root / REFERENCE.md @ ad3dbd7d
# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests into a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage a ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage a ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

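As an added example (not part of the generated reference and not the module's own code), a manifest that combines the `nftables` class parameters above into a host baseline: egress stays allow-listed per service rather than opened with `out_all`, discarded packets are logged at a bounded rate with a prefix that names the chain, firewalld is masked so two rule managers do not fight over the ruleset, and the fail2ban table is excluded from the flush. The class name `profile::firewall::baseline`, the management networks, and the inner hash keys `type`, `flags`, `elements` and `content` (parameters of `nftables::set` and `nftables::rule`, which are not documented in the section above) are assumptions.

```puppet
# Added example; not from the module's reference. The nftables::set and
# nftables::rule hash keys (type, flags, elements, content) are assumed
# from those defined types, which are not documented above.
class profile::firewall::baseline (
  # Constructed sample values: replace with your real management ranges.
  Array[Stdlib::IP::Address::V4, 1] $mgmt_nets = ['192.0.2.0/24', '198.51.100.10'],
) {
  class { 'nftables':
    # Explicit egress allow-list: out_all stays false, so only the
    # per-service out_* toggles (and rules below) open outbound ports.
    out_all          => false,
    out_ntp          => true,
    out_dns          => true,
    out_https        => true,
    out_http         => false,
    out_icmp         => true,

    # Do not use the module's "ssh from anywhere" rule; SSH is admitted
    # only from the management set via the rule in `rules` below.
    in_ssh           => false,
    in_icmp          => true,

    # Discarded packets are logged with the chain name and a bounded rate,
    # so a flood cannot drown the journal but the SIEM still sees the source.
    log_prefix       => '[nftables] %<chain>s %<comment>s',
    log_limit        => '3/minute burst 5 packets',
    reject_with      => 'icmpx type port-unreachable',

    # Stateful handling on input/output; forwarding stays off on a host
    # that is not a router.
    in_out_conntrack => true,
    fwd_conntrack    => false,

    # Mask firewalld so it cannot load a competing ruleset at boot.
    firewalld_enable => 'mask',

    # Leave fail2ban's own table in place when the ruleset is flushed.
    noflush_tables   => ['inet-f2b-table'],

    # Named set consumed by the rule below (keys are assumed, see lead-in).
    sets             => {
      'mgmt_nets' => {
        'type'     => 'ipv4_addr',
        'flags'    => ['interval'],
        'elements' => $mgmt_nets,
      },
    },

    # Rule title follows Nftables::RuleName: '<chain>-<name>[-<number>]'.
    rules            => {
      'default_in-ssh_mgmt' => {
        'content' => 'ip saddr @mgmt_nets tcp dport 22 accept',
      },
    },
  }
}
```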
367 c24d3118 Tim Meusel
### <a name="nftables--bridges"></a>`nftables::bridges`
368 7f6cacc5 Steve Traylen
369
allow forwarding traffic on bridges
370
371
#### Parameters
372
373 09cba182 Steve Traylen
The following parameters are available in the `nftables::bridges` class:
374 7f6cacc5 Steve Traylen
375 c24d3118 Tim Meusel
* [`ensure`](#-nftables--bridges--ensure)
376
* [`bridgenames`](#-nftables--bridges--bridgenames)
377 09cba182 Steve Traylen
378 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--ensure"></a>`ensure`
379 7f6cacc5 Steve Traylen
380
Data type: `Enum['present','absent']`
381
382
383
384
Default value: `'present'`
385
386 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
387 7f6cacc5 Steve Traylen
388
Data type: `Regexp`
389
390
391
392
Default value: `/^br.+/`
393
394 c24d3118 Tim Meusel
### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
395 e17693e3 Steve Traylen
396
manage basic chains in table inet filter
397
398 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
399 a1f09048 Tim Meusel
400
enable conntrack for fwd
401
402 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
403 a1f09048 Tim Meusel
404
manage input & output conntrack
405
406 c24d3118 Tim Meusel
### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
407 e17693e3 Steve Traylen
408
manage basic chains in table ip nat
409
410 c24d3118 Tim Meusel
### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
411 771b3256 Nacho Barrientos
412
Provides input rules for Apache ActiveMQ
413
414
#### Parameters
415
416
The following parameters are available in the `nftables::rules::activemq` class:
417
418 c24d3118 Tim Meusel
* [`tcp`](#-nftables--rules--activemq--tcp)
419
* [`udp`](#-nftables--rules--activemq--udp)
420
* [`port`](#-nftables--rules--activemq--port)
421 771b3256 Nacho Barrientos
422 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
423 771b3256 Nacho Barrientos
424
Data type: `Boolean`
425
426
Create the rule for TCP traffic.
427
428 c24d3118 Tim Meusel
Default value: `true`
429 771b3256 Nacho Barrientos
430 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--udp"></a>`udp`
431 771b3256 Nacho Barrientos
432
Data type: `Boolean`
433
434
Create the rule for UDP traffic.
435
436 c24d3118 Tim Meusel
Default value: `true`
437 771b3256 Nacho Barrientos
438 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--port"></a>`port`
439 771b3256 Nacho Barrientos
440
Data type: `Stdlib::Port`
441
442
The port number for the ActiveMQ daemon.
443
444
Default value: `61616`
445
446 c24d3118 Tim Meusel
### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
447 09cba182 Steve Traylen
448
Open call back port for AFS clients
449 7f6cacc5 Steve Traylen
450 09cba182 Steve Traylen
#### Examples
451
452
##### allow call backs from particular hosts
453
454
```puppet
455 7f6cacc5 Steve Traylen
class{'nftables::rules::afs3_callback':
456
  saddr => ['192.168.0.0/16', '10.0.0.222']
457
}
458 09cba182 Steve Traylen
```
459 7f6cacc5 Steve Traylen
460
#### Parameters
461
462 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::afs3_callback` class:
463
464 c24d3118 Tim Meusel
* [`saddr`](#-nftables--rules--afs3_callback--saddr)
465 7f6cacc5 Steve Traylen
466 c24d3118 Tim Meusel
##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
467 7f6cacc5 Steve Traylen
468
Data type: `Array[Stdlib::IP::Address::V4,1]`
469
470
list of source network ranges to a
471
472
Default value: `['0.0.0.0/0']`
473
474 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
475 b9785000 Steve Traylen
476
Ceph is a distributed object store and file system.
477
Enable this to support Ceph's Object Storage Daemons (OSD),
478
Metadata Server Daemons (MDS), or Manager Daemons (MGR).
479
480 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
481 b9785000 Steve Traylen
482
Ceph is a distributed object store and file system.
483
Enable this option to support Ceph's Monitor Daemon.
484
485
#### Parameters
486
487 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ceph_mon` class:
488 b9785000 Steve Traylen
489 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ceph_mon--ports)
490 b9785000 Steve Traylen
491 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
492 b9785000 Steve Traylen
493 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
494 b9785000 Steve Traylen
495 09cba182 Steve Traylen
specify ports for ceph service
496 b9785000 Steve Traylen
497
Default value: `[3300, 6789]`
498
499 c24d3118 Tim Meusel
### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
500 7f6cacc5 Steve Traylen
501 09cba182 Steve Traylen
allow DHCPv6 requests in to a host
502 7f6cacc5 Steve Traylen
503 c24d3118 Tim Meusel
### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
504 7f6cacc5 Steve Traylen
505
manage in dns
506
507
#### Parameters
508
509 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dns` class:
510 7f6cacc5 Steve Traylen
511 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--dns--ports)
512 7f6cacc5 Steve Traylen
513 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dns--ports"></a>`ports`
514 7f6cacc5 Steve Traylen
515 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
516 7f6cacc5 Steve Traylen
517 09cba182 Steve Traylen
Specify ports for dns.
518 7f6cacc5 Steve Traylen
519
Default value: `[53]`
520
521 c24d3118 Tim Meusel
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
522 804b96e4 Nacho Barrientos
523
The configuration distributed in this class represents the default firewall
524
configuration done by docker-ce when the iptables integration is enabled.
525
526
This class is needed as the default docker-ce rules added to ip-filter conflict
527
with the inet-filter forward rules set by default in this module.
528
529
When using this class 'docker::iptables: false' should be set.
530
531
#### Parameters
532
533
The following parameters are available in the `nftables::rules::docker_ce` class:
534
535 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
536
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
537
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
538
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
539 804b96e4 Nacho Barrientos
540 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
541 804b96e4 Nacho Barrientos
542
Data type: `String[1]`
543
544
Interface name used by docker.
545
546
Default value: `'docker0'`
547
548 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
549 804b96e4 Nacho Barrientos
550
Data type: `Stdlib::IP::Address::V4::CIDR`
551
552
The address space used by docker.
553
554
Default value: `'172.17.0.0/16'`
555
556 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
557 804b96e4 Nacho Barrientos
558
Data type: `Boolean`
559
560
Flag to control whether the class should create the docker related chains.
561
562 c24d3118 Tim Meusel
Default value: `true`
563 804b96e4 Nacho Barrientos
564 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
565 804b96e4 Nacho Barrientos
566
Data type: `Boolean`
567
568
Flag to control whether the class should create the base common chains.
569
570 c24d3118 Tim Meusel
Default value: `true`
571 804b96e4 Nacho Barrientos
572 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
573 e17693e3 Steve Traylen
574
manage in http
575
576 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
577 e17693e3 Steve Traylen
578
manage in https
579
580 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
581 e17693e3 Steve Traylen
582
manage in icinga2
583
584
#### Parameters
585
586 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
587 e17693e3 Steve Traylen
588 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
589 e17693e3 Steve Traylen
590 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
591 e17693e3 Steve Traylen
592 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
593 e17693e3 Steve Traylen
594 8db66304 Steve Traylen
Specify ports for icinga2
595 e17693e3 Steve Traylen
596
Default value: `[5665]`
597
598 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
599 7f6cacc5 Steve Traylen
600
The nftables::rules::icmp class.
601
602
#### Parameters
603
604 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
605
606 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
607
* [`v6_types`](#-nftables--rules--icmp--v6_types)
608
* [`order`](#-nftables--rules--icmp--order)
609 7f6cacc5 Steve Traylen
610 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
611 7f6cacc5 Steve Traylen
612
Data type: `Optional[Array[String]]`
613
614
615
616 c24d3118 Tim Meusel
Default value: `undef`
617 7f6cacc5 Steve Traylen
618 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
619 7f6cacc5 Steve Traylen
620
Data type: `Optional[Array[String]]`
621
622
623
624 c24d3118 Tim Meusel
Default value: `undef`
625 7f6cacc5 Steve Traylen
626 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
627 7f6cacc5 Steve Traylen
628
Data type: `String`
629
630
631
632
Default value: `'10'`
633
634 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
635
636
allow incoming IGMP messages
637
638 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
639
640
manage in ldap
641
642
#### Parameters
643
644
The following parameters are available in the `nftables::rules::ldap` class:
645
646
* [`ports`](#-nftables--rules--ldap--ports)
647
648
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
649
650
Data type: `Array[Integer,1]`
651
652
ldap server ports
653
654
Default value: `[389, 636]`
655
656 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
657
658
allow incoming multicast DNS
659
660 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
661
662
The following parameters are available in the `nftables::rules::mdns` class:
663
664
* [`ipv4`](#-nftables--rules--mdns--ipv4)
665
* [`ipv6`](#-nftables--rules--mdns--ipv6)
666
667
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
668
669
Data type: `Boolean`
670
671
Allow mdns over IPv4
672
673
Default value: `true`
674
675
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
676
677
Data type: `Boolean`
678
679
Allow mdns over IPv6
680
681
Default value: `true`
682
683 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
684
685
allow incoming multicast traffic
686
687 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
688 b9785000 Steve Traylen
689
manage in nfs4
690
691 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`
692 b9785000 Steve Traylen
693
manage in nfs3
694
695 c24d3118 Tim Meusel
### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
696 7f6cacc5 Steve Traylen
697
manage in node exporter
698
699
#### Parameters
700
701 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::node_exporter` class:
702 7f6cacc5 Steve Traylen
703 c24d3118 Tim Meusel
* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
704
* [`port`](#-nftables--rules--node_exporter--port)
705 7f6cacc5 Steve Traylen
706 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
707 7f6cacc5 Steve Traylen
708 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
709 7f6cacc5 Steve Traylen
710 09cba182 Steve Traylen
Specify server name
711 7f6cacc5 Steve Traylen
712 c24d3118 Tim Meusel
Default value: `undef`
713 7f6cacc5 Steve Traylen
714 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--port"></a>`port`
715 7f6cacc5 Steve Traylen
716 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
717 7f6cacc5 Steve Traylen
718 09cba182 Steve Traylen
Specify port to open
719 7f6cacc5 Steve Traylen
720
Default value: `9100`
721
722 c24d3118 Tim Meusel
### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

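As an added example (not part of the generated reference or the module's own code), the class declared against two domain controllers with the egress list narrowed from the four defaults to the TLS-wrapped ports only; the controller addresses are constructed sample values from the RFC 5737 documentation range:

```puppet
# Added example, not from the module's generated reference.
# Domain controller addresses are constructed sample values.
class { 'nftables::rules::out::active_directory':
  adserver       => ['192.0.2.10', '192.0.2.11'],
  # Keep only LDAPS (636) and the global catalog over TLS (3269);
  # the cleartext defaults 389 and 3268 are left closed.
  adserver_ports => [636, 3269],
}
```

Clients that still bind on 389 with STARTTLS need that port back in the list; the full default `[389, 636, 3268, 3269]` applies when `adserver_ports` is omitted.
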
### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * also
    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

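As an added example (not from the generated reference or the module itself), the class declared for an isolated lab bridge: guests keep DNS, DHCP and guest-to-guest traffic via the host, but every default that would let them reach the outside (`forward_traffic`, `masquerade`) is switched off. The bridge name and prefix are constructed sample values.

```puppet
# Added example, not part of the module's generated reference.
# 'virbr1' and 10.10.10.0/24 are constructed sample values for a
# second, isolated libvirt network.
class { 'nftables::rules::qemu':
  interface        => 'virbr1',
  network_v4       => '10.10.10.0/24',
  network_v6       => undef,   # no IPv6 prefix on this bridge
  dns              => true,    # guests resolve through the host
  dhcpv4           => true,    # host hands out leases
  internal_traffic => true,    # guests may talk to each other
  forward_traffic  => false,   # nothing is forwarded off the bridge
  masquerade       => false,   # and nothing is NATed to the uplink
}
```

With all eight parameters left at their defaults the class reproduces libvirt's permissive setup for `virbr0` and `192.168.122.0/24`; the two `false` values above are what turn that into a closed segment.
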
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the rule should be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

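An added example that is not part of the generated reference or the module's code, combining `nftables::chain` (documented above without parameter descriptions) with `nftables::rule`: a dedicated chain for management traffic, hooked into `default_in` via `inject`, with ordered rules and one rule retired through `ensure => 'absent'`. The reading of `inject` as "a jump rule into the named chain at the given two-digit order" and of `inject_iif` as an input-interface match is my interpretation of the parameter patterns, not something the reference states; the chain name, interface and address are constructed sample values.

```puppet
# Added example, not from the module's generated reference.
# Assumption: inject => 'NN-chain' creates a jump to this chain from
# 'chain' at order NN, and inject_iif restricts that jump to one
# input interface. 'mgmt_in', 'eth0' and 192.0.2.5 are constructed values.

nftables::chain { 'mgmt_in':
  table      => 'inet-filter',   # must match the table pattern ip|ip6|inet|...-name
  inject     => '20-default_in',
  inject_iif => 'eth0',
}

# Rule titles follow the Nftables::RuleName form '<chain>-<rulename>';
# lower two-digit orders are emitted first inside the chain.
nftables::rule { 'mgmt_in-ssh_from_bastion':
  order   => '10',
  content => 'ip saddr 192.0.2.5 tcp dport 22 accept',
}

nftables::rule { 'mgmt_in-drop_rest':
  order   => '90',
  content => 'drop',
}

# Retiring a rule: keep the declaration with ensure => 'absent' so
# Puppet removes the snippet, rather than silently dropping the resource.
nftables::rule { 'mgmt_in-legacy_telnet':
  ensure  => 'absent',
  content => 'tcp dport 23 accept',
}
```

Keeping the catch-all `drop` at a high order and the allow rules below it is what makes the chain safe to extend later: a new allow rule with any order under 90 lands before the drop without renumbering.
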
### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`
1611 e17693e3 Steve Traylen
1612
masquerade all outgoing traffic
1613
1614
#### Parameters
1615
1616 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::masquerade` defined type:
1617 e17693e3 Steve Traylen
1618 c24d3118 Tim Meusel
* [`rulename`](#-nftables--rules--masquerade--rulename)
1619
* [`order`](#-nftables--rules--masquerade--order)
1620
* [`chain`](#-nftables--rules--masquerade--chain)
1621
* [`oif`](#-nftables--rules--masquerade--oif)
1622
* [`saddr`](#-nftables--rules--masquerade--saddr)
1623
* [`daddr`](#-nftables--rules--masquerade--daddr)
1624
* [`proto`](#-nftables--rules--masquerade--proto)
1625
* [`dport`](#-nftables--rules--masquerade--dport)
1626
* [`ensure`](#-nftables--rules--masquerade--ensure)
1627 09cba182 Steve Traylen
1628 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`
1629 e17693e3 Steve Traylen
1630
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1631
1632
1633
1634
Default value: `$title`
1635
1636 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--order"></a>`order`
1637 e17693e3 Steve Traylen
1638
Data type: `Pattern[/^\d\d$/]`
1639
1640
1641
1642
Default value: `'70'`
1643
1644 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--chain"></a>`chain`
1645 e17693e3 Steve Traylen
1646
Data type: `String[1]`
1647
1648
1649
1650
Default value: `'POSTROUTING'`
1651
1652 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--oif"></a>`oif`
1653 e17693e3 Steve Traylen
1654
Data type: `Optional[String[1]]`
1655
1656
1657
1658 c24d3118 Tim Meusel
Default value: `undef`
1659 e17693e3 Steve Traylen
1660 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`
1661 e17693e3 Steve Traylen
1662
Data type: `Optional[String[1]]`
1663
1664
1665
1666 c24d3118 Tim Meusel
Default value: `undef`
1667 e17693e3 Steve Traylen
1668 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`
1669 e17693e3 Steve Traylen
1670
Data type: `Optional[String[1]]`
1671
1672
1673
1674 c24d3118 Tim Meusel
Default value: `undef`
1675 e17693e3 Steve Traylen
1676 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--proto"></a>`proto`
1677 e17693e3 Steve Traylen
1678
Data type: `Optional[Enum['tcp','udp']]`
1679
1680
1681
1682 c24d3118 Tim Meusel
Default value: `undef`
1683 e17693e3 Steve Traylen
1684 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--dport"></a>`dport`
1685 e17693e3 Steve Traylen
1686 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1687 e17693e3 Steve Traylen
1688
1689
1690 c24d3118 Tim Meusel
Default value: `undef`
1691 e17693e3 Steve Traylen
1692 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`
1693 e17693e3 Steve Traylen
1694
Data type: `Enum['present','absent']`
1695
1696
1697
1698
Default value: `'present'`
1699
1700 c24d3118 Tim Meusel
### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`
1701 e17693e3 Steve Traylen
1702
manage a ipv4 snat rule
1703
1704
#### Parameters
1705
1706 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::snat4` defined type:
1707
1708 c24d3118 Tim Meusel
* [`snat`](#-nftables--rules--snat4--snat)
1709
* [`rulename`](#-nftables--rules--snat4--rulename)
1710
* [`order`](#-nftables--rules--snat4--order)
1711
* [`chain`](#-nftables--rules--snat4--chain)
1712
* [`oif`](#-nftables--rules--snat4--oif)
1713
* [`saddr`](#-nftables--rules--snat4--saddr)
1714
* [`proto`](#-nftables--rules--snat4--proto)
1715
* [`dport`](#-nftables--rules--snat4--dport)
1716
* [`ensure`](#-nftables--rules--snat4--ensure)
1717 e17693e3 Steve Traylen
1718 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--snat"></a>`snat`
1719 e17693e3 Steve Traylen
1720
Data type: `String[1]`
1721
1722
1723
1724 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`
1725 e17693e3 Steve Traylen
1726
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1727
1728
1729
1730
Default value: `$title`
1731
1732 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--order"></a>`order`
1733 e17693e3 Steve Traylen
1734
Data type: `Pattern[/^\d\d$/]`
1735
1736
1737
1738
Default value: `'70'`
1739
1740 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--chain"></a>`chain`
1741 e17693e3 Steve Traylen
1742
Data type: `String[1]`
1743
1744
1745
1746
Default value: `'POSTROUTING'`
1747
1748 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--oif"></a>`oif`
1749 e17693e3 Steve Traylen
1750
Data type: `Optional[String[1]]`
1751
1752
1753
1754 c24d3118 Tim Meusel
Default value: `undef`
1755 e17693e3 Steve Traylen
1756 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`
1757 e17693e3 Steve Traylen
1758
Data type: `Optional[String[1]]`
1759
1760
1761
1762 c24d3118 Tim Meusel
Default value: `undef`
1763 e17693e3 Steve Traylen
1764 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--proto"></a>`proto`
1765 e17693e3 Steve Traylen
1766
Data type: `Optional[Enum['tcp','udp']]`
1767
1768
1769
1770 c24d3118 Tim Meusel
Default value: `undef`
1771 e17693e3 Steve Traylen
1772 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--dport"></a>`dport`
1773 e17693e3 Steve Traylen
1774 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1775 e17693e3 Steve Traylen
1776
1777
1778 c24d3118 Tim Meusel
Default value: `undef`
1779 e17693e3 Steve Traylen
1780 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`
1781 e17693e3 Steve Traylen
1782
Data type: `Enum['present','absent']`
1783
1784
1785
1786
Default value: `'present'`
1787
1788 c24d3118 Tim Meusel
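A worked NAT configuration that uses `nftables::rules::dnat4`, `nftables::rules::masquerade` and `nftables::rules::snat4` together, added here as an example and not taken from the module's own documentation. The interface name, subnets, addresses and rule names are constructed (RFC 1918 and RFC 5737 ranges), and the example assumes the module's `ip nat` table handling (see `nftables::ip_nat`) is left enabled.

```puppet
# Added example (not from the module docs). Constructed values: eth0 is the
# uplink, 10.0.0.0/24 and 10.0.1.0/24 are internal subnets, 203.0.113.10 is
# the gateway's static public address (RFC 5737 documentation range).

# Publish an internal HTTPS backend: TCP connections arriving on eth0 for
# port 443 are rewritten to 10.0.0.10:443. daddr only accepts a dotted
# quad (see its Pattern above), so a CIDR or hostname fails at catalog
# compile time rather than on the firewall host.
nftables::rules::dnat4 { 'https_to_backend':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 443,
  daddr => '10.0.0.10',
  port  => 443,
}

# Clients in 10.0.0.0/24 leave through eth0 with whatever address the
# uplink currently has (masquerade follows the interface address, which
# suits dynamically assigned uplinks).
nftables::rules::masquerade { 'lan_clients_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
}

# Servers in 10.0.1.0/24 need a stable source address that remote parties
# can allow-list, so they get an explicit SNAT to 203.0.113.10 instead.
# Both POSTROUTING rules keep the default order '70'; their saddr matches
# are disjoint, so their relative order does not matter here.
nftables::rules::snat4 { 'servers_out_fixed_ip':
  snat  => '203.0.113.10',
  oif   => 'eth0',
  saddr => '10.0.1.0/24',
}

# Retire a forward by flipping ensure rather than deleting the resource,
# so the rule is dropped from the generated ruleset on the next Puppet run
# and the change is visible in the catalog diff.
nftables::rules::dnat4 { 'old_ftp_forward':
  ensure => 'absent',
  daddr  => '10.0.0.11',
  port   => 21,
}
```
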
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

?

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

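A set-backed variant of the `nftables::simplerule` example, added here and not part of the module's documentation: it ties `nftables::set` to `simplerule` through the `@name` set expression (`Nftables::Addr::Set`) and shows why `set_type` has to leave its `ip6` default when the set holds `ipv4_addr` elements. The set name, networks, ports and rule names are constructed.

```puppet
# Added example (not from the module docs). Constructed values: two
# management networks from the RFC 5737 documentation ranges.

# The set lives in the default table 'inet-filter', the same table
# simplerule targets by default; a rule can only reference a set that is
# defined in its own table. 'interval' is what lets CIDR prefixes be used
# as elements, and auto_merge collapses overlapping prefixes on load.
nftables::set { 'mgmt_nets':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/24', '198.51.100.0/24'],
  auto_merge => true,
}

# SSH is reachable only from the set. set_type must be 'ip' here because
# the set is ipv4_addr; the 'ip6' default is for ipv6_addr sets and would
# not match these sources. counter => true keeps per-rule hit counts,
# which is the cheapest way to confirm the rule is actually matching.
nftables::simplerule { 'ssh_from_mgmt':
  action   => 'accept',
  comment  => 'ssh from management networks only',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets',
  set_type => 'ip',
}

# Same set, a port range (Nftables::Port::Range) and an explicit order so
# this fragment is placed after the SSH rule inside chain 'default_in'.
nftables::simplerule { 'monitoring_from_mgmt':
  comment  => 'node exporters, management networks only',
  proto    => 'tcp',
  dport    => '9100-9110',
  saddr    => '@mgmt_nets',
  set_type => 'ip',
  order    => '60',
}
```

Adding a network later means editing the set's `elements` only; the rules that reference `@mgmt_nets` stay unchanged.
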

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`