root / REFERENCE.md @ ffc8b86f

Historique | Voir | Annoter | Télécharger (57,3 ko)

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp)
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing Active Directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an ipv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an ipv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component describes the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_limit`](#-nftables--log_limit)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true` then all other
out parameters (`out_ntp`, `out_dns`, ...) are ignored and
treated as `false`, since everything is already allowed out.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound to ssh servers.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the other existing tables will be flushed.
If left unset all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

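The parameters above (`out_all`, `in_ssh`, `reject_with`, `noflush_tables`, `sets`, `rules`) combined into one least-privilege host profile, as an added example that is not part of the module's generated reference. It assumes, because this page does not document them, that `nftables::rule` takes a `content` parameter holding the nft rule body and that `nftables::set` takes `type` and `elements`; the rule names follow the `Nftables::RuleName` convention (`<chain>-<name>[-<n>]`) described in the table of contents, and every address is constructed sample data.

```puppet
# Added example profile, not module code. Assumptions are marked inline.
class profile::firewall (
  # Constructed sample data: hosts allowed to reach sshd.
  Array[Stdlib::IP::Address::V4] $admin_hosts = ['192.0.2.10', '192.0.2.11'],
  # Constructed sample data: the only LDAPS server this host may talk to.
  Stdlib::IP::Address::V4        $ldap_server = '192.0.2.20',
) {
  class { 'nftables':
    # Explicit egress allowlist: out_all stays false so every out_* flag
    # is an individual decision; plain HTTP is switched off deliberately.
    out_all        => false,
    out_dns        => true,
    out_ntp        => true,
    out_https      => true,
    out_http       => false,
    out_icmp       => true,

    # Do not open sshd to the world; a source-scoped rule is added below.
    in_ssh         => false,
    in_icmp        => true,

    # false means "no reject statement": unmatched packets fall through to
    # the chain policy (drop), so closed ports do not answer at all.
    reject_with    => false,

    # Leave fail2ban's own table untouched when the ruleset is reloaded,
    # otherwise every Puppet run would wipe the bans.
    noflush_tables => ['inet-f2b-table'],

    # Named set, same hash shape the class accepts from Hiera.
    # Assumed nftables::set parameters: type, elements.
    sets           => {
      'admin_hosts' => {
        type     => 'ipv4_addr',
        elements => $admin_hosts,
      },
    },

    # Raw rules keyed by Nftables::RuleName: <chain>-<name>[-<n>].
    # Assumed nftables::rule parameter: content (the nft rule body).
    rules          => {
      'default_in-ssh_admins'  => {
        content => 'ip saddr @admin_hosts tcp dport 22 accept',
      },
      'default_in-web'         => {
        content => 'tcp dport { 80, 443 } accept',
      },
      'default_out-ldaps-1'    => {
        content => "ip daddr ${ldap_server} tcp dport 636 accept",
      },
    },
  }
}
```

After a run, `nft list ruleset` should show `@admin_hosts` referenced from the `default_in` chain and no `reject` statement at the end of it; if sshd must stay reachable from a new network, extend the set rather than adding a second unscoped rule.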
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the bridge forwarding rules are present.

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Regexp matching the bridge interface names on which forwarding is allowed.

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for the ceph monitor service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

The nftables::rules::icmp class.

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

List of ICMPv4 types to allow inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

List of ICMPv6 types to allow inbound.

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

Order of the generated rules within the chain.

Default value: `'10'`

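Replacing the blanket `in_icmp` default with an explicit ICMP allowlist, as an added example that is not part of the module's generated reference. It assumes, because this page does not state it, that `in_icmp => false` stops the `nftables` class from declaring `nftables::rules::icmp` itself, and that each entry of `v4_types` / `v6_types` is an nft `icmp type` / `icmpv6 type` expression that the class places verbatim inside an accept rule (the type names and `limit rate` clause are standard nft syntax).

```puppet
# Added example, not module code. Assumptions are marked inline.

# Assumed: with in_icmp => false the main class does not declare
# nftables::rules::icmp, so the explicit declaration below is the only one.
class { 'nftables':
  in_icmp => false,
}

class { 'nftables::rules::icmp':
  # ICMPv4: what path MTU discovery, traceroute and error reporting need.
  # Echo is kept but rate limited so the host cannot be used as a ping
  # amplifier or probed at line rate. Assumed: each string is inserted as
  # an "icmp type <string>" match.
  v4_types => [
    'destination-unreachable',
    'time-exceeded',
    'parameter-problem',
    'echo-request limit rate 5/second',
  ],
  # ICMPv6: Neighbor Discovery and Packet Too Big must never be filtered
  # on an IPv6 host; without them address resolution and PMTUD fail and the
  # host silently loses IPv6 connectivity (RFC 4890 lists these as
  # must-not-drop). Assumed: each string is an "icmpv6 type <string>" match.
  v6_types => [
    'destination-unreachable',
    'packet-too-big',
    'time-exceeded',
    'parameter-problem',
    'nd-router-advert',
    'nd-neighbor-solicit',
    'nd-neighbor-advert',
    'echo-request limit rate 5/second',
  ],
}
```

Verify with `nft list chain inet filter default_in` after the run: each listed type should appear as its own accept rule, and `ping6` to the host from a neighbour on the same link should keep working, which is the quickest check that the Neighbor Discovery types survived the change.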
640 020842af Tim Meusel
### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`
641
642
allow incoming IGMP messages
643
644 ea29e235 Simon Hoenscheid
### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`
645
646
manage in ldap
647
648
#### Parameters
649
650
The following parameters are available in the `nftables::rules::ldap` class:
651
652
* [`ports`](#-nftables--rules--ldap--ports)
653
654
##### <a name="-nftables--rules--ldap--ports"></a>`ports`
655
656
Data type: `Array[Integer,1]`
657
658
ldap server ports
659
660
Default value: `[389, 636]`
661
662 3b26826f Tim Meusel
### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`
663
664
allow incoming Link-Local Multicast Name Resolution
665
666
* **See also**
667
  * https://datatracker.ietf.org/doc/html/rfc4795
668
669
#### Parameters
670
671
The following parameters are available in the `nftables::rules::llmnr` class:
672
673
* [`ipv4`](#-nftables--rules--llmnr--ipv4)
674
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
675
676
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
677
678
Data type: `Boolean`
679
680
Allow LLMNR over IPv4
681
682
Default value: `true`
683
684
##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`
685
686
Data type: `Boolean`
687
688
Allow LLMNR over IPv6
689
690
Default value: `true`
691
692 5ffd0328 Tim Meusel
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
693
694
allow incoming multicast DNS
695
696 ad3dbd7d Ewoud Kohl van Wijngaarden
#### Parameters
697
698
The following parameters are available in the `nftables::rules::mdns` class:
699
700
* [`ipv4`](#-nftables--rules--mdns--ipv4)
701
* [`ipv6`](#-nftables--rules--mdns--ipv6)
702
703
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
704
705
Data type: `Boolean`
706
707
Allow mdns over IPv4
708
709
Default value: `true`
710
711
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
712
713
Data type: `Boolean`
714
715
Allow mdns over IPv6
716
717
Default value: `true`
718
719 80b384c8 Tim Meusel
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
720
721
allow incoming multicast traffic
722
723 c24d3118 Tim Meusel
### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify the name(s) of the Prometheus server(s) allowed to connect to the exporter

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify the port to open

Default value: `9100`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the Active Directory server(s)

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

ports to open towards the Active Directory server(s)

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of the NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify the DNS server name(s)

Default value: `undef`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

IP address(es) of the LDAP server(s)

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ports to open towards the LDAP server(s)

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mDNS over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mDNS over IPv6

Default value: `true`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

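
The inbound `nftables::rules::node_exporter` class and the outbound `nftables::rules::out::puppet`, `nftables::rules::out::pxp_agent` and `nftables::rules::out::dns` classes each take a server parameter that narrows a rule to specific peers instead of opening the port to everyone. The profile class below is an added example, not code from the puppet-nftables module or its documentation: it declares those classes together so that a managed node only accepts exporter scrapes from its Prometheus server and only gets egress towards its Puppetservers, PXP brokers and resolvers. The `profile::firewall::managed_node` class, its parameters and the 192.0.2.0/24 and `.example.internal` values are constructed for the example; the `nftables::rules::*` class and parameter names are the ones documented on this page.

```puppet
# Added example (not part of the module): scope per-service rules to known
# infrastructure hosts. The class/parameter names below are the ones the
# reference documents; the addresses and names are constructed placeholders.
class profile::firewall::managed_node (
  Array[Stdlib::IP::Address, 1] $puppetservers = ['192.0.2.10', '192.0.2.11'],
  Array[Stdlib::IP::Address, 1] $pxp_brokers   = ['192.0.2.10'],
  String[1]                     $prometheus    = 'prometheus.example.internal',
  Array[String, 1]              $resolvers     = ['192.0.2.53', '192.0.2.54'],
) {
  # Base tables and chains of the module.
  include nftables

  # Inbound: pin the exporter to the Prometheus server instead of leaving
  # prometheus_server at its default of undef.
  class { 'nftables::rules::node_exporter':
    prometheus_server => $prometheus,
    port              => 9100,
  }

  # Outbound: the agent only needs the Puppetservers on 8140 and the PXP
  # brokers on 8142 (the documented defaults, written out for clarity).
  class { 'nftables::rules::out::puppet':
    puppetserver      => $puppetservers,
    puppetserver_port => 8140,
  }
  class { 'nftables::rules::out::pxp_agent':
    broker      => $pxp_brokers,
    broker_port => 8142,
  }

  # Outbound DNS only towards the organisation's resolvers.
  class { 'nftables::rules::out::dns':
    dns_server => $resolvers,
  }
}
```

The same values can be supplied through Hiera by setting `profile::firewall::managed_node::puppetservers` and the other class parameters, so the host lists stay in data rather than in the manifest.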
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch on and off
several aspects: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

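
The class description above explains which aspects of the libvirt setup can be switched off; the manifest below is an added example, not part of the module's documentation, that puts the permissive default declaration next to a locked-down one so the parameter choices can be compared. The `profile::libvirt::lab` and `profile::libvirt::isolated` class names, the `virbr1` bridge and the 10.42.0.0/24 and 2001:db8:42::/64 prefixes are constructed for the example; the `nftables::rules::qemu` parameters and their defaults are the ones documented above.

```puppet
# Added example (not part of the module): two libvirt host profiles built on
# nftables::rules::qemu. Class names, bridge name and prefixes are constructed.

# 1. Permissive: every parameter at its documented default. Guests obtain
#    DNS and DHCPv4 from the host, may reach external networks and are
#    masqueraded. This is equivalent to `include nftables::rules::qemu`.
class profile::libvirt::lab {
  include nftables

  class { 'nftables::rules::qemu':
    interface  => 'virbr0',
    network_v4 => '192.168.122.0/24',
  }
}

# 2. Isolated: guests are statically addressed (the host does not accept
#    DHCPv4 from them), may talk to each other and to the host's resolver,
#    but are neither forwarded nor masqueraded towards external networks.
class profile::libvirt::isolated {
  include nftables

  class { 'nftables::rules::qemu':
    interface        => 'virbr1',
    network_v4       => '10.42.0.0/24',
    network_v6       => '2001:db8:42::/64',
    dns              => true,   # guests may still resolve via the host
    dhcpv4           => false,  # no DHCPv4 listener exposed to the bridge
    internal_traffic => true,   # guest-to-guest traffic stays allowed
    forward_traffic  => false,  # no forwarding out of the virtual network
    masquerade       => false,  # nothing to NAT once forwarding is off
  }
}
```

Only one of the two profiles can be applied to a given host, since both declare the same class; the point of showing them side by side is that disabling `forward_traffic` and `masquerade` together is what actually confines the guests, while `dhcpv4 => false` only removes the host-side listener rule.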
### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups.

Default value: `false`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:

* [`ports`](#-nftables--rules--tor--ports)

##### <a name="-nftables--rules--tor--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ports for tor

Default value: `[9001]`

### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`

manage in wireguard

#### Parameters

The following parameters are available in the `nftables::rules::wireguard` class:

* [`ports`](#-nftables--rules--wireguard--ports)

##### <a name="-nftables--rules--wireguard--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

wireguard port

Default value: `[51820]`

### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`

allow incoming webservice discovery

* **See also**
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01

#### Parameters

The following parameters are available in the `nftables::rules::wsd` class:

* [`ipv4`](#-nftables--rules--wsd--ipv4)
* [`ipv6`](#-nftables--rules--wsd--ipv6)

##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow ws-discovery over IPv4

Default value: `true`

##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow ws-discovery over IPv6

Default value: `true`

### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`

Allow inbound and outbound traffic for DHCPv6 server

### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`

Open inbound and outbound ports for an AFS client

## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-` it will be
auto-included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
```
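
To show how `nftables::chain` and `nftables::rule` fit together beyond the single-rule examples above, the following manifest is an added example, not taken from the module's documentation: it creates a dedicated chain in the default `inet-filter` table, fills it with ordered rules, and hands matching traffic to it from `default_in` with an explicit jump rule. The chain name `mgmt_in`, the rule names, the 192.0.2.0/24 source prefix and the `default_in-old_ssh` rule it retires are all constructed for the example; the `<chain>-<name>` title format, the two-digit `order` and the `inet-filter` default table follow the parameter documentation of these two defined types.

```puppet
# Added example (not part of the module): a management-plane chain built
# from nftables::chain and nftables::rule. All names and addresses are
# constructed; only the resource types and their parameters come from the
# reference.

# 1. Create the chain. 'table' defaults to 'inet-filter', so only the
#    chain name (the title) is needed.
nftables::chain { 'mgmt_in': }

# 2. Populate it. The title is '<chain>-<rule name>'; 'order' sorts the
#    rules inside the chain, so the final drop gets the highest order.
nftables::rule {
  'mgmt_in-ssh_from_bastion':
    order   => '10',
    content => 'ip saddr 192.0.2.0/24 tcp dport 22 accept';
  'mgmt_in-log_rejected':
    order   => '90',
    content => 'limit rate 10/minute log prefix "mgmt_in drop: "';
  'mgmt_in-drop':
    order   => '99',
    content => 'drop';
}

# 3. Send inbound SSH from default_in into the new chain. Order '20' places
#    the jump ahead of rules left at the default order of '50'.
nftables::rule { 'default_in-to_mgmt':
  order   => '20',
  content => 'tcp dport 22 jump mgmt_in',
}

# 4. Retire a broader rule that was declared earlier (hypothetical name):
#    ensure => 'absent' removes it instead of merely leaving it undeclared.
nftables::rule { 'default_in-old_ssh':
  ensure => 'absent',
}
```

Because the jump rule only forwards port 22 into `mgmt_in`, the chain's terminal `drop` affects SSH alone; the `limit rate` on the log rule keeps a scan from flooding the journal while still leaving evidence of rejected management attempts.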

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`
1674 e17693e3 Steve Traylen
1675
Data type: `Optional[Variant[String,Array[String,1]]]`
1676
1677 13f26dfc Nacho Barrientos
Same goal as content but sourcing the value from a file.
1678 e17693e3 Steve Traylen
1679 c24d3118 Tim Meusel
Default value: `undef`
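
An added example, not taken from the module's generated reference or its source: raw rules in the `default_in` chain that use `order` to place a drop-and-log rule ahead of rules sitting at the default `'50'`, a counted accept limited to a management network, and `ensure => 'absent'` to retire a rule an earlier manifest created. The rule names and the address ranges (`203.0.113.0/24`, `192.0.2.0/24`) are constructed for the example.

```puppet
# Added example (not from the module docs). Rule names follow the
# Nftables::RuleName form '<chain>-<name>[-<n>]', so all three land in
# 'default_in'. Address ranges are constructed documentation prefixes.

# Log and drop a noisy source range before any accept rule at the default
# order '50' gets to see the packet; the log prefix makes the drops easy to
# pick out of the kernel log.
nftables::rule { 'default_in-noisy_range':
  order   => '20',
  content => 'ip saddr 203.0.113.0/24 log prefix "nft-drop: " drop',
}

# Accept SSH only from the management network and count matches, so the
# hit count can be read back from the live ruleset when reviewing exposure.
nftables::rule { 'default_in-mgmt_ssh':
  content => 'ip saddr 192.0.2.0/24 tcp dport 22 counter accept',
}

# Retire a rule that an earlier manifest created. content is Optional, so
# nothing but the name and ensure is needed to remove it.
nftables::rule { 'default_in-legacy_telnet':
  ensure => 'absent',
}
```

The numeric `order` is a two-digit string, so `'20'` sorts before the default `'50'` within the same chain; put deny rules that must win over later accepts at a lower number rather than relying on declaration order in the manifest.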

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`
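
An added usage example, not from the module's reference or source: forwarding inbound TCP 8080 arriving on the uplink interface to a web server on an internal host. The parameter descriptions above are empty, so the roles given in the comments (`daddr` and `port` as the forwarding target, `dport` as the port matched on the incoming packet, `iif` as the interface the match is restricted to, `chain` as the forward chain the redirected flow passes through) are assumed from the parameter names and defaults; the interface name and addresses are constructed.

```puppet
# Added example (not from the module docs). Parameter roles are assumed from
# the names and defaults; the interface name and addresses are constructed.
nftables::rules::dnat4 { 'web_to_app01':
  iif   => 'eth0',          # only rewrite packets arriving on the uplink;
                            # leaving iif unset would match every interface
  proto => 'tcp',
  dport => 8080,            # port matched on the incoming packet
  daddr => '10.10.0.21',    # internal target, dotted quad as the Pattern requires
  port  => 80,              # target port on the internal host
  chain => 'default_fwd',   # forward chain the redirected flow is evaluated in
  order => '40',            # sorts ahead of rules left at the default '50'
}
```

Pinning `iif` to the interface that actually faces the untrusted network keeps the port forward from also applying to packets that reach the gateway on internal interfaces.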
1766
1767 c24d3118 Tim Meusel
### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`
1768 e17693e3 Steve Traylen
1769
masquerade all outgoing traffic
1770
1771
#### Parameters
1772
1773 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::masquerade` defined type:
1774 e17693e3 Steve Traylen
1775 c24d3118 Tim Meusel
* [`rulename`](#-nftables--rules--masquerade--rulename)
1776
* [`order`](#-nftables--rules--masquerade--order)
1777
* [`chain`](#-nftables--rules--masquerade--chain)
1778
* [`oif`](#-nftables--rules--masquerade--oif)
1779
* [`saddr`](#-nftables--rules--masquerade--saddr)
1780
* [`daddr`](#-nftables--rules--masquerade--daddr)
1781
* [`proto`](#-nftables--rules--masquerade--proto)
1782
* [`dport`](#-nftables--rules--masquerade--dport)
1783
* [`ensure`](#-nftables--rules--masquerade--ensure)
1784 09cba182 Steve Traylen
1785 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`
1786 e17693e3 Steve Traylen
1787
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1788
1789
1790
1791
Default value: `$title`
1792
1793 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--order"></a>`order`
1794 e17693e3 Steve Traylen
1795
Data type: `Pattern[/^\d\d$/]`
1796
1797
1798
1799
Default value: `'70'`
1800
1801 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--chain"></a>`chain`
1802 e17693e3 Steve Traylen
1803
Data type: `String[1]`
1804
1805
1806
1807
Default value: `'POSTROUTING'`
1808
1809 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--oif"></a>`oif`
1810 e17693e3 Steve Traylen
1811
Data type: `Optional[String[1]]`
1812
1813
1814
1815 c24d3118 Tim Meusel
Default value: `undef`
1816 e17693e3 Steve Traylen
1817 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`
1818 e17693e3 Steve Traylen
1819
Data type: `Optional[String[1]]`
1820
1821
1822
1823 c24d3118 Tim Meusel
Default value: `undef`
1824 e17693e3 Steve Traylen
1825 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`
1826 e17693e3 Steve Traylen
1827
Data type: `Optional[String[1]]`
1828
1829
1830
1831 c24d3118 Tim Meusel
Default value: `undef`
1832 e17693e3 Steve Traylen
1833 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--proto"></a>`proto`
1834 e17693e3 Steve Traylen
1835
Data type: `Optional[Enum['tcp','udp']]`
1836
1837
1838
1839 c24d3118 Tim Meusel
Default value: `undef`
1840 e17693e3 Steve Traylen
1841 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--dport"></a>`dport`
1842 e17693e3 Steve Traylen
1843 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1844 e17693e3 Steve Traylen
1845
1846
1847 c24d3118 Tim Meusel
Default value: `undef`
1848 e17693e3 Steve Traylen
1849 c24d3118 Tim Meusel
##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`
1850 e17693e3 Steve Traylen
1851
Data type: `Enum['present','absent']`
1852
1853
1854
1855
Default value: `'present'`
1856
1857 c24d3118 Tim Meusel
### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`
1858 e17693e3 Steve Traylen
1859
manage a ipv4 snat rule
1860
1861
#### Parameters
1862
1863 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::snat4` defined type:
1864
1865 c24d3118 Tim Meusel
* [`snat`](#-nftables--rules--snat4--snat)
1866
* [`rulename`](#-nftables--rules--snat4--rulename)
1867
* [`order`](#-nftables--rules--snat4--order)
1868
* [`chain`](#-nftables--rules--snat4--chain)
1869
* [`oif`](#-nftables--rules--snat4--oif)
1870
* [`saddr`](#-nftables--rules--snat4--saddr)
1871
* [`proto`](#-nftables--rules--snat4--proto)
1872
* [`dport`](#-nftables--rules--snat4--dport)
1873
* [`ensure`](#-nftables--rules--snat4--ensure)
1874 e17693e3 Steve Traylen
1875 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--snat"></a>`snat`
1876 e17693e3 Steve Traylen
1877
Data type: `String[1]`
1878
1879
1880
1881 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`
1882 e17693e3 Steve Traylen
1883
Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
1884
1885
1886
1887
Default value: `$title`
1888
1889 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--order"></a>`order`
1890 e17693e3 Steve Traylen
1891
Data type: `Pattern[/^\d\d$/]`
1892
1893
1894
1895
Default value: `'70'`
1896
1897 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--chain"></a>`chain`
1898 e17693e3 Steve Traylen
1899
Data type: `String[1]`
1900
1901
1902
1903
Default value: `'POSTROUTING'`
1904
1905 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--oif"></a>`oif`
1906 e17693e3 Steve Traylen
1907
Data type: `Optional[String[1]]`
1908
1909
1910
1911 c24d3118 Tim Meusel
Default value: `undef`
1912 e17693e3 Steve Traylen
1913 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`
1914 e17693e3 Steve Traylen
1915
Data type: `Optional[String[1]]`
1916
1917
1918
1919 c24d3118 Tim Meusel
Default value: `undef`
1920 e17693e3 Steve Traylen
1921 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--proto"></a>`proto`
1922 e17693e3 Steve Traylen
1923
Data type: `Optional[Enum['tcp','udp']]`
1924
1925
1926
1927 c24d3118 Tim Meusel
Default value: `undef`
1928 e17693e3 Steve Traylen
1929 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--dport"></a>`dport`
1930 e17693e3 Steve Traylen
1931 bc1b0f1a Steve Traylen
Data type: `Optional[Variant[String,Stdlib::Port]]`
1932 e17693e3 Steve Traylen
1933
1934
1935 c24d3118 Tim Meusel
Default value: `undef`
1936 e17693e3 Steve Traylen
1937 c24d3118 Tim Meusel
##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`
1938 e17693e3 Steve Traylen
1939
Data type: `Enum['present','absent']`
1940
1941
1942
1943
Default value: `'present'`
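
An added example covering both `nftables::rules::masquerade` and `nftables::rules::snat4`; it is not from the module's reference or source. A gateway masquerades its LAN behind whatever address the uplink currently has, while one internal host that needs a stable public source (a mail relay, whose reverse DNS and SPF records are tied to a fixed address) is given an explicit SNAT. The parameter descriptions above are empty, so the roles in the comments (`oif` as the outgoing interface, `saddr` as the pre-NAT source to match, `snat` as the address to rewrite to) are assumed from the names; the interface name and addresses are constructed.

```puppet
# Added example (not from the module docs). Parameter roles are assumed from
# the names; interface name and addresses are constructed.

# General LAN egress: masquerade uses the uplink's current address, which
# suits a dynamically assigned WAN. Restricting saddr to the LAN prefix keeps
# traffic with any other (spoofed or misrouted) source from being NATed.
nftables::rules::masquerade { 'lan_out':
  oif   => 'wan0',
  saddr => '10.10.0.0/16',
}

# The mail relay must always leave with the same public address. Both rules
# live in POSTROUTING and default to order '70', so this one is placed at
# '60' to be evaluated before the broader masquerade rule catches the flow.
nftables::rules::snat4 { 'relay_out':
  oif   => 'wan0',
  saddr => '10.10.5.25',
  snat  => '198.51.100.7',
  order => '60',
}
```

The ordering point is the one to check after applying: if the specific SNAT sorts after the masquerade rule, the relay's packets are already rewritten by the time the SNAT rule runs and never match it.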
1944
1945 c24d3118 Tim Meusel
### <a name="nftables--set"></a>`nftables::set`
1946 7f6cacc5 Steve Traylen
1947
manage a named set
1948
1949 13f4e4c6 Steve Traylen
#### Examples
1950
1951
##### simple set
1952
1953
```puppet
1954
nftables::set{'my_set':
1955
  type       => 'ipv4_addr',
1956
  flags      => ['interval'],
1957
  elements   => ['192.168.0.1/24', '10.0.0.2'],
1958
  auto_merge => true,
1959
}
1960
```
1961
1962 7f6cacc5 Steve Traylen
#### Parameters
1963
1964 09cba182 Steve Traylen
The following parameters are available in the `nftables::set` defined type:
1965
1966 c24d3118 Tim Meusel
* [`ensure`](#-nftables--set--ensure)
1967
* [`setname`](#-nftables--set--setname)
1968
* [`order`](#-nftables--set--order)
1969
* [`type`](#-nftables--set--type)
1970
* [`table`](#-nftables--set--table)
1971
* [`flags`](#-nftables--set--flags)
1972
* [`timeout`](#-nftables--set--timeout)
1973
* [`gc_interval`](#-nftables--set--gc_interval)
1974
* [`elements`](#-nftables--set--elements)
1975
* [`size`](#-nftables--set--size)
1976
* [`policy`](#-nftables--set--policy)
1977
* [`auto_merge`](#-nftables--set--auto_merge)
1978
* [`content`](#-nftables--set--content)
1979
* [`source`](#-nftables--set--source)
1980
1981
##### <a name="-nftables--set--ensure"></a>`ensure`
1982 7f6cacc5 Steve Traylen
1983
Data type: `Enum['present','absent']`
1984
1985 13f4e4c6 Steve Traylen
should the set be created.
1986 7f6cacc5 Steve Traylen
1987
Default value: `'present'`
1988
1989 c24d3118 Tim Meusel
##### <a name="-nftables--set--setname"></a>`setname`
1990 7f6cacc5 Steve Traylen
1991
Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
1992
1993 13f4e4c6 Steve Traylen
name of set, equal to to title.
1994 7f6cacc5 Steve Traylen
1995
Default value: `$title`
1996
1997 c24d3118 Tim Meusel
##### <a name="-nftables--set--order"></a>`order`
1998 7f6cacc5 Steve Traylen
1999
Data type: `Pattern[/^\d\d$/]`
2000
2001 13f4e4c6 Steve Traylen
concat ordering.
2002 7f6cacc5 Steve Traylen
2003
Default value: `'10'`
2004
2005 c24d3118 Tim Meusel
##### <a name="-nftables--set--type"></a>`type`
2006 7f6cacc5 Steve Traylen
2007
Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`
2008
2009 13f4e4c6 Steve Traylen
type of set.
2010 7f6cacc5 Steve Traylen
2011 c24d3118 Tim Meusel
Default value: `undef`
2012 7f6cacc5 Steve Traylen
2013 c24d3118 Tim Meusel
##### <a name="-nftables--set--table"></a>`table`
2014 7f6cacc5 Steve Traylen
2015 c94658e1 Nacho Barrientos
Data type: `Variant[String, Array[String, 1]]`
2016 7f6cacc5 Steve Traylen
2017 c94658e1 Nacho Barrientos
table or array of tables to add the set to.
2018 7f6cacc5 Steve Traylen
2019
Default value: `'inet-filter'`
2020
2021 c24d3118 Tim Meusel
##### <a name="-nftables--set--flags"></a>`flags`
2022 7f6cacc5 Steve Traylen
2023
Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`
2024
2025 13f4e4c6 Steve Traylen
specify flags for set
2026 7f6cacc5 Steve Traylen
2027
Default value: `[]`
2028
2029 c24d3118 Tim Meusel
##### <a name="-nftables--set--timeout"></a>`timeout`
2030 7f6cacc5 Steve Traylen
2031
Data type: `Optional[Integer]`
2032
2033 13f4e4c6 Steve Traylen
timeout in seconds
2034 7f6cacc5 Steve Traylen
2035 c24d3118 Tim Meusel
Default value: `undef`
2036 7f6cacc5 Steve Traylen
2037 c24d3118 Tim Meusel
##### <a name="-nftables--set--gc_interval"></a>`gc_interval`
2038 7f6cacc5 Steve Traylen
2039
Data type: `Optional[Integer]`
2040
2041 13f4e4c6 Steve Traylen
garbage collection interval.
2042 7f6cacc5 Steve Traylen
2043 c24d3118 Tim Meusel
Default value: `undef`
2044 7f6cacc5 Steve Traylen
2045 c24d3118 Tim Meusel
##### <a name="-nftables--set--elements"></a>`elements`
2046 7f6cacc5 Steve Traylen
2047
Data type: `Optional[Array[String]]`
2048
2049 13f4e4c6 Steve Traylen
initialize the set with some elements in it.
2050 7f6cacc5 Steve Traylen
2051 c24d3118 Tim Meusel
Default value: `undef`
2052 7f6cacc5 Steve Traylen
2053 c24d3118 Tim Meusel
##### <a name="-nftables--set--size"></a>`size`
2054 7f6cacc5 Steve Traylen
2055
Data type: `Optional[Integer]`
2056
2057 13f4e4c6 Steve Traylen
limits the maximum number of elements of the set.
2058 7f6cacc5 Steve Traylen
2059 c24d3118 Tim Meusel
Default value: `undef`
2060 7f6cacc5 Steve Traylen
2061 c24d3118 Tim Meusel
##### <a name="-nftables--set--policy"></a>`policy`
2062 7f6cacc5 Steve Traylen
2063
Data type: `Optional[Enum['performance', 'memory']]`
2064
2065 13f4e4c6 Steve Traylen
determines set selection policy.
2066 7f6cacc5 Steve Traylen
2067 c24d3118 Tim Meusel
Default value: `undef`
2068 7f6cacc5 Steve Traylen
2069 c24d3118 Tim Meusel
##### <a name="-nftables--set--auto_merge"></a>`auto_merge`
2070 7f6cacc5 Steve Traylen
2071
Data type: `Boolean`
2072
2073 13f4e4c6 Steve Traylen
?
2074 7f6cacc5 Steve Traylen
2075 c24d3118 Tim Meusel
Default value: `false`
2076 7f6cacc5 Steve Traylen
2077 c24d3118 Tim Meusel
##### <a name="-nftables--set--content"></a>`content`
2078 7f6cacc5 Steve Traylen
2079
Data type: `Optional[String]`
2080
2081 13f4e4c6 Steve Traylen
specify content of set.
2082 7f6cacc5 Steve Traylen
2083 c24d3118 Tim Meusel
Default value: `undef`
2084 7f6cacc5 Steve Traylen
2085 c24d3118 Tim Meusel
##### <a name="-nftables--set--source"></a>`source`
2086 7f6cacc5 Steve Traylen
2087
Data type: `Optional[Variant[String,Array[String,1]]]`
2088
2089 13f4e4c6 Steve Traylen
specify source of set.
2090 7f6cacc5 Steve Traylen
2091 c24d3118 Tim Meusel
Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.

Default value: `'ip6'`

##### <a name="-nftables--simplerule--sport"></a>`sport`

Data type: `Optional[Nftables::Port]`

The source port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--saddr"></a>`saddr`

Data type: `Optional[Nftables::Addr]`

The source address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--counter"></a>`counter`

Data type: `Boolean`

Enable traffic counters for the matched traffic.

Default value: `false`
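
An added example serving both the `nftables::set` and `nftables::simplerule` sections; it is not from the module's reference or source. It declares an IPv4 interval set of management networks and a dynamic, timed set for temporary blocks, then references both from `nftables::simplerule` using the `@name` form the `Nftables::Addr::Set` type accepts, with `set_type => 'ip'` because the default `'ip6'` would not match `ipv4_addr` sets. One rule also uses the `Nftables::Port::Range` form. Set names, rule names, addresses and ports are constructed.

```puppet
# Added example (not from the module docs). Names, addresses and ports are
# constructed.

# Interval set of management prefixes. auto_merge lets nftables merge
# adjacent or overlapping prefixes instead of rejecting the ruleset load.
nftables::set { 'mgmt_nets':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/24', '198.51.100.8/29'],
  auto_merge => true,
}

# Dynamic set for short-lived blocks: entries added at runtime carry a
# timeout (seconds) and expire on their own; size bounds kernel memory.
nftables::set { 'temp_blocks':
  type    => 'ipv4_addr',
  flags   => ['dynamic', 'timeout'],
  timeout => 3600,
  size    => 65536,
}

# Drop anything from the block set early (order '10' sorts before the
# default '50'). saddr takes the '@name' form; set_type must be 'ip'
# because both sets are ipv4_addr and the parameter defaults to 'ip6'.
nftables::simplerule { 'drop_temp_blocks':
  action   => 'drop',
  saddr    => '@temp_blocks',
  set_type => 'ip',
  counter  => true,
  order    => '10',
  comment  => 'temporary blocks, entries expire after one hour',
}

# SSH only from the management prefixes held in the interval set.
nftables::simplerule { 'mgmt_ssh':
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets',
  set_type => 'ip',
  comment  => 'ssh from management networks only',
}

# A contiguous port range uses the Nftables::Port::Range string form.
nftables::simplerule { 'mgmt_app_ports':
  proto    => 'tcp',
  dport    => '8000-8100',
  saddr    => '@mgmt_nets',
  set_type => 'ip',
}
```

Keeping the allowed sources in a set rather than in each rule means a change to the management prefixes is one edit to `elements`, and the counter on the drop rule gives a cheap way to confirm the temporary-block set is actually being hit.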

## Data types

### <a name="Nftables--Addr"></a>`Nftables::Addr`

Represents an address expression to be used within a rule.

Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`

### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`

Represents a set expression to be used within a rule.

Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`

### <a name="Nftables--Port"></a>`Nftables::Port`

Represents a port expression to be used within a rule.

Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`

### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`

Represents a port range expression to be used within a rule.

Alias of `Pattern[/^\d+-\d+$/]`

### <a name="Nftables--RuleName"></a>`Nftables::RuleName`

Represents a rule name to be used in a raw rule created via nftables::rule.
It is a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the optional third a number.
Examples: 'default_in-sshd', 'default_out-my_service-2'.

Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`

### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`

Represents a simple rule name to be used in a rule created via nftables::simplerule.

Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`