REFERENCE.md @ f1d50c1e
# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.
### <a name="nftables--bridges"></a>`nftables::bridges`
390 7f6cacc5 Steve Traylen
391
allow forwarding traffic on bridges
392
393
#### Parameters
394
395 09cba182 Steve Traylen
The following parameters are available in the `nftables::bridges` class:
396 7f6cacc5 Steve Traylen
397 c24d3118 Tim Meusel
* [`ensure`](#-nftables--bridges--ensure)
398
* [`bridgenames`](#-nftables--bridges--bridgenames)
399 09cba182 Steve Traylen
400 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--ensure"></a>`ensure`
401 7f6cacc5 Steve Traylen
402
Data type: `Enum['present','absent']`
403
404
405
406
Default value: `'present'`
407
408 c24d3118 Tim Meusel
##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`
409 7f6cacc5 Steve Traylen
410
Data type: `Regexp`
411
412
413
414
Default value: `/^br.+/`
415
416 c24d3118 Tim Meusel
### <a name="nftables--inet_filter"></a>`nftables::inet_filter`
417 e17693e3 Steve Traylen
418
manage basic chains in table inet filter
419
420 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`
421 a1f09048 Tim Meusel
422
enable conntrack for fwd
423
424 c24d3118 Tim Meusel
### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`
425 a1f09048 Tim Meusel
426
manage input & output conntrack
427
428 c24d3118 Tim Meusel
### <a name="nftables--ip_nat"></a>`nftables::ip_nat`
429 e17693e3 Steve Traylen
430
manage basic chains in table ip nat
431
432 c24d3118 Tim Meusel
### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`
433 771b3256 Nacho Barrientos
434
Provides input rules for Apache ActiveMQ
435
436
#### Parameters
437
438
The following parameters are available in the `nftables::rules::activemq` class:
439
440 c24d3118 Tim Meusel
* [`tcp`](#-nftables--rules--activemq--tcp)
441
* [`udp`](#-nftables--rules--activemq--udp)
442
* [`port`](#-nftables--rules--activemq--port)
443 771b3256 Nacho Barrientos
444 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`
445 771b3256 Nacho Barrientos
446
Data type: `Boolean`
447
448
Create the rule for TCP traffic.
449
450 c24d3118 Tim Meusel
Default value: `true`
451 771b3256 Nacho Barrientos
452 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--udp"></a>`udp`
453 771b3256 Nacho Barrientos
454
Data type: `Boolean`
455
456
Create the rule for UDP traffic.
457
458 c24d3118 Tim Meusel
Default value: `true`
459 771b3256 Nacho Barrientos
460 c24d3118 Tim Meusel
##### <a name="-nftables--rules--activemq--port"></a>`port`
461 771b3256 Nacho Barrientos
462
Data type: `Stdlib::Port`
463
464
The port number for the ActiveMQ daemon.
465
466
Default value: `61616`
467
468 c24d3118 Tim Meusel
### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`
469 09cba182 Steve Traylen
470
Open call back port for AFS clients
471 7f6cacc5 Steve Traylen
472 09cba182 Steve Traylen
#### Examples
473
474
##### allow call backs from particular hosts
475
476
```puppet
477 7f6cacc5 Steve Traylen
class{'nftables::rules::afs3_callback':
478
  saddr => ['192.168.0.0/16', '10.0.0.222']
479
}
480 09cba182 Steve Traylen
```
481 7f6cacc5 Steve Traylen
482
#### Parameters
483
484 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::afs3_callback` class:
485
486 c24d3118 Tim Meusel
* [`saddr`](#-nftables--rules--afs3_callback--saddr)
487 7f6cacc5 Steve Traylen
488 c24d3118 Tim Meusel
##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`
489 7f6cacc5 Steve Traylen
490
Data type: `Array[Stdlib::IP::Address::V4,1]`
491
492
list of source network ranges to a
493
494
Default value: `['0.0.0.0/0']`
495
496 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`
497 b9785000 Steve Traylen
498
Ceph is a distributed object store and file system.
499
Enable this to support Ceph's Object Storage Daemons (OSD),
500
Metadata Server Daemons (MDS), or Manager Daemons (MGR).
501
502 c24d3118 Tim Meusel
### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`
503 b9785000 Steve Traylen
504
Ceph is a distributed object store and file system.
505
Enable this option to support Ceph's Monitor Daemon.
506
507
#### Parameters
508
509 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ceph_mon` class:
510 b9785000 Steve Traylen
511 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ceph_mon--ports)
512 b9785000 Steve Traylen
513 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`
514 b9785000 Steve Traylen
515 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
516 b9785000 Steve Traylen
517 09cba182 Steve Traylen
specify ports for ceph service
518 b9785000 Steve Traylen
519
Default value: `[3300, 6789]`
520
521 c24d3118 Tim Meusel
### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`
522 7f6cacc5 Steve Traylen
523 09cba182 Steve Traylen
allow DHCPv6 requests in to a host
524 7f6cacc5 Steve Traylen
525 c24d3118 Tim Meusel
### <a name="nftables--rules--dns"></a>`nftables::rules::dns`
526 7f6cacc5 Steve Traylen
527
manage in dns
528
529 67cdcf15 Steve Traylen
#### Examples
530
531
##### Allow access to stub dns resolver from docker containers
532
533
```puppet
534
class { 'nftables::rules::dns':
535
  iifname => ['docker0'],
536
}
537
```
538
539 7f6cacc5 Steve Traylen
#### Parameters
540
541 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::dns` class:
542 7f6cacc5 Steve Traylen
543 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--dns--ports)
544 67cdcf15 Steve Traylen
* [`iifname`](#-nftables--rules--dns--iifname)
545 7f6cacc5 Steve Traylen
546 c24d3118 Tim Meusel
##### <a name="-nftables--rules--dns--ports"></a>`ports`
547 7f6cacc5 Steve Traylen
548 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
549 7f6cacc5 Steve Traylen
550 09cba182 Steve Traylen
Specify ports for dns.
551 7f6cacc5 Steve Traylen
552
Default value: `[53]`
553
554 67cdcf15 Steve Traylen
##### <a name="-nftables--rules--dns--iifname"></a>`iifname`
555
556
Data type: `Optional[Array[String[1],1]]`
557
558
Specify input interface names.
559
560
Default value: `undef`
561
562 c24d3118 Tim Meusel
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`
563 804b96e4 Nacho Barrientos
564
The configuration distributed in this class represents the default firewall
565
configuration done by docker-ce when the iptables integration is enabled.
566
567
This class is needed as the default docker-ce rules added to ip-filter conflict
568
with the inet-filter forward rules set by default in this module.
569
570
When using this class 'docker::iptables: false' should be set.
571
572
#### Parameters
573
574
The following parameters are available in the `nftables::rules::docker_ce` class:
575
576 c24d3118 Tim Meusel
* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
577
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
578
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
579
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)
580 804b96e4 Nacho Barrientos
581 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`
582 804b96e4 Nacho Barrientos
583
Data type: `String[1]`
584
585
Interface name used by docker.
586
587
Default value: `'docker0'`
588
589 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`
590 804b96e4 Nacho Barrientos
591
Data type: `Stdlib::IP::Address::V4::CIDR`
592
593
The address space used by docker.
594
595
Default value: `'172.17.0.0/16'`
596
597 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`
598 804b96e4 Nacho Barrientos
599
Data type: `Boolean`
600
601
Flag to control whether the class should create the docker related chains.
602
603 c24d3118 Tim Meusel
Default value: `true`
604 804b96e4 Nacho Barrientos
605 c24d3118 Tim Meusel
##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`
606 804b96e4 Nacho Barrientos
607
Data type: `Boolean`
608
609
Flag to control whether the class should create the base common chains.
610
611 c24d3118 Tim Meusel
Default value: `true`
612 804b96e4 Nacho Barrientos
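An added example, not from the module's reference, showing the arrangement the `nftables::rules::docker_ce` description asks for: the Docker daemon's own iptables integration switched off while this class provides the equivalent nftables rules. It assumes the puppetlabs-docker `docker` class with its `iptables` parameter (the `docker::iptables: false` setting the text refers to); `profile::docker_host` is a hypothetical wrapper class name.

```puppet
# Added example, not from the module: exactly one manager for Docker's
# firewall rules. Assumes the puppetlabs-docker module ('docker' class with an
# 'iptables' parameter); profile::docker_host is a hypothetical class name.
class profile::docker_host {
  # Base tables and chains from this module (inet filter, ip nat).
  include nftables

  # Stop dockerd from writing its own iptables rules. Left at the default,
  # dockerd and this module would both manage FORWARD rules for the same
  # bridge, which is the conflict the class description warns about.
  class { 'docker':
    iptables => false,
  }

  # Replicate the docker-ce default rules in nftables instead. The interface
  # and prefix must match what dockerd is actually configured with; the
  # values below are the module defaults, spelled out so a daemon.json that
  # sets a different bridge address is caught in review, not at runtime.
  class { 'nftables::rules::docker_ce':
    docker_interface     => 'docker0',
    docker_prefix        => '172.17.0.0/16',
    manage_docker_chains => true,
    manage_base_chains   => true,
  }
}
```

If `docker_prefix` drifts from the daemon's real bridge network, the forward rules silently stop matching container traffic, so the two values are best sourced from the same Hiera key rather than maintained separately.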

### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3
792
793 c24d3118 Tim Meusel
### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`
794 7f6cacc5 Steve Traylen
795
manage in node exporter
796
797
#### Parameters
798
799 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::node_exporter` class:
800 7f6cacc5 Steve Traylen
801 c24d3118 Tim Meusel
* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
802
* [`port`](#-nftables--rules--node_exporter--port)
803 7f6cacc5 Steve Traylen
804 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`
805 7f6cacc5 Steve Traylen
806 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
807 7f6cacc5 Steve Traylen
808 09cba182 Steve Traylen
Specify server name
809 7f6cacc5 Steve Traylen
810 c24d3118 Tim Meusel
Default value: `undef`
811 7f6cacc5 Steve Traylen
812 c24d3118 Tim Meusel
##### <a name="-nftables--rules--node_exporter--port"></a>`port`
813 7f6cacc5 Steve Traylen
814 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
815 7f6cacc5 Steve Traylen
816 09cba182 Steve Traylen
Specify port to open
817 7f6cacc5 Steve Traylen
818
Default value: `9100`
819
820 c24d3118 Tim Meusel
### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`
821 e17693e3 Steve Traylen
822
manage in ospf
823
824 c24d3118 Tim Meusel
### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`
825 e17693e3 Steve Traylen
826
manage in ospf3
827
828 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`
829
830
manage outgoing active diectory
831
832
#### Parameters
833
834
The following parameters are available in the `nftables::rules::out::active_directory` class:
835
836
* [`adserver`](#-nftables--rules--out--active_directory--adserver)
837
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)
838
839
##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`
840
841
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
842
843
adserver IPs
844
845
##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`
846
847
Data type: `Array[Stdlib::Port,1]`
848
849
adserver ports
850
851
Default value: `[389, 636, 3268, 3269]`
852
853 c24d3118 Tim Meusel
### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`
854 e17693e3 Steve Traylen
855
allow all outbound
856
857 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`
858 b9785000 Steve Traylen
859
Ceph is a distributed object store and file system.
860
Enable this to be a client of Ceph's Monitor (MON),
861
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
862
and Manager Daemons (MGR).
863
864
#### Parameters
865
866 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::ceph_client` class:
867 b9785000 Steve Traylen
868 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--ceph_client--ports)
869 b9785000 Steve Traylen
870 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`
871 b9785000 Steve Traylen
872 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
873 b9785000 Steve Traylen
874 09cba182 Steve Traylen
Specify ports to open
875 b9785000 Steve Traylen
876
Default value: `[3300, 6789]`
877
878 c24d3118 Tim Meusel
### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`
879 e17693e3 Steve Traylen
880
manage out chrony
881
882 7937a13b Tim Meusel
#### Parameters
883
884
The following parameters are available in the `nftables::rules::out::chrony` class:
885
886 c24d3118 Tim Meusel
* [`servers`](#-nftables--rules--out--chrony--servers)
887 7937a13b Tim Meusel
888 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`
889 7937a13b Tim Meusel
890
Data type: `Array[Stdlib::IP::Address]`
891
892
single IP-Address or array of IP-addresses from NTP servers
893
894
Default value: `[]`
895
896 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`
897 e17693e3 Steve Traylen
898
manage out dhcp
899
900 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`
901 7f6cacc5 Steve Traylen
902 09cba182 Steve Traylen
Allow DHCPv6 requests out of a host
903 7f6cacc5 Steve Traylen
904 c24d3118 Tim Meusel
### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`
905 e17693e3 Steve Traylen
906
manage out dns
907
908
#### Parameters
909
910 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::dns` class:
911 e17693e3 Steve Traylen
912 c24d3118 Tim Meusel
* [`dns_server`](#-nftables--rules--out--dns--dns_server)
913 e17693e3 Steve Traylen
914 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
915 e17693e3 Steve Traylen
916 09cba182 Steve Traylen
Data type: `Optional[Variant[String,Array[String,1]]]`
917 e17693e3 Steve Traylen
918 09cba182 Steve Traylen
specify dns_server name
919 e17693e3 Steve Traylen
920 c24d3118 Tim Meusel
Default value: `undef`
921 e17693e3 Steve Traylen
922 c24d3118 Tim Meusel
### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
923 a1f09048 Tim Meusel
924
allow outgoing hkp connections to gpg keyservers
925
926 c24d3118 Tim Meusel
### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`
927 e17693e3 Steve Traylen
928
manage out http
929
930 c24d3118 Tim Meusel
### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`
931 e17693e3 Steve Traylen
932
manage out https
933
934 c24d3118 Tim Meusel
### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
935 7f6cacc5 Steve Traylen
936 09cba182 Steve Traylen
control outbound icmp packages
937 7f6cacc5 Steve Traylen
938
#### Parameters
939
940 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::icmp` class:
941
942 c24d3118 Tim Meusel
* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
943
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
944
* [`order`](#-nftables--rules--out--icmp--order)
945 7f6cacc5 Steve Traylen
946 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`
947 7f6cacc5 Steve Traylen
948
Data type: `Optional[Array[String]]`
949
950
951
952 c24d3118 Tim Meusel
Default value: `undef`
953 7f6cacc5 Steve Traylen
954 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`
955 7f6cacc5 Steve Traylen
956
Data type: `Optional[Array[String]]`
957
958
959
960 c24d3118 Tim Meusel
Default value: `undef`
961 7f6cacc5 Steve Traylen
962 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--icmp--order"></a>`order`
963 7f6cacc5 Steve Traylen
964
Data type: `String`
965
966
967
968
Default value: `'10'`
969
970 020842af Tim Meusel
### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`
971
972 a8bf4ad5 Romain Tartière
allow outgoing IGMP messages
973 020842af Tim Meusel
974 c24d3118 Tim Meusel
### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`
975 19908f41 mh
976
allow outgoing imap
977
978 c24d3118 Tim Meusel
### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`
979 7f6cacc5 Steve Traylen
980
allows outbound access for kerberos
981
982 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`
983
984
manage outgoing ldap
985
986
#### Parameters
987
988
The following parameters are available in the `nftables::rules::out::ldap` class:
989
990
* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
991
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)
992
993
##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`
994
995
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
996
997
ldapserver IPs
998
999
##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`
1000
1001
Data type: `Array[Stdlib::Port,1]`
1002
1003
ldapserver ports
1004
1005
Default value: `[389, 636]`
1006
1007 6b350264 Tim Meusel
### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`
1008
1009
allow outgoing multicast DNS
1010
1011
#### Parameters
1012
1013
The following parameters are available in the `nftables::rules::out::mdns` class:
1014
1015
* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
1016
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
1017
1018
##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`
1019
1020
Data type: `Boolean`
1021
1022
Allow mdns over IPv4
1023
1024
Default value: `true`
1025
1026
##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`
1027
1028
Data type: `Boolean`
1029
1030
Allow mdns over IPv6
1031
1032
Default value: `true`
1033
1034 e499cece Tim Meusel
### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`
1035
1036
allow multicast listener requests
1037
1038 c24d3118 Tim Meusel
### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`
1039 e17693e3 Steve Traylen
1040
manage out mysql
1041
1042 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`
1043 b9785000 Steve Traylen
1044
manage out nfs
1045
1046 c24d3118 Tim Meusel
### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`
1047 b9785000 Steve Traylen
1048
manage out nfs3
1049
1050 c24d3118 Tim Meusel
### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`
1051 7f6cacc5 Steve Traylen
1052 09cba182 Steve Traylen
allows outbound access for afs clients
1053 7f6cacc5 Steve Traylen
7000 - afs3-fileserver
1054
7002 - afs3-ptserver
1055
7003 - vlserver
1056
1057
* **See also**
1058
  * https://wiki.openafs.org/devel/AFSServicePorts/
1059
    * AFS Service Ports
1060
1061
#### Parameters
1062
1063 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::openafs_client` class:
1064 7f6cacc5 Steve Traylen
1065 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--out--openafs_client--ports)
1066 7f6cacc5 Steve Traylen
1067 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`
1068 7f6cacc5 Steve Traylen
1069 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1070 7f6cacc5 Steve Traylen
1071 09cba182 Steve Traylen
port numbers to use
1072 7f6cacc5 Steve Traylen
1073
Default value: `[7000, 7002, 7003]`
1074
1075 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`
1076 e17693e3 Steve Traylen
1077
manage out ospf
1078
1079 c24d3118 Tim Meusel
### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`
1080 e17693e3 Steve Traylen
1081
manage out ospf3
1082
1083 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`
1084 19908f41 mh
1085
allow outgoing pop3
1086
1087 c24d3118 Tim Meusel
### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`
1088 e17693e3 Steve Traylen
1089
manage out postgres
1090
1091 c24d3118 Tim Meusel
### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`
1092 e17693e3 Steve Traylen
1093
manage outgoing puppet
1094
1095
#### Parameters
1096
1097 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::out::puppet` class:
1098 e17693e3 Steve Traylen
1099 c24d3118 Tim Meusel
* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
1100
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)
1101 e17693e3 Steve Traylen
1102 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`
1103 e17693e3 Steve Traylen
1104 09cba182 Steve Traylen
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
1105 e17693e3 Steve Traylen
1106 09cba182 Steve Traylen
puppetserver hostname
1107 e17693e3 Steve Traylen
1108 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`
1109 e17693e3 Steve Traylen
1110 bc1b0f1a Steve Traylen
Data type: `Stdlib::Port`
1111 e17693e3 Steve Traylen
1112 09cba182 Steve Traylen
puppetserver port
1113 e17693e3 Steve Traylen
1114
Default value: `8140`
1115
1116 c24d3118 Tim Meusel
### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`
1117 194e05d5 Tim Meusel
1118
manage outgoing pxp-agent
1119
1120
* **See also**
1121
  * also
1122
    * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
1123
1124
#### Parameters
1125
1126
The following parameters are available in the `nftables::rules::out::pxp_agent` class:
1127
1128 c24d3118 Tim Meusel
* [`broker`](#-nftables--rules--out--pxp_agent--broker)
1129
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)
1130 194e05d5 Tim Meusel
1131 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`
1132 194e05d5 Tim Meusel
1133
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`
1134
1135
PXP broker IP(s)
1136
1137 c24d3118 Tim Meusel
##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`
1138 194e05d5 Tim Meusel
1139
Data type: `Stdlib::Port`
1140
1141
PXP broker port
1142
1143
Default value: `8142`
1144
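As an added example (it is not part of the generated reference nor of the module's own code), the `nftables::rules::out::puppet` and `nftables::rules::out::pxp_agent` classes declared together, the combination the cross-reference above points at, with the permissive `nftables::rules::out::all` shown only for contrast. Only the classes and parameters documented on this page are used; the IP addresses are constructed placeholders, and the Puppetserver and PXP broker sharing one address is an assumption of the example.

```puppet
# Added example, not the module's own code. Uses only the classes and
# parameters documented above; addresses are constructed placeholders.
#
# Permissive egress: every outbound connection is allowed, so an agent that
# has been compromised can reach any host. Shown only for contrast:
#   include nftables::rules::out::all
#
# Pinned egress: allow only the Puppet and PXP traffic the node needs, and
# only towards the servers it is supposed to talk to.
class { 'nftables::rules::out::puppet':
  # The data type is Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address, 1]],
  # so the value must be IP addresses, not hostnames.
  puppetserver      => ['192.0.2.10', '192.0.2.11'],   # constructed addresses
  puppetserver_port => 8140,                           # documented default, made explicit
}

# The PXP agent connects to the Puppetserver above (hence the cross-reference
# in the class documentation) and additionally to the PXP broker.
class { 'nftables::rules::out::pxp_agent':
  broker      => '192.0.2.10',   # constructed address; assumed to be co-located here
  broker_port => 8142,           # documented default
}
```

The same values can be supplied through Hiera as `nftables::rules::out::puppet::puppetserver` and `nftables::rules::out::pxp_agent::broker` with a plain `include` of each class, which keeps the per-site addresses out of the manifest.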
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch on and off several aspects, for instance if you don't do DHCP to your guests you can disable the rules that accept DHCP traffic on the host or if you don't want your guests to talk to hosts outside you can disable forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established) generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests to external networks.

Default value: `true`

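An added example (not the module's own code) of the locked-down variant the class description alludes to: a libvirt host whose guests get DNS and DHCPv4 from the host and can talk to each other, but are neither forwarded to nor masqueraded towards external networks, so the host cannot be used as a gateway by a guest. It uses only the parameters documented above; the interface name and IPv4 prefix are the documented defaults, repeated so the intent is visible, and the absence of an IPv6 prefix is an assumption of the example.

```puppet
# Added example, not from the module's reference or code. Isolated guest
# network: host services for the guests stay reachable, egress does not.
class { 'nftables::rules::qemu':
  interface        => 'virbr0',             # documented default bridge name
  network_v4       => '192.168.122.0/24',   # documented default prefix; must match the libvirt network
  network_v6       => undef,                # assumption: this virtual network has no IPv6 prefix
  dns              => true,                 # guests -> host DNS stays allowed
  dhcpv4           => true,                 # guests -> host DHCPv4 stays allowed
  internal_traffic => true,                 # guest <-> guest on the same bridge
  forward_traffic  => false,                # nothing forwarded between the bridge and outside networks
  masquerade       => false,                # no NAT for guest traffic; pointless without forwarding anyway
}
```

Flipping `forward_traffic` and `masquerade` back to their defaults of `true` yields the usual libvirt NAT gateway; leaving `forward_traffic` on while turning `masquerade` off gives routed (non-NAT) guest egress, which only works if the upstream network knows the route back to `network_v4`.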
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

1615 c24d3118 Tim Meusel
### <a name="nftables--file"></a>`nftables::file`
1616 331b8d85 Steve Traylen
1617
Insert a file into the nftables configuration
1618
1619
#### Examples
1620
1621
##### Include a file that includes other files
1622
1623
```puppet
1624
nftables::file{'geoip':
1625
  content => @(EOT)
1626
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
1627
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
1628
    |EOT,
1629
}
1630
```
1631
1632
#### Parameters
1633
1634
The following parameters are available in the `nftables::file` defined type:
1635
1636 c24d3118 Tim Meusel
* [`label`](#-nftables--file--label)
1637
* [`content`](#-nftables--file--content)
1638
* [`source`](#-nftables--file--source)
1639
* [`prefix`](#-nftables--file--prefix)
1640 331b8d85 Steve Traylen
1641 c24d3118 Tim Meusel
##### <a name="-nftables--file--label"></a>`label`
1642 331b8d85 Steve Traylen
1643
Data type: `String[1]`
1644
1645
Unique name to include in filename.
1646
1647
Default value: `$title`
1648
1649 c24d3118 Tim Meusel
##### <a name="-nftables--file--content"></a>`content`
1650 331b8d85 Steve Traylen
1651
Data type: `Optional[String]`
1652
1653
The content to place in the file.
1654
1655 c24d3118 Tim Meusel
Default value: `undef`
1656 331b8d85 Steve Traylen
1657 c24d3118 Tim Meusel
##### <a name="-nftables--file--source"></a>`source`
1658 331b8d85 Steve Traylen
1659
Data type: `Optional[Variant[String,Array[String,1]]]`
1660
1661
A source to obtain the file content from.
1662
1663 c24d3118 Tim Meusel
Default value: `undef`
1664 331b8d85 Steve Traylen
1665 c24d3118 Tim Meusel
##### <a name="-nftables--file--prefix"></a>`prefix`
1666 331b8d85 Steve Traylen
1667
Data type: `String`
1668
1669
Prefix of file name to be created, if left as `file-` it will be
1670
auto included in the main nft configuration
1671
1672
Default value: `'file-'`
1673
1674 baad986e Vadym Chepkov
### <a name="nftables--helper"></a>`nftables::helper`
1675
1676
manage a conntrack helper
1677
1678
#### Examples
1679
1680
##### FTP helper
1681
1682
```puppet
1683
nftables::helper { 'ftp-standard':
1684
  content => 'type "ftp" protocol tcp;',
1685
}
1686
```
1687
1688
#### Parameters
1689
1690
The following parameters are available in the `nftables::helper` defined type:
1691
1692
* [`content`](#-nftables--helper--content)
1693
* [`table`](#-nftables--helper--table)
1694
* [`helper`](#-nftables--helper--helper)
1695
1696
##### <a name="-nftables--helper--content"></a>`content`
1697
1698
Data type: `String`
1699
1700
Conntrack helper definition.
1701
1702
##### <a name="-nftables--helper--table"></a>`table`
1703
1704
Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
1705
1706
The name of the table to add this helper to.
1707
1708
Default value: `'inet-filter'`
1709
1710
##### <a name="-nftables--helper--helper"></a>`helper`
1711
1712
Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`
1713
1714
The symbolic name for the helper.
1715
1716
Default value: `$title`
1717
1718 c24d3118 Tim Meusel
### <a name="nftables--rule"></a>`nftables::rule`
1719 e17693e3 Steve Traylen
1720 13f26dfc Nacho Barrientos
Provides an interface to create a firewall rule
1721
1722
#### Examples
1723
1724
##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
1725
1726
```puppet
1727
nftables::rule {
1728
  'default_in-myhttp':
1729
    content => 'tcp dport 80 accept',
1730
}
1731
```
1732
1733
##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
1734
1735
```puppet
1736
nftables::rule {
1737
  'PREROUTING6-count':
1738
    content => 'counter',
1739
    table   => 'ip6-nat'
1740
}
1741
```
1742 e17693e3 Steve Traylen
1743 94285e5f Steve Traylen
##### Redirect port 443 to port 8443
1744
1745
```puppet
1746
nftables::rule { 'PREROUTING-redirect':
1747
  content => 'tcp dport 443 redirect to :8443',
1748
  table   => 'ip-nat',
1749
}
1750
nftables::rule{'PREROUTING6-redirect':
1751
  content => 'tcp dport 443 redirect to :8443',
1752
  table   => 'ip6-nat',
1753
}
1754
```
1755
1756 e17693e3 Steve Traylen
#### Parameters
1757
1758 09cba182 Steve Traylen
The following parameters are available in the `nftables::rule` defined type:
1759
1760 c24d3118 Tim Meusel
* [`ensure`](#-nftables--rule--ensure)
1761
* [`rulename`](#-nftables--rule--rulename)
1762
* [`order`](#-nftables--rule--order)
1763
* [`table`](#-nftables--rule--table)
1764
* [`content`](#-nftables--rule--content)
1765
* [`source`](#-nftables--rule--source)
1766 e17693e3 Steve Traylen
1767 c24d3118 Tim Meusel
##### <a name="-nftables--rule--ensure"></a>`ensure`
1768 e17693e3 Steve Traylen
1769
Data type: `Enum['present','absent']`
1770
1771 13f26dfc Nacho Barrientos
Should the rule be created.
1772 e17693e3 Steve Traylen
1773
Default value: `'present'`
1774
1775 c24d3118 Tim Meusel
##### <a name="-nftables--rule--rulename"></a>`rulename`
1776 e17693e3 Steve Traylen
1777 8c00b818 Nacho Barrientos
Data type: `Nftables::RuleName`
1778 e17693e3 Steve Traylen
1779 13f26dfc Nacho Barrientos
The symbolic name for the rule and to what chain to add it. The
1780
format is defined by the Nftables::RuleName type.
1781 e17693e3 Steve Traylen
1782
Default value: `$title`
1783
1784 c24d3118 Tim Meusel
##### <a name="-nftables--rule--order"></a>`order`
1785 e17693e3 Steve Traylen
1786
Data type: `Pattern[/^\d\d$/]`
1787
1788 13f26dfc Nacho Barrientos
A number representing the order of the rule.
1789 e17693e3 Steve Traylen
1790
Default value: `'50'`
1791
1792 c24d3118 Tim Meusel
##### <a name="-nftables--rule--table"></a>`table`
1793 e17693e3 Steve Traylen
1794 b02d6ea9 Nacho Barrientos
Data type: `String`
1795 e17693e3 Steve Traylen
1796 13f26dfc Nacho Barrientos
The name of the table to add this rule to.
1797 e17693e3 Steve Traylen
1798
Default value: `'inet-filter'`
1799
1800 c24d3118 Tim Meusel
##### <a name="-nftables--rule--content"></a>`content`
1801 e17693e3 Steve Traylen
1802
Data type: `Optional[String]`
1803
1804 13f26dfc Nacho Barrientos
The raw statements that compose the rule represented using the nftables
1805
language.
1806 e17693e3 Steve Traylen
1807 c24d3118 Tim Meusel
Default value: `undef`
1808 e17693e3 Steve Traylen
1809 c24d3118 Tim Meusel
##### <a name="-nftables--rule--source"></a>`source`
1810 e17693e3 Steve Traylen
1811
Data type: `Optional[Variant[String,Array[String,1]]]`
1812
1813 13f26dfc Nacho Barrientos
Same goal as content but sourcing the value from a file.
1814 e17693e3 Steve Traylen
1815 c24d3118 Tim Meusel
Default value: `undef`
1816 e17693e3 Steve Traylen
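
An added example that is not part of the generated reference: an `nftables::helper` paired with the raw `nftables::rule` that assigns it, which shows that both resources must target the same table and how the first dash-separated component of the rule name selects the chain. The port-21 rule content, the `order` value and the rule name are assumptions chosen for illustration.

```puppet
# Added example (not the module's own code): a conntrack helper plus the raw
# rule that assigns it. The helper object 'ftp-standard' is created in table
# inet filter ('inet-filter', the default for both resources).
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
  table   => 'inet-filter',
}

# Raw rule in chain 'default_in' (first component of the Nftables::RuleName)
# of the same table. 'ct helper set' attaches the helper to the FTP control
# connection so that the data channel is tracked as a related connection
# instead of needing its own open port. order '40' sorts this rule before
# rules that keep the default order '50'.
nftables::rule { 'default_in-ftp_helper':
  content => 'tcp dport 21 ct helper set "ftp-standard" accept',
  table   => 'inet-filter',
  order   => '40',
}
```

A helper defined in one table cannot be referenced by a rule in another, so setting `table` explicitly on both makes the dependency visible in the manifest.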

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

Manage an IPv4 DNAT rule.

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

Masquerade all outgoing traffic.

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

Manage an IPv4 SNAT rule.

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--set"></a>`nftables::set`

Manage a named set.

#### Examples

##### simple set

```puppet
nftables::set { 'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

Name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

Type of the set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

Table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

Specify flags for the set.

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

Timeout in seconds.

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

Garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

Initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

Limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

Determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

Automatically merge adjacent/overlapping set elements (only valid for interval sets).

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

Specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule.

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule { 'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

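
An added example that is not part of the generated reference, covering `nftables::set` and `nftables::simplerule` together: an IPv4 allow-list set referenced from a simplerule through a `@name` set expression, which is where the `set_type` parameter matters because its default `'ip6'` does not match an `ipv4_addr` set. The set name, rule names, addresses, port and `order` values are constructed for illustration.

```puppet
# Added example (not the module's own code): an IPv4 allow-list set and the
# simplerules that consume it. The set name must match /^[-a-zA-Z0-9_]+$/ and
# the set must live in the same table as the rules that reference it.
nftables::set { 'admin_hosts':
  type       => 'ipv4_addr',
  flags      => ['interval'],                      # required for CIDR elements
  elements   => ['192.0.2.0/24', '198.51.100.7'],  # constructed sample addresses
  auto_merge => true,                              # only valid with 'interval'
  table      => 'inet-filter',
}

# Accept SSH only from members of the set. saddr is a set reference
# (Nftables::Addr::Set, i.e. '@name'). set_type defaults to 'ip6', so it must
# be set to 'ip' here because the referenced set is of type ipv4_addr;
# leaving the default would emit an ip6 match against an IPv4 set.
nftables::simplerule { 'admin_ssh':
  action   => 'accept',
  comment  => 'SSH from the admin allow-list only',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@admin_hosts',
  set_type => 'ip',
  table    => 'inet-filter',
}

# Explicitly drop and count any other SSH attempt. order '60' places this
# rule after the accept above (default order '50') in chain 'default_in'.
nftables::simplerule { 'admin_ssh_drop':
  action  => 'drop',
  comment => 'SSH from anywhere else',
  counter => true,
  proto   => 'tcp',
  dport   => 22,
  order   => '60',
  table   => 'inet-filter',
}
```

The `counter => true` on both rules gives `nft list ruleset` per-rule packet and byte counts, which is the quickest way to confirm that allow-listed sessions hit the accept rule and everything else lands on the drop.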

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name, and the optional third a number.
Examples: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`