify ports for icinga2
597 e17693e3 Steve Traylen
598
Default value: `[5665]`
599
600 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
601 7f6cacc5 Steve Traylen
602
The nftables::rules::icmp class.
603
604
#### Parameters
605
606 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
607
608 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
609
* [`v6_types`](#-nftables--rules--icmp--v6_types)
610
* [`order`](#-nftables--rules--icmp--order)
611 7f6cacc5 Steve Traylen
612 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
613 7f6cacc5 Steve Traylen
614
Data type: `Optional[Array[String]]`
615
616
617
618 c24d3118 Tim Meusel
Default value: `undef`
619 7f6cacc5 Steve Traylen
620 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
621 7f6cacc5 Steve Traylen
622
Data type: `Optional[Array[String]]`
623
624
625
626 c24d3118 Tim Meusel
Default value: `undef`
627 7f6cacc5 Steve Traylen
628 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
629 7f6cacc5 Steve Traylen
630
Data type: `String`
631
632
633
634
Default value: `'10'`
635
636 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
637
638
allow incoming IGMP messages
639
640 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
641
642
manage in ldap
643
644
#### Parameters
645
646
The following parameters are available in the `nftables::rules::ldap` class:
647
648
* [`ports`](#-nftables--rules--ldap--ports)
649
650
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
651
652
Data type: `Array[Integer,1]`
653
654
ldap server ports
655
656
Default value: `[389, 636]`
657
658 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
659
660
allow incoming multicast DNS
661
662 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
663
664
The following parameters are available in the `nftables::rules::mdns` class:
665
666
* [`ipv4`](#-nftables--rules--mdns--ipv4)
667
* [`ipv6`](#-nftables--rules--mdns--ipv6)
668
669
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
670
671
Data type: `Boolean`
672
673
Allow mdns over IPv4
674
675
Default value: `true`
676
677
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * also
    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

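The outbound classes documented above (`nftables::rules::out::active_directory`, `nftables::rules::out::ldap`, `nftables::rules::out::chrony`, `nftables::rules::out::dns`, `nftables::rules::out::icmp`, `nftables::rules::out::puppet` and `nftables::rules::out::pxp_agent`) each open egress only towards the servers you name, which is what makes them useful on a host whose default outbound policy is restrictive. The manifest below is an added example and not part of the generated reference or of the module; it combines them for a domain-joined Puppet agent. All addresses are constructed, and because the reference does not describe the format of `v4_types` and `v6_types`, the ICMP type strings are an assumption (nftables `icmp type` / `icmpv6 type` keywords).

```puppet
# Added example, not the module's own code. All addresses are constructed.

# Directory services: LDAP, LDAPS and the global catalog ports
# (389, 636, 3268, 3269 are the documented defaults of adserver_ports).
class { 'nftables::rules::out::active_directory':
  adserver => ['192.0.2.10', '192.0.2.11'],
}

# A separate LDAP directory, narrowed to LDAPS only instead of the
# default [389, 636].
class { 'nftables::rules::out::ldap':
  ldapserver       => '192.0.2.20',
  ldapserver_ports => [636],
}

# Time: only the named NTP servers, not every host on UDP/123.
class { 'nftables::rules::out::chrony':
  servers => ['192.0.2.30', '192.0.2.31'],
}

# DNS: dns_server takes a string or a list of strings.
class { 'nftables::rules::out::dns':
  dns_server => ['192.0.2.53', '192.0.2.54'],
}

# Puppet and PXP: the agent reaches the Puppetserver on 8140 (the default
# puppetserver_port) and the PXP broker on 8142 (the default broker_port).
# Both parameters are typed as IP addresses, not names.
class { 'nftables::rules::out::puppet':
  puppetserver => '192.0.2.100',
}
class { 'nftables::rules::out::pxp_agent':
  broker => '192.0.2.100',
}

# ICMP: the strings below are ASSUMED to be nftables `icmp type` and
# `icmpv6 type` keywords; the reference page does not document the format
# v4_types / v6_types expect. Keep the ICMPv6 neighbour discovery types,
# otherwise the host loses IPv6 connectivity on its local link.
class { 'nftables::rules::out::icmp':
  v4_types => ['echo-request', 'destination-unreachable', 'time-exceeded'],
  v6_types => [
    'echo-request',
    'destination-unreachable',
    'packet-too-big',
    'time-exceeded',
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
  ],
  order    => '10',
}
```

Two operational points follow from the parameter types. `puppetserver` and `broker` are IP addresses, so a Puppetserver move has to be rolled out through these parameters before the old address goes away, or the agent firewalls itself away from its own configuration source. And a restrictive `v6_types` list is only safe when it keeps neighbour solicitation and advertisement; dropping them silently breaks IPv6 rather than producing a visible error.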
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't serve DHCP to your
guests you can disable the rules that accept DHCP traffic on the
host, or if you don't want your guests to talk to hosts outside you
can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file { 'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

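`nftables::chain` and `nftables::rule` are meant to be used together: the chain resource creates a chain in a table named `<family>-<table>` (the pattern on `table` above) and, when `inject` is set, a jump into it from an existing chain, while rule resources named `<chain>-<name>` (as in the two examples above) fill the chain in `order`. The manifest below is an added example and not from the module's reference or code. Two readings are assumptions rather than documented facts: that `inject` is parsed as `<order>-<parent chain>` (the type pattern `^\d\d-[a-zA-Z0-9_]+$` suggests it, the page does not say so) and that `inject_iif` restricts that jump to packets entering on the named interface. Addresses and interface names are constructed.

```puppet
# Added example, not the module's own code. Addresses and interface names
# are constructed.

# A dedicated chain for management-plane access. ASSUMED: '15-default_in'
# injects "jump mgmt_in" into chain default_in at order 15, and inject_iif
# narrows that jump to packets arriving on mgmt0.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '15-default_in',
  inject_iif => 'mgmt0',
}

# Rules are named '<chain>-<name>' and sorted by `order` inside the chain.
# An anonymous set keeps the admin networks in one rule.
nftables::rule { 'mgmt_in-admins_ssh':
  order   => '10',
  content => 'ip saddr { 192.0.2.0/24, 198.51.100.7 } tcp dport 22 accept',
}

nftables::rule { 'mgmt_in-admins_ssh6':
  order   => '10',
  content => 'ip6 saddr 2001:db8:ffff::/48 tcp dport 22 accept',
}

# Log, then drop, everything else that reached this chain. The two are
# separate rules on purpose: "limit rate ... log ... drop" in one rule
# would only drop the packets that were also logged, letting the rest
# fall through once the rate limit is exceeded.
nftables::rule { 'mgmt_in-log':
  order   => '89',
  content => 'limit rate 5/minute burst 10 packets log prefix "mgmt_in drop: "',
}

nftables::rule { 'mgmt_in-drop':
  order   => '90',
  content => 'drop',
}

# A superseded rule: keep the resource with ensure => absent so Puppet
# removes it, instead of deleting the resource and leaving the fragment
# unmanaged on hosts that already have it.
nftables::rule { 'mgmt_in-legacy_telnet':
  ensure  => 'absent',
  content => 'tcp dport 23 accept',
}
```

The log/drop split is the part worth copying: a rate-limited `log` statement combined with `drop` in a single rule ties the drop to the limit, so once the rate is exceeded unmatched packets continue down the chain. Keeping `drop` in its own rule at a higher `order` makes the terminal verdict unconditional.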
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

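A worked port forward using the parameters listed above, added here as an example and not part of the generated reference. The interface, addresses and ports are constructed. Because the reference gives no description for `port` and `dport`, the example assumes that `dport` is the port clients connect to on this host and `port` is the port on `daddr` that traffic is translated to, and that the `chain` default `default_fwd` names the forward chain that must accept the translated flow.

```puppet
# Added example (not from the module's documentation). Constructed values:
# eth0 is assumed to be the external interface, 10.0.0.5 an internal web server.
nftables::rules::dnat4 { 'web_to_internal':
  ensure => 'present',
  iif    => 'eth0',          # translate only traffic arriving on the external interface
  proto  => 'tcp',
  dport  => 8080,            # port clients connect to (assumed meaning, see lead-in)
  daddr  => '10.0.0.5',      # must satisfy the dotted-quad Pattern of daddr
  port   => 80,              # port on daddr after translation (assumed meaning)
  chain  => 'default_fwd',   # forward chain that accepts the translated flow
  order  => '50',
}
```

Pinning `iif` to the external interface keeps the translation from applying to traffic that arrives from other interfaces, and the `daddr` Pattern rejects anything that is not four dotted decimal groups, so a CIDR or a `@set` reference fails at catalog compilation instead of generating a broader rule than intended.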
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

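The two egress NAT types documented above, `nftables::rules::masquerade` and `nftables::rules::snat4`, side by side in one added example that is not part of the module's documentation. The uplink interface `eth0`, the LAN `192.168.1.0/24`, the resolver `192.168.1.53` and the public address `203.0.113.10` are constructed values; the example assumes the `ip nat` table and its `POSTROUTING` chain (the default `chain`) are managed elsewhere in the catalog, and that the `snat` parameter carries the address to translate to, which the reference does not describe.

```puppet
# Added example, not the module's own code. Dynamic source NAT: rewrite to the
# uplink's current address. saddr restricts it to the LAN so traffic from other
# interfaces is never NATed by accident.
nftables::rules::masquerade { 'lan_masq':
  oif   => 'eth0',
  saddr => '192.168.1.0/24',
}

# Static source NAT for one service: a fixed egress address keeps the resolver's
# outbound queries attributable in upstream logs. Only UDP/53 from the resolver
# is rewritten here; everything else still hits the masquerade rule.
nftables::rules::snat4 { 'resolver_snat':
  snat  => '203.0.113.10',   # assumed to be the translated source address
  oif   => 'eth0',
  saddr => '192.168.1.53',
  proto => 'udp',
  dport => 53,
  order => '65',             # below masquerade's default '70', so it is evaluated first
}
```

The `order` values matter: nftables applies the first matching `snat`/`masquerade` statement and stops, so the more specific static rule must sort ahead of the catch-all masquerade or it will never be reached.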
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Automatically merge adjacent or overlapping elements; only meaningful for sets carrying the `interval` flag.

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

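A set-backed allow rule combining `nftables::set` with `nftables::simplerule`, added here as an example and not the module's own code. It shows the `set_type` caveat from the parameter list: the set is `ipv4_addr`, so the rule must say `set_type => 'ip'` rather than rely on the `'ip6'` default, or the generated expression will reference the set with the wrong address family. All addresses are constructed; the rules land in the default `default_in` chain of the default `inet-filter` table.

```puppet
# Added example (not from the module's documentation). Constructed allow-list of
# administrator networks; 'interval' plus auto_merge lets CIDR and single
# addresses coexist in one ipv4_addr set.
nftables::set { 'admin_nets':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.10', '198.51.100.0/24'],
  auto_merge => true,
}

# Accept SSH only from the set. The '@' prefix makes saddr a Nftables::Addr::Set,
# and set_type must match the set's address family ('ip' for ipv4_addr).
nftables::simplerule { 'ssh_admin_in':
  action   => 'accept',
  comment  => 'ssh from admin networks',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@admin_nets',
  set_type => 'ip',
  counter  => true,
  order    => '40',
}

# Count and drop every other SSH attempt, ordered after the accept. A counter on
# the drop rule is a cheap signal of unexpected SSH traffic in `nft list ruleset`.
nftables::simplerule { 'ssh_other_in':
  action  => 'drop',
  comment => 'ssh from anywhere else',
  proto   => 'tcp',
  dport   => 22,
  counter => true,
  order   => '41',
}
```

Both rule names satisfy `Nftables::SimpleRuleName` (no dash-separated chain prefix, unlike `Nftables::RuleName` for raw rules), and `@admin_nets` satisfies the `Nftables::Addr::Set` pattern, so a typo in the set name fails at catalog compilation rather than at `nft` load time.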
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`