REFERENCE.md @ 94285e5f

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing Active Directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients (7000 afs3-fileserver, 7002 afs3-ptserver, 7003 vlserver)
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow inbound and outbound DHCPv6 client traffic
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true`, the other `out_*`
parameters (`out_ntp`, `out_dns`, ...) are ignored and treated as
`false`, since everything outbound is already permitted.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing `nftables::set` definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:

* chain: Will be replaced by the name of the chain.
* comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to `false` to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop); otherwise the packet will be rejected, with the value of this
parameter used as the `reject with` reason (an icmp/icmpv6/icmpx type,
or `tcp reset`).

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled: `'mask'`
masks the unit so it cannot be started alongside nftables. It might be
useful to set this to `false` if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only tables other than the listed ones will be flushed
(each entry is `<family>-<name>`, e.g. `inet-f2b-table`).
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Hash of `nftables::rule` definitions keyed by rule name (see
`Nftables::RuleName`), typically supplied via Hiera.

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.
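
Taken together, the parameters above describe a default-deny host firewall whose allow-list is built from the `in_*`/`out_*` flags plus whatever arrives through `rules` and `sets`. The manifest below is an added example written for this page, not code from the module's own reference: it drops the blanket `in_ssh` rule in favour of one that only admits ssh from a named set of management hosts, rate-limits the logging of discarded packets, rejects with an explicit ICMP reason, and protects a fail2ban table from the flush. The keys used inside `sets` (`type`, `elements`, `table`) and `rules` (`content`, `table`) are parameters of the `nftables::set` and `nftables::rule` defined types, which this reference documents further down; their use here is an assumption of this example rather than something the section above states.

```puppet
# Added example (not from the module reference): a host firewall composed from
# the nftables class parameters documented above. The hashes passed to `sets`
# and `rules` assume the `type`/`elements`/`table` parameters of nftables::set
# and the `content`/`table` parameters of nftables::rule.
class { 'nftables':
  # Inbound: drop the generic ssh rule; ssh is re-added below, restricted to
  # the management set. ICMP stays on (nftables::rules::icmp limits the types).
  in_ssh           => false,
  in_icmp          => true,
  # Outbound: explicit allow-list. `out_all => true` would bypass all of it.
  out_all          => false,
  out_ntp          => true,
  out_dns          => true,
  out_http         => false,
  out_https        => true,
  out_icmp         => true,
  # Accept established/related flows and drop invalid packets on INPUT/OUTPUT.
  in_out_conntrack => true,
  # Log what gets discarded, but at most 2 per minute (burst 10), so a port
  # scan cannot flood the journal. The string is the body of a `limit` statement.
  log_discarded    => true,
  log_prefix       => '[nftables drop] %<chain>s %<comment>s',
  log_limit        => '2/minute burst 10 packets',
  # Reject with an explicit reason (must match the Pattern on reject_with).
  reject_with      => 'icmpx type admin-prohibited',
  # Keep firewalld masked so two firewall managers never fight over the ruleset.
  firewalld_enable => 'mask',
  # fail2ban owns this table: flush everything else but leave it alone.
  noflush_tables   => ['inet-f2b-table'],
  # Named set of management addresses (keys assumed from nftables::set).
  sets             => {
    'mgmt_hosts' => {
      'type'     => 'ipv4_addr',
      'elements' => ['10.0.0.5', '192.168.1.10'],   # constructed sample addresses
      'table'    => 'inet-filter',
    },
  },
  # Raw rule keyed by Nftables::RuleName (<chain>-<name>): accept ssh only
  # from the set above (keys assumed from nftables::rule).
  rules            => {
    'default_in-ssh_from_mgmt' => {
      'content' => 'ip saddr @mgmt_hosts tcp dport 22 accept',
      'table'   => 'inet-filter',
    },
  },
}
```

The same `sets` and `rules` hashes can be placed under the `nftables::sets` and `nftables::rules` keys in Hiera, which is how the two parameters are meant to be fed; the rule name must follow `Nftables::RuleName`, and the set and the rule that references it have to live in the same table.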

### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the bridge forwarding rules are present or absent.

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Regular expression matched against interface names to select the bridges whose traffic is forwarded.

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for the Ceph Monitor service.

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed because the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.
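
The conflict described above is a coordination problem between two rule managers, so the fix has two halves: stop dockerd from writing its own iptables rules, and let this module supply the equivalent chains. The manifest below is an added example, not part of this reference. The `docker` class and its `iptables` and `bip` parameters belong to the puppetlabs-docker module (the page names `docker::iptables` but not `bip`, so treat `bip` as an assumption), and the network prefix is a constructed value chosen to show that `docker_prefix` has to agree with the daemon's bridge address.

```puppet
# Added example (not from the module reference). The `docker` class is the
# puppetlabs-docker module's: `iptables => false` is the setting this reference
# asks for; `bip` (assumed puppetlabs-docker parameter) pins the docker0 address
# so that the daemon and the firewall agree on the container prefix.
class { 'docker':
  iptables => false,            # dockerd must not program ip-filter itself
  bip      => '172.20.0.1/16',  # constructed value; the daemon default is 172.17.0.1/16
}

# The base class provides the inet-filter tables and forward chains that the
# docker-ce rules below hook into (inet_filter defaults to true).
include nftables

class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker0',
  docker_prefix        => '172.20.0.0/16',  # must match the `bip` network above
  manage_docker_chains => true,             # create the docker-specific chains
  manage_base_chains   => true,             # and the common base chains
}
```

In Hiera the first half is simply `docker::iptables: false`, as the text above says; the point of pairing it with `docker_prefix` is that a prefix mismatch leaves container traffic outside every rule this class writes, which shows up as containers with no outbound connectivity rather than as an error.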

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

Manage inbound ICMPv4/ICMPv6 rules, limited to the listed types.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMPv4 types to accept inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMPv6 types to accept inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Order of the generated rules within the input chain.

Default value: `'10'`
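
`nftables::rules::icmp` is what makes `in_icmp => true` on the base class safe to leave on: instead of accepting all ICMP, only the listed types get an accept rule. The declaration below is an added example, not from the module reference. It assumes (from how the module builds its rules, which this page does not show) that each entry is the text placed after `icmp type` or `icmpv6 type` in the generated accept rule, so a rate limit can be appended to an entry. The IPv6 list deliberately keeps the neighbour-discovery and path-MTU types: filtering those breaks IPv6 connectivity rather than hardening it.

```puppet
# Added example (not from the module reference). Assumption: each string is
# appended to `icmp type` (v4) or `icmpv6 type` (v6) in an accept rule placed
# in the input chain at `order`, so an entry can carry its own rate limit.
class { 'nftables::rules::icmp':
  v4_types => [
    'echo-request limit rate 4/second',  # answer pings, but cap the rate
    'destination-unreachable',           # needed for PMTU discovery and errors
    'time-exceeded',                     # traceroute and TTL expiry
    'parameter-problem',
    # deliberately absent: redirect, timestamp-request, address-mask-request
  ],
  v6_types => [
    'echo-request limit rate 4/second',
    'destination-unreachable',
    'packet-too-big',                    # PMTU discovery; never filter this on IPv6
    'time-exceeded',
    'parameter-problem',
    'nd-router-solicit',                 # neighbour discovery: required when the
    'nd-router-advert',                  # host learns addresses/routes via RA
    'nd-neighbor-solicit',               # required for any IPv6 on-link traffic
    'nd-neighbor-advert',
    'mld-listener-query',                # multicast listener discovery
    # deliberately absent: nd-redirect, mld-listener-report
  ],
  order    => '10',                      # keep these ahead of later default_in rules
}
```

On a host with statically configured IPv6 and no dependence on router advertisements, `nd-router-advert` can be dropped from the list as well; the two neighbour-solicit/advert entries and `packet-too-big` must stay regardless.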
677
678 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

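An added usage example (not part of the generated reference) declaring this class for an isolated lab network: guests still get DNS and DHCP from the host, but the defaults that let them reach each other and external networks are switched off. The bridge name and address prefixes are assumed values.

```puppet
# Added example: lock down a libvirt guest network with nftables::rules::qemu.
# Bridge name and prefixes are assumed values; every parameter used here is one
# documented for the class above, and all the defaults are the permissive setting.
class { 'nftables::rules::qemu':
  interface        => 'virbr1',            # assumed bridge of the lab network
  network_v4       => '10.10.0.0/24',      # assumed IPv4 prefix on that bridge
  network_v6       => 'fd00:10:10::/64',   # assumed IPv6 prefix (parameter is optional)
  dns              => true,                # guests may resolve names via the host
  dhcpv4           => true,                # guests may obtain leases from the host
  internal_traffic => false,               # default true: guests may not talk to each other
  forward_traffic  => false,               # default true: nothing is forwarded off the bridge
  masquerade       => false,               # default true: no IPv4 NAT towards external networks
}
```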
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` it will be
auto-included in the main nft configuration

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

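##### Attaching the helper to the FTP control port

Added example, not part of the module's generated documentation: a helper object on its own does nothing until a rule assigns it to a flow. The rule below attaches the helper only to the control connection on tcp/21 and is ordered before the accept rule so it is evaluated first; the data connections the helper announces are then picked up by conntrack as `related`. It assumes the `default_in` chain used by the other examples on this page, that the module's conntrack rules accept `related` traffic, and that the kernel's `nf_conntrack_ftp` module is available.

```puppet
# Added example (not the module's own code). The helper definition is the
# one shown above; the two rules are what actually put it to use.
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}

# Assign the helper to the FTP control connection only. Order '40' sorts
# this rule before the accept below (default order '50'); an accepted packet
# would otherwise never reach the helper assignment.
nftables::rule { 'default_in-ftp_helper':
  order   => '40',
  content => 'tcp dport 21 ct helper set "ftp-standard"',
}

# Allow the control connection itself. The data connections are matched
# as "related" by the conntrack rules assumed above.
nftables::rule { 'default_in-ftp':
  content => 'tcp dport 21 accept',
}
```

Keep the helper assignment scoped to the control port. nftables never attaches a helper automatically; a rule that assigned it to every flow would let any peer drive the helper's protocol parser and open related-connection pinholes, which is exactly the surface conntrack helpers are known for exposing.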
#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition, in nftables syntax (for example `type "ftp" protocol tcp;`).

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to, as `<family>-<name>`.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper. Note that `A-z` in the pattern is a plain
ASCII range (65 to 122), so after the first character it also admits `[`, `\`,
`]`, `^` and the backtick; treat the pattern as a loose sanity check rather than
strict validation of the name.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### Add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### Add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to, in the format
defined by the `Nftables::RuleName` type (`<chain>-<name>`, optionally
followed by `-<number>`).

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number representing the order of the rule within its chain.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to, as `<family>-<name>`.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same purpose as `content`, but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

The IPv4 address to translate the destination to. Note that the pattern only
checks the dotted-quad shape: it accepts octets above 255 (for example
`299.1.1.1`), so it is not a full IPv4 address validation.

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

The port to translate the destination to.

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule.

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

The chain to add the rule to.

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Only match traffic arriving on this input interface.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

The transport protocol to match.

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

The destination port to match.

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule.

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number representing the order of the rule.

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

The chain to add the rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Only match traffic leaving through this output interface.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Only match traffic from this source address or network.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Only match traffic to this destination address or network.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Only match this transport protocol.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Only match this destination port.

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

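#### Examples

##### Masquerade, SNAT and DNAT on a small IPv4 gateway

Added example, not part of the module's generated documentation, showing `nftables::rules::masquerade`, `nftables::rules::snat4` and `nftables::rules::dnat4` together. The interfaces and addresses are constructed for illustration (`eth0` uplink, `eth1` LAN, public address from the RFC 5737 documentation range). It assumes the `ip nat` table and its `PREROUTING`/`POSTROUTING` chains are set up by `nftables::ip_nat`, that forwarding between the two segments is otherwise permitted by the `default_fwd` chain, and, since this page does not describe the `snat` parameter, that it is the address to translate the source to.

```puppet
# Added example (not the module's own code). Topology, constructed:
#   eth0: uplink, public address 203.0.113.10
#   eth1: LAN 10.0.0.0/24 and a second segment 10.0.1.0/24

# Source NAT for the LAN. masquerade uses whatever address eth0 currently
# has, which is the right choice when the uplink address is dynamic.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
}

# The second segment has a fixed public address: translate to it
# explicitly (assumed meaning of 'snat', see lead-in) so the mapping does
# not depend on the interface address.
nftables::rules::snat4 { 'dmz_out':
  snat  => '203.0.113.10',
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
}

# Publish a web server: tcp/8080 arriving on the uplink is translated to
# 10.0.0.10:80. Matching on iif keeps the rule from rewriting traffic that
# originates on the LAN side of the gateway.
nftables::rules::dnat4 { 'web_in':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8080,
  daddr => '10.0.0.10',
  port  => 80,
}
```

Both POSTROUTING rules keep the type's default order `'70'`; they do not overlap because each is restricted to its own `saddr`. Without the `saddr` match on `lan_out` the masquerade would rewrite every flow leaving `eth0`, including the gateway's own traffic, which is rarely intended.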
#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

The source address to translate to.

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

The symbolic name for the rule.

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number representing the order of the rule.

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

The chain to add the rule to.

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Only match traffic leaving through this output interface.

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Only match traffic from this source address or network.

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Only match this transport protocol.

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Only match this destination port.

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set; defaults to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set's elements.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout, in seconds, after which elements expire.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with these elements.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements in the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy (`performance` or `memory`).

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Enable nftables' `auto-merge` option, which merges adjacent or overlapping
elements when they are added. Only meaningful together with the `interval`
flag.

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify a source for the content of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### Allow incoming TCP traffic from source port 541 to port 543 for a given IPv6 range, and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

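##### Restrict SSH to a named set of networks

Added example, not part of the module's generated documentation, that ties `nftables::set`, `nftables::simplerule` and `nftables::rule` together. An `ipv4_addr` interval set holds the management networks (RFC 5737 addresses, constructed for illustration); a simplerule accepts SSH from it and a raw rule logs and drops everything else aimed at SSH. It assumes the `default_in` chain used by the other examples on this page, that rules within a chain are sorted by their `order` value, and that `set_type => 'ip'` makes the simplerule emit an `ip saddr @admin_nets` match, as the `set_type` description states.

```puppet
# Added example (not the module's own code).
# Management networks as an interval set. auto_merge collapses adjacent or
# overlapping entries so the set stays canonical when it is edited later.
nftables::set { 'admin_nets':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/24', '198.51.100.0/24'],   # constructed (RFC 5737)
  auto_merge => true,
}

# Accept SSH from the set only. set_type must match the set's element type:
# leaving it at the default 'ip6' would produce an "ip6 saddr @admin_nets"
# match against an ipv4_addr set, which nft rejects at load time with a
# datatype mismatch, so the whole ruleset would fail to apply.
nftables::simplerule { 'ssh_from_admin':
  action   => 'accept',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@admin_nets',
  set_type => 'ip',
  counter  => true,
  comment  => 'ssh from management networks only',
}

# Same set from a raw rule: log and drop SSH from anywhere else. order '60'
# sorts it after the simplerule above (default order '50'), so the accept
# is evaluated first and only the remainder is logged.
nftables::rule { 'default_in-ssh_drop_others':
  order   => '60',
  content => 'tcp dport 22 ip saddr != @admin_nets log prefix "ssh-denied: " counter drop',
}
```

The set name is referenced with a leading `@` in both rule types; `Nftables::Addr::Set` enforces that form for `saddr` and `daddr`. Keeping the set and the rules in the same table (`inet-filter` by default for all three types) matters, because a set is only visible to rules in the table that defines it.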
#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A two-digit number representing the order of the rule within its chain.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to, as `<family>-<name>`.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match. The `4` and `6` variants restrict the
match to IPv4 or IPv6 respectively.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set (`@name`) to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as `saddr` or `daddr`, the address family of the set.
Use `ip` for sets of type `ipv4_addr`; the default `ip6` is only correct for
sets of type `ipv6_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set (`@name`) to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule: the set name prefixed with `@`.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component is the chain to add the
rule to, the second the rule name and the (optional) third a number.
Examples: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule:
the rule name, optionally followed by a dash and a number. The chain is given
separately through the `chain` parameter.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`