# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow inbound and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)
* [`clobber_default_config`](#-nftables--clobber_default_config)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters `out_ntp`, `out_dns`, ... will be assumed
false.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

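The selective flush that `noflush_tables` describes, shown as an added example (not the module's own code): given the text of `nft list tables`, it prints the `flush table` statements a run would apply, skipping every table named in the noflush list, and rejects entries that do not match the pattern of the data type above. The table listing in the script is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the nftables module: model what
# `noflush_tables` means.  A noflush entry is written "<family>-<name>"
# (the module's pattern); `nft list tables` prints "table <family> <name>".

# Constructed sample output of `nft list tables` (not from a real host).
SAMPLE_TABLES='table inet filter
table ip nat
table inet f2b-table
table bridge nat'

# Check one noflush entry against the pattern documented for the data type:
#   ^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$
valid_noflush_entry() {
    printf '%s\n' "$1" | grep -Eq '^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$'
}

# Print "flush table <family> <name>" for every table in $1 (text in the
# format of `nft list tables`) whose "<family>-<name>" form is not in $2
# (space-separated noflush entries).  With an empty $2 every table is
# flushed, which is what the `flush ruleset` default amounts to.
selective_flush_plan() {
    tables="$1"
    noflush="$2"
    for entry in $noflush; do
        if ! valid_noflush_entry "$entry"; then
            echo "invalid noflush_tables entry: $entry" >&2
            return 1
        fi
    done
    printf '%s\n' "$tables" | while read -r kw family name; do
        [ "$kw" = "table" ] || continue
        keep=0
        for entry in $noflush; do
            [ "$entry" = "${family}-${name}" ] && keep=1
        done
        if [ "$keep" -eq 0 ]; then
            printf 'flush table %s %s\n' "$family" "$name"
        fi
    done
}

# Demo: keep fail2ban's table (as in the class example above), flush the rest.
selective_flush_plan "$SAMPLE_TABLES" 'inet-f2b-table'
```

On a real host the first argument would come from `nft list tables`; the script only mirrors the documented semantics and does not reproduce how the module itself performs the flush.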

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

##### <a name="-nftables--clobber_default_config"></a>`clobber_default_config`

Data type: `Boolean`

Should the existing OS provided rules in the `configuration_path` be removed? If
they are not being removed this module will add all of its configuration to the end of
the existing rules.

Default value: `false`

### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`
668
### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
* [`iifname`](#-nftables--rules--llmnr--iifname)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the Prometheus server name(s)

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces on which to allow traffic

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

specify DNS server IP addresses

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound ICMP packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver IP address(es)

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`
1346 cd2a3cbf Nacho Barrientos
1347
This class configures the typical firewall setup that libvirt
1348
creates. Depending on your requirements you can switch on and off
1349
several aspects, for instance if you don't do DHCP to your guests
1350
you can disable the rules that accept DHCP traffic on the host or if
1351
you don't want your guests to talk to hosts outside you can disable
1352
forwarding and/or masquerading for IPv4 traffic.
1353
1354
#### Parameters
1355
1356
The following parameters are available in the `nftables::rules::qemu` class:
1357
1358 c24d3118 Tim Meusel
* [`interface`](#-nftables--rules--qemu--interface)
1359
* [`network_v4`](#-nftables--rules--qemu--network_v4)
1360
* [`network_v6`](#-nftables--rules--qemu--network_v6)
1361
* [`dns`](#-nftables--rules--qemu--dns)
1362
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
1363
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
1364
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
1365
* [`masquerade`](#-nftables--rules--qemu--masquerade)
1366 cd2a3cbf Nacho Barrientos
1367 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--interface"></a>`interface`
1368 cd2a3cbf Nacho Barrientos
1369
Data type: `String[1]`
1370
1371
Interface name used by the bridge.
1372
1373
Default value: `'virbr0'`
1374
1375 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`
1376 cd2a3cbf Nacho Barrientos
1377
Data type: `Stdlib::IP::Address::V4::CIDR`
1378
1379
The IPv4 network prefix used in the virtual network.
1380
1381
Default value: `'192.168.122.0/24'`
1382
1383 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`
1384 cd2a3cbf Nacho Barrientos
1385
Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`
1386
1387
The IPv6 network prefix used in the virtual network.
1388
1389 c24d3118 Tim Meusel
Default value: `undef`
1390 cd2a3cbf Nacho Barrientos
1391 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--dns"></a>`dns`
1392 cd2a3cbf Nacho Barrientos
1393
Data type: `Boolean`
1394
1395
Allow DNS traffic from the guests to the host.
1396
1397 c24d3118 Tim Meusel
Default value: `true`
1398 cd2a3cbf Nacho Barrientos
1399 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`
1400 cd2a3cbf Nacho Barrientos
1401
Data type: `Boolean`
1402
1403
Allow DHCPv4 traffic from the guests to the host.
1404
1405 c24d3118 Tim Meusel
Default value: `true`
1406 cd2a3cbf Nacho Barrientos
1407 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`
1408 cd2a3cbf Nacho Barrientos
1409
Data type: `Boolean`
1410
1411
Allow forwarded traffic (out all, in related/established)
1412
generated by the virtual network.
1413
1414 c24d3118 Tim Meusel
Default value: `true`
1415 cd2a3cbf Nacho Barrientos
1416 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`
1417 cd2a3cbf Nacho Barrientos
1418
Data type: `Boolean`
1419
1420
Allow guests in the virtual network to talk to each other.
1421
1422 c24d3118 Tim Meusel
Default value: `true`
1423 cd2a3cbf Nacho Barrientos
1424 c24d3118 Tim Meusel
##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`
1425 cd2a3cbf Nacho Barrientos
1426
Data type: `Boolean`
1427
1428
Do NAT masquerade on all IPv4 traffic generated by guests
1429
to external networks.
1430
1431 c24d3118 Tim Meusel
Default value: `true`
1432 cd2a3cbf Nacho Barrientos
1433 c24d3118 Tim Meusel
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`
1434 19908f41 mh
1435
manage Samba, the suite to allow Windows file sharing on Linux resources.
1436
1437
#### Parameters
1438
1439
The following parameters are available in the `nftables::rules::samba` class:
1440
1441 c24d3118 Tim Meusel
* [`ctdb`](#-nftables--rules--samba--ctdb)
1442 64404839 Tim Meusel
* [`action`](#-nftables--rules--samba--action)
1443 19908f41 mh
1444 c24d3118 Tim Meusel
##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`
1445 19908f41 mh
1446
Data type: `Boolean`
1447
1448 64404839 Tim Meusel
Enable ctdb-driven clustered Samba setups
1449 19908f41 mh
1450 c24d3118 Tim Meusel
Default value: `false`
1451 19908f41 mh
1452 64404839 Tim Meusel
##### <a name="-nftables--rules--samba--action"></a>`action`
1453
1454
Data type: `Enum['accept', 'drop']`
1455
1456
if the traffic should be allowed or dropped
1457
1458
Default value: `'accept'`
1459
1460 c24d3118 Tim Meusel
### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`
1461 e17693e3 Steve Traylen
1462
manage in smtp
1463
1464 c24d3118 Tim Meusel
### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`
1465 e17693e3 Steve Traylen
1466
manage in smtp submission
1467
1468 c24d3118 Tim Meusel
### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`
1469 e17693e3 Steve Traylen
1470
manage in smtps
1471
1472 8b131276 Tim Meusel
### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`
1473
1474
allow incoming spotify
1475
1476 50a5be8b Tim Meusel
### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`
1477
1478
allow incoming SSDP
1479
1480
* **See also**
1481
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1482
1483
#### Parameters
1484
1485
The following parameters are available in the `nftables::rules::ssdp` class:
1486
1487
* [`ipv4`](#-nftables--rules--ssdp--ipv4)
1488
* [`ipv6`](#-nftables--rules--ssdp--ipv6)
1489
1490
##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`
1491
1492
Data type: `Boolean`
1493
1494
Allow SSDP over IPv4
1495
1496
Default value: `true`
1497
1498
##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`
1499
1500
Data type: `Boolean`
1501
1502
Allow SSDP over IPv6
1503
1504
Default value: `true`
1505
1506 c24d3118 Tim Meusel
### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`
1507 e17693e3 Steve Traylen
1508
manage in ssh
1509
1510
#### Parameters
1511
1512 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::ssh` class:
1513 e17693e3 Steve Traylen
1514 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--ssh--ports)
1515 e17693e3 Steve Traylen
1516 c24d3118 Tim Meusel
##### <a name="-nftables--rules--ssh--ports"></a>`ports`
1517 e17693e3 Steve Traylen
1518 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1519 e17693e3 Steve Traylen
1520 09cba182 Steve Traylen
ssh ports
1521 e17693e3 Steve Traylen
1522
Default value: `[22]`
1523
1524 c24d3118 Tim Meusel
### <a name="nftables--rules--tor"></a>`nftables::rules::tor`
1525 e17693e3 Steve Traylen
1526
manage in tor
1527
1528
#### Parameters
1529
1530 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::tor` class:
1531 e17693e3 Steve Traylen
1532 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--tor--ports)
1533 e17693e3 Steve Traylen
1534 c24d3118 Tim Meusel
##### <a name="-nftables--rules--tor--ports"></a>`ports`
1535 e17693e3 Steve Traylen
1536 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1537 e17693e3 Steve Traylen
1538 09cba182 Steve Traylen
ports for tor
1539 e17693e3 Steve Traylen
1540
Default value: `[9001]`
1541
1542 c24d3118 Tim Meusel
### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`
1543 e17693e3 Steve Traylen
1544
manage in wireguard
1545
1546
#### Parameters
1547
1548 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::wireguard` class:
1549 e17693e3 Steve Traylen
1550 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--wireguard--ports)
1551 e17693e3 Steve Traylen
1552 c24d3118 Tim Meusel
##### <a name="-nftables--rules--wireguard--ports"></a>`ports`
1553 e17693e3 Steve Traylen
1554 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1555 e17693e3 Steve Traylen
1556 09cba182 Steve Traylen
wiregueard port
1557 e17693e3 Steve Traylen
1558
Default value: `[51820]`
1559
1560 ffc8b86f Tim Meusel
### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
1561
1562
allow incoming webservice discovery
1563
1564
* **See also**
1565
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
1566
1567
#### Parameters
1568
1569
The following parameters are available in the `nftables::rules::wsd` class:
1570
1571
* [`ipv4`](#-nftables--rules--wsd--ipv4)
1572
* [`ipv6`](#-nftables--rules--wsd--ipv6)
1573
1574
##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
1575
1576
Data type: `Boolean`
1577
1578
Allow ws-discovery over IPv4
1579
1580
Default value: `true`
1581
1582
##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
1583
1584
Data type: `Boolean`
1585
1586
Allow ws-discovery over IPv6
1587
1588
Default value: `true`
1589
1590 c24d3118 Tim Meusel
### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
1591 7f6cacc5 Steve Traylen
1592 09cba182 Steve Traylen
Allow in and outbound traffic for DHCPv6 server
1593 7f6cacc5 Steve Traylen
1594 c24d3118 Tim Meusel
### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
1595 7f6cacc5 Steve Traylen
1596 09cba182 Steve Traylen
Open inbound and outbound ports for an AFS client
1597 7f6cacc5 Steve Traylen
1598 e17693e3 Steve Traylen
## Defined types
1599
1600 c24d3118 Tim Meusel
### <a name="nftables--chain"></a>`nftables::chain`
1601 e17693e3 Steve Traylen
1602
manage a chain
1603
1604
#### Parameters
1605
1606 09cba182 Steve Traylen
The following parameters are available in the `nftables::chain` defined type:
1607
1608 c24d3118 Tim Meusel
* [`table`](#-nftables--chain--table)
1609
* [`chain`](#-nftables--chain--chain)
1610
* [`inject`](#-nftables--chain--inject)
1611
* [`inject_iif`](#-nftables--chain--inject_iif)
1612
* [`inject_oif`](#-nftables--chain--inject_oif)
1613 e17693e3 Steve Traylen
1614 c24d3118 Tim Meusel
##### <a name="-nftables--chain--table"></a>`table`
1615 e17693e3 Steve Traylen
1616 7030bde0 Luis Fernández Álvarez
Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`
1617 e17693e3 Steve Traylen
1618
1619
1620
Default value: `'inet-filter'`
1621
1622 c24d3118 Tim Meusel
##### <a name="-nftables--chain--chain"></a>`chain`
1623 e17693e3 Steve Traylen
1624
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1625
1626
1627
1628
Default value: `$title`
1629
1630 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject"></a>`inject`
1631 e17693e3 Steve Traylen
1632
Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
1633
1634
1635
1636 c24d3118 Tim Meusel
Default value: `undef`
1637 e17693e3 Steve Traylen
1638 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`
1639 e17693e3 Steve Traylen
1640
Data type: `Optional[String]`
1641
1642
1643
1644 c24d3118 Tim Meusel
Default value: `undef`
1645 e17693e3 Steve Traylen
1646 c24d3118 Tim Meusel
##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`
1647 e17693e3 Steve Traylen
1648
Data type: `Optional[String]`
1649
1650
1651
1652 c24d3118 Tim Meusel
Default value: `undef`
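
As an added example that is not part of the module's own documentation, the manifest below creates a dedicated chain with `nftables::chain` and fills it with `nftables::rule` resources, ending in a default-deny tail. Because this page leaves the parameter descriptions empty, it assumes that `inject => 'NN-chain'` injects a jump to the new chain into the named chain at order NN and that `inject_iif` limits that jump to packets entering on one interface; `default_fwd` is assumed to be the forward chain the module's `nftables::inet_filter` class creates, and the interface name and addresses are placeholders.

```puppet
# Added example (not from the puppet-nftables REFERENCE): a dedicated
# forward chain for a DMZ interface with an explicit log-and-drop tail.
#
# Assumption: inject => 'NN-chain' adds a jump to this chain into
# 'chain' at order NN, and inject_iif narrows that jump to packets
# arriving on the named interface. 'eth1' and 10.0.50.0/24 are
# placeholder values.
nftables::chain { 'dmz_in':
  table      => 'inet-filter',     # Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]
  inject     => '20-default_fwd',  # Pattern[/^\d\d-[a-zA-Z0-9_]+$/]
  inject_iif => 'eth1',
}

# Rules attach to the chain through the first component of the
# nftables::rule title (Nftables::RuleName, see Data types below);
# table defaults to 'inet-filter', matching the chain above.
nftables::rule { 'dmz_in-established':
  order   => '05',
  content => 'ct state established,related accept',
}

nftables::rule { 'dmz_in-web':
  order   => '10',
  content => 'ip daddr 10.0.50.10 tcp dport { 80, 443 } ct state new accept',
}

# Rate-limited log followed by an explicit drop, ordered after every
# accept. Without a terminal verdict a regular chain simply returns to
# the calling chain once its rules are exhausted.
nftables::rule { 'dmz_in-log':
  order   => '98',
  content => 'limit rate 5/minute log prefix "dmz_in drop: "',
}

nftables::rule { 'dmz_in-drop':
  order   => '99',
  content => 'drop',
}
```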

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in the filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and the chain to add it to. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule, written in the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
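
The following is an added example, not from the module, that uses the three NAT defined types above on a small IPv4 gateway. Since their parameter descriptions on this page are empty, it assumes that `nftables::rules::dnat4` emits a `dnat to <daddr>:<port>` rule in the PREROUTING chain of table ip-nat plus a matching accept rule in `chain`, that `nftables::rules::masquerade` and `nftables::rules::snat4` emit `masquerade` and `snat to <snat>` rules in `chain` of table ip-nat narrowed by whichever of `oif`, `saddr`, `daddr`, `proto` and `dport` are set, and that the ip-nat table and its PREROUTING/POSTROUTING chains already exist (the module's `nftables::ip_nat` class); interface names and addresses are placeholders.

```puppet
# Added example (not from the puppet-nftables REFERENCE): IPv4 NAT on a
# gateway whose upstream interface is eth0 and whose LAN is
# 192.168.10.0/24 (placeholder values).
#
# Assumption: dnat4 writes the dnat rule into PREROUTING of table ip-nat
# and an accept rule into 'chain' (default 'default_fwd'); masquerade
# and snat4 write into 'chain' (default 'POSTROUTING') of table ip-nat.

# Publish a backend on TCP/443: clients connect to 443 on eth0, the
# backend listens on 8443. Restricting with iif and dport keeps the
# translation from applying to traffic that did not arrive from outside.
nftables::rules::dnat4 { 'https_to_backend':
  daddr => '192.168.10.20',  # must match the dotted-quad Pattern above
  port  => 8443,             # port after translation
  dport => 443,              # port the client connects to
  iif   => 'eth0',
  proto => 'tcp',
}

# Masquerade only LAN sources leaving via eth0. With neither oif nor
# saddr set, the summary above applies: all outgoing traffic is
# masqueraded, including anything forwarded in the other direction.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '192.168.10.0/24',
}

# One host needs a fixed public source address rather than the interface
# address. order '60' sorts this rule before the masquerade rule at the
# default '70', so the specific mapping is consulted first.
nftables::rules::snat4 { 'mail_out':
  snat  => '203.0.113.25',   # RFC 5737 documentation prefix, placeholder
  saddr => '192.168.10.25',
  oif   => 'eth0',
  order => '60',
}
```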

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, defaults to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify content of set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify source of set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`

##### <a name="-nftables--simplerule--iifname"></a>`iifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the incoming interface

Default value: `[]`

##### <a name="-nftables--simplerule--oifname"></a>`oifname`

Data type: `Variant[Array[String[1]],String[1]]`

Optional filter for the outgoing interface

Default value: `[]`

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the (optional) third a number.
Examples: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
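
As an added example that is not part of the module's documentation, the manifest below ties `nftables::set`, `nftables::simplerule` and the data types above together: a static interval set and a dynamic timeout set, both consumed through `@name` references (`Nftables::Addr::Set`), plus `Nftables::Port` and `Nftables::SimpleRuleName` values in the forms the aliases permit. It assumes the module's default chains `default_in` and `default_out` exist and that the dynamic set is populated at runtime by an `add @ssh_bruteforce { ... }` statement defined elsewhere (not shown); addresses, set names and interface names are placeholders.

```puppet
# Added example (not from the puppet-nftables REFERENCE). All names and
# addresses are placeholders.

# Interval set so CIDR prefixes are valid elements; auto_merge collapses
# the overlapping 10.20.1.0/24 and 10.20.1.128/25 into one element, which
# is only meaningful together with the 'interval' flag.
nftables::set { 'mgmt_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.20.0.0/24', '10.20.1.0/24', '10.20.1.128/25'],
  auto_merge => true,
  table      => 'inet-filter',
}

# Dynamic set filled at runtime (assumption: by an `add @ssh_bruteforce`
# statement in another rule, not shown); entries expire after timeout
# seconds and size caps how many can accumulate.
nftables::set { 'ssh_bruteforce':
  type    => 'ipv4_addr',
  flags   => ['dynamic', 'timeout'],
  timeout => 600,
  size    => 65536,
}

# Nftables::Addr accepts a literal address, a CIDR, or an '@name' set
# reference. For an ipv4_addr set set_type must be 'ip'; the default
# 'ip6' is wrong for this set.
nftables::simplerule { 'mgmt_ssh':
  action   => 'accept',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
  comment  => 'ssh from management prefixes',
  counter  => true,
}

# Drop sources that landed in the dynamic set. order '40' sorts this rule
# before the accept rule above, which uses the default '50'.
nftables::simplerule { 'ssh_blocked':
  action   => 'drop',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@ssh_bruteforce',
  set_type => 'ip',
  order    => '40',
}

# Nftables::Port allows a single port, a 'low-high' Nftables::Port::Range,
# or an array mixing both; iifname narrows the match to an interface.
nftables::simplerule { 'monitoring_in':
  proto   => 'tcp',
  dport   => [9100, '9200-9210'],
  saddr   => '10.30.0.5',
  iifname => 'eth1',
  comment => 'exporters reachable from the monitoring host',
}

# Nftables::SimpleRuleName permits an optional numeric suffix so a base
# name can be reused; unlike nftables::rule the chain is selected with
# the chain parameter, not encoded in the title.
nftables::simplerule { 'monitoring_in-2':
  chain   => 'default_out',
  proto   => 'udp',
  dport   => 514,
  daddr   => '10.30.0.5',
  comment => 'syslog to the monitoring host',
}
```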