/REFERENCE.md - puppet nftables - Koumbit's Redmine

Télécharger au format

root / REFERENCE.md @ 8842a597

Historique | Voir | Annoter | Télécharger (40 ko)

       # Reference
       <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
       ## Table of Contents
       ### Classes
       * [`nftables`](#nftables): Configure nftables
       * [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges
       * [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter
       * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat
       * [`nftables::rules::activemq`](#nftablesrulesactivemq): Provides input rules for Apache ActiveMQ
       * [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients
       * [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
       * [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       * [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client): allow DHCPv6 requests in to a host
       * [`nftables::rules::dns`](#nftablesrulesdns): manage in dns
       * [`nftables::rules::docker_ce`](#nftablesrulesdocker_ce): Default firewall configuration for Docker-CE
       * [`nftables::rules::http`](#nftablesruleshttp): manage in http
       * [`nftables::rules::https`](#nftablesruleshttps): manage in https
       * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2
       * [`nftables::rules::icmp`](#nftablesrulesicmp)
       * [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4
       * [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3
       * [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter
       * [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf
       * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3
       * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound
       * [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       * [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony
       * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp
       * [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client): Allow DHCPv6 requests out of a host
       * [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns
       * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
       * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
       * [`nftables::rules::out::icmp`](#nftablesrulesouticmp): control outbound icmp packages
       * [`nftables::rules::out::imap`](#nftablesrulesoutimap): allow outgoing imap
       * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos
       * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
       * [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs
       * [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3
       * [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
       * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
       * [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3
       * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
       * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
       * [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp
       * [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client
       * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
       * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
       * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
       * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
       * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
       * [`nftables::rules::qemu`](#nftablesrulesqemu): Bridged network configuration for qemu/libvirt
       * [`nftables::rules::samba`](#nftablesrulessamba): manage Samba, the suite to allow Windows file sharing on Linux resources.
       * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
       * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
       * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
       * [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh
       * [`nftables::rules::tor`](#nftablesrulestor): manage in tor
       * [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard
       * [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client): Allow in and outbound traffic for DHCPv6 server
       * [`nftables::services::openafs_client`](#nftablesservicesopenafs_client): Open inbound and outbound ports for an AFS client
       ### Defined types
       * [`nftables::chain`](#nftableschain): manage a chain
       * [`nftables::config`](#nftablesconfig): manage a config snippet
       * [`nftables::rule`](#nftablesrule): Provides an interface to create a firewall rule
       * [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule
       * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
       * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
       * [`nftables::set`](#nftablesset): manage a named set
       * [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule
       ### Data types
       * [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.
       * [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.
       * [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.
       * [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.
       * [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       * [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule
       ## Classes
       ### <a name="nftables"></a>`nftables`
       Configure nftables
       #### Examples
       ##### allow dns out and do not allow ntp out
       ```puppet
       class{ 'nftables':
         out_ntp => false,
         out_dns => true,
+      }
       ```
       ##### do not flush particular tables, fail2ban in this case
       ```puppet
       class{ 'nftables':
         noflush_tables => ['inet-f2b-table'],
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables` class:
       * [`out_all`](#out_all)
       * [`out_ntp`](#out_ntp)
       * [`out_http`](#out_http)
       * [`out_dns`](#out_dns)
       * [`out_https`](#out_https)
       * [`out_icmp`](#out_icmp)
       * [`in_ssh`](#in_ssh)
       * [`in_icmp`](#in_icmp)
       * [`inet_filter`](#inet_filter)
       * [`nat`](#nat)
       * [`nat_table_name`](#nat_table_name)
       * [`sets`](#sets)
       * [`log_prefix`](#log_prefix)
       * [`log_limit`](#log_limit)
       * [`reject_with`](#reject_with)
       * [`in_out_conntrack`](#in_out_conntrack)
       * [`fwd_conntrack`](#fwd_conntrack)
       * [`firewalld_enable`](#firewalld_enable)
       * [`noflush_tables`](#noflush_tables)
       * [`rules`](#rules)
       * [`configuration_path`](#configuration_path)
       * [`nft_path`](#nft_path)
       ##### <a name="out_all"></a>`out_all`
       Data type: `Boolean`
       Allow all outbound connections. If `true` then all other
       out parameters `out_ntp`, `out_dns`, ... will be assuemed
       false.
       Default value: ``false``
       ##### <a name="out_ntp"></a>`out_ntp`
       Data type: `Boolean`
       Allow outbound to ntp servers.
       Default value: ``true``
       ##### <a name="out_http"></a>`out_http`
       Data type: `Boolean`
       Allow outbound to http servers.
       Default value: ``true``
       ##### <a name="out_dns"></a>`out_dns`
       Data type: `Boolean`
       Allow outbound to dns servers.
       Default value: ``true``
       ##### <a name="out_https"></a>`out_https`
       Data type: `Boolean`
       Allow outbound to https servers.
       Default value: ``true``
       ##### <a name="out_icmp"></a>`out_icmp`
       Data type: `Boolean`
       Allow outbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### <a name="in_ssh"></a>`in_ssh`
       Data type: `Boolean`
       Allow inbound to ssh servers.
       Default value: ``true``
       ##### <a name="in_icmp"></a>`in_icmp`
       Data type: `Boolean`
       Allow inbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### <a name="inet_filter"></a>`inet_filter`
       Data type: `Boolean`
       Add default tables, chains and rules to process traffic.
       Default value: ``true``
       ##### <a name="nat"></a>`nat`
       Data type: `Boolean`
       Add default tables and chains to process NAT traffic.
       Default value: ``true``
       ##### <a name="nat_table_name"></a>`nat_table_name`
       Data type: `String[1]`
       The name of the 'nat' table.
       Default value: `'nat'`
       ##### <a name="sets"></a>`sets`
       Data type: `Hash`
       Allows sourcing set definitions directly from Hiera.
       Default value: `{}`
       ##### <a name="log_prefix"></a>`log_prefix`
       Data type: `String`
       String that will be used as prefix when logging packets. It can contain
       two variables using standard sprintf() string-formatting:
        * chain: Will be replaced by the name of the chain.
        * comment: Allows chains to add extra comments.
       Default value: `'[nftables] %<chain>s %<comment>s'`
       ##### <a name="log_limit"></a>`log_limit`
       Data type: `Variant[Boolean[false], String]`
       String with the content of a limit statement to be applied
       to the rules that log discarded traffic. Set to false to
       disable rate limiting.
       Default value: `'3/minute burst 5 packets'`
       ##### <a name="reject_with"></a>`reject_with`
       Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
       How to discard packets not matching any rule. If `false`, the
       fate of the packet will be defined by the chain policy (normally
       drop), otherwise the packet will be rejected with the REJECT_WITH
       policy indicated by the value of this parameter.
       Default value: `'icmpx type port-unreachable'`
       ##### <a name="in_out_conntrack"></a>`in_out_conntrack`
       Data type: `Boolean`
       Adds INPUT and OUTPUT rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``true``
       ##### <a name="fwd_conntrack"></a>`fwd_conntrack`
       Data type: `Boolean`
       Adds FORWARD rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``false``
       ##### <a name="firewalld_enable"></a>`firewalld_enable`
       Data type: `Variant[Boolean[false], Enum['mask']]`
       Configures how the firewalld systemd service unit is enabled. It might be
       useful to set this to false if you're externaly removing firewalld from
       the system completely.
       Default value: `'mask'`
       ##### <a name="noflush_tables"></a>`noflush_tables`
       Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`
       If specified only other existings tables will be flushed.
       If left unset all tables will be flushed via a `flush ruleset`
       Default value: ``undef``
       ##### <a name="rules"></a>`rules`
       Data type: `Hash`
       Specify hashes of `nftables::rule`s via hiera
       Default value: `{}`
       ##### <a name="configuration_path"></a>`configuration_path`
       Data type: `Stdlib::Unixpath`
       The absolute path to the principal nftables configuration file. The default
       varies depending on the system, and is set in the module's data.
       ##### <a name="nft_path"></a>`nft_path`
       Data type: `Stdlib::Unixpath`
       Path to the nft binary
       ### <a name="nftablesbridges"></a>`nftables::bridges`
       allow forwarding traffic on bridges
       #### Parameters
       The following parameters are available in the `nftables::bridges` class:
       * [`ensure`](#ensure)
       * [`bridgenames`](#bridgenames)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ##### <a name="bridgenames"></a>`bridgenames`
       Data type: `Regexp`
       Default value: `/^br.+/`
       ### <a name="nftablesinet_filter"></a>`nftables::inet_filter`
       manage basic chains in table inet filter
       ### <a name="nftablesip_nat"></a>`nftables::ip_nat`
       manage basic chains in table ip nat
       ### <a name="nftablesrulesactivemq"></a>`nftables::rules::activemq`
       Provides input rules for Apache ActiveMQ
       #### Parameters
       The following parameters are available in the `nftables::rules::activemq` class:
       * [`tcp`](#tcp)
       * [`udp`](#udp)
       * [`port`](#port)
       ##### <a name="tcp"></a>`tcp`
       Data type: `Boolean`
       Create the rule for TCP traffic.
       Default value: ``true``
       ##### <a name="udp"></a>`udp`
       Data type: `Boolean`
       Create the rule for UDP traffic.
       Default value: ``true``
       ##### <a name="port"></a>`port`
       Data type: `Stdlib::Port`
       The port number for the ActiveMQ daemon.
       Default value: `61616`
       ### <a name="nftablesrulesafs3_callback"></a>`nftables::rules::afs3_callback`
       Open call back port for AFS clients
       #### Examples
       ##### allow call backs from particular hosts
       ```puppet
       class{'nftables::rules::afs3_callback':
         saddr => ['192.168.0.0/16', '10.0.0.222']
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rules::afs3_callback` class:
       * [`saddr`](#saddr)
       ##### <a name="saddr"></a>`saddr`
       Data type: `Array[Stdlib::IP::Address::V4,1]`
       list of source network ranges to a
       Default value: `['0.0.0.0/0']`
       ### <a name="nftablesrulesceph"></a>`nftables::rules::ceph`
       Ceph is a distributed object store and file system.
       Enable this to support Ceph's Object Storage Daemons (OSD),
       Metadata Server Daemons (MDS), or Manager Daemons (MGR).
       ### <a name="nftablesrulesceph_mon"></a>`nftables::rules::ceph_mon`
       Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       #### Parameters
       The following parameters are available in the `nftables::rules::ceph_mon` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       specify ports for ceph service
       Default value: `[3300, 6789]`
       ### <a name="nftablesrulesdhcpv6_client"></a>`nftables::rules::dhcpv6_client`
       allow DHCPv6 requests in to a host
       ### <a name="nftablesrulesdns"></a>`nftables::rules::dns`
       manage in dns
       #### Parameters
       The following parameters are available in the `nftables::rules::dns` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for dns.
       Default value: `[53]`
       ### <a name="nftablesrulesdocker_ce"></a>`nftables::rules::docker_ce`
       The configuration distributed in this class represents the default firewall
       configuration done by docker-ce when the iptables integration is enabled.
       This class is needed as the default docker-ce rules added to ip-filter conflict
       with the inet-filter forward rules set by default in this module.
       When using this class 'docker::iptables: false' should be set.
       #### Parameters
       The following parameters are available in the `nftables::rules::docker_ce` class:
       * [`docker_interface`](#docker_interface)
       * [`docker_prefix`](#docker_prefix)
       * [`manage_docker_chains`](#manage_docker_chains)
       * [`manage_base_chains`](#manage_base_chains)
       ##### <a name="docker_interface"></a>`docker_interface`
       Data type: `String[1]`
       Interface name used by docker.
       Default value: `'docker0'`
       ##### <a name="docker_prefix"></a>`docker_prefix`
       Data type: `Stdlib::IP::Address::V4::CIDR`
       The address space used by docker.
       Default value: `'172.17.0.0/16'`
       ##### <a name="manage_docker_chains"></a>`manage_docker_chains`
       Data type: `Boolean`
       Flag to control whether the class should create the docker related chains.
       Default value: ``true``
       ##### <a name="manage_base_chains"></a>`manage_base_chains`
       Data type: `Boolean`
       Flag to control whether the class should create the base common chains.
       Default value: ``true``
       ### <a name="nftablesruleshttp"></a>`nftables::rules::http`
       manage in http
       ### <a name="nftablesruleshttps"></a>`nftables::rules::https`
       manage in https
       ### <a name="nftablesrulesicinga2"></a>`nftables::rules::icinga2`
       manage in icinga2
       #### Parameters
       The following parameters are available in the `nftables::rules::icinga2` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for icinga1
       Default value: `[5665]`
       ### <a name="nftablesrulesicmp"></a>`nftables::rules::icmp`
       The nftables::rules::icmp class.
       #### Parameters
       The following parameters are available in the `nftables::rules::icmp` class:
       * [`v4_types`](#v4_types)
       * [`v6_types`](#v6_types)
       * [`order`](#order)
       ##### <a name="v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftablesrulesnfs"></a>`nftables::rules::nfs`
       manage in nfs4
       ### <a name="nftablesrulesnfs3"></a>`nftables::rules::nfs3`
       manage in nfs3
       ### <a name="nftablesrulesnode_exporter"></a>`nftables::rules::node_exporter`
       manage in node exporter
       #### Parameters
       The following parameters are available in the `nftables::rules::node_exporter` class:
       * [`prometheus_server`](#prometheus_server)
       * [`port`](#port)
       ##### <a name="prometheus_server"></a>`prometheus_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Specify server name
       Default value: ``undef``
       ##### <a name="port"></a>`port`
       Data type: `Stdlib::Port`
       Specify port to open
       Default value: `9100`
       ### <a name="nftablesrulesospf"></a>`nftables::rules::ospf`
       manage in ospf
       ### <a name="nftablesrulesospf3"></a>`nftables::rules::ospf3`
       manage in ospf3
       ### <a name="nftablesrulesoutall"></a>`nftables::rules::out::all`
       allow all outbound
       ### <a name="nftablesrulesoutceph_client"></a>`nftables::rules::out::ceph_client`
       Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ceph_client` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports to open
       Default value: `[3300, 6789]`
       ### <a name="nftablesrulesoutchrony"></a>`nftables::rules::out::chrony`
       manage out chrony
       ### <a name="nftablesrulesoutdhcp"></a>`nftables::rules::out::dhcp`
       manage out dhcp
       ### <a name="nftablesrulesoutdhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
       Allow DHCPv6 requests out of a host
       ### <a name="nftablesrulesoutdns"></a>`nftables::rules::out::dns`
       manage out dns
       #### Parameters
       The following parameters are available in the `nftables::rules::out::dns` class:
       * [`dns_server`](#dns_server)
       ##### <a name="dns_server"></a>`dns_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify dns_server name
       Default value: ``undef``
       ### <a name="nftablesrulesouthttp"></a>`nftables::rules::out::http`
       manage out http
       ### <a name="nftablesrulesouthttps"></a>`nftables::rules::out::https`
       manage out https
       ### <a name="nftablesrulesouticmp"></a>`nftables::rules::out::icmp`
       control outbound icmp packages
       #### Parameters
       The following parameters are available in the `nftables::rules::out::icmp` class:
       * [`v4_types`](#v4_types)
       * [`v6_types`](#v6_types)
       * [`order`](#order)
       ##### <a name="v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### <a name="order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftablesrulesoutimap"></a>`nftables::rules::out::imap`
       allow outgoing imap
       ### <a name="nftablesrulesoutkerberos"></a>`nftables::rules::out::kerberos`
       allows outbound access for kerberos
       ### <a name="nftablesrulesoutmysql"></a>`nftables::rules::out::mysql`
       manage out mysql
       ### <a name="nftablesrulesoutnfs"></a>`nftables::rules::out::nfs`
       manage out nfs
       ### <a name="nftablesrulesoutnfs3"></a>`nftables::rules::out::nfs3`
       manage out nfs3
       ### <a name="nftablesrulesoutopenafs_client"></a>`nftables::rules::out::openafs_client`
       allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * **See also**
         * https://wiki.openafs.org/devel/AFSServicePorts/
           * AFS Service Ports
       #### Parameters
       The following parameters are available in the `nftables::rules::out::openafs_client` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       port numbers to use
       Default value: `[7000, 7002, 7003]`
       ### <a name="nftablesrulesoutospf"></a>`nftables::rules::out::ospf`
       manage out ospf
       ### <a name="nftablesrulesoutospf3"></a>`nftables::rules::out::ospf3`
       manage out ospf3
       ### <a name="nftablesrulesoutpop3"></a>`nftables::rules::out::pop3`
       allow outgoing pop3
       ### <a name="nftablesrulesoutpostgres"></a>`nftables::rules::out::postgres`
       manage out postgres
       ### <a name="nftablesrulesoutpuppet"></a>`nftables::rules::out::puppet`
       manage outgoing puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::out::puppet` class:
       * [`puppetserver`](#puppetserver)
       * [`puppetserver_port`](#puppetserver_port)
       ##### <a name="puppetserver"></a>`puppetserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       puppetserver hostname
       ##### <a name="puppetserver_port"></a>`puppetserver_port`
       Data type: `Stdlib::Port`
       puppetserver port
       Default value: `8140`
       ### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp`
       allow outgoing smtp
       ### <a name="nftablesrulesoutsmtp_client"></a>`nftables::rules::out::smtp_client`
       allow outgoing smtp client
       ### <a name="nftablesrulesoutssh"></a>`nftables::rules::out::ssh`
       manage out ssh
       ### <a name="nftablesrulesoutsshremove"></a>`nftables::rules::out::ssh::remove`
       disable outgoing ssh
       ### <a name="nftablesrulesouttor"></a>`nftables::rules::out::tor`
       manage out tor
       ### <a name="nftablesrulesoutwireguard"></a>`nftables::rules::out::wireguard`
       manage out wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::out::wireguard` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Integer,1]`
       specify wireguard ports
       Default value: `[51820]`
       ### <a name="nftablesrulespuppet"></a>`nftables::rules::puppet`
       manage in puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::puppet` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Integer,1]`
       puppet server ports
       Default value: `[8140]`
       ### <a name="nftablesrulesqemu"></a>`nftables::rules::qemu`
       This class configures the typical firewall setup that libvirt
       creates. Depending on your requirements you can switch on and off
       several aspects, for instance if you don't do DHCP to your guests
       you can disable the rules that accept DHCP traffic on the host or if
       you don't want your guests to talk to hosts outside you can disable
       forwarding and/or masquerading for IPv4 traffic.
       #### Parameters
       The following parameters are available in the `nftables::rules::qemu` class:
       * [`interface`](#interface)
       * [`network_v4`](#network_v4)
       * [`network_v6`](#network_v6)
       * [`dns`](#dns)
       * [`dhcpv4`](#dhcpv4)
       * [`forward_traffic`](#forward_traffic)
       * [`internal_traffic`](#internal_traffic)
       * [`masquerade`](#masquerade)
       ##### <a name="interface"></a>`interface`
       Data type: `String[1]`
       Interface name used by the bridge.
       Default value: `'virbr0'`
       ##### <a name="network_v4"></a>`network_v4`
       Data type: `Stdlib::IP::Address::V4::CIDR`
       The IPv4 network prefix used in the virtual network.
       Default value: `'192.168.122.0/24'`
       ##### <a name="network_v6"></a>`network_v6`
       Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`
       The IPv6 network prefix used in the virtual network.
       Default value: ``undef``
       ##### <a name="dns"></a>`dns`
       Data type: `Boolean`
       Allow DNS traffic from the guests to the host.
       Default value: ``true``
       ##### <a name="dhcpv4"></a>`dhcpv4`
       Data type: `Boolean`
       Allow DHCPv4 traffic from the guests to the host.
       Default value: ``true``
       ##### <a name="forward_traffic"></a>`forward_traffic`
       Data type: `Boolean`
       Allow forwarded traffic (out all, in related/established)
       generated by the virtual network.
       Default value: ``true``
       ##### <a name="internal_traffic"></a>`internal_traffic`
       Data type: `Boolean`
       Allow guests in the virtual network to talk to each other.
       Default value: ``true``
       ##### <a name="masquerade"></a>`masquerade`
       Data type: `Boolean`
       Do NAT masquerade on all IPv4 traffic generated by guests
       to external networks.
       Default value: ``true``
       ### <a name="nftablesrulessamba"></a>`nftables::rules::samba`
       manage Samba, the suite to allow Windows file sharing on Linux resources.
       #### Parameters
       The following parameters are available in the `nftables::rules::samba` class:
       * [`ctdb`](#ctdb)
       ##### <a name="ctdb"></a>`ctdb`
       Data type: `Boolean`
       Enable ctdb-driven clustered Samba setups.
       Default value: ``false``
       ### <a name="nftablesrulessmtp"></a>`nftables::rules::smtp`
       manage in smtp
       ### <a name="nftablesrulessmtp_submission"></a>`nftables::rules::smtp_submission`
       manage in smtp submission
       ### <a name="nftablesrulessmtps"></a>`nftables::rules::smtps`
       manage in smtps
       ### <a name="nftablesrulesssh"></a>`nftables::rules::ssh`
       manage in ssh
       #### Parameters
       The following parameters are available in the `nftables::rules::ssh` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ssh ports
       Default value: `[22]`
       ### <a name="nftablesrulestor"></a>`nftables::rules::tor`
       manage in tor
       #### Parameters
       The following parameters are available in the `nftables::rules::tor` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ports for tor
       Default value: `[9001]`
       ### <a name="nftablesruleswireguard"></a>`nftables::rules::wireguard`
       manage in wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::wireguard` class:
       * [`ports`](#ports)
       ##### <a name="ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       wiregueard port
       Default value: `[51820]`
       ### <a name="nftablesservicesdhcpv6_client"></a>`nftables::services::dhcpv6_client`
       Allow in and outbound traffic for DHCPv6 server
       ### <a name="nftablesservicesopenafs_client"></a>`nftables::services::openafs_client`
       Open inbound and outbound ports for an AFS client
       ## Defined types
       ### <a name="nftableschain"></a>`nftables::chain`
       manage a chain
       #### Parameters
       The following parameters are available in the `nftables::chain` defined type:
       * [`table`](#table)
       * [`chain`](#chain)
       * [`inject`](#inject)
       * [`inject_iif`](#inject_iif)
       * [`inject_oif`](#inject_oif)
       ##### <a name="table"></a>`table`
       Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
       Default value: `'inet-filter'`
       ##### <a name="chain"></a>`chain`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="inject"></a>`inject`
       Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
       Default value: ``undef``
       ##### <a name="inject_iif"></a>`inject_iif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### <a name="inject_oif"></a>`inject_oif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ### <a name="nftablesconfig"></a>`nftables::config`
       manage a config snippet
       #### Parameters
       The following parameters are available in the `nftables::config` defined type:
       * [`tablespec`](#tablespec)
       * [`content`](#content)
       * [`source`](#source)
       * [`prefix`](#prefix)
       ##### <a name="tablespec"></a>`tablespec`
       Data type: `Pattern[/^\w+-\w+$/]`
       Default value: `$title`
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ##### <a name="prefix"></a>`prefix`
       Data type: `String`
       Default value: `'custom-'`
       ### <a name="nftablesrule"></a>`nftables::rule`
       Provides an interface to create a firewall rule
       #### Examples
       ##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
       ```puppet
       nftables::rule {
         'default_in-myhttp':
           content => 'tcp dport 80 accept',
+      }
       ```
       ##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
       ```puppet
       nftables::rule {
         'PREROUTING6-count':
           content => 'counter',
           table   => 'ip6-nat'
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rule` defined type:
       * [`ensure`](#ensure)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`table`](#table)
       * [`content`](#content)
       * [`source`](#source)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Nftables::RuleName`
       The symbolic name for the rule and to what chain to add it. The
       format is defined by the Nftables::RuleName type.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="table"></a>`table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       The raw statements that compose the rule represented using the nftables
       language.
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Same goal as content but sourcing the value from a file.
       Default value: ``undef``
       ### <a name="nftablesrulesdnat4"></a>`nftables::rules::dnat4`
       manage a ipv4 dnat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::dnat4` defined type:
       * [`daddr`](#daddr)
       * [`port`](#port)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`iif`](#iif)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="daddr"></a>`daddr`
       Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
       ##### <a name="port"></a>`port`
       Data type: `Variant[String,Stdlib::Port]`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'50'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'default_fwd'`
       ##### <a name="iif"></a>`iif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Enum['tcp','udp']`
       Default value: `'tcp'`
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesrulesmasquerade"></a>`nftables::rules::masquerade`
       masquerade all outgoing traffic
       #### Parameters
       The following parameters are available in the `nftables::rules::masquerade` defined type:
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`oif`](#oif)
       * [`saddr`](#saddr)
       * [`daddr`](#daddr)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="daddr"></a>`daddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesrulessnat4"></a>`nftables::rules::snat4`
       manage a ipv4 snat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::snat4` defined type:
       * [`snat`](#snat)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`oif`](#oif)
       * [`saddr`](#saddr)
       * [`proto`](#proto)
       * [`dport`](#dport)
       * [`ensure`](#ensure)
       ##### <a name="snat"></a>`snat`
       Data type: `String[1]`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftablesset"></a>`nftables::set`
       manage a named set
       #### Examples
       ##### simple set
       ```puppet
       nftables::set{'my_set':
         type       => 'ipv4_addr',
         flags      => ['interval'],
         elements   => ['192.168.0.1/24', '10.0.0.2'],
         auto_merge => true,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::set` defined type:
       * [`ensure`](#ensure)
       * [`setname`](#setname)
       * [`order`](#order)
       * [`type`](#type)
       * [`table`](#table)
       * [`flags`](#flags)
       * [`timeout`](#timeout)
       * [`gc_interval`](#gc_interval)
       * [`elements`](#elements)
       * [`size`](#size)
       * [`policy`](#policy)
       * [`auto_merge`](#auto_merge)
       * [`content`](#content)
       * [`source`](#source)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       should the set be created.
       Default value: `'present'`
       ##### <a name="setname"></a>`setname`
       Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
       name of set, equal to to title.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       concat ordering.
       Default value: `'10'`
       ##### <a name="type"></a>`type`
       Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
       type of set.
       Default value: ``undef``
       ##### <a name="table"></a>`table`
       Data type: `Variant[String, Array[String, 1]]`
       table or array of tables to add the set to.
       Default value: `'inet-filter'`
       ##### <a name="flags"></a>`flags`
       Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
       specify flags for set
       Default value: `[]`
       ##### <a name="timeout"></a>`timeout`
       Data type: `Optional[Integer]`
       timeout in seconds
       Default value: ``undef``
       ##### <a name="gc_interval"></a>`gc_interval`
       Data type: `Optional[Integer]`
       garbage collection interval.
       Default value: ``undef``
       ##### <a name="elements"></a>`elements`
       Data type: `Optional[Array[String]]`
       initialize the set with some elements in it.
       Default value: ``undef``
       ##### <a name="size"></a>`size`
       Data type: `Optional[Integer]`
       limits the maximum number of elements of the set.
       Default value: ``undef``
       ##### <a name="policy"></a>`policy`
       Data type: `Optional[Enum['performance', 'memory']]`
       determines set selection policy.
       Default value: ``undef``
       ##### <a name="auto_merge"></a>`auto_merge`
       Data type: `Boolean`
+      ?
       Default value: ``false``
       ##### <a name="content"></a>`content`
       Data type: `Optional[String]`
       specify content of set.
       Default value: ``undef``
       ##### <a name="source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify source of set.
       Default value: ``undef``
       ### <a name="nftablessimplerule"></a>`nftables::simplerule`
       Provides a simplified interface to nftables::rule
       #### Examples
       ##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
       ```puppet
       nftables::simplerule{'my_service_in':
         action  => 'accept',
         comment => 'allow traffic to port 543',
         counter => true,
         proto   => 'tcp',
         dport   => 543,
         daddr   => '2001:1458::/32',
         sport   => 541,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::simplerule` defined type:
       * [`ensure`](#ensure)
       * [`rulename`](#rulename)
       * [`order`](#order)
       * [`chain`](#chain)
       * [`table`](#table)
       * [`action`](#action)
       * [`comment`](#comment)
       * [`dport`](#dport)
       * [`proto`](#proto)
       * [`daddr`](#daddr)
       * [`set_type`](#set_type)
       * [`sport`](#sport)
       * [`saddr`](#saddr)
       * [`counter`](#counter)
       ##### <a name="ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="rulename"></a>`rulename`
       Data type: `Nftables::SimpleRuleName`
       The symbolic name for the rule to add. Defaults to the resource's title.
       Default value: `$title`
       ##### <a name="order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="chain"></a>`chain`
       Data type: `String`
       The name of the chain to add this rule to.
       Default value: `'default_in'`
       ##### <a name="table"></a>`table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="action"></a>`action`
       Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
       The verdict for the matched traffic.
       Default value: `'accept'`
       ##### <a name="comment"></a>`comment`
       Data type: `Optional[String]`
       A typically human-readable comment for the rule.
       Default value: ``undef``
       ##### <a name="dport"></a>`dport`
       Data type: `Optional[Nftables::Port]`
       The destination port, ports or port range.
       Default value: ``undef``
       ##### <a name="proto"></a>`proto`
       Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
       The transport-layer protocol to match.
       Default value: ``undef``
       ##### <a name="daddr"></a>`daddr`
       Data type: `Optional[Nftables::Addr]`
       The destination address, CIDR or set to match.
       Default value: ``undef``
       ##### <a name="set_type"></a>`set_type`
       Data type: `Enum['ip', 'ip6']`
       When using sets as saddr or daddr, the type of the set.
       Use `ip` for sets of type `ipv4_addr`.
       Default value: `'ip6'`
       ##### <a name="sport"></a>`sport`
       Data type: `Optional[Nftables::Port]`
       The source port, ports or port range.
       Default value: ``undef``
       ##### <a name="saddr"></a>`saddr`
       Data type: `Optional[Nftables::Addr]`
       The source address, CIDR or set to match.
       Default value: ``undef``
       ##### <a name="counter"></a>`counter`
       Data type: `Boolean`
       Enable traffic counters for the matched traffic.
       Default value: ``false``
       ## Data types
       ### <a name="nftablesaddr"></a>`Nftables::Addr`
       Represents an address expression to be used within a rule.
       Alias of
       ```puppet
       Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]
       ```
       ### <a name="nftablesaddrset"></a>`Nftables::Addr::Set`
       Represents a set expression to be used within a rule.
       Alias of
       ```puppet
       Pattern[/^@[-a-zA-Z0-9_]+$/]
       ```
       ### <a name="nftablesport"></a>`Nftables::Port`
       Represents a port expression to be used within a rule.
       Alias of
       ```puppet
       Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]
       ```
       ### <a name="nftablesportrange"></a>`Nftables::Port::Range`
       Represents a port range expression to be used within a rule.
       Alias of
       ```puppet
       Pattern[/^\d+-\d+$/]
       ```
       ### <a name="nftablesrulename"></a>`Nftables::RuleName`
       Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       Alias of
       ```puppet
       Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
       ```
       ### <a name="nftablessimplerulename"></a>`Nftables::SimpleRuleName`
       Represents a simple rule name to be used in a rule created via nftables::simplerule
       Alias of
       ```puppet
       Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]
       ```

Projet

Général

Profil

puppet nftables

root / REFERENCE.md @ 8842a597