/REFERENCE.md - puppet nftables - Koumbit's Redmine

Télécharger au format

root / REFERENCE.md @ eac19d14

Historique | Voir | Annoter | Télécharger (61,7 ko)

       # Reference
       <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
       ## Table of Contents
       ### Classes
       * [`nftables`](#nftables): Configure nftables
       * [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
       * [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
       * [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
       * [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
       * [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
       * [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
       * [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
       * [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
       * [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       * [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
       * [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
       * [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
       * [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
       * [`nftables::rules::http`](#nftables--rules--http): manage in http
       * [`nftables::rules::https`](#nftables--rules--https): manage in https
       * [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
       * [`nftables::rules::icmp`](#nftables--rules--icmp)
       * [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
       * [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
       * [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
       * [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
       * [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
       * [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
       * [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
       * [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
       * [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
       * [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
       * [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active diectory
       * [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
       * [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       * [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
       * [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
       * [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
       * [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
       * [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
       * [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
       * [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
       * [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
       * [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
       * [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
       * [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
       * [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
       * [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
       * [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
       * [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
       * [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
       * [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
       * [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
       * [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
       * [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
       * [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
       * [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
       * [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
       * [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
       * [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
       * [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
       * [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
       * [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
       * [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
       * [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
       * [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
       * [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
       This class defines additional forwarding rules to let root containers
       reach external networks when using Netavark (since v4.0) or CNI (deprecated).
       At the time of writing, Podman supports automatic configuration
       of firewall rules with iptables and firewalld only.
       * [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
       * [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
       * [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
       * [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
       * [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
       * [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
       * [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
       * [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
       * [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
       * [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
       * [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
       * [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
       * [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
       * [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
       * [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client
       ### Defined types
       * [`nftables::chain`](#nftables--chain): manage a chain
       * [`nftables::config`](#nftables--config): manage a config snippet
       * [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
       * [`nftables::helper`](#nftables--helper): manage a conntrack helper
       * [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
       * [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage a ipv4 dnat rule
       * [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
       * [`nftables::rules::snat4`](#nftables--rules--snat4): manage a ipv4 snat rule
       * [`nftables::set`](#nftables--set): manage a named set
       * [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule
       ### Data types
       * [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
       * [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
       * [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
       * [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
       * [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       * [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule
       ## Classes
       ### <a name="nftables"></a>`nftables`
       Configure nftables
       #### Examples
       ##### allow dns out and do not allow ntp out
       ```puppet
       class{ 'nftables':
         out_ntp => false,
         out_dns => true,
+      }
       ```
       ##### do not flush particular tables, fail2ban in this case
       ```puppet
       class{ 'nftables':
         noflush_tables => ['inet-f2b-table'],
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables` class:
       * [`out_all`](#-nftables--out_all)
       * [`out_ntp`](#-nftables--out_ntp)
       * [`out_http`](#-nftables--out_http)
       * [`out_dns`](#-nftables--out_dns)
       * [`out_https`](#-nftables--out_https)
       * [`out_icmp`](#-nftables--out_icmp)
       * [`in_ssh`](#-nftables--in_ssh)
       * [`in_icmp`](#-nftables--in_icmp)
       * [`inet_filter`](#-nftables--inet_filter)
       * [`nat`](#-nftables--nat)
       * [`nat_table_name`](#-nftables--nat_table_name)
       * [`sets`](#-nftables--sets)
       * [`log_prefix`](#-nftables--log_prefix)
       * [`log_discarded`](#-nftables--log_discarded)
       * [`log_limit`](#-nftables--log_limit)
       * [`reject_with`](#-nftables--reject_with)
       * [`in_out_conntrack`](#-nftables--in_out_conntrack)
       * [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
       * [`fwd_conntrack`](#-nftables--fwd_conntrack)
       * [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
       * [`firewalld_enable`](#-nftables--firewalld_enable)
       * [`noflush_tables`](#-nftables--noflush_tables)
       * [`rules`](#-nftables--rules)
       * [`configuration_path`](#-nftables--configuration_path)
       * [`nft_path`](#-nftables--nft_path)
       * [`echo`](#-nftables--echo)
       * [`default_config_mode`](#-nftables--default_config_mode)
       ##### <a name="-nftables--out_all"></a>`out_all`
       Data type: `Boolean`
       Allow all outbound connections. If `true` then all other
       out parameters `out_ntp`, `out_dns`, ... will be assuemed
       false.
       Default value: `false`
       ##### <a name="-nftables--out_ntp"></a>`out_ntp`
       Data type: `Boolean`
       Allow outbound to ntp servers.
       Default value: `true`
       ##### <a name="-nftables--out_http"></a>`out_http`
       Data type: `Boolean`
       Allow outbound to http servers.
       Default value: `true`
       ##### <a name="-nftables--out_dns"></a>`out_dns`
       Data type: `Boolean`
       Allow outbound to dns servers.
       Default value: `true`
       ##### <a name="-nftables--out_https"></a>`out_https`
       Data type: `Boolean`
       Allow outbound to https servers.
       Default value: `true`
       ##### <a name="-nftables--out_icmp"></a>`out_icmp`
       Data type: `Boolean`
       Allow outbound ICMPv4/v6 traffic.
       Default value: `true`
       ##### <a name="-nftables--in_ssh"></a>`in_ssh`
       Data type: `Boolean`
       Allow inbound to ssh servers.
       Default value: `true`
       ##### <a name="-nftables--in_icmp"></a>`in_icmp`
       Data type: `Boolean`
       Allow inbound ICMPv4/v6 traffic.
       Default value: `true`
       ##### <a name="-nftables--inet_filter"></a>`inet_filter`
       Data type: `Boolean`
       Add default tables, chains and rules to process traffic.
       Default value: `true`
       ##### <a name="-nftables--nat"></a>`nat`
       Data type: `Boolean`
       Add default tables and chains to process NAT traffic.
       Default value: `true`
       ##### <a name="-nftables--nat_table_name"></a>`nat_table_name`
       Data type: `String[1]`
       The name of the 'nat' table.
       Default value: `'nat'`
       ##### <a name="-nftables--sets"></a>`sets`
       Data type: `Hash`
       Allows sourcing set definitions directly from Hiera.
       Default value: `{}`
       ##### <a name="-nftables--log_prefix"></a>`log_prefix`
       Data type: `String`
       String that will be used as prefix when logging packets. It can contain
       two variables using standard sprintf() string-formatting:
        * chain: Will be replaced by the name of the chain.
        * comment: Allows chains to add extra comments.
       Default value: `'[nftables] %<chain>s %<comment>s'`
       ##### <a name="-nftables--log_discarded"></a>`log_discarded`
       Data type: `Boolean`
       Allow to log discarded packets
       Default value: `true`
       ##### <a name="-nftables--log_limit"></a>`log_limit`
       Data type: `Variant[Boolean[false], String]`
       String with the content of a limit statement to be applied
       to the rules that log discarded traffic. Set to false to
       disable rate limiting.
       Default value: `'3/minute burst 5 packets'`
       ##### <a name="-nftables--reject_with"></a>`reject_with`
       Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`
       How to discard packets not matching any rule. If `false`, the
       fate of the packet will be defined by the chain policy (normally
       drop), otherwise the packet will be rejected with the REJECT_WITH
       policy indicated by the value of this parameter.
       Default value: `'icmpx type port-unreachable'`
       ##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`
       Data type: `Boolean`
       Adds INPUT and OUTPUT rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: `true`
       ##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`
       Data type: `Boolean`
       Drops invalid packets in INPUT and OUTPUT
       Default value: `$in_out_conntrack`
       ##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`
       Data type: `Boolean`
       Adds FORWARD rules to allow traffic that's part of an
       established connection and also to drop invalid packets.
       Default value: `false`
       ##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`
       Data type: `Boolean`
       Drops invalid packets in FORWARD
       Default value: `$fwd_conntrack`
       ##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`
       Data type: `Variant[Boolean[false], Enum['mask']]`
       Configures how the firewalld systemd service unit is enabled. It might be
       useful to set this to false if you're externaly removing firewalld from
       the system completely.
       Default value: `'mask'`
       ##### <a name="-nftables--noflush_tables"></a>`noflush_tables`
       Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`
       If specified only other existings tables will be flushed.
       If left unset all tables will be flushed via a `flush ruleset`
       Default value: `undef`
       ##### <a name="-nftables--rules"></a>`rules`
       Data type: `Hash`
       Specify hashes of `nftables::rule`s via hiera
       Default value: `{}`
       ##### <a name="-nftables--configuration_path"></a>`configuration_path`
       Data type: `Stdlib::Unixpath`
       The absolute path to the principal nftables configuration file. The default
       varies depending on the system, and is set in the module's data.
       ##### <a name="-nftables--nft_path"></a>`nft_path`
       Data type: `Stdlib::Unixpath`
       Path to the nft binary
       ##### <a name="-nftables--echo"></a>`echo`
       Data type: `Stdlib::Unixpath`
       Path to the echo binary
       ##### <a name="-nftables--default_config_mode"></a>`default_config_mode`
       Data type: `Stdlib::Filemode`
       The default file & dir mode for configuration files and directories. The
       default varies depending on the system, and is set in the module's data.
       ### <a name="nftables--bridges"></a>`nftables::bridges`
       allow forwarding traffic on bridges
       #### Parameters
       The following parameters are available in the `nftables::bridges` class:
       * [`ensure`](#-nftables--bridges--ensure)
       * [`bridgenames`](#-nftables--bridges--bridgenames)
       ##### <a name="-nftables--bridges--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
       Data type: `Regexp`
       Default value: `/^br.+/`
       ### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
       manage basic chains in table inet filter
       ### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
       enable conntrack for fwd
       ### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
       manage input & output conntrack
       ### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
       manage basic chains in table ip nat
       ### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
       Provides input rules for Apache ActiveMQ
       #### Parameters
       The following parameters are available in the `nftables::rules::activemq` class:
       * [`tcp`](#-nftables--rules--activemq--tcp)
       * [`udp`](#-nftables--rules--activemq--udp)
       * [`port`](#-nftables--rules--activemq--port)
       ##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
       Data type: `Boolean`
       Create the rule for TCP traffic.
       Default value: `true`
       ##### <a name="-nftables--rules--activemq--udp"></a>`udp`
       Data type: `Boolean`
       Create the rule for UDP traffic.
       Default value: `true`
       ##### <a name="-nftables--rules--activemq--port"></a>`port`
       Data type: `Stdlib::Port`
       The port number for the ActiveMQ daemon.
       Default value: `61616`
       ### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
       Open call back port for AFS clients
       #### Examples
       ##### allow call backs from particular hosts
       ```puppet
       class{'nftables::rules::afs3_callback':
         saddr => ['192.168.0.0/16', '10.0.0.222']
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rules::afs3_callback` class:
       * [`saddr`](#-nftables--rules--afs3_callback--saddr)
       ##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
       Data type: `Array[Stdlib::IP::Address::V4,1]`
       list of source network ranges to a
       Default value: `['0.0.0.0/0']`
       ### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
       Ceph is a distributed object store and file system.
       Enable this to support Ceph's Object Storage Daemons (OSD),
       Metadata Server Daemons (MDS), or Manager Daemons (MGR).
       ### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
       Ceph is a distributed object store and file system.
       Enable this option to support Ceph's Monitor Daemon.
       #### Parameters
       The following parameters are available in the `nftables::rules::ceph_mon` class:
       * [`ports`](#-nftables--rules--ceph_mon--ports)
       ##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       specify ports for ceph service
       Default value: `[3300, 6789]`
       ### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
       allow DHCPv6 requests in to a host
       ### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
       manage in dns
       #### Examples
       ##### Allow access to stub dns resolver from docker containers
       ```puppet
       class { 'nftables::rules::dns':
         iifname => ['docker0'],
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rules::dns` class:
       * [`ports`](#-nftables--rules--dns--ports)
       * [`iifname`](#-nftables--rules--dns--iifname)
       ##### <a name="-nftables--rules--dns--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for dns.
       Default value: `[53]`
       ##### <a name="-nftables--rules--dns--iifname"></a>`iifname`
       Data type: `Optional[Array[String[1],1]]`
       Specify input interface names.
       Default value: `undef`
       ### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
       The configuration distributed in this class represents the default firewall
       configuration done by docker-ce when the iptables integration is enabled.
       This class is needed as the default docker-ce rules added to ip-filter conflict
       with the inet-filter forward rules set by default in this module.
       When using this class 'docker::iptables: false' should be set.
       #### Parameters
       The following parameters are available in the `nftables::rules::docker_ce` class:
       * [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
       * [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
       * [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
       * [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
       ##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
       Data type: `String[1]`
       Interface name used by docker.
       Default value: `'docker0'`
       ##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
       Data type: `Stdlib::IP::Address::V4::CIDR`
       The address space used by docker.
       Default value: `'172.17.0.0/16'`
       ##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
       Data type: `Boolean`
       Flag to control whether the class should create the docker related chains.
       Default value: `true`
       ##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
       Data type: `Boolean`
       Flag to control whether the class should create the base common chains.
       Default value: `true`
       ### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`
       manage in ftp (with conntrack helper)
       #### Parameters
       The following parameters are available in the `nftables::rules::ftp` class:
       * [`enable_passive`](#-nftables--rules--ftp--enable_passive)
       * [`passive_ports`](#-nftables--rules--ftp--passive_ports)
       ##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`
       Data type: `Boolean`
       Enable FTP passive mode support
       Default value: `true`
       ##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`
       Data type: `Nftables::Port::Range`
       Set the FTP passive mode port range
       Default value: `'10090-10100'`
       ### <a name="nftables--rules--http"></a>`nftables::rules::http`
       manage in http
       ### <a name="nftables--rules--https"></a>`nftables::rules::https`
       manage in https
       ### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`
       manage in icinga2
       #### Parameters
       The following parameters are available in the `nftables::rules::icinga2` class:
       * [`ports`](#-nftables--rules--icinga2--ports)
       ##### <a name="-nftables--rules--icinga2--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports for icinga2
       Default value: `[5665]`
       ### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`
       The nftables::rules::icmp class.
       #### Parameters
       The following parameters are available in the `nftables::rules::icmp` class:
       * [`v4_types`](#-nftables--rules--icmp--v4_types)
       * [`v6_types`](#-nftables--rules--icmp--v6_types)
       * [`order`](#-nftables--rules--icmp--order)
       ##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--icmp--order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
       allow incoming IGMP messages
       ### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
       manage in ldap
       #### Parameters
       The following parameters are available in the `nftables::rules::ldap` class:
       * [`ports`](#-nftables--rules--ldap--ports)
       ##### <a name="-nftables--rules--ldap--ports"></a>`ports`
       Data type: `Array[Integer,1]`
       ldap server ports
       Default value: `[389, 636]`
       ### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
       allow incoming Link-Local Multicast Name Resolution
       * **See also**
         * https://datatracker.ietf.org/doc/html/rfc4795
       #### Parameters
       The following parameters are available in the `nftables::rules::llmnr` class:
       * [`ipv4`](#-nftables--rules--llmnr--ipv4)
       * [`ipv6`](#-nftables--rules--llmnr--ipv6)
       ##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow LLMNR over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow LLMNR over IPv6
       Default value: `true`
       ### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
       allow incoming multicast DNS
       #### Parameters
       The following parameters are available in the `nftables::rules::mdns` class:
       * [`ipv4`](#-nftables--rules--mdns--ipv4)
       * [`ipv6`](#-nftables--rules--mdns--ipv6)
       ##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow mdns over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow mdns over IPv6
       Default value: `true`
       ### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
       allow incoming multicast traffic
       ### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`
       manage in nfs4
       ### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`
       manage in nfs3
       ### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
       manage in node exporter
       #### Parameters
       The following parameters are available in the `nftables::rules::node_exporter` class:
       * [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
       * [`port`](#-nftables--rules--node_exporter--port)
       ##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Specify server name
       Default value: `undef`
       ##### <a name="-nftables--rules--node_exporter--port"></a>`port`
       Data type: `Stdlib::Port`
       Specify port to open
       Default value: `9100`
       ### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`
       manage in ospf
       ### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`
       manage in ospf3
       ### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`
       manage outgoing active diectory
       #### Parameters
       The following parameters are available in the `nftables::rules::out::active_directory` class:
       * [`adserver`](#-nftables--rules--out--active_directory--adserver)
       * [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)
       ##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       adserver IPs
       ##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`
       Data type: `Array[Stdlib::Port,1]`
       adserver ports
       Default value: `[389, 636, 3268, 3269]`
       ### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`
       allow all outbound
       ### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`
       Ceph is a distributed object store and file system.
       Enable this to be a client of Ceph's Monitor (MON),
       Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
       and Manager Daemons (MGR).
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ceph_client` class:
       * [`ports`](#-nftables--rules--out--ceph_client--ports)
       ##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       Specify ports to open
       Default value: `[3300, 6789]`
       ### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`
       manage out chrony
       #### Parameters
       The following parameters are available in the `nftables::rules::out::chrony` class:
       * [`servers`](#-nftables--rules--out--chrony--servers)
       ##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`
       Data type: `Array[Stdlib::IP::Address]`
       single IP-Address or array of IP-addresses from NTP servers
       Default value: `[]`
       ### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`
       manage out dhcp
       ### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
       Allow DHCPv6 requests out of a host
       ### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
       manage out dns
       #### Parameters
       The following parameters are available in the `nftables::rules::out::dns` class:
       * [`dns_server`](#-nftables--rules--out--dns--dns_server)
       ##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
       Data type: `Array[Stdlib::IP::Address]`
       specify dns_server name
       Default value: `[]`
       ### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
       allow outgoing hkp connections to gpg keyservers
       ### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
       manage out http
       ### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
       manage out https
       ### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
       control outbound icmp packages
       #### Parameters
       The following parameters are available in the `nftables::rules::out::icmp` class:
       * [`v4_types`](#-nftables--rules--out--icmp--v4_types)
       * [`v6_types`](#-nftables--rules--out--icmp--v6_types)
       * [`order`](#-nftables--rules--out--icmp--order)
       ##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
       Data type: `Optional[Array[String]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
       Data type: `Optional[Array[String]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--out--icmp--order"></a>`order`
       Data type: `String`
       Default value: `'10'`
       ### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`
       allow outgoing IGMP messages
       ### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`
       allow outgoing imap
       ### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`
       allows outbound access for kerberos
       ### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`
       manage outgoing ldap
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ldap` class:
       * [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
       * [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)
       ##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       ldapserver IPs
       ##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`
       Data type: `Array[Stdlib::Port,1]`
       ldapserver ports
       Default value: `[389, 636]`
       ### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`
       allow outgoing multicast DNS
       #### Parameters
       The following parameters are available in the `nftables::rules::out::mdns` class:
       * [`ipv4`](#-nftables--rules--out--mdns--ipv4)
       * [`ipv6`](#-nftables--rules--out--mdns--ipv6)
       ##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow mdns over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow mdns over IPv6
       Default value: `true`
       ### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`
       allow multicast listener requests
       ### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`
       manage out mysql
       ### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`
       manage out nfs
       ### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`
       manage out nfs3
       ### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`
       allows outbound access for afs clients
 - afs3-fileserver
 - afs3-ptserver
 - vlserver
       * **See also**
         * https://wiki.openafs.org/devel/AFSServicePorts/
           * AFS Service Ports
       #### Parameters
       The following parameters are available in the `nftables::rules::out::openafs_client` class:
       * [`ports`](#-nftables--rules--out--openafs_client--ports)
       ##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       port numbers to use
       Default value: `[7000, 7002, 7003]`
       ### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`
       manage out ospf
       ### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`
       manage out ospf3
       ### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`
       allow outgoing pop3
       ### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`
       manage out postgres
       ### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`
       manage outgoing puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::out::puppet` class:
       * [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
       * [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)
       ##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       puppetserver hostname
       ##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`
       Data type: `Stdlib::Port`
       puppetserver port
       Default value: `8140`
       ### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`
       manage outgoing pxp-agent
       * **See also**
         * also
           * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
       #### Parameters
       The following parameters are available in the `nftables::rules::out::pxp_agent` class:
       * [`broker`](#-nftables--rules--out--pxp_agent--broker)
       * [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)
       ##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`
       Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
       PXP broker IP(s)
       ##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`
       Data type: `Stdlib::Port`
       PXP broker port
       Default value: `8142`
       ### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`
       allow outgoing smtp
       ### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`
       allow outgoing smtp client
       ### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`
       allow outgoing SSDP
       * **See also**
         * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
       #### Parameters
       The following parameters are available in the `nftables::rules::out::ssdp` class:
       * [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
       * [`ipv6`](#-nftables--rules--out--ssdp--ipv6)
       ##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow SSDP over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow SSDP over IPv6
       Default value: `true`
       ### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`
       manage out ssh
       ### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`
       disable outgoing ssh
       ### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`
       manage out tor
       ### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`
       allow clients to query remote whois server
       ### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`
       manage out wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::out::wireguard` class:
       * [`ports`](#-nftables--rules--out--wireguard--ports)
       ##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`
       Data type: `Array[Integer,1]`
       specify wireguard ports
       Default value: `[51820]`
       ### <a name="nftables--rules--podman"></a>`nftables::rules::podman`
       Rules for Podman, a tool for managing OCI containers and pods.
       This class defines additional forwarding rules to let root containers
       reach external networks when using Netavark (since v4.0) or CNI (deprecated).
       At the time of writing, Podman supports automatic configuration
       of firewall rules with iptables and firewalld only.
       ### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`
       manage in puppet
       #### Parameters
       The following parameters are available in the `nftables::rules::puppet` class:
       * [`ports`](#-nftables--rules--puppet--ports)
       ##### <a name="-nftables--rules--puppet--ports"></a>`ports`
       Data type: `Array[Integer,1]`
       puppet server ports
       Default value: `[8140]`
       ### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`
       manage in pxp-agent
       #### Parameters
       The following parameters are available in the `nftables::rules::pxp_agent` class:
       * [`ports`](#-nftables--rules--pxp_agent--ports)
       ##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       pxp server ports
       Default value: `[8142]`
       ### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`
       This class configures the typical firewall setup that libvirt
       creates. Depending on your requirements you can switch on and off
       several aspects, for instance if you don't do DHCP to your guests
       you can disable the rules that accept DHCP traffic on the host or if
       you don't want your guests to talk to hosts outside you can disable
       forwarding and/or masquerading for IPv4 traffic.
       #### Parameters
       The following parameters are available in the `nftables::rules::qemu` class:
       * [`interface`](#-nftables--rules--qemu--interface)
       * [`network_v4`](#-nftables--rules--qemu--network_v4)
       * [`network_v6`](#-nftables--rules--qemu--network_v6)
       * [`dns`](#-nftables--rules--qemu--dns)
       * [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
       * [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
       * [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
       * [`masquerade`](#-nftables--rules--qemu--masquerade)
       ##### <a name="-nftables--rules--qemu--interface"></a>`interface`
       Data type: `String[1]`
       Interface name used by the bridge.
       Default value: `'virbr0'`
       ##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`
       Data type: `Stdlib::IP::Address::V4::CIDR`
       The IPv4 network prefix used in the virtual network.
       Default value: `'192.168.122.0/24'`
       ##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`
       Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`
       The IPv6 network prefix used in the virtual network.
       Default value: `undef`
       ##### <a name="-nftables--rules--qemu--dns"></a>`dns`
       Data type: `Boolean`
       Allow DNS traffic from the guests to the host.
       Default value: `true`
       ##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`
       Data type: `Boolean`
       Allow DHCPv4 traffic from the guests to the host.
       Default value: `true`
       ##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`
       Data type: `Boolean`
       Allow forwarded traffic (out all, in related/established)
       generated by the virtual network.
       Default value: `true`
       ##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`
       Data type: `Boolean`
       Allow guests in the virtual network to talk to each other.
       Default value: `true`
       ##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`
       Data type: `Boolean`
       Do NAT masquerade on all IPv4 traffic generated by guests
       to external networks.
       Default value: `true`
       ### <a name="nftables--rules--samba"></a>`nftables::rules::samba`
       manage Samba, the suite to allow Windows file sharing on Linux resources.
       #### Parameters
       The following parameters are available in the `nftables::rules::samba` class:
       * [`ctdb`](#-nftables--rules--samba--ctdb)
       * [`action`](#-nftables--rules--samba--action)
       ##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`
       Data type: `Boolean`
       Enable ctdb-driven clustered Samba setups
       Default value: `false`
       ##### <a name="-nftables--rules--samba--action"></a>`action`
       Data type: `Enum['accept', 'drop']`
       if the traffic should be allowed or dropped
       Default value: `'accept'`
       ### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`
       manage in smtp
       ### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`
       manage in smtp submission
       ### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`
       manage in smtps
       ### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`
       allow incoming spotify
       ### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`
       allow incoming SSDP
       * **See also**
         * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
       #### Parameters
       The following parameters are available in the `nftables::rules::ssdp` class:
       * [`ipv4`](#-nftables--rules--ssdp--ipv4)
       * [`ipv6`](#-nftables--rules--ssdp--ipv6)
       ##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow SSDP over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow SSDP over IPv6
       Default value: `true`
       ### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`
       manage in ssh
       #### Parameters
       The following parameters are available in the `nftables::rules::ssh` class:
       * [`ports`](#-nftables--rules--ssh--ports)
       ##### <a name="-nftables--rules--ssh--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ssh ports
       Default value: `[22]`
       ### <a name="nftables--rules--tor"></a>`nftables::rules::tor`
       manage in tor
       #### Parameters
       The following parameters are available in the `nftables::rules::tor` class:
       * [`ports`](#-nftables--rules--tor--ports)
       ##### <a name="-nftables--rules--tor--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       ports for tor
       Default value: `[9001]`
       ### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`
       manage in wireguard
       #### Parameters
       The following parameters are available in the `nftables::rules::wireguard` class:
       * [`ports`](#-nftables--rules--wireguard--ports)
       ##### <a name="-nftables--rules--wireguard--ports"></a>`ports`
       Data type: `Array[Stdlib::Port,1]`
       wiregueard port
       Default value: `[51820]`
       ### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
       allow incoming webservice discovery
       * **See also**
         * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
       #### Parameters
       The following parameters are available in the `nftables::rules::wsd` class:
       * [`ipv4`](#-nftables--rules--wsd--ipv4)
       * [`ipv6`](#-nftables--rules--wsd--ipv6)
       ##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
       Data type: `Boolean`
       Allow ws-discovery over IPv4
       Default value: `true`
       ##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
       Data type: `Boolean`
       Allow ws-discovery over IPv6
       Default value: `true`
       ### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
       Allow in and outbound traffic for DHCPv6 server
       ### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
       Open inbound and outbound ports for an AFS client
       ## Defined types
       ### <a name="nftables--chain"></a>`nftables::chain`
       manage a chain
       #### Parameters
       The following parameters are available in the `nftables::chain` defined type:
       * [`table`](#-nftables--chain--table)
       * [`chain`](#-nftables--chain--chain)
       * [`inject`](#-nftables--chain--inject)
       * [`inject_iif`](#-nftables--chain--inject_iif)
       * [`inject_oif`](#-nftables--chain--inject_oif)
       ##### <a name="-nftables--chain--table"></a>`table`
       Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`
       Default value: `'inet-filter'`
       ##### <a name="-nftables--chain--chain"></a>`chain`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="-nftables--chain--inject"></a>`inject`
       Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
       Default value: `undef`
       ##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`
       Data type: `Optional[String]`
       Default value: `undef`
       ##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`
       Data type: `Optional[String]`
       Default value: `undef`
       ### <a name="nftables--config"></a>`nftables::config`
       manage a config snippet
       #### Parameters
       The following parameters are available in the `nftables::config` defined type:
       * [`tablespec`](#-nftables--config--tablespec)
       * [`content`](#-nftables--config--content)
       * [`source`](#-nftables--config--source)
       * [`prefix`](#-nftables--config--prefix)
       ##### <a name="-nftables--config--tablespec"></a>`tablespec`
       Data type: `Pattern[/^\w+-\w+$/]`
       Default value: `$title`
       ##### <a name="-nftables--config--content"></a>`content`
       Data type: `Optional[String]`
       Default value: `undef`
       ##### <a name="-nftables--config--source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Default value: `undef`
       ##### <a name="-nftables--config--prefix"></a>`prefix`
       Data type: `String`
       Default value: `'custom-'`
       ### <a name="nftables--file"></a>`nftables::file`
       Insert a file into the nftables configuration
       #### Examples
       ##### Include a file that includes other files
       ```puppet
       nftables::file{'geoip':
         content => @(EOT)
           include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
           include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
           |EOT,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::file` defined type:
       * [`label`](#-nftables--file--label)
       * [`content`](#-nftables--file--content)
       * [`source`](#-nftables--file--source)
       * [`prefix`](#-nftables--file--prefix)
       ##### <a name="-nftables--file--label"></a>`label`
       Data type: `String[1]`
       Unique name to include in filename.
       Default value: `$title`
       ##### <a name="-nftables--file--content"></a>`content`
       Data type: `Optional[String]`
       The content to place in the file.
       Default value: `undef`
       ##### <a name="-nftables--file--source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       A source to obtain the file content from.
       Default value: `undef`
       ##### <a name="-nftables--file--prefix"></a>`prefix`
       Data type: `String`
       Prefix of file name to be created, if left as `file-` it will be
       auto included in the main nft configuration
       Default value: `'file-'`
       ### <a name="nftables--helper"></a>`nftables::helper`
       manage a conntrack helper
       #### Examples
       ##### FTP helper
       ```puppet
       nftables::helper { 'ftp-standard':
         content => 'type "ftp" protocol tcp;',
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::helper` defined type:
       * [`content`](#-nftables--helper--content)
       * [`table`](#-nftables--helper--table)
       * [`helper`](#-nftables--helper--helper)
       ##### <a name="-nftables--helper--content"></a>`content`
       Data type: `String`
       Conntrack helper definition.
       ##### <a name="-nftables--helper--table"></a>`table`
       Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
       The name of the table to add this helper to.
       Default value: `'inet-filter'`
       ##### <a name="-nftables--helper--helper"></a>`helper`
       Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`
       The symbolic name for the helper.
       Default value: `$title`
       ### <a name="nftables--rule"></a>`nftables::rule`
       Provides an interface to create a firewall rule
       #### Examples
       ##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
       ```puppet
       nftables::rule {
         'default_in-myhttp':
           content => 'tcp dport 80 accept',
+      }
       ```
       ##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
       ```puppet
       nftables::rule {
         'PREROUTING6-count':
           content => 'counter',
           table   => 'ip6-nat'
+      }
       ```
       ##### Redirect port 443 to port 8443
       ```puppet
       nftables::rule { 'PREROUTING-redirect':
         content => 'tcp dport 443 redirect to :8443',
         table   => 'ip-nat',
+      }
       nftables::rule{'PREROUTING6-redirect':
         content => 'tcp dport 443 redirect to :8443',
         table   => 'ip6-nat',
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::rule` defined type:
       * [`ensure`](#-nftables--rule--ensure)
       * [`rulename`](#-nftables--rule--rulename)
       * [`order`](#-nftables--rule--order)
       * [`table`](#-nftables--rule--table)
       * [`content`](#-nftables--rule--content)
       * [`source`](#-nftables--rule--source)
       ##### <a name="-nftables--rule--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="-nftables--rule--rulename"></a>`rulename`
       Data type: `Nftables::RuleName`
       The symbolic name for the rule and to what chain to add it. The
       format is defined by the Nftables::RuleName type.
       Default value: `$title`
       ##### <a name="-nftables--rule--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="-nftables--rule--table"></a>`table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="-nftables--rule--content"></a>`content`
       Data type: `Optional[String]`
       The raw statements that compose the rule represented using the nftables
       language.
       Default value: `undef`
       ##### <a name="-nftables--rule--source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       Same goal as content but sourcing the value from a file.
       Default value: `undef`
       ### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`
       manage a ipv4 dnat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::dnat4` defined type:
       * [`daddr`](#-nftables--rules--dnat4--daddr)
       * [`port`](#-nftables--rules--dnat4--port)
       * [`rulename`](#-nftables--rules--dnat4--rulename)
       * [`order`](#-nftables--rules--dnat4--order)
       * [`chain`](#-nftables--rules--dnat4--chain)
       * [`iif`](#-nftables--rules--dnat4--iif)
       * [`proto`](#-nftables--rules--dnat4--proto)
       * [`dport`](#-nftables--rules--dnat4--dport)
       * [`ensure`](#-nftables--rules--dnat4--ensure)
       ##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`
       Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
       ##### <a name="-nftables--rules--dnat4--port"></a>`port`
       Data type: `Variant[String,Stdlib::Port]`
       ##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="-nftables--rules--dnat4--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'50'`
       ##### <a name="-nftables--rules--dnat4--chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'default_fwd'`
       ##### <a name="-nftables--rules--dnat4--iif"></a>`iif`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--dnat4--proto"></a>`proto`
       Data type: `Enum['tcp','udp']`
       Default value: `'tcp'`
       ##### <a name="-nftables--rules--dnat4--dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`
       masquerade all outgoing traffic
       #### Parameters
       The following parameters are available in the `nftables::rules::masquerade` defined type:
       * [`rulename`](#-nftables--rules--masquerade--rulename)
       * [`order`](#-nftables--rules--masquerade--order)
       * [`chain`](#-nftables--rules--masquerade--chain)
       * [`oif`](#-nftables--rules--masquerade--oif)
       * [`saddr`](#-nftables--rules--masquerade--saddr)
       * [`daddr`](#-nftables--rules--masquerade--daddr)
       * [`proto`](#-nftables--rules--masquerade--proto)
       * [`dport`](#-nftables--rules--masquerade--dport)
       * [`ensure`](#-nftables--rules--masquerade--ensure)
       ##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="-nftables--rules--masquerade--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="-nftables--rules--masquerade--chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="-nftables--rules--masquerade--oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--masquerade--proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: `undef`
       ##### <a name="-nftables--rules--masquerade--dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`
       manage a ipv4 snat rule
       #### Parameters
       The following parameters are available in the `nftables::rules::snat4` defined type:
       * [`snat`](#-nftables--rules--snat4--snat)
       * [`rulename`](#-nftables--rules--snat4--rulename)
       * [`order`](#-nftables--rules--snat4--order)
       * [`chain`](#-nftables--rules--snat4--chain)
       * [`oif`](#-nftables--rules--snat4--oif)
       * [`saddr`](#-nftables--rules--snat4--saddr)
       * [`proto`](#-nftables--rules--snat4--proto)
       * [`dport`](#-nftables--rules--snat4--dport)
       * [`ensure`](#-nftables--rules--snat4--ensure)
       ##### <a name="-nftables--rules--snat4--snat"></a>`snat`
       Data type: `String[1]`
       ##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`
       Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
       Default value: `$title`
       ##### <a name="-nftables--rules--snat4--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       Default value: `'70'`
       ##### <a name="-nftables--rules--snat4--chain"></a>`chain`
       Data type: `String[1]`
       Default value: `'POSTROUTING'`
       ##### <a name="-nftables--rules--snat4--oif"></a>`oif`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`
       Data type: `Optional[String[1]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--snat4--proto"></a>`proto`
       Data type: `Optional[Enum['tcp','udp']]`
       Default value: `undef`
       ##### <a name="-nftables--rules--snat4--dport"></a>`dport`
       Data type: `Optional[Variant[String,Stdlib::Port]]`
       Default value: `undef`
       ##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Default value: `'present'`
       ### <a name="nftables--set"></a>`nftables::set`
       manage a named set
       #### Examples
       ##### simple set
       ```puppet
       nftables::set{'my_set':
         type       => 'ipv4_addr',
         flags      => ['interval'],
         elements   => ['192.168.0.1/24', '10.0.0.2'],
         auto_merge => true,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::set` defined type:
       * [`ensure`](#-nftables--set--ensure)
       * [`setname`](#-nftables--set--setname)
       * [`order`](#-nftables--set--order)
       * [`type`](#-nftables--set--type)
       * [`table`](#-nftables--set--table)
       * [`flags`](#-nftables--set--flags)
       * [`timeout`](#-nftables--set--timeout)
       * [`gc_interval`](#-nftables--set--gc_interval)
       * [`elements`](#-nftables--set--elements)
       * [`size`](#-nftables--set--size)
       * [`policy`](#-nftables--set--policy)
       * [`auto_merge`](#-nftables--set--auto_merge)
       * [`content`](#-nftables--set--content)
       * [`source`](#-nftables--set--source)
       ##### <a name="-nftables--set--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       should the set be created.
       Default value: `'present'`
       ##### <a name="-nftables--set--setname"></a>`setname`
       Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
       name of set, equal to to title.
       Default value: `$title`
       ##### <a name="-nftables--set--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       concat ordering.
       Default value: `'10'`
       ##### <a name="-nftables--set--type"></a>`type`
       Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
       type of set.
       Default value: `undef`
       ##### <a name="-nftables--set--table"></a>`table`
       Data type: `Variant[String, Array[String, 1]]`
       table or array of tables to add the set to.
       Default value: `'inet-filter'`
       ##### <a name="-nftables--set--flags"></a>`flags`
       Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
       specify flags for set
       Default value: `[]`
       ##### <a name="-nftables--set--timeout"></a>`timeout`
       Data type: `Optional[Integer]`
       timeout in seconds
       Default value: `undef`
       ##### <a name="-nftables--set--gc_interval"></a>`gc_interval`
       Data type: `Optional[Integer]`
       garbage collection interval.
       Default value: `undef`
       ##### <a name="-nftables--set--elements"></a>`elements`
       Data type: `Optional[Array[String]]`
       initialize the set with some elements in it.
       Default value: `undef`
       ##### <a name="-nftables--set--size"></a>`size`
       Data type: `Optional[Integer]`
       limits the maximum number of elements of the set.
       Default value: `undef`
       ##### <a name="-nftables--set--policy"></a>`policy`
       Data type: `Optional[Enum['performance', 'memory']]`
       determines set selection policy.
       Default value: `undef`
       ##### <a name="-nftables--set--auto_merge"></a>`auto_merge`
       Data type: `Boolean`
       automatically merge adjacent/overlapping set elements (only valid for interval sets)
       Default value: `false`
       ##### <a name="-nftables--set--content"></a>`content`
       Data type: `Optional[String]`
       specify content of set.
       Default value: `undef`
       ##### <a name="-nftables--set--source"></a>`source`
       Data type: `Optional[Variant[String,Array[String,1]]]`
       specify source of set.
       Default value: `undef`
       ### <a name="nftables--simplerule"></a>`nftables::simplerule`
       Provides a simplified interface to nftables::rule
       #### Examples
       ##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
       ```puppet
       nftables::simplerule{'my_service_in':
         action  => 'accept',
         comment => 'allow traffic to port 543',
         counter => true,
         proto   => 'tcp',
         dport   => 543,
         daddr   => '2001:1458::/32',
         sport   => 541,
+      }
       ```
       #### Parameters
       The following parameters are available in the `nftables::simplerule` defined type:
       * [`ensure`](#-nftables--simplerule--ensure)
       * [`rulename`](#-nftables--simplerule--rulename)
       * [`order`](#-nftables--simplerule--order)
       * [`chain`](#-nftables--simplerule--chain)
       * [`table`](#-nftables--simplerule--table)
       * [`action`](#-nftables--simplerule--action)
       * [`comment`](#-nftables--simplerule--comment)
       * [`dport`](#-nftables--simplerule--dport)
       * [`proto`](#-nftables--simplerule--proto)
       * [`daddr`](#-nftables--simplerule--daddr)
       * [`set_type`](#-nftables--simplerule--set_type)
       * [`sport`](#-nftables--simplerule--sport)
       * [`saddr`](#-nftables--simplerule--saddr)
       * [`counter`](#-nftables--simplerule--counter)
       * [`iifname`](#-nftables--simplerule--iifname)
       * [`oifname`](#-nftables--simplerule--oifname)
       ##### <a name="-nftables--simplerule--ensure"></a>`ensure`
       Data type: `Enum['present','absent']`
       Should the rule be created.
       Default value: `'present'`
       ##### <a name="-nftables--simplerule--rulename"></a>`rulename`
       Data type: `Nftables::SimpleRuleName`
       The symbolic name for the rule to add. Defaults to the resource's title.
       Default value: `$title`
       ##### <a name="-nftables--simplerule--order"></a>`order`
       Data type: `Pattern[/^\d\d$/]`
       A number representing the order of the rule.
       Default value: `'50'`
       ##### <a name="-nftables--simplerule--chain"></a>`chain`
       Data type: `String`
       The name of the chain to add this rule to.
       Default value: `'default_in'`
       ##### <a name="-nftables--simplerule--table"></a>`table`
       Data type: `String`
       The name of the table to add this rule to.
       Default value: `'inet-filter'`
       ##### <a name="-nftables--simplerule--action"></a>`action`
       Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
       The verdict for the matched traffic.
       Default value: `'accept'`
       ##### <a name="-nftables--simplerule--comment"></a>`comment`
       Data type: `Optional[String]`
       A typically human-readable comment for the rule.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--dport"></a>`dport`
       Data type: `Optional[Nftables::Port]`
       The destination port, ports or port range.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--proto"></a>`proto`
       Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
       The transport-layer protocol to match.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--daddr"></a>`daddr`
       Data type: `Optional[Nftables::Addr]`
       The destination address, CIDR or set to match.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--set_type"></a>`set_type`
       Data type: `Enum['ip', 'ip6']`
       When using sets as saddr or daddr, the type of the set.
       Use `ip` for sets of type `ipv4_addr`.
       Default value: `'ip6'`
       ##### <a name="-nftables--simplerule--sport"></a>`sport`
       Data type: `Optional[Nftables::Port]`
       The source port, ports or port range.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--saddr"></a>`saddr`
       Data type: `Optional[Nftables::Addr]`
       The source address, CIDR or set to match.
       Default value: `undef`
       ##### <a name="-nftables--simplerule--counter"></a>`counter`
       Data type: `Boolean`
       Enable traffic counters for the matched traffic.
       Default value: `false`
       ##### <a name="-nftables--simplerule--iifname"></a>`iifname`
       Data type: `Optional[String[1]]`
       Optional filter for the incoming interface
       Default value: `undef`
       ##### <a name="-nftables--simplerule--oifname"></a>`oifname`
       Data type: `Optional[String[1]]`
       Optional filter for the outgoing interface
       Default value: `undef`
       ## Data types
       ### <a name="Nftables--Addr"></a>`Nftables::Addr`
       Represents an address expression to be used within a rule.
       Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`
       ### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`
       Represents a set expression to be used within a rule.
       Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`
       ### <a name="Nftables--Port"></a>`Nftables::Port`
       Represents a port expression to be used within a rule.
       Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`
       ### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`
       Represents a port range expression to be used within a rule.
       Alias of `Pattern[/^\d+-\d+$/]`
       ### <a name="Nftables--RuleName"></a>`Nftables::RuleName`
       Represents a rule name to be used in a raw rule created via nftables::rule.
       It's a dash separated string. The first component describes the chain to
       add the rule to, the second the rule name and the (optional) third a number.
       Ex: 'default_in-sshd', 'default_out-my_service-2'.
       Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
       ### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`
       Represents a simple rule name to be used in a rule created via nftables::simplerule
       Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`

Projet

Général

Profil

puppet nftables

root / REFERENCE.md @ eac19d14