root / REFERENCE.md @ baad986e

Historique | Voir | Annoter | Télécharger (59,4 ko)

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.
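
Putting the `nftables` class parameters above together, as an added example that is not part of the generated reference: a host that opens only the outbound services it needs, logs discarded traffic with rate limiting, rejects instead of silently dropping, and leaves a fail2ban table alone. The `sets` and `rules` hash values assume that `nftables::set` takes `type`, `flags` and `elements` and that `nftables::rule` takes `content`; neither defined type's parameters are documented on this page, and the address ranges are constructed RFC 5737 documentation networks.

```puppet
# Added example (not from the module's own reference). Assumptions, marked
# where used: nftables::set accepts 'type', 'flags' and 'elements';
# nftables::rule accepts 'content'. 198.51.100.0/24 and 203.0.113.0/24 are
# RFC 5737 documentation networks used as constructed input.
class { 'nftables':
  # Outbound: keep out_all at its default (false) so the individual out_*
  # switches stay meaningful; setting it to true would make every other
  # out_* parameter be assumed false and allow all outbound traffic.
  out_all       => false,
  out_ntp       => true,
  out_dns       => true,
  out_http      => false,   # default is true; nothing on this host needs plain http
  out_https     => true,
  out_icmp      => true,

  # Inbound defaults: ssh and icmp stay open; everything else is discarded.
  in_ssh        => true,
  in_icmp       => true,

  # Discards are logged with chain name and comment, rate-limited so a scan
  # or flood cannot fill the journal. The log_limit string is the body of an
  # nft "limit" statement; false disables the limit.
  log_discarded => true,
  log_prefix    => '[nftables] %<chain>s %<comment>s',
  log_limit     => '3/minute burst 5 packets',

  # Reject rather than drop so legitimate clients fail fast instead of
  # timing out. The value must match /icmp(v6|x)? type .+|tcp reset/;
  # false falls back to the chain policy (normally drop).
  reject_with   => 'icmpx type port-unreachable',

  # Mask firewalld so a package update cannot start a second, conflicting
  # firewall. Use false only when firewalld is removed by other means.
  firewalld_enable => 'mask',

  # fail2ban owns 'inet-f2b-table'; every other table is flushed on reload.
  # Entries must match /^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/.
  noflush_tables => ['inet-f2b-table'],

  # Named set of management networks (assumed nftables::set parameters).
  sets => {
    'mgmt_nets' => {
      'type'     => 'ipv4_addr',
      'flags'    => ['interval'],
      'elements' => ['198.51.100.0/24', '203.0.113.0/24'],
    },
  },

  # Extra rules keyed by Nftables::RuleName, '<chain>-<name>[-<number>]'
  # (assumed nftables::rule 'content' parameter). Only the management
  # networks in the set above may reach the admin port; the outbound rule
  # carries a numeric suffix so a second rule for the same service can coexist.
  rules => {
    'default_in-admin_ui' => {
      'content' => 'ip saddr @mgmt_nets tcp dport 8443 accept',
    },
    'default_out-backup-2' => {
      'content' => 'ip daddr 198.51.100.10 tcp dport 873 accept',
    },
  },
}
```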
383
384 c24d3118 Tim Meusel
### <a name="nftables--bridges"></a>`nftables::bridges`
385 7f6cacc5 Steve Traylen
386
allow forwarding traffic on bridges
387
388
#### Parameters
389
390 09cba182 Steve Traylen
The following parameters are available in the `nftables::bridges` class:
391 7f6cacc5 Steve Traylen
392 c24d3118 Tim Meusel
* [`ensure`](#-nftables--bridges--ensure)
393
* [`bridgenames`](#-nftables--bridges--bridgenames)
394 09cba182 Steve Traylen
395 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--ensure"></a>`ensure`
396 7f6cacc5 Steve Traylen
397
Data type: `Enum['present','absent']`
398
399
400
401
Default value: `'present'`
402
403 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
404 7f6cacc5 Steve Traylen
405
Data type: `Regexp`
406
407
408
409
Default value: `/^br.+/`
410
411 c24d3118 Tim Meusel
### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
412 e17693e3 Steve Traylen
413
manage basic chains in table inet filter
414
415 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
416 a1f09048 Tim Meusel
417
enable conntrack for fwd
418
419 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
420 a1f09048 Tim Meusel
421
manage input & output conntrack
422
423 c24d3118 Tim Meusel
### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
424 e17693e3 Steve Traylen
425
manage basic chains in table ip nat
426
427 c24d3118 Tim Meusel
### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
428 771b3256 Nacho Barrientos
429
Provides input rules for Apache ActiveMQ
430
431
#### Parameters
432
433
The following parameters are available in the `nftables::rules::activemq` class:
434
435 c24d3118 Tim Meusel
* [`tcp`](#-nftables--rules--activemq--tcp)
436
* [`udp`](#-nftables--rules--activemq--udp)
437
* [`port`](#-nftables--rules--activemq--port)
438 771b3256 Nacho Barrientos
439 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
440 771b3256 Nacho Barrientos
441
Data type: `Boolean`
442
443
Create the rule for TCP traffic.
444
445 c24d3118 Tim Meusel
Default value: `true`
446 771b3256 Nacho Barrientos
447 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--udp"></a>`udp`
448 771b3256 Nacho Barrientos
449
Data type: `Boolean`
450
451
Create the rule for UDP traffic.
452
453 c24d3118 Tim Meusel
Default value: `true`
454 771b3256 Nacho Barrientos
455 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--port"></a>`port`
456 771b3256 Nacho Barrientos
457
Data type: `Stdlib::Port`
458
459
The port number for the ActiveMQ daemon.
460
461
Default value: `61616`
462
463 c24d3118 Tim Meusel
### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
464 09cba182 Steve Traylen
465
Open call back port for AFS clients
466 7f6cacc5 Steve Traylen
467 09cba182 Steve Traylen
#### Examples
468
469
##### allow call backs from particular hosts
470
471
```puppet
472 7f6cacc5 Steve Traylen
class{'nftables::rules::afs3_callback':
473
  saddr => ['192.168.0.0/16', '10.0.0.222']
474
}
475 09cba182 Steve Traylen
```
476 7f6cacc5 Steve Traylen
477
#### Parameters
478
479 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::afs3_callback` class:
480
481 c24d3118 Tim Meusel
* [`saddr`](#-nftables--rules--afs3_callback--saddr)
482 7f6cacc5 Steve Traylen
483 c24d3118 Tim Meusel
##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
484 7f6cacc5 Steve Traylen
485
Data type: `Array[Stdlib::IP::Address::V4,1]`
486
487
list of source network ranges to a
488
489
Default value: `['0.0.0.0/0']`
490
491 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
492 b9785000 Steve Traylen
493
Ceph is a distributed object store and file system.
494
Enable this to support Ceph's Object Storage Daemons (OSD),
495
Metadata Server Daemons (MDS), or Manager Daemons (MGR).
496
497 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
498 b9785000 Steve Traylen
499
Ceph is a distributed object store and file system.
500
Enable this option to support Ceph's Monitor Daemon.
501
502
#### Parameters
503
504 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ceph_mon` class:
505 b9785000 Steve Traylen
506 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ceph_mon--ports)
507 b9785000 Steve Traylen
508 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
509 b9785000 Steve Traylen
510 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
511 b9785000 Steve Traylen
512 09cba182 Steve Traylen
specify ports for ceph service
513 b9785000 Steve Traylen
514
Default value: `[3300, 6789]`
515
516 c24d3118 Tim Meusel
### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
517 7f6cacc5 Steve Traylen
518 09cba182 Steve Traylen
allow DHCPv6 requests in to a host
519 7f6cacc5 Steve Traylen
520 c24d3118 Tim Meusel
### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
521 7f6cacc5 Steve Traylen
522
manage in dns
523
524
#### Parameters
525
526 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dns` class:
527 7f6cacc5 Steve Traylen
528 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--dns--ports)
529 7f6cacc5 Steve Traylen
530 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dns--ports"></a>`ports`
531 7f6cacc5 Steve Traylen
532 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
533 7f6cacc5 Steve Traylen
534 09cba182 Steve Traylen
Specify ports for dns.
535 7f6cacc5 Steve Traylen
536
Default value: `[53]`
537
538 c24d3118 Tim Meusel
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
539 804b96e4 Nacho Barrientos
540
The configuration distributed in this class represents the default firewall
541
configuration done by docker-ce when the iptables integration is enabled.
542
543
This class is needed as the default docker-ce rules added to ip-filter conflict
544
with the inet-filter forward rules set by default in this module.
545
546
When using this class 'docker::iptables: false' should be set.
547
548
#### Parameters
549
550
The following parameters are available in the `nftables::rules::docker_ce` class:
551
552 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
553
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
554
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
555
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
556 804b96e4 Nacho Barrientos
557 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
558 804b96e4 Nacho Barrientos
559
Data type: `String[1]`
560
561
Interface name used by docker.
562
563
Default value: `'docker0'`
564
565 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
566 804b96e4 Nacho Barrientos
567
Data type: `Stdlib::IP::Address::V4::CIDR`
568
569
The address space used by docker.
570
571
Default value: `'172.17.0.0/16'`
572
573 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
574 804b96e4 Nacho Barrientos
575
Data type: `Boolean`
576
577
Flag to control whether the class should create the docker related chains.
578
579 c24d3118 Tim Meusel
Default value: `true`
580 804b96e4 Nacho Barrientos
581 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
582 804b96e4 Nacho Barrientos
583
Data type: `Boolean`
584
585
Flag to control whether the class should create the base common chains.
586
587 c24d3118 Tim Meusel
Default value: `true`
588 804b96e4 Nacho Barrientos
589 baad986e Vadym Chepkov
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`
590
591
manage in ftp (with conntrack helper)
592
593
#### Parameters
594
595
The following parameters are available in the `nftables::rules::ftp` class:
596
597
* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
598
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)
599
600
##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`
601
602
Data type: `Boolean`
603
604
Enable FTP passive mode support
605
606
Default value: `true`
607
608
##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`
609
610
Data type: `Nftables::Port::Range`
611
612
Set the FTP passive mode port range
613
614
Default value: `'10090-10100'`
615
616 c24d3118 Tim Meusel
### <a name="nftables--rules--http"></a>`nftables::rules::http`
617 e17693e3 Steve Traylen
618
manage in http
619
620 c24d3118 Tim Meusel
### <a name="nftables--rules--https"></a>`nftables::rules::https`
621 e17693e3 Steve Traylen
622
manage in https
623
624 c24d3118 Tim Meusel
### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
625 e17693e3 Steve Traylen
626
manage in icinga2
627
628
#### Parameters
629
630 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icinga2` class:
631 e17693e3 Steve Traylen
632 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--icinga2--ports)
633 e17693e3 Steve Traylen
634 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
635 e17693e3 Steve Traylen
636 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
637 e17693e3 Steve Traylen
638 8db66304 Steve Traylen
Specify ports for icinga2
639 e17693e3 Steve Traylen
640
Default value: `[5665]`
641
642 c24d3118 Tim Meusel
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
643 7f6cacc5 Steve Traylen
644
The nftables::rules::icmp class.
645
646
#### Parameters
647
648 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::icmp` class:
649
650 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--icmp--v4_types)
651
* [`v6_types`](#-nftables--rules--icmp--v6_types)
652
* [`order`](#-nftables--rules--icmp--order)
653 7f6cacc5 Steve Traylen
654 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
655 7f6cacc5 Steve Traylen
656
Data type: `Optional[Array[String]]`
657
658
659
660 c24d3118 Tim Meusel
Default value: `undef`
661 7f6cacc5 Steve Traylen
662 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
663 7f6cacc5 Steve Traylen
664
Data type: `Optional[Array[String]]`
665
666
667
668 c24d3118 Tim Meusel
Default value: `undef`
669 7f6cacc5 Steve Traylen
670 c24d3118 Tim Meusel
##### <a name="-nftables--rules--icmp--order"></a>`order`
671 7f6cacc5 Steve Traylen
672
Data type: `String`
673
674
675
676
Default value: `'10'`
677
678 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

a single IP address or an array of IP addresses of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify dns_server name

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

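The `v4_types` and `v6_types` parameters of `nftables::rules::icmp` and `nftables::rules::out::icmp` have no description above. The following manifest is an added example, not code from the module itself, showing how a host can be limited to the ICMP types it needs rather than accepting every type (which is what leaving both parameters at `undef` does). It assumes, because this page does not say so, that each string is an nft `icmp type` / `icmpv6 type` name, optionally followed by further nft match expressions such as a rate limit, in the form the generated rule should contain:

```puppet
# Added example: restrict inbound and outbound ICMP to a defender-chosen
# allow-list. Assumption (not stated on this page): each entry is an nft
# icmp/icmpv6 type name, optionally followed by extra nft match
# expressions (here a rate limit) that are emitted into the rule as-is.
class { 'nftables::rules::icmp':
  v4_types => [
    'echo-request limit rate 4/second',  # answer pings, but rate-limited
    'destination-unreachable',           # required for path MTU discovery
    'time-exceeded',                     # lets traceroute replies in
    'parameter-problem',
  ],
  v6_types => [
    'echo-request limit rate 4/second',
    'destination-unreachable',
    'packet-too-big',                    # mandatory for IPv6 PMTU discovery
    'time-exceeded',
    'parameter-problem',
    'nd-router-advert',                  # neighbour discovery: without these
    'nd-neighbor-solicit',               # three, IPv6 on the host stops
    'nd-neighbor-advert',                # working
  ],
}

class { 'nftables::rules::out::icmp':
  v4_types => [
    'echo-request', 'echo-reply',
    'destination-unreachable', 'time-exceeded',
  ],
  v6_types => [
    'echo-request', 'echo-reply',
    'destination-unreachable', 'packet-too-big',
    'time-exceeded', 'parameter-problem',
    'nd-router-solicit', 'nd-neighbor-solicit', 'nd-neighbor-advert',
  ],
}
```

The type names are the ones `nft` itself accepts for `icmp type` and `icmpv6 type`. Dropping `packet-too-big` or the neighbour-discovery types is the classic way to break IPv6 with a "hardened" ruleset, so those stay on the inbound list even when echo requests are rate-limited.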
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

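Several of the `nftables::rules::out::*` classes above take server addresses (`out::puppet`, `out::dns`, `out::chrony`, `out::active_directory`, `out::ldap`), which is what makes a real egress allow-list possible instead of "allow everything outbound". The manifest below is an added example, not code from the module or this page, that combines them for one managed host. All addresses are constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges; `dns_server` is documented above only as a "name", so whether hostnames are resolved is not stated here and addresses are passed:

```puppet
# Added example: egress allow-list for a managed host. Every address
# below is a constructed documentation-range placeholder, not a value
# from this page.
include nftables

class { 'nftables::rules::out::puppet':
  puppetserver => ['192.0.2.10', '2001:db8::10'],
  # puppetserver_port keeps its documented default of 8140
}

class { 'nftables::rules::out::dns':
  # documented as a "name"; addresses are used here because the page
  # does not state that hostnames are resolved (assumption)
  dns_server => ['192.0.2.53', '192.0.2.54'],
}

class { 'nftables::rules::out::chrony':
  servers => ['192.0.2.123'],
}

class { 'nftables::rules::out::active_directory':
  adserver       => ['192.0.2.20', '192.0.2.21'],
  adserver_ports => [389, 636],   # global-catalog ports 3268/3269 left out
}

class { 'nftables::rules::out::ldap':
  ldapserver => '192.0.2.30',     # a single address is also accepted
}

# Package mirrors still need plain web egress; these classes take no
# parameters. nftables::rules::out::all is deliberately NOT included,
# since "allow all outbound" would make the allow-list above pointless.
include nftables::rules::out::http
include nftables::rules::out::https
```

Pinning each service to its known servers is what turns the per-protocol classes into a detection aid as well: any other destination on those ports is then a policy violation rather than normal traffic.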
### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: if you do not serve DHCP to your guests you can
disable the rules that accept DHCP traffic on the host, and if you do
not want your guests to talk to hosts outside the virtual network you
can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

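With every `nftables::rules::qemu` parameter defaulting to `true`, the class reproduces libvirt's permissive setup: guests are forwarded and masqueraded to the outside. The manifest below is an added example, not code from the module or this page, showing the isolated variant the description above alludes to: guests can reach each other and the host's resolver, but nothing is forwarded or NATed towards external networks and the host does not accept DHCP from the bridge. The bridge name and prefix are constructed values:

```puppet
# Added example: an isolated lab network built from the documented
# parameters. 'virbr1' and 10.200.0.0/24 are constructed placeholders.
class { 'nftables::rules::qemu':
  interface        => 'virbr1',          # bridge carrying the lab guests
  network_v4       => '10.200.0.0/24',   # prefix the guests live in
  # network_v6 is left at its default (undef): no IPv6 on this network
  dns              => true,              # guests may use the host resolver
  dhcpv4           => false,             # guests are statically addressed
  internal_traffic => true,              # guests may talk to each other
  forward_traffic  => false,             # nothing is forwarded outside
  masquerade       => false,             # so nothing needs to be NATed
}
```

`forward_traffic` and `masquerade` are independent switches: with forwarding off, masquerade rules would only apply to packets that are never forwarded, so disabling both keeps the generated ruleset honest about what the network is allowed to do.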
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

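The `nftables::chain` parameters carry no descriptions above, only their type patterns. The declaration below is an added example, not code from the module or this page, that shows what those patterns imply: `table` is `<family>-<name>`, `chain` is a bare identifier, and `inject` is `<two-digit order>-<chain>`. It assumes (this page does not state it) that `inject` places a jump to the new chain into the named base chain at the given order, that `inject_iif` / `inject_oif` restrict that jump to packets entering or leaving through the named interface, and that a base chain called `input` exists in `inet-filter`; the chain and interface names are constructed:

```puppet
# Added example: a dedicated chain for traffic arriving on the management
# interface, hooked into the base "input" chain of table inet filter.
# Assumptions not stated on this page: inject => '20-input' emits a jump to
# this chain inside chain "input" at order 20, and inject_iif limits that
# jump to packets entering via the named interface. Names are constructed.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',   # matches ^(ip|ip6|inet|netdev|bridge)-\w+$
  chain      => 'mgmt_in',       # defaults to $title; matches ^[a-zA-Z0-9_]+$
  inject     => '20-input',      # matches ^\d\d-[a-zA-Z0-9_]+$
  inject_iif => 'eth1',          # only traffic that entered through eth1
}

# Outbound counterpart: hooked into the "output" base chain and limited
# to packets leaving via eth1, using inject_oif instead of inject_iif.
nftables::chain { 'mgmt_out':
  table      => 'inet-filter',
  inject     => '20-output',
  inject_oif => 'eth1',
}
```

Keeping interface-specific policy in its own chain means the base chain stays a short list of jumps, and the management interface's rules can be reviewed (and counted with `nft list chain inet filter mgmt_in`) independently of the rest of the ruleset.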
### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`
1685
1686 c24d3118 Tim Meusel
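A helper object on its own does nothing until a rule assigns it to traffic. The manifest below is an added example, not code from the module or its documentation: it pairs the FTP helper above with a raw `nftables::rule` that uses the nft `ct helper set` statement. It assumes that the module renders the helper object in the table under the name given in `helper` (so the rule can reference it as `"ftp-standard"`), that `default_in` is a chain in `inet filter` as the `nftables::rule` examples on this page also assume, and that the related data connections are then accepted by the conntrack rules the module manages elsewhere.

```puppet
# Added example, not the module's own code.

# Define the FTP conntrack helper in the default 'inet-filter' table.
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}

# Assign the helper to inbound FTP control connections and accept them.
# Assumption: the helper object is rendered under the $helper name, so it
# can be referenced with ct helper set "<name>". The rule name follows
# Nftables::RuleName: '<chain>-<rulename>', here chain 'default_in'.
nftables::rule { 'default_in-ftp_ctl':
  content => 'tcp dport 21 ct helper set "ftp-standard" accept',
}
```

Keeping the helper tied to one port and one chain is the point of using a helper object rather than a global sysctl: only connections that match this rule get the FTP protocol parser attached, which limits the conntrack attack surface to the service that actually needs it.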
### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule.

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the `Nftables::RuleName` type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as `content`, but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

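The generated reference documents no descriptions for the `nftables::rules::dnat4` parameters. The manifest below is an added example, not the module's own, and its reading of the parameters is an assumption drawn from their names and data types: traffic arriving on interface `iif` for `proto` port `dport` is rewritten to `daddr`:`port`, with the accompanying forward rule placed in `chain` (default `default_fwd`). What is certain from the page is the validation: `daddr` must be a single dotted-quad IPv4 address (no CIDR, no hostname), `rulename` allows no dashes, and `order` is a two-digit string.

```puppet
# Added example; the behaviour described in the comments is inferred from the
# parameter names and types on this page, not confirmed by the module docs.

# Publish an internal web server: TCP/80 arriving on eth0 is expected to be
# DNATed to 192.0.2.10:8080 (assumption). Restricting 'iif' to the uplink
# keeps the translation from applying to traffic from internal interfaces.
nftables::rules::dnat4 { 'web_dmz':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 80,
  daddr => '192.0.2.10',   # must match the dotted-quad Pattern; CIDR is rejected
  port  => 8080,
}

# A UDP forward with an explicit order so it sorts before the default '50'.
nftables::rules::dnat4 { 'dns_dmz':
  iif   => 'eth0',
  proto => 'udp',
  dport => 53,
  daddr => '192.0.2.53',
  port  => 53,
  order => '40',
}
```

Both resources rely on the `ip nat` chains that `nftables::ip_nat` manages (see the class list at the top of this reference); declaring a DNAT rule without that class in the catalogue is a configuration error to watch for rather than something the type's parameters can express.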
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

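`nftables::rules::masquerade` and `nftables::rules::snat4` both default to order `'70'` in the `POSTROUTING` chain, so a host-specific SNAT and a catch-all masquerade only compose correctly if the specific rule is ordered first. The manifest below is an added example, not the module's own; the interface and address values are constructed, and the assumption that nft evaluates `POSTROUTING` rules in concat order so the first matching NAT rule decides the translation is mine, not stated on this page.

```puppet
# Added example, not the module's own code. Addresses and interfaces are
# constructed sample values.

# One host keeps a fixed public source address (e.g. so its outbound mail
# matches reverse DNS). Ordered at '60' so it is evaluated before the
# generic masquerade rule below, which keeps the module default '70'.
nftables::rules::snat4 { 'mail_out':
  snat  => '203.0.113.25',
  oif   => 'eth0',
  saddr => '192.168.10.25',
  proto => 'tcp',
  dport => 25,
  order => '60',
}

# Everything else from the LAN leaving via the uplink is masqueraded.
# Scoping by oif and saddr avoids rewriting traffic between internal
# interfaces, which a bare 'masquerade' in POSTROUTING would also touch.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.168.10.0/24',
}
```

If both rules were left at the default order, concat would sort them by name and the masquerade rule could shadow the static SNAT; setting `order` explicitly on the specific rule is the reliable way to express that precedence with these types.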
### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Flags to specify for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

?

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to `nftables::rule`.

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as `saddr` or `daddr`, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

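The most common mistake with `nftables::simplerule` and sets is the `set_type` default: it is `'ip6'`, so a rule that references an `ipv4_addr` set without `set_type => 'ip'` is addressed as an IPv6 set, exactly the case the parameter description above warns about. The manifest below is an added example, not the module's own; the set name, networks and ports are constructed. It exercises the `Nftables::Addr::Set` (`@name`) and `Nftables::Port::Range` (`'3000-3100'`) data types documented in the next section, and relies on `default_in` being the chain the type defaults to.

```puppet
# Added example, not the module's own code. Networks and ports are
# constructed sample values.

# A named IPv4 set of management networks. The 'interval' flag is what
# allows CIDR elements; without it only single addresses are valid.
nftables::set { 'admin_hosts':
  type     => 'ipv4_addr',
  flags    => ['interval'],
  elements => ['192.0.2.0/24', '198.51.100.7'],
}

# Accept SSH only from that set. '@admin_hosts' is a Nftables::Addr::Set.
# set_type must be 'ip' here: the default 'ip6' would address the set as
# an IPv6 set, which does not match an ipv4_addr set.
nftables::simplerule { 'ssh_admins':
  action   => 'accept',
  comment  => 'management ssh from admin networks only',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@admin_hosts',
  set_type => 'ip',
  counter  => true,
}

# Explicitly drop a range of internal dashboard ports from everywhere else.
# '3000-3100' is a Nftables::Port::Range; order '60' places the drop after
# the accept above (which keeps the default '50'), so admin traffic to these
# ports from the set is still decided by any earlier accept rules.
nftables::simplerule { 'internal_tools':
  action  => 'drop',
  comment => 'internal dashboards are not reachable externally',
  proto   => 'tcp',
  dport   => '3000-3100',
  order   => '60',
  counter => true,
}
```

Enabling `counter` on both rules costs nothing in policy terms and gives `nft list ruleset` a per-rule hit count, which is the quickest way to confirm that a set-based rule is actually matching after a `set_type` fix.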
## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via `nftables::rule`.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name, and the optional third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via `nftables::simplerule`.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`