/REFERENCE.md - puppet nftables - Koumbit's Redmine

Télécharger au format

root / REFERENCE.md @ c3f6e1ff

Historique | Voir | Annoter | Télécharger (25,3 ko)

       # Reference
       <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
       ## Table of Contents
       ### Classes
       * [`nftables`](#nftables): Configure nftables
       * [`nftables::bridges`](#nftablesbridges): allow forwarding traffic on bridges
       * [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter
       * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat
       * [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients
       * [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
       * [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
       * [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client)
       * [`nftables::rules::dns`](#nftablesrulesdns): manage in dns
       * [`nftables::rules::http`](#nftablesruleshttp): manage in http
       * [`nftables::rules::https`](#nftablesruleshttps): manage in https
       * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2
       * [`nftables::rules::icmp`](#nftablesrulesicmp)
       * [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4
       * [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3
       * [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter
       * [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf
       * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3
       * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound
       * [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadat
       * [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony
       * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp
       * [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client)
       * [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns
       * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
       * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
       * [`nftables::rules::out::icmp`](#nftablesrulesouticmp)
       * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos
       * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
       * [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs
       * [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3
       * [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients
       * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
       * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
       * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
       * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
       * [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): manage out smtp
       * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
       * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
       * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
       * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
       * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
       * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
       * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
       * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
       * [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh
       * [`nftables::rules::tor`](#nftablesrulestor): manage in tor
       * [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard
       * [`nftables::services::dhcpv6_client`](#nftablesservicesdhcpv6_client)
       * [`nftables::services::openafs_client`](#nftablesservicesopenafs_client)
       ### Defined types
       * [`nftables::chain`](#nftableschain): manage a chain
       * [`nftables::config`](#nftablesconfig): manage a config snippet
       * [`nftables::rule`](#nftablesrule): manage a chain rule Name should be:   CHAIN_NAME-rulename
       * [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule
       * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
       * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
       * [`nftables::set`](#nftablesset): manage a named set
       * [`nftables::simplerule`](#nftablessimplerule): Provides a simplified interface to nftables::rule
       ### Data types
       * [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.
       * [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.
       * [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.
       * [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.
       * [`Nftables::RuleName`](#nftablesrulename): Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       * [`Nftables::SimpleRuleName`](#nftablessimplerulename): Represents a simple rule name to be used in a rule created via nftables::simplerule
       ## Classes
       ### `nftables`
       Configure nftables
       #### Examples
       ##### allow dns out and do not allow ntp out
       ```puppet
       class{'nftables:
         out_ntp = false,
         out_dns = true,
+      }
       ```
       ##### do not flush particular tables, fail2ban in this case
       ```puppet
       class{'nftables':
         noflush_tables = ['inet-f2b-table'],
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables` class.
       ##### `out_all`
       Data type: `Boolean`
       Allow all outbound connections. If `true` then all other
       out parameters `out_ntp`, `out_dns`, ... will be assuemed
       false.
       Default value: ``false``
       ##### `out_ntp`
       Data type: `Boolean`
       Allow outbound to ntp servers.
       Default value: ``true``
       ##### `out_http`
       Data type: `Boolean`
       Allow outbound to http servers.
       Default value: ``true``
       ##### `out_https`
       Data type: `Boolean`
       Allow outbound to https servers.
       Default value: ``true``
       ##### `out_https`
       Allow outbound to https servers.
       Default value: ``true``
       ##### `out_icmp`
       Data type: `Boolean`
       Allow outbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### `in_ssh`
       Data type: `Boolean`
       Allow inbound to ssh servers.
       Default value: ``true``
       ##### `in_icmp`
       Data type: `Boolean`
       Allow inbound ICMPv4/v6 traffic.
       Default value: ``true``
       ##### `nat`
       Data type: `Boolean`
       Add default tables and chains to process NAT traffic.
       Default value: ``true``
       ##### `sets`
       Data type: `Hash`
       Allows sourcing set definitions directly from Hiera.
       Default value: `{}`
       ##### `log_prefix`
       Data type: `String`
       String that will be used as prefix when logging packets. It can contain
       two variables using standard sprintf() string-formatting:
        * chain: Will be replaced by the name of the chain.
        * comment: Allows chains to add extra comments.
       Default value: `'[nftables] %<chain>s %<comment>s'`
       ##### `log_limit`
       Data type: `Variant[Boolean[false], String]`
       String with the content of a limit statement to be applied
       to the rules that log discarded traffic. Set to false to
       disable rate limiting.
       Default value: `'3/minute burst 5 packets'`
       ##### `reject_with`
       Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
       How to discard packets not matching any rule. If `false`, the
       fate of the packet will be defined by the chain policy (normally
       drop), otherwise the packet will be rejected with the REJECT_WITH
       policy indicated by the value of this parameter.
       Default value: `'icmpx type port-unreachable'`
       ##### `in_out_conntrack`
       Data type: `Boolean`
       Adds INPUT and OUTPUT rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``true``
       ##### `fwd_conntrack`
       Data type: `Boolean`
       Adds FORWARD rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: ``false``
       ##### `firewalld_enable`
       Data type: `Variant[Boolean[false], Enum['mask']]`
       Configures how the firewalld systemd service unit is enabled. It might be
       useful to set this to false if you're externaly removing firewalld from
       the system completely.
       Default value: `'mask'`
       ##### `noflush_tables`
       Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]`
       If specified only other existings tables will be flushed.
       If left unset all tables will be flushed via a `flush ruleset`
       Default value: ``undef``
       ##### `out_dns`
       Data type: `Boolean`
       Default value: ``true``
       ##### `rules`
       Data type: `Hash`
       Default value: `{}`
       ### `nftables::bridges`
       allow forwarding traffic on bridges
       #### Parameters
       The following parameters are available in the `nftables::bridges` class.
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ##### `bridgenames`
       Data type: `Regexp`
       Default value: `/^br.+/`
       ### `nftables::inet_filter`
       manage basic chains in table inet filter
       ### `nftables::ip_nat`
       manage basic chains in table ip nat
       ### `nftables::rules::afs3_callback`
       class{'nftables::rules::afs3_callback':
         saddr => ['192.168.0.0/16', '10.0.0.222']
+      }
       #### Parameters
       The following parameters are available in the `nftables::rules::afs3_callback` class.
       ##### `saddr`
       Data type: `Array[Stdlib::IP::Address::V4,1]`
       list of source network ranges to a
       Default value: `['0.0.0.0/0']`
       ### `nftables::rules::ceph`
       Ceph is a distributed object store and file system.
       Enable this to support Ceph's Object Storage Daemons (OSD),
       Metadata Server Daemons (MDS), or Manager Daemons (MGR).
       ### `nftables::rules::ceph_mon`
       Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       #### Parameters
       The following parameters are available in the `nftables::rules::ceph_mon` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[3300, 6789]`
       ### `nftables::rules::dhcpv6_client`
       The nftables::rules::dhcpv6_client class.
       ### `nftables::rules::dns`
       manage in dns
       #### Parameters
       The following parameters are available in the `nftables::rules::dns` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[53]`
       ### `nftables::rules::http`
       manage in http
       ### `nftables::rules::https`
       manage in https
       ### `nftables::rules::icinga2`
       manage in icinga2
       #### Parameters
       The following parameters are available in the `nftables::rules::icinga2` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[5665]`
       ### `nftables::rules::icmp`
       The nftables::rules::icmp class.
       #### Parameters
       The following parameters are available in the `nftables::rules::icmp` class.
       ##### `v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### `v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### `order`
       Data type: `String`
       Default value: `'10'`
       ### `nftables::rules::nfs`
       manage in nfs4
       ### `nftables::rules::nfs3`
       manage in nfs3
       ### `nftables::rules::node_exporter`
       manage in node exporter
       #### Parameters
       The following parameters are available in the `nftables::rules::node_exporter` class.
       ##### `prometheus_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ##### `port`
       Data type: `Stdlib::Port`
       Default value: `9100`
       ### `nftables::rules::ospf`
       manage in ospf
       ### `nftables::rules::ospf3`
       manage in ospf3
       ### `nftables::rules::out::all`
       allow all outbound
       ### `nftables::rules::out::ceph_client`
       Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ceph_client` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[3300, 6789]`
       ### `nftables::rules::out::chrony`
       manage out chrony
       ### `nftables::rules::out::dhcp`
       manage out dhcp
       ### `nftables::rules::out::dhcpv6_client`
       The nftables::rules::out::dhcpv6_client class.
       ### `nftables::rules::out::dns`
       manage out dns
       #### Parameters
       The following parameters are available in the `nftables::rules::out::dns` class.
       ##### `dns_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ### `nftables::rules::out::http`
       manage out http
       ### `nftables::rules::out::https`
       manage out https
       ### `nftables::rules::out::icmp`
       The nftables::rules::out::icmp class.
       #### Parameters
       The following parameters are available in the `nftables::rules::out::icmp` class.
       ##### `v4_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### `v6_types`
       Data type: `Optional[Array[String]]`
       Default value: ``undef``
       ##### `order`
       Data type: `String`
       Default value: `'10'`
       ### `nftables::rules::out::kerberos`
       allows outbound access for kerberos
       ### `nftables::rules::out::mysql`
       manage out mysql
       ### `nftables::rules::out::nfs`
       manage out nfs
       ### `nftables::rules::out::nfs3`
       manage out nfs3
       ### `nftables::rules::out::openafs_client`
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * **See also**
         * https://wiki.openafs.org/devel/AFSServicePorts/
           * AFS Service Ports
       #### Parameters
       The following parameters are available in the `nftables::rules::out::openafs_client` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[7000, 7002, 7003]`
       ### `nftables::rules::out::ospf`
       manage out ospf
       ### `nftables::rules::out::ospf3`
       manage out ospf3
       ### `nftables::rules::out::postgres`
       manage out postgres
       ### `nftables::rules::out::puppet`
       manage outgoing puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::out::puppet` class.
       ##### `puppetserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       ##### `puppetserver_port`
       Data type: `Stdlib::Port`
       Default value: `8140`
       ### `nftables::rules::out::smtp`
       manage out smtp
       ### `nftables::rules::out::ssh`
       manage out ssh
       ### `nftables::rules::out::ssh::remove`
       disable outgoing ssh
       ### `nftables::rules::out::tor`
       manage out tor
       ### `nftables::rules::out::wireguard`
       manage out wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::out::wireguard` class.
       ##### `ports`
       Data type: `Array[Integer,1]`
       Default value: `[51820]`
       ### `nftables::rules::puppet`
       manage in puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::puppet` class.
       ##### `ports`
       Data type: `Array[Integer,1]`
       Default value: `[8140]`
       ### `nftables::rules::smtp`
       manage in smtp
       ### `nftables::rules::smtp_submission`
       manage in smtp submission
       ### `nftables::rules::smtps`
       manage in smtps
       ### `nftables::rules::ssh`
       manage in ssh
       #### Parameters
       The following parameters are available in the `nftables::rules::ssh` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[22]`
       ### `nftables::rules::tor`
       manage in tor
       #### Parameters
       The following parameters are available in the `nftables::rules::tor` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[9001]`
       ### `nftables::rules::wireguard`
       manage in wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::wireguard` class.
       ##### `ports`
       Data type: `Array[Stdlib::Port,1]`
       Default value: `[51820]`
       ### `nftables::services::dhcpv6_client`
       The nftables::services::dhcpv6_client class.
       ### `nftables::services::openafs_client`
       The nftables::services::openafs_client class.
       ## Defined types
       ### `nftables::chain`
       manage a chain
       #### Parameters
       The following parameters are available in the `nftables::chain` defined type.
       ##### `table`
       Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
       Default value: `'inet-filter'`
       ##### `chain`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### `inject`
       Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
       Default value: ``undef``
       ##### `inject_iif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### `inject_oif`
       Data type: `Optional[String]`
       Default value: ``undef``
       ### `nftables::config`
       manage a config snippet
       #### Parameters
       The following parameters are available in the `nftables::config` defined type.
       ##### `tablespec`
       Data type: `Pattern[/^\w+-\w+$/]`
       Default value: `$title`
       ##### `content`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### `source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ##### `prefix`
       Data type: `String`
       Default value: `'custom-'`
       ### `nftables::rule`
       manage a chain rule
       Name should be:
         CHAIN_NAME-rulename
       #### Parameters
       The following parameters are available in the `nftables::rule` defined type.
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ##### `rulename`
       Data type: `Nftables::RuleName`
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'50'`
       ##### `table`
       Data type: `Optional[String]`
       Default value: `'inet-filter'`
       ##### `content`
       Data type: `Optional[String]`
       Default value: ``undef``
       ##### `source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: ``undef``
       ### `nftables::rules::dnat4`
       manage a ipv4 dnat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::dnat4` defined type.
       ##### `daddr`
       Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
       ##### `port`
       Data type: `Variant[String,Stdlib::Port]`
       ##### `rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'50'`
       ##### `chain`
       Data type: `String[1]`
       Default value: `'default_fwd'`
       ##### `iif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `proto`
       Data type: `Enum['tcp','udp']`
       Default value: `'tcp'`
       ##### `dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: `''`
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### `nftables::rules::masquerade`
       masquerade all outgoing traffic
       #### Parameters
       The following parameters are available in the `nftables::rules::masquerade` defined type.
       ##### `rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### `chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### `oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `daddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### `dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### `nftables::rules::snat4`
       manage a ipv4 snat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::snat4` defined type.
       ##### `snat`
       Data type: `String[1]`
       ##### `rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### `chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### `oif`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `saddr`
       Data type: `Optional[String[1]]`
       Default value: ``undef``
       ##### `proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: ``undef``
       ##### `dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: ``undef``
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### `nftables::set`
       manage a named set
       #### Examples
       ##### simple set
       ```puppet
       nftables::set{'my_set':
         type       => 'ipv4_addr',
         flags      => ['interval'],
         elements   => ['192.168.0.1/24', '10.0.0.2'],
         auto_merge => true,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::set` defined type.
       ##### `ensure`
       Data type: `Enum['present','absent']`
       should the set be created.
       Default value: `'present'`
       ##### `setname`
       Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
       name of set, equal to to title.
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       concat ordering.
       Default value: `'10'`
       ##### `type`
       Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
       type of set.
       Default value: ``undef``
       ##### `table`
       Data type: `String`
       table to add set to.
       Default value: `'inet-filter'`
       ##### `flags`
       Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
       specify flags for set
       Default value: `[]`
       ##### `timeout`
       Data type: `Optional[Integer]`
       timeout in seconds
       Default value: ``undef``
       ##### `gc_interval`
       Data type: `Optional[Integer]`
       garbage collection interval.
       Default value: ``undef``
       ##### `elements`
       Data type: `Optional[Array[String]]`
       initialize the set with some elements in it.
       Default value: ``undef``
       ##### `size`
       Data type: `Optional[Integer]`
       limits the maximum number of elements of the set.
       Default value: ``undef``
       ##### `policy`
       Data type: `Optional[Enum['performance', 'memory']]`
       determines set selection policy.
       Default value: ``undef``
       ##### `auto_merge`
       Data type: `Boolean`
+      ?
       Default value: ``false``
       ##### `content`
       Data type: `Optional[String]`
       specify content of set.
       Default value: ``undef``
       ##### `source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify source of set.
       Default value: ``undef``
       ### `nftables::simplerule`
       Provides a simplified interface to nftables::rule
       #### Examples
       ##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
       ```puppet
       nftables::simplerule{'my_service_in':
         action  => 'accept',
         comment => 'allow traffic to port 543',
         counter => true,
         proto   => 'tcp',
         dport   => 543,
         daddr   => '2001:1458::/32',
         sport   => 541,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::simplerule` defined type.
       ##### `ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### `rulename`
       Data type: `Nftables::SimpleRuleName`
       The symbolic name for the rule to add. Defaults to the resource's title.
       Default value: `$title`
       ##### `order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### `chain`
       Data type: `String`
       The name of the chain to add this rule to.
       Default value: `'default_in'`
       ##### `table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### `action`
       Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
       The verdict for the matched traffic.
       Default value: `'accept'`
       ##### `comment`
       Data type: `Optional[String]`
       A typically human-readable comment for the rule.
       Default value: ``undef``
       ##### `dport`
       Data type: `Optional[Nftables::Port]`
       The destination port, ports or port range.
       Default value: ``undef``
       ##### `proto`
       Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
       The transport-layer protocol to match.
       Default value: ``undef``
       ##### `daddr`
       Data type: `Optional[Nftables::Addr]`
       The destination address, CIDR or set to match.
       Default value: ``undef``
       ##### `set_type`
       Data type: `Enum['ip', 'ip6']`
       When using sets as saddr or daddr, the type of the set.
       Use `ip` for sets of type `ipv4_addr`.
       Default value: `'ip6'`
       ##### `sport`
       Data type: `Optional[Nftables::Port]`
       The source port, ports or port range.
       Default value: ``undef``
       ##### `saddr`
       Data type: `Optional[Nftables::Addr]`
       The source address, CIDR or set to match.
       Default value: ``undef``
       ##### `counter`
       Data type: `Boolean`
       Enable traffic counters for the matched traffic.
       Default value: ``false``
       ## Data types
       ### `Nftables::Addr`
       Represents an address expression to be used within a rule.
       Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`
       ### `Nftables::Addr::Set`
       Represents a set expression to be used within a rule.
       Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`
       ### `Nftables::Port`
       Represents a port expression to be used within a rule.
       Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`
       ### `Nftables::Port::Range`
       Represents a port range expression to be used within a rule.
       Alias of `Pattern[/^\d+-\d+$/]`
       ### `Nftables::RuleName`
       Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
       ### `Nftables::SimpleRuleName`
       Represents a simple rule name to be used in a rule created via nftables::simplerule
       Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`

Projet

Général

Profil

puppet nftables

root / REFERENCE.md @ c3f6e1ff