root / REFERENCE.md @ master

# Reference

<!-- DO NOT EDIT: This document was generated by Puppet Strings -->

## Table of Contents

### Classes

* [`nftables`](#nftables): Configure nftables
* [`nftables::bridges`](#nftables--bridges): allow forwarding traffic on bridges
* [`nftables::inet_filter`](#nftables--inet_filter): manage basic chains in table inet filter
* [`nftables::inet_filter::fwd_conntrack`](#nftables--inet_filter--fwd_conntrack): enable conntrack for fwd
* [`nftables::inet_filter::in_out_conntrack`](#nftables--inet_filter--in_out_conntrack): manage input & output conntrack
* [`nftables::ip_nat`](#nftables--ip_nat): manage basic chains in table ip nat
* [`nftables::rules::activemq`](#nftables--rules--activemq): Provides input rules for Apache ActiveMQ
* [`nftables::rules::afs3_callback`](#nftables--rules--afs3_callback): Open call back port for AFS clients
* [`nftables::rules::ceph`](#nftables--rules--ceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
* [`nftables::rules::ceph_mon`](#nftables--rules--ceph_mon): Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.
* [`nftables::rules::dhcpv6_client`](#nftables--rules--dhcpv6_client): allow DHCPv6 requests in to a host
* [`nftables::rules::dns`](#nftables--rules--dns): manage in dns
* [`nftables::rules::docker_ce`](#nftables--rules--docker_ce): Default firewall configuration for Docker-CE
* [`nftables::rules::ftp`](#nftables--rules--ftp): manage in ftp (with conntrack helper)
* [`nftables::rules::http`](#nftables--rules--http): manage in http
* [`nftables::rules::https`](#nftables--rules--https): manage in https
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution
* [`nftables::rules::mdns`](#nftables--rules--mdns): allow incoming multicast DNS
* [`nftables::rules::multicast`](#nftables--rules--multicast): allow incoming multicast traffic
* [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
* [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
* [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
* [`nftables::rules::nomad`](#nftables--rules--nomad): manage port openings for a nomad cluster
* [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
* [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
* [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active directory
* [`nftables::rules::out::all`](#nftables--rules--out--all): allow all outbound
* [`nftables::rules::out::ceph_client`](#nftables--rules--out--ceph_client): Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).
* [`nftables::rules::out::chrony`](#nftables--rules--out--chrony): manage out chrony
* [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
* [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
* [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packets
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
* [`nftables::rules::out::kerberos`](#nftables--rules--out--kerberos): allows outbound access for kerberos
* [`nftables::rules::out::ldap`](#nftables--rules--out--ldap): manage outgoing ldap
* [`nftables::rules::out::mdns`](#nftables--rules--out--mdns): allow outgoing multicast DNS
* [`nftables::rules::out::mldv2`](#nftables--rules--out--mldv2): allow multicast listener requests
* [`nftables::rules::out::mysql`](#nftables--rules--out--mysql): manage out mysql
* [`nftables::rules::out::nfs`](#nftables--rules--out--nfs): manage out nfs
* [`nftables::rules::out::nfs3`](#nftables--rules--out--nfs3): manage out nfs3
* [`nftables::rules::out::openafs_client`](#nftables--rules--out--openafs_client): allows outbound access for afs clients
7000 - afs3-fileserver
7002 - afs3-ptserver
7003 - vlserver
* [`nftables::rules::out::ospf`](#nftables--rules--out--ospf): manage out ospf
* [`nftables::rules::out::ospf3`](#nftables--rules--out--ospf3): manage out ospf3
* [`nftables::rules::out::pop3`](#nftables--rules--out--pop3): allow outgoing pop3
* [`nftables::rules::out::postgres`](#nftables--rules--out--postgres): manage out postgres
* [`nftables::rules::out::puppet`](#nftables--rules--out--puppet): manage outgoing puppet
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
* [`nftables::rules::rsync`](#nftables--rules--rsync): allow rsync connections
* [`nftables::rules::samba`](#nftables--rules--samba): manage Samba, the suite to allow Windows file sharing on Linux resources.
* [`nftables::rules::smtp`](#nftables--rules--smtp): manage in smtp
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client

### Defined types

* [`nftables::chain`](#nftables--chain): manage a chain
* [`nftables::config`](#nftables--config): manage a config snippet
* [`nftables::file`](#nftables--file): Insert a file into the nftables configuration
* [`nftables::helper`](#nftables--helper): manage a conntrack helper
* [`nftables::rule`](#nftables--rule): Provides an interface to create a firewall rule
* [`nftables::rules::dnat4`](#nftables--rules--dnat4): manage an IPv4 dnat rule
* [`nftables::rules::masquerade`](#nftables--rules--masquerade): masquerade all outgoing traffic
* [`nftables::rules::snat4`](#nftables--rules--snat4): manage an IPv4 snat rule
* [`nftables::set`](#nftables--set): manage a named set
* [`nftables::simplerule`](#nftables--simplerule): Provides a simplified interface to nftables::rule

### Data types

* [`Nftables::Addr`](#Nftables--Addr): Represents an address expression to be used within a rule.
* [`Nftables::Addr::Set`](#Nftables--Addr--Set): Represents a set expression to be used within a rule.
* [`Nftables::Port`](#Nftables--Port): Represents a port expression to be used within a rule.
* [`Nftables::Port::Range`](#Nftables--Port--Range): Represents a port range expression to be used within a rule.
* [`Nftables::RuleName`](#Nftables--RuleName): Represents a rule name to be used in a raw rule created via nftables::rule.
It's a dash-separated string. The first component names the chain to
add the rule to, the second the rule name and the (optional) third a number.
Ex: 'default_in-sshd', 'default_out-my_service-2'.
* [`Nftables::SimpleRuleName`](#Nftables--SimpleRuleName): Represents a simple rule name to be used in a rule created via nftables::simplerule

## Classes

### <a name="nftables"></a>`nftables`

Configure nftables

#### Examples

##### allow dns out and do not allow ntp out

```puppet
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
```

##### do not flush particular tables, fail2ban in this case

```puppet
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
```

#### Parameters

The following parameters are available in the `nftables` class:

* [`out_all`](#-nftables--out_all)
* [`out_ntp`](#-nftables--out_ntp)
* [`out_http`](#-nftables--out_http)
* [`out_dns`](#-nftables--out_dns)
* [`out_https`](#-nftables--out_https)
* [`out_icmp`](#-nftables--out_icmp)
* [`in_ssh`](#-nftables--in_ssh)
* [`in_icmp`](#-nftables--in_icmp)
* [`inet_filter`](#-nftables--inet_filter)
* [`nat`](#-nftables--nat)
* [`nat_table_name`](#-nftables--nat_table_name)
* [`purge_unmanaged_rules`](#-nftables--purge_unmanaged_rules)
* [`inmem_rules_hash_file`](#-nftables--inmem_rules_hash_file)
* [`sets`](#-nftables--sets)
* [`log_prefix`](#-nftables--log_prefix)
* [`log_discarded`](#-nftables--log_discarded)
* [`log_limit`](#-nftables--log_limit)
* [`log_group`](#-nftables--log_group)
* [`reject_with`](#-nftables--reject_with)
* [`in_out_conntrack`](#-nftables--in_out_conntrack)
* [`in_out_drop_invalid`](#-nftables--in_out_drop_invalid)
* [`fwd_conntrack`](#-nftables--fwd_conntrack)
* [`fwd_drop_invalid`](#-nftables--fwd_drop_invalid)
* [`firewalld_enable`](#-nftables--firewalld_enable)
* [`noflush_tables`](#-nftables--noflush_tables)
* [`rules`](#-nftables--rules)
* [`configuration_path`](#-nftables--configuration_path)
* [`nft_path`](#-nftables--nft_path)
* [`echo`](#-nftables--echo)
* [`default_config_mode`](#-nftables--default_config_mode)
* [`clobber_default_config`](#-nftables--clobber_default_config)

##### <a name="-nftables--out_all"></a>`out_all`

Data type: `Boolean`

Allow all outbound connections. If `true`, all other
out parameters (`out_ntp`, `out_dns`, ...) are treated as
`false`: their individual rules are not created, since everything
outbound is already allowed.

Default value: `false`

##### <a name="-nftables--out_ntp"></a>`out_ntp`

Data type: `Boolean`

Allow outbound connections to ntp servers.

Default value: `true`

##### <a name="-nftables--out_http"></a>`out_http`

Data type: `Boolean`

Allow outbound connections to http servers.

Default value: `true`

##### <a name="-nftables--out_dns"></a>`out_dns`

Data type: `Boolean`

Allow outbound connections to dns servers.

Default value: `true`

##### <a name="-nftables--out_https"></a>`out_https`

Data type: `Boolean`

Allow outbound connections to https servers.

Default value: `true`

##### <a name="-nftables--out_icmp"></a>`out_icmp`

Data type: `Boolean`

Allow outbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--in_ssh"></a>`in_ssh`

Data type: `Boolean`

Allow inbound connections to the local ssh server.

Default value: `true`

##### <a name="-nftables--in_icmp"></a>`in_icmp`

Data type: `Boolean`

Allow inbound ICMPv4/v6 traffic.

Default value: `true`

##### <a name="-nftables--inet_filter"></a>`inet_filter`

Data type: `Boolean`

Add default tables, chains and rules to process traffic.

Default value: `true`

##### <a name="-nftables--nat"></a>`nat`

Data type: `Boolean`

Add default tables and chains to process NAT traffic.

Default value: `true`

##### <a name="-nftables--nat_table_name"></a>`nat_table_name`

Data type: `String[1]`

The name of the 'nat' table.

Default value: `'nat'`

##### <a name="-nftables--purge_unmanaged_rules"></a>`purge_unmanaged_rules`

Data type: `Boolean`

Prohibits in-memory rules that are not declared in Puppet
code. Setting this to true activates a check that reloads nftables
if the rules in memory have been modified without Puppet.

Default value: `false`

##### <a name="-nftables--inmem_rules_hash_file"></a>`inmem_rules_hash_file`

Data type: `Stdlib::Unixpath`

The name of the file where the hash of the in-memory rules
will be stored.

Default value: `'/var/tmp/puppet-nft-memhash'`

##### <a name="-nftables--sets"></a>`sets`

Data type: `Hash`

Allows sourcing set definitions directly from Hiera.

Default value: `{}`

##### <a name="-nftables--log_prefix"></a>`log_prefix`

Data type: `String`

String that will be used as prefix when logging packets. It can contain
two variables using standard sprintf() string-formatting:
 * chain: Will be replaced by the name of the chain.
 * comment: Allows chains to add extra comments.

Default value: `'[nftables] %<chain>s %<comment>s'`

##### <a name="-nftables--log_discarded"></a>`log_discarded`

Data type: `Boolean`

Whether to log discarded packets.

Default value: `true`

##### <a name="-nftables--log_limit"></a>`log_limit`

Data type: `Variant[Boolean[false], String]`

String with the content of a limit statement to be applied
to the rules that log discarded traffic. Set to false to
disable rate limiting.

Default value: `'3/minute burst 5 packets'`

##### <a name="-nftables--log_group"></a>`log_group`

Data type: `Optional[Integer[0]]`

When specified, the Linux kernel will pass the packet to nfnetlink_log,
which will send the log through a netlink socket to the specified group.

Default value: `undef`

##### <a name="-nftables--reject_with"></a>`reject_with`

Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]`

How to discard packets not matching any rule. If `false`, the
fate of the packet will be defined by the chain policy (normally
drop); otherwise the packet will be rejected with the `reject with`
expression given by the value of this parameter.

Default value: `'icmpx type port-unreachable'`

##### <a name="-nftables--in_out_conntrack"></a>`in_out_conntrack`

Data type: `Boolean`

Adds INPUT and OUTPUT rules to allow traffic that's part of an
established connection and, unless `in_out_drop_invalid` is set
to `false`, also to drop invalid packets.

Default value: `true`

##### <a name="-nftables--in_out_drop_invalid"></a>`in_out_drop_invalid`

Data type: `Boolean`

Drops invalid packets in INPUT and OUTPUT.

Default value: `$in_out_conntrack`

##### <a name="-nftables--fwd_conntrack"></a>`fwd_conntrack`

Data type: `Boolean`

Adds FORWARD rules to allow traffic that's part of an
established connection and, unless `fwd_drop_invalid` is set
to `false`, also to drop invalid packets.

Default value: `false`

##### <a name="-nftables--fwd_drop_invalid"></a>`fwd_drop_invalid`

Data type: `Boolean`

Drops invalid packets in FORWARD.

Default value: `$fwd_conntrack`

##### <a name="-nftables--firewalld_enable"></a>`firewalld_enable`

Data type: `Variant[Boolean[false], Enum['mask']]`

Configures how the firewalld systemd service unit is enabled. It might be
useful to set this to false if you're externally removing firewalld from
the system completely.

Default value: `'mask'`

##### <a name="-nftables--noflush_tables"></a>`noflush_tables`

Data type: `Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]`

If specified, only the existing tables not listed here will be flushed.
If left unset, all tables will be flushed via a `flush ruleset`.

Default value: `undef`

##### <a name="-nftables--rules"></a>`rules`

Data type: `Hash`

Specify hashes of `nftables::rule`s via hiera.

Default value: `{}`

##### <a name="-nftables--configuration_path"></a>`configuration_path`

Data type: `Stdlib::Unixpath`

The absolute path to the principal nftables configuration file. The default
varies depending on the system, and is set in the module's data.

##### <a name="-nftables--nft_path"></a>`nft_path`

Data type: `Stdlib::Unixpath`

Path to the nft binary.

##### <a name="-nftables--echo"></a>`echo`

Data type: `Stdlib::Unixpath`

Path to the echo binary.

##### <a name="-nftables--default_config_mode"></a>`default_config_mode`

Data type: `Stdlib::Filemode`

The default file & dir mode for configuration files and directories. The
default varies depending on the system, and is set in the module's data.

##### <a name="-nftables--clobber_default_config"></a>`clobber_default_config`

Data type: `Boolean`

Should the existing OS-provided rules in the `configuration_path` be removed? If
they are not removed, this module will add all of its configuration to the end of
the existing rules.

Default value: `false`

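The two short examples above each set a single parameter. The declaration below is an added example, not code from the module's own documentation, showing how the parameters of this class combine on a host that is reachable only over SSH, may only reach NTP, DNS and HTTPS servers, rejects everything else with a rate-limited and logged ICMP error, and carries two site-specific rules through the `rules` hash keyed by `Nftables::RuleName` (`<chain>-<name>[-<order>]`). The `content` key of each rule entry is assumed to be the `nftables::rule` parameter holding the rule body; it is not documented in this part of the reference. The addresses, ports, log prefix, nflog group and state-file path are made up for the example.

```puppet
# Added example (not from the module): a locked-down host configuration.
class { 'nftables':
  # out_all stays false, so only the out_* services enabled here are
  # allowed out; plain HTTP out is switched off on purpose.
  out_all               => false,
  out_ntp               => true,
  out_dns               => true,
  out_https             => true,
  out_http              => false,
  out_icmp              => true,
  in_ssh                => true,
  in_icmp               => true,
  # This host does no NAT, so do not create the nat table at all.
  nat                   => false,
  # Must match Pattern[/icmp(v6|x)? type .+|tcp reset/]; icmpx covers
  # both IPv4 and IPv6 in the inet filter table.
  reject_with           => 'icmpx type admin-prohibited',
  log_discarded         => true,
  log_prefix            => '[nft-edge] %<chain>s %<comment>s',
  log_limit             => '10/minute burst 20 packets',
  # Hand discarded packets to nfnetlink_log group 2 (assumed to be read
  # by an nflog collector on this host) instead of the kernel log.
  log_group             => 2,
  # Reload the ruleset if someone changed it by hand with nft(8), and
  # keep the state file under a root-owned directory rather than the
  # default location in the world-writable /var/tmp.
  purge_unmanaged_rules => true,
  inmem_rules_hash_file => '/var/lib/puppet-nft-memhash',
  # Leave the table fail2ban maintains alone when flushing.
  noflush_tables        => ['inet-f2b-table'],
  # Site rules; the key is an Nftables::RuleName. 'content' is assumed
  # to be the nftables::rule parameter carrying the raw rule body.
  rules                 => {
    'default_in-node_exporter'  => {
      'content' => 'ip saddr 10.20.0.0/24 tcp dport 9100 accept',
    },
    'default_out-syslog_tls-10' => {
      'content' => 'ip daddr 10.20.0.5 tcp dport 6514 accept',
    },
  },
}
```

With `purge_unmanaged_rules` enabled, the hash of the running ruleset is what decides whether nftables gets reloaded, so the hash file should not live somewhere other local users can pre-create or replace it; that is the only reason the example moves it out of `/var/tmp`.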
### <a name="nftables--bridges"></a>`nftables::bridges`

allow forwarding traffic on bridges

#### Parameters

The following parameters are available in the `nftables::bridges` class:

* [`ensure`](#-nftables--bridges--ensure)
* [`bridgenames`](#-nftables--bridges--bridgenames)

##### <a name="-nftables--bridges--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Whether the bridge forwarding rules should be present or absent.

Default value: `'present'`

##### <a name="-nftables--bridges--bridgenames"></a>`bridgenames`

Data type: `Regexp`

Regular expression matched against interface names to select the bridges
on which forwarding is allowed.

Default value: `/^br.+/`

### <a name="nftables--inet_filter"></a>`nftables::inet_filter`

manage basic chains in table inet filter

### <a name="nftables--inet_filter--fwd_conntrack"></a>`nftables::inet_filter::fwd_conntrack`

enable conntrack for fwd

### <a name="nftables--inet_filter--in_out_conntrack"></a>`nftables::inet_filter::in_out_conntrack`

manage input & output conntrack

### <a name="nftables--ip_nat"></a>`nftables::ip_nat`

manage basic chains in table ip nat

### <a name="nftables--rules--activemq"></a>`nftables::rules::activemq`

Provides input rules for Apache ActiveMQ

#### Parameters

The following parameters are available in the `nftables::rules::activemq` class:

* [`tcp`](#-nftables--rules--activemq--tcp)
* [`udp`](#-nftables--rules--activemq--udp)
* [`port`](#-nftables--rules--activemq--port)

##### <a name="-nftables--rules--activemq--tcp"></a>`tcp`

Data type: `Boolean`

Create the rule for TCP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--udp"></a>`udp`

Data type: `Boolean`

Create the rule for UDP traffic.

Default value: `true`

##### <a name="-nftables--rules--activemq--port"></a>`port`

Data type: `Stdlib::Port`

The port number for the ActiveMQ daemon.

Default value: `61616`

### <a name="nftables--rules--afs3_callback"></a>`nftables::rules::afs3_callback`

Open call back port for AFS clients

#### Examples

##### allow call backs from particular hosts

```puppet
class { 'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::afs3_callback` class:

* [`saddr`](#-nftables--rules--afs3_callback--saddr)

##### <a name="-nftables--rules--afs3_callback--saddr"></a>`saddr`

Data type: `Array[Stdlib::IP::Address::V4,1]`

list of source network ranges to a

Default value: `['0.0.0.0/0']`

### <a name="nftables--rules--ceph"></a>`nftables::rules::ceph`

Ceph is a distributed object store and file system.
Enable this to support Ceph's Object Storage Daemons (OSD),
Metadata Server Daemons (MDS), or Manager Daemons (MGR).

### <a name="nftables--rules--ceph_mon"></a>`nftables::rules::ceph_mon`

Ceph is a distributed object store and file system.
Enable this option to support Ceph's Monitor Daemon.

#### Parameters

The following parameters are available in the `nftables::rules::ceph_mon` class:

* [`ports`](#-nftables--rules--ceph_mon--ports)

##### <a name="-nftables--rules--ceph_mon--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

specify ports for ceph service

Default value: `[3300, 6789]`

### <a name="nftables--rules--dhcpv6_client"></a>`nftables::rules::dhcpv6_client`

allow DHCPv6 requests in to a host

### <a name="nftables--rules--dns"></a>`nftables::rules::dns`

manage in dns

#### Examples

##### Allow access to stub dns resolver from docker containers

```puppet
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::dns` class:

* [`ports`](#-nftables--rules--dns--ports)
* [`iifname`](#-nftables--rules--dns--iifname)

##### <a name="-nftables--rules--dns--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for dns.

Default value: `[53]`

##### <a name="-nftables--rules--dns--iifname"></a>`iifname`

Data type: `Optional[Array[String[1],1]]`

Specify input interface names.

Default value: `undef`

### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce`

The configuration distributed in this class represents the default firewall
configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict
with the inet-filter forward rules set by default in this module.

When using this class, `docker::iptables: false` should be set so that Docker
stops managing iptables rules itself.

#### Parameters

The following parameters are available in the `nftables::rules::docker_ce` class:

* [`docker_interface`](#-nftables--rules--docker_ce--docker_interface)
* [`docker_prefix`](#-nftables--rules--docker_ce--docker_prefix)
* [`manage_docker_chains`](#-nftables--rules--docker_ce--manage_docker_chains)
* [`manage_base_chains`](#-nftables--rules--docker_ce--manage_base_chains)

##### <a name="-nftables--rules--docker_ce--docker_interface"></a>`docker_interface`

Data type: `String[1]`

Interface name used by docker.

Default value: `'docker0'`

##### <a name="-nftables--rules--docker_ce--docker_prefix"></a>`docker_prefix`

Data type: `Stdlib::IP::Address::V4::CIDR`

The address space used by docker.

Default value: `'172.17.0.0/16'`

##### <a name="-nftables--rules--docker_ce--manage_docker_chains"></a>`manage_docker_chains`

Data type: `Boolean`

Flag to control whether the class should create the docker related chains.

Default value: `true`

##### <a name="-nftables--rules--docker_ce--manage_base_chains"></a>`manage_base_chains`

Data type: `Boolean`

Flag to control whether the class should create the base common chains.

Default value: `true`

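The `docker::iptables: false` requirement above is easy to get wrong in one direction: if Docker keeps programming iptables while this class also installs the equivalent chains, both rule sets compete on the forward path. The manifest below is an added example, not code from this module or from a Docker module, of the intended pairing on a host whose Docker bridge uses a non-default subnet. It assumes a `docker` class exposing an `iptables` parameter (as puppetlabs-docker does) and that the `nftables::rules::docker_ce` chains need the `ip nat` table this module creates when `nat` is left at its default; the bridge subnet is made up and has to match what dockerd is actually configured with (the `bip` key in daemon.json).

```puppet
# Added example (not from the module): hand the Docker firewall rules
# to this module instead of dockerd.

# Assumed to be puppetlabs-docker or another module with an 'iptables'
# parameter; iptables => false stops dockerd from programming rules
# itself, which would otherwise fight the chains created below.
class { 'docker':
  iptables => false,
}

# Keep the default inet filter and the nat table: docker_ce reproduces
# Docker's own filter and masquerade rules inside them (assumed from the
# class description; this part of the reference does not list the
# chains it creates).
class { 'nftables':
  inet_filter => true,
  nat         => true,
}

# Match the bridge and subnet dockerd is really using. With the defaults
# (docker0, 172.17.0.0/16) none of this is needed, but a custom 'bip'
# in daemon.json must be mirrored here or container egress is blocked.
class { 'nftables::rules::docker_ce':
  docker_interface     => 'docker0',
  docker_prefix        => '10.200.0.0/16',   # made-up subnet
  manage_docker_chains => true,
  manage_base_chains   => true,
}
```

Set `manage_base_chains` to `false` only when another class on the node already provides the common base chains; otherwise the Docker-specific chains have nothing to hook into.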
676 baad986e Vadym Chepkov
### <a name="nftables--rules--ftp"></a>`nftables::rules::ftp`

manage in ftp (with conntrack helper)

#### Parameters

The following parameters are available in the `nftables::rules::ftp` class:

* [`enable_passive`](#-nftables--rules--ftp--enable_passive)
* [`passive_ports`](#-nftables--rules--ftp--passive_ports)

##### <a name="-nftables--rules--ftp--enable_passive"></a>`enable_passive`

Data type: `Boolean`

Enable FTP passive mode support

Default value: `true`

##### <a name="-nftables--rules--ftp--passive_ports"></a>`passive_ports`

Data type: `Nftables::Port::Range`

Set the FTP passive mode port range

Default value: `'10090-10100'`

### <a name="nftables--rules--http"></a>`nftables::rules::http`

manage in http

### <a name="nftables--rules--https"></a>`nftables::rules::https`

manage in https

### <a name="nftables--rules--icinga2"></a>`nftables::rules::icinga2`

manage in icinga2

#### Parameters

The following parameters are available in the `nftables::rules::icinga2` class:

* [`ports`](#-nftables--rules--icinga2--ports)

##### <a name="-nftables--rules--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports for icinga2

Default value: `[5665]`

### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp`

allows incoming ICMP

#### Parameters

The following parameters are available in the `nftables::rules::icmp` class:

* [`v4_types`](#-nftables--rules--icmp--v4_types)
* [`v6_types`](#-nftables--rules--icmp--v6_types)
* [`order`](#-nftables--rules--icmp--order)

##### <a name="-nftables--rules--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--igmp"></a>`nftables::rules::igmp`

allow incoming IGMP messages

### <a name="nftables--rules--ldap"></a>`nftables::rules::ldap`

manage in ldap

#### Parameters

The following parameters are available in the `nftables::rules::ldap` class:

* [`ports`](#-nftables--rules--ldap--ports)

##### <a name="-nftables--rules--ldap--ports"></a>`ports`

Data type: `Array[Integer,1]`

ldap server ports

Default value: `[389, 636]`

### <a name="nftables--rules--llmnr"></a>`nftables::rules::llmnr`

allow incoming Link-Local Multicast Name Resolution

* **See also**
  * https://datatracker.ietf.org/doc/html/rfc4795

#### Parameters

The following parameters are available in the `nftables::rules::llmnr` class:

* [`ipv4`](#-nftables--rules--llmnr--ipv4)
* [`ipv6`](#-nftables--rules--llmnr--ipv6)
* [`iifname`](#-nftables--rules--llmnr--iifname)

##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow LLMNR over IPv4

Default value: `true`

##### <a name="-nftables--rules--llmnr--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow LLMNR over IPv6

Default value: `true`

##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`

allow incoming multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::mdns` class:

* [`ipv4`](#-nftables--rules--mdns--ipv4)
* [`ipv6`](#-nftables--rules--mdns--ipv6)
* [`iifname`](#-nftables--rules--mdns--iifname)

##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`

Data type: `Array[String[1]]`

name for incoming interfaces to filter

Default value: `[]`

### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`

allow incoming multicast traffic

### <a name="nftables--rules--nfs"></a>`nftables::rules::nfs`

manage in nfs4

### <a name="nftables--rules--nfs3"></a>`nftables::rules::nfs3`

manage in nfs3

### <a name="nftables--rules--node_exporter"></a>`nftables::rules::node_exporter`

manage in node exporter

#### Parameters

The following parameters are available in the `nftables::rules::node_exporter` class:

* [`prometheus_server`](#-nftables--rules--node_exporter--prometheus_server)
* [`port`](#-nftables--rules--node_exporter--port)

##### <a name="-nftables--rules--node_exporter--prometheus_server"></a>`prometheus_server`

Data type: `Optional[Variant[String,Array[String,1]]]`

Specify server name

Default value: `undef`

##### <a name="-nftables--rules--node_exporter--port"></a>`port`

Data type: `Stdlib::Port`

Specify port to open

Default value: `9100`

### <a name="nftables--rules--nomad"></a>`nftables::rules::nomad`

manage port openings for a nomad cluster

#### Examples

##### Simple two node nomad cluster

```puppet
class { 'nftables::rules::nomad':
  cluster_elements => [
    '10.0.0.1', '10.0.0.2',
    '::1', '::2',
  ],
}
```

#### Parameters

The following parameters are available in the `nftables::rules::nomad` class:

* [`cluster_elements`](#-nftables--rules--nomad--cluster_elements)
* [`http`](#-nftables--rules--nomad--http)
* [`rpc`](#-nftables--rules--nomad--rpc)
* [`serf`](#-nftables--rules--nomad--serf)

##### <a name="-nftables--rules--nomad--cluster_elements"></a>`cluster_elements`

Data type: `Array[Stdlib::IP::Address,1]`

IP addresses of nomad cluster nodes

Default value: `['127.0.0.1','::1']`

##### <a name="-nftables--rules--nomad--http"></a>`http`

Data type: `Stdlib::Port`

Specify http api port to open to the world.

Default value: `4646`

##### <a name="-nftables--rules--nomad--rpc"></a>`rpc`

Data type: `Stdlib::Port`

Specify rpc port to open within the nomad cluster

Default value: `4647`

##### <a name="-nftables--rules--nomad--serf"></a>`serf`

Data type: `Stdlib::Port`

Specify serf port to open within the nomad cluster

Default value: `4648`

### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`

manage in ospf

### <a name="nftables--rules--ospf3"></a>`nftables::rules::ospf3`

manage in ospf3

#### Parameters

The following parameters are available in the `nftables::rules::ospf3` class:

* [`iifname`](#-nftables--rules--ospf3--iifname)

##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`

Data type: `Array[String[1]]`

optional list of incoming interfaces to allow traffic

Default value: `[]`

### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`

manage outgoing active directory

#### Parameters

The following parameters are available in the `nftables::rules::out::active_directory` class:

* [`adserver`](#-nftables--rules--out--active_directory--adserver)
* [`adserver_ports`](#-nftables--rules--out--active_directory--adserver_ports)

##### <a name="-nftables--rules--out--active_directory--adserver"></a>`adserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

adserver IPs

##### <a name="-nftables--rules--out--active_directory--adserver_ports"></a>`adserver_ports`

Data type: `Array[Stdlib::Port,1]`

adserver ports

Default value: `[389, 636, 3268, 3269]`

### <a name="nftables--rules--out--all"></a>`nftables::rules::out::all`

allow all outbound

### <a name="nftables--rules--out--ceph_client"></a>`nftables::rules::out::ceph_client`

Ceph is a distributed object store and file system.
Enable this to be a client of Ceph's Monitor (MON),
Object Storage Daemons (OSD), Metadata Server Daemons (MDS),
and Manager Daemons (MGR).

#### Parameters

The following parameters are available in the `nftables::rules::out::ceph_client` class:

* [`ports`](#-nftables--rules--out--ceph_client--ports)

##### <a name="-nftables--rules--out--ceph_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

Specify ports to open

Default value: `[3300, 6789]`

### <a name="nftables--rules--out--chrony"></a>`nftables::rules::out::chrony`

manage out chrony

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#-nftables--rules--out--chrony--servers)

##### <a name="-nftables--rules--out--chrony--servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP address or array of IP addresses of NTP servers

Default value: `[]`

### <a name="nftables--rules--out--dhcp"></a>`nftables::rules::out::dhcp`

manage out dhcp

### <a name="nftables--rules--out--dhcpv6_client"></a>`nftables::rules::out::dhcpv6_client`

Allow DHCPv6 requests out of a host

### <a name="nftables--rules--out--dns"></a>`nftables::rules::out::dns`

manage out dns

#### Parameters

The following parameters are available in the `nftables::rules::out::dns` class:

* [`dns_server`](#-nftables--rules--out--dns--dns_server)

##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`

Data type: `Array[Stdlib::IP::Address]`

specify dns_server name

Default value: `[]`

### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`

allow outgoing hkp connections to gpg keyservers

### <a name="nftables--rules--out--http"></a>`nftables::rules::out::http`

manage out http

### <a name="nftables--rules--out--https"></a>`nftables::rules::out::https`

manage out https

### <a name="nftables--rules--out--icinga2"></a>`nftables::rules::out::icinga2`

allow outgoing icinga2

#### Parameters

The following parameters are available in the `nftables::rules::out::icinga2` class:

* [`ports`](#-nftables--rules--out--icinga2--ports)

##### <a name="-nftables--rules--out--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

icinga2 ports

Default value: `[5665]`

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packets

#### Parameters

The following parameters are available in the `nftables::rules::out::icmp` class:

* [`v4_types`](#-nftables--rules--out--icmp--v4_types)
* [`v6_types`](#-nftables--rules--out--icmp--v6_types)
* [`order`](#-nftables--rules--out--icmp--order)

##### <a name="-nftables--rules--out--icmp--v4_types"></a>`v4_types`

Data type: `Optional[Array[String]]`

ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`

ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`

the ordering of the rules

Default value: `'10'`

### <a name="nftables--rules--out--igmp"></a>`nftables::rules::out::igmp`

allow outgoing IGMP messages

### <a name="nftables--rules--out--imap"></a>`nftables::rules::out::imap`

allow outgoing imap

### <a name="nftables--rules--out--kerberos"></a>`nftables::rules::out::kerberos`

allows outbound access for kerberos

### <a name="nftables--rules--out--ldap"></a>`nftables::rules::out::ldap`

manage outgoing ldap

#### Parameters

The following parameters are available in the `nftables::rules::out::ldap` class:

* [`ldapserver`](#-nftables--rules--out--ldap--ldapserver)
* [`ldapserver_ports`](#-nftables--rules--out--ldap--ldapserver_ports)

##### <a name="-nftables--rules--out--ldap--ldapserver"></a>`ldapserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

ldapserver IPs

##### <a name="-nftables--rules--out--ldap--ldapserver_ports"></a>`ldapserver_ports`

Data type: `Array[Stdlib::Port,1]`

ldapserver ports

Default value: `[389, 636]`

### <a name="nftables--rules--out--mdns"></a>`nftables::rules::out::mdns`

allow outgoing multicast DNS

#### Parameters

The following parameters are available in the `nftables::rules::out::mdns` class:

* [`ipv4`](#-nftables--rules--out--mdns--ipv4)
* [`ipv6`](#-nftables--rules--out--mdns--ipv6)
* [`oifname`](#-nftables--rules--out--mdns--oifname)

##### <a name="-nftables--rules--out--mdns--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow mdns over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--mdns--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow mdns over IPv6

Default value: `true`

##### <a name="-nftables--rules--out--mdns--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional name for outgoing interfaces

Default value: `[]`

### <a name="nftables--rules--out--mldv2"></a>`nftables::rules::out::mldv2`

allow multicast listener requests

### <a name="nftables--rules--out--mysql"></a>`nftables::rules::out::mysql`

manage out mysql

### <a name="nftables--rules--out--nfs"></a>`nftables::rules::out::nfs`

manage out nfs

### <a name="nftables--rules--out--nfs3"></a>`nftables::rules::out::nfs3`

manage out nfs3

### <a name="nftables--rules--out--openafs_client"></a>`nftables::rules::out::openafs_client`

allows outbound access for afs clients

* 7000 - afs3-fileserver
* 7002 - afs3-ptserver
* 7003 - vlserver

* **See also**
  * https://wiki.openafs.org/devel/AFSServicePorts/
    * AFS Service Ports

#### Parameters

The following parameters are available in the `nftables::rules::out::openafs_client` class:

* [`ports`](#-nftables--rules--out--openafs_client--ports)

##### <a name="-nftables--rules--out--openafs_client--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

port numbers to use

Default value: `[7000, 7002, 7003]`

### <a name="nftables--rules--out--ospf"></a>`nftables::rules::out::ospf`

manage out ospf

### <a name="nftables--rules--out--ospf3"></a>`nftables::rules::out::ospf3`

manage out ospf3

#### Parameters

The following parameters are available in the `nftables::rules::out::ospf3` class:

* [`oifname`](#-nftables--rules--out--ospf3--oifname)

##### <a name="-nftables--rules--out--ospf3--oifname"></a>`oifname`

Data type: `Array[String[1]]`

optional list of outgoing interfaces to filter on

Default value: `[]`

### <a name="nftables--rules--out--pop3"></a>`nftables::rules::out::pop3`

allow outgoing pop3

### <a name="nftables--rules--out--postgres"></a>`nftables::rules::out::postgres`

manage out postgres

### <a name="nftables--rules--out--puppet"></a>`nftables::rules::out::puppet`

manage outgoing puppet

#### Parameters

The following parameters are available in the `nftables::rules::out::puppet` class:

* [`puppetserver`](#-nftables--rules--out--puppet--puppetserver)
* [`puppetserver_port`](#-nftables--rules--out--puppet--puppetserver_port)

##### <a name="-nftables--rules--out--puppet--puppetserver"></a>`puppetserver`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

puppetserver hostname

##### <a name="-nftables--rules--out--puppet--puppetserver_port"></a>`puppetserver_port`

Data type: `Stdlib::Port`

puppetserver port

Default value: `8140`

### <a name="nftables--rules--out--pxp_agent"></a>`nftables::rules::out::pxp_agent`

manage outgoing pxp-agent

* **See also**
  * take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver

#### Parameters

The following parameters are available in the `nftables::rules::out::pxp_agent` class:

* [`broker`](#-nftables--rules--out--pxp_agent--broker)
* [`broker_port`](#-nftables--rules--out--pxp_agent--broker_port)

##### <a name="-nftables--rules--out--pxp_agent--broker"></a>`broker`

Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]`

PXP broker IP(s)

##### <a name="-nftables--rules--out--pxp_agent--broker_port"></a>`broker_port`

Data type: `Stdlib::Port`

PXP broker port

Default value: `8142`

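Since the PXP agent connects to both the broker and a Puppet server, the two outbound classes are normally declared together so egress is limited to exactly those hosts. Added example, not from the module's own reference: the addresses are RFC 5737 documentation placeholders, and the broker co-located with the Puppet server is an assumption.

```puppet
# Added example, not part of the module's generated reference.
# Assumption: the PXP broker runs on the same hosts as the Puppet server,
# so one list of (placeholder, RFC 5737) addresses feeds both classes.
$puppet_infra = ['192.0.2.10', '192.0.2.11']

# Outbound to the Puppet server: only these IPs, only port 8140.
class { 'nftables::rules::out::puppet':
  puppetserver      => $puppet_infra,
  puppetserver_port => 8140,
}

# Outbound to the PXP broker: same hosts, port 8142 (the class default).
class { 'nftables::rules::out::pxp_agent':
  broker      => $puppet_infra,
  broker_port => 8142,
}
```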
### <a name="nftables--rules--out--smtp"></a>`nftables::rules::out::smtp`

allow outgoing smtp

### <a name="nftables--rules--out--smtp_client"></a>`nftables::rules::out::smtp_client`

allow outgoing smtp client

### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`

allow outgoing SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::out::ssdp` class:

* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)

##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`

manage out ssh

### <a name="nftables--rules--out--ssh--remove"></a>`nftables::rules::out::ssh::remove`

disable outgoing ssh

### <a name="nftables--rules--out--tor"></a>`nftables::rules::out::tor`

manage out tor

### <a name="nftables--rules--out--whois"></a>`nftables::rules::out::whois`

allow clients to query remote whois server

### <a name="nftables--rules--out--wireguard"></a>`nftables::rules::out::wireguard`

manage out wireguard

#### Parameters

The following parameters are available in the `nftables::rules::out::wireguard` class:

* [`ports`](#-nftables--rules--out--wireguard--ports)

##### <a name="-nftables--rules--out--wireguard--ports"></a>`ports`

Data type: `Array[Integer,1]`

specify wireguard ports

Default value: `[51820]`

### <a name="nftables--rules--podman"></a>`nftables::rules::podman`

Rules for Podman, a tool for managing OCI containers and pods.
This class defines additional forwarding rules to let root containers
reach external networks when using Netavark (since v4.0) or CNI (deprecated).
At the time of writing, Podman supports automatic configuration
of firewall rules with iptables and firewalld only.

### <a name="nftables--rules--puppet"></a>`nftables::rules::puppet`

manage in puppet

#### Parameters

The following parameters are available in the `nftables::rules::puppet` class:

* [`ports`](#-nftables--rules--puppet--ports)

##### <a name="-nftables--rules--puppet--ports"></a>`ports`

Data type: `Array[Integer,1]`

puppet server ports

Default value: `[8140]`

### <a name="nftables--rules--pxp_agent"></a>`nftables::rules::pxp_agent`

manage in pxp-agent

#### Parameters

The following parameters are available in the `nftables::rules::pxp_agent` class:

* [`ports`](#-nftables--rules--pxp_agent--ports)

##### <a name="-nftables--rules--pxp_agent--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

pxp server ports

Default value: `[8142]`

### <a name="nftables--rules--qemu"></a>`nftables::rules::qemu`

This class configures the typical firewall setup that libvirt
creates. Depending on your requirements you can switch several
aspects on and off: for instance, if you don't do DHCP to your guests
you can disable the rules that accept DHCP traffic on the host, or if
you don't want your guests to talk to hosts outside you can disable
forwarding and/or masquerading for IPv4 traffic.

#### Parameters

The following parameters are available in the `nftables::rules::qemu` class:

* [`interface`](#-nftables--rules--qemu--interface)
* [`network_v4`](#-nftables--rules--qemu--network_v4)
* [`network_v6`](#-nftables--rules--qemu--network_v6)
* [`dns`](#-nftables--rules--qemu--dns)
* [`dhcpv4`](#-nftables--rules--qemu--dhcpv4)
* [`forward_traffic`](#-nftables--rules--qemu--forward_traffic)
* [`internal_traffic`](#-nftables--rules--qemu--internal_traffic)
* [`masquerade`](#-nftables--rules--qemu--masquerade)

##### <a name="-nftables--rules--qemu--interface"></a>`interface`

Data type: `String[1]`

Interface name used by the bridge.

Default value: `'virbr0'`

##### <a name="-nftables--rules--qemu--network_v4"></a>`network_v4`

Data type: `Stdlib::IP::Address::V4::CIDR`

The IPv4 network prefix used in the virtual network.

Default value: `'192.168.122.0/24'`

##### <a name="-nftables--rules--qemu--network_v6"></a>`network_v6`

Data type: `Optional[Stdlib::IP::Address::V6::CIDR]`

The IPv6 network prefix used in the virtual network.

Default value: `undef`

##### <a name="-nftables--rules--qemu--dns"></a>`dns`

Data type: `Boolean`

Allow DNS traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--dhcpv4"></a>`dhcpv4`

Data type: `Boolean`

Allow DHCPv4 traffic from the guests to the host.

Default value: `true`

##### <a name="-nftables--rules--qemu--forward_traffic"></a>`forward_traffic`

Data type: `Boolean`

Allow forwarded traffic (out all, in related/established)
generated by the virtual network.

Default value: `true`

##### <a name="-nftables--rules--qemu--internal_traffic"></a>`internal_traffic`

Data type: `Boolean`

Allow guests in the virtual network to talk to each other.

Default value: `true`

##### <a name="-nftables--rules--qemu--masquerade"></a>`masquerade`

Data type: `Boolean`

Do NAT masquerade on all IPv4 traffic generated by guests
to external networks.

Default value: `true`

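The switches described above applied to an isolated lab network: guests get DNS and DHCP from the host and may talk to each other, but nothing is forwarded or NATed to the outside. Added example, not from the module's own reference; the interface name and IPv4 prefix are assumed values.

```puppet
# Added example, not part of the module's generated reference.
# Assumed values: bridge 'virbr1' and prefix 192.168.200.0/24 are placeholders
# for a libvirt network that must not reach external networks.
class { 'nftables::rules::qemu':
  interface        => 'virbr1',
  network_v4       => '192.168.200.0/24',
  network_v6       => undef,           # no IPv6 on this virtual network
  dns              => true,            # guests resolve via the host
  dhcpv4           => true,            # guests get leases from the host
  internal_traffic => true,            # guest-to-guest traffic stays allowed
  forward_traffic  => false,           # nothing forwarded out of the bridge
  masquerade       => false,           # no NAT, so no path to external networks
}
```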
### <a name="nftables--rules--rsync"></a>`nftables::rules::rsync`

allow rsync connections

### <a name="nftables--rules--samba"></a>`nftables::rules::samba`

manage Samba, the suite to allow Windows file sharing on Linux resources.

#### Parameters

The following parameters are available in the `nftables::rules::samba` class:

* [`ctdb`](#-nftables--rules--samba--ctdb)
* [`action`](#-nftables--rules--samba--action)

##### <a name="-nftables--rules--samba--ctdb"></a>`ctdb`

Data type: `Boolean`

Enable ctdb-driven clustered Samba setups

Default value: `false`

##### <a name="-nftables--rules--samba--action"></a>`action`

Data type: `Enum['accept', 'drop']`

if the traffic should be allowed or dropped

Default value: `'accept'`

### <a name="nftables--rules--smtp"></a>`nftables::rules::smtp`

manage in smtp

### <a name="nftables--rules--smtp_submission"></a>`nftables::rules::smtp_submission`

manage in smtp submission

### <a name="nftables--rules--smtps"></a>`nftables::rules::smtps`

manage in smtps

### <a name="nftables--rules--spotify"></a>`nftables::rules::spotify`

allow incoming spotify

### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`

allow incoming SSDP

* **See also**
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03

#### Parameters

The following parameters are available in the `nftables::rules::ssdp` class:

* [`ipv4`](#-nftables--rules--ssdp--ipv4)
* [`ipv6`](#-nftables--rules--ssdp--ipv6)

##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`

Data type: `Boolean`

Allow SSDP over IPv4

Default value: `true`

##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`

Data type: `Boolean`

Allow SSDP over IPv6

Default value: `true`

### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`

manage in ssh

#### Parameters

The following parameters are available in the `nftables::rules::ssh` class:

* [`ports`](#-nftables--rules--ssh--ports)

##### <a name="-nftables--rules--ssh--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

ssh ports

Default value: `[22]`

### <a name="nftables--rules--tor"></a>`nftables::rules::tor`

manage in tor

#### Parameters

The following parameters are available in the `nftables::rules::tor` class:
1645 e17693e3 Steve Traylen
1646 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--tor--ports)
1647 e17693e3 Steve Traylen
1648 c24d3118 Tim Meusel
##### <a name="-nftables--rules--tor--ports"></a>`ports`
1649 e17693e3 Steve Traylen
1650 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1651 e17693e3 Steve Traylen
1652 09cba182 Steve Traylen
ports for tor
1653 e17693e3 Steve Traylen
1654
Default value: `[9001]`
1655
1656 c24d3118 Tim Meusel
### <a name="nftables--rules--wireguard"></a>`nftables::rules::wireguard`
1657 e17693e3 Steve Traylen
1658
manage in wireguard
1659
1660
#### Parameters
1661
1662 09cba182 Steve Traylen
The following parameters are available in the `nftables::rules::wireguard` class:
1663 e17693e3 Steve Traylen
1664 c24d3118 Tim Meusel
* [`ports`](#-nftables--rules--wireguard--ports)
1665 e17693e3 Steve Traylen
1666 c24d3118 Tim Meusel
##### <a name="-nftables--rules--wireguard--ports"></a>`ports`
1667 e17693e3 Steve Traylen
1668 09cba182 Steve Traylen
Data type: `Array[Stdlib::Port,1]`
1669 e17693e3 Steve Traylen
1670 09cba182 Steve Traylen
wiregueard port
1671 e17693e3 Steve Traylen
1672
Default value: `[51820]`
1673
1674 ffc8b86f Tim Meusel
### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
1675
1676
allow incoming webservice discovery
1677
1678
* **See also**
1679
  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
1680
1681
#### Parameters
1682
1683
The following parameters are available in the `nftables::rules::wsd` class:
1684
1685
* [`ipv4`](#-nftables--rules--wsd--ipv4)
1686
* [`ipv6`](#-nftables--rules--wsd--ipv6)
1687
1688
##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
1689
1690
Data type: `Boolean`
1691
1692
Allow ws-discovery over IPv4
1693
1694
Default value: `true`
1695
1696
##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
1697
1698
Data type: `Boolean`
1699
1700
Allow ws-discovery over IPv6
1701
1702
Default value: `true`
1703
1704 c24d3118 Tim Meusel
### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
1705 7f6cacc5 Steve Traylen
1706 09cba182 Steve Traylen
Allow in and outbound traffic for DHCPv6 server
1707 7f6cacc5 Steve Traylen
1708 c24d3118 Tim Meusel
### <a name="nftables--services--openafs_client"></a>`nftables::services::openafs_client`
1709 7f6cacc5 Steve Traylen
1710 09cba182 Steve Traylen
Open inbound and outbound ports for an AFS client
1711 7f6cacc5 Steve Traylen
## Defined types

### <a name="nftables--chain"></a>`nftables::chain`

manage a chain

#### Parameters

The following parameters are available in the `nftables::chain` defined type:

* [`table`](#-nftables--chain--table)
* [`chain`](#-nftables--chain--chain)
* [`inject`](#-nftables--chain--inject)
* [`inject_iif`](#-nftables--chain--inject_iif)
* [`inject_oif`](#-nftables--chain--inject_oif)

##### <a name="-nftables--chain--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`

Default value: `'inet-filter'`

##### <a name="-nftables--chain--chain"></a>`chain`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--chain--inject"></a>`inject`

Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`

Default value: `undef`

##### <a name="-nftables--chain--inject_iif"></a>`inject_iif`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--chain--inject_oif"></a>`inject_oif`

Data type: `Optional[String]`

Default value: `undef`

### <a name="nftables--config"></a>`nftables::config`

manage a config snippet

#### Parameters

The following parameters are available in the `nftables::config` defined type:

* [`tablespec`](#-nftables--config--tablespec)
* [`content`](#-nftables--config--content)
* [`source`](#-nftables--config--source)
* [`prefix`](#-nftables--config--prefix)

##### <a name="-nftables--config--tablespec"></a>`tablespec`

Data type: `Pattern[/^\w+-\w+$/]`

Default value: `$title`

##### <a name="-nftables--config--content"></a>`content`

Data type: `Optional[String]`

Default value: `undef`

##### <a name="-nftables--config--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Default value: `undef`

##### <a name="-nftables--config--prefix"></a>`prefix`

Data type: `String`

Default value: `'custom-'`

### <a name="nftables--file"></a>`nftables::file`

Insert a file into the nftables configuration

#### Examples

##### Include a file that includes other files

```puppet
nftables::file { 'geoip':
  content => @(EOT),
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT
}
```

#### Parameters

The following parameters are available in the `nftables::file` defined type:

* [`label`](#-nftables--file--label)
* [`content`](#-nftables--file--content)
* [`source`](#-nftables--file--source)
* [`prefix`](#-nftables--file--prefix)

##### <a name="-nftables--file--label"></a>`label`

Data type: `String[1]`

Unique name to include in filename.

Default value: `$title`

##### <a name="-nftables--file--content"></a>`content`

Data type: `Optional[String]`

The content to place in the file.

Default value: `undef`

##### <a name="-nftables--file--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

A source to obtain the file content from.

Default value: `undef`

##### <a name="-nftables--file--prefix"></a>`prefix`

Data type: `String`

Prefix of the file name to be created; if left as `file-`, the file is
automatically included in the main nft configuration.

Default value: `'file-'`

### <a name="nftables--helper"></a>`nftables::helper`

manage a conntrack helper

#### Examples

##### FTP helper

```puppet
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}
```

#### Parameters

The following parameters are available in the `nftables::helper` defined type:

* [`content`](#-nftables--helper--content)
* [`table`](#-nftables--helper--table)
* [`helper`](#-nftables--helper--helper)

##### <a name="-nftables--helper--content"></a>`content`

Data type: `String`

Conntrack helper definition.

##### <a name="-nftables--helper--table"></a>`table`

Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`

The name of the table to add this helper to.

Default value: `'inet-filter'`

##### <a name="-nftables--helper--helper"></a>`helper`

Data type: `Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]`

The symbolic name for the helper.

Default value: `$title`

### <a name="nftables--rule"></a>`nftables::rule`

Provides an interface to create a firewall rule

#### Examples

##### add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80

```puppet
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
```

##### add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic

```puppet
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat',
}
```

##### Redirect port 443 to port 8443

```puppet
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule { 'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}
```

#### Parameters

The following parameters are available in the `nftables::rule` defined type:

* [`ensure`](#-nftables--rule--ensure)
* [`rulename`](#-nftables--rule--rulename)
* [`order`](#-nftables--rule--order)
* [`table`](#-nftables--rule--table)
* [`content`](#-nftables--rule--content)
* [`source`](#-nftables--rule--source)

##### <a name="-nftables--rule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--rule--rulename"></a>`rulename`

Data type: `Nftables::RuleName`

The symbolic name for the rule and to what chain to add it. The
format is defined by the Nftables::RuleName type.

Default value: `$title`

##### <a name="-nftables--rule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--rule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--rule--content"></a>`content`

Data type: `Optional[String]`

The raw statements that compose the rule represented using the nftables
language.

Default value: `undef`

##### <a name="-nftables--rule--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

Same goal as content but sourcing the value from a file.

Default value: `undef`

### <a name="nftables--rules--dnat4"></a>`nftables::rules::dnat4`

manage an IPv4 DNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::dnat4` defined type:

* [`daddr`](#-nftables--rules--dnat4--daddr)
* [`port`](#-nftables--rules--dnat4--port)
* [`rulename`](#-nftables--rules--dnat4--rulename)
* [`order`](#-nftables--rules--dnat4--order)
* [`chain`](#-nftables--rules--dnat4--chain)
* [`iif`](#-nftables--rules--dnat4--iif)
* [`proto`](#-nftables--rules--dnat4--proto)
* [`dport`](#-nftables--rules--dnat4--dport)
* [`ensure`](#-nftables--rules--dnat4--ensure)

##### <a name="-nftables--rules--dnat4--daddr"></a>`daddr`

Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`

##### <a name="-nftables--rules--dnat4--port"></a>`port`

Data type: `Variant[String,Stdlib::Port]`

##### <a name="-nftables--rules--dnat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--dnat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'50'`

##### <a name="-nftables--rules--dnat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'default_fwd'`

##### <a name="-nftables--rules--dnat4--iif"></a>`iif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--proto"></a>`proto`

Data type: `Enum['tcp','udp']`

Default value: `'tcp'`

##### <a name="-nftables--rules--dnat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--dnat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--masquerade"></a>`nftables::rules::masquerade`

masquerade all outgoing traffic

#### Parameters

The following parameters are available in the `nftables::rules::masquerade` defined type:

* [`rulename`](#-nftables--rules--masquerade--rulename)
* [`order`](#-nftables--rules--masquerade--order)
* [`chain`](#-nftables--rules--masquerade--chain)
* [`oif`](#-nftables--rules--masquerade--oif)
* [`saddr`](#-nftables--rules--masquerade--saddr)
* [`daddr`](#-nftables--rules--masquerade--daddr)
* [`proto`](#-nftables--rules--masquerade--proto)
* [`dport`](#-nftables--rules--masquerade--dport)
* [`ensure`](#-nftables--rules--masquerade--ensure)

##### <a name="-nftables--rules--masquerade--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--masquerade--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--masquerade--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--masquerade--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--daddr"></a>`daddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--masquerade--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--rules--snat4"></a>`nftables::rules::snat4`

manage an IPv4 SNAT rule

#### Parameters

The following parameters are available in the `nftables::rules::snat4` defined type:

* [`snat`](#-nftables--rules--snat4--snat)
* [`rulename`](#-nftables--rules--snat4--rulename)
* [`order`](#-nftables--rules--snat4--order)
* [`chain`](#-nftables--rules--snat4--chain)
* [`oif`](#-nftables--rules--snat4--oif)
* [`saddr`](#-nftables--rules--snat4--saddr)
* [`proto`](#-nftables--rules--snat4--proto)
* [`dport`](#-nftables--rules--snat4--dport)
* [`ensure`](#-nftables--rules--snat4--ensure)

##### <a name="-nftables--rules--snat4--snat"></a>`snat`

Data type: `String[1]`

##### <a name="-nftables--rules--snat4--rulename"></a>`rulename`

Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`

Default value: `$title`

##### <a name="-nftables--rules--snat4--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

Default value: `'70'`

##### <a name="-nftables--rules--snat4--chain"></a>`chain`

Data type: `String[1]`

Default value: `'POSTROUTING'`

##### <a name="-nftables--rules--snat4--oif"></a>`oif`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--saddr"></a>`saddr`

Data type: `Optional[String[1]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--proto"></a>`proto`

Data type: `Optional[Enum['tcp','udp']]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--dport"></a>`dport`

Data type: `Optional[Variant[String,Stdlib::Port]]`

Default value: `undef`

##### <a name="-nftables--rules--snat4--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Default value: `'present'`

### <a name="nftables--set"></a>`nftables::set`

manage a named set

#### Examples

##### simple set

```puppet
nftables::set { 'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
```

#### Parameters

The following parameters are available in the `nftables::set` defined type:

* [`ensure`](#-nftables--set--ensure)
* [`setname`](#-nftables--set--setname)
* [`order`](#-nftables--set--order)
* [`type`](#-nftables--set--type)
* [`table`](#-nftables--set--table)
* [`flags`](#-nftables--set--flags)
* [`timeout`](#-nftables--set--timeout)
* [`gc_interval`](#-nftables--set--gc_interval)
* [`elements`](#-nftables--set--elements)
* [`size`](#-nftables--set--size)
* [`policy`](#-nftables--set--policy)
* [`auto_merge`](#-nftables--set--auto_merge)
* [`content`](#-nftables--set--content)
* [`source`](#-nftables--set--source)

##### <a name="-nftables--set--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

should the set be created.

Default value: `'present'`

##### <a name="-nftables--set--setname"></a>`setname`

Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`

name of the set, equal to the title.

Default value: `$title`

##### <a name="-nftables--set--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

concat ordering.

Default value: `'10'`

##### <a name="-nftables--set--type"></a>`type`

Data type: `Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]`

type of set.

Default value: `undef`

##### <a name="-nftables--set--table"></a>`table`

Data type: `Variant[String, Array[String, 1]]`

table or array of tables to add the set to.

Default value: `'inet-filter'`

##### <a name="-nftables--set--flags"></a>`flags`

Data type: `Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]`

specify flags for the set

Default value: `[]`

##### <a name="-nftables--set--timeout"></a>`timeout`

Data type: `Optional[Integer]`

timeout in seconds

Default value: `undef`

##### <a name="-nftables--set--gc_interval"></a>`gc_interval`

Data type: `Optional[Integer]`

garbage collection interval.

Default value: `undef`

##### <a name="-nftables--set--elements"></a>`elements`

Data type: `Optional[Array[String]]`

initialize the set with some elements in it.

Default value: `undef`

##### <a name="-nftables--set--size"></a>`size`

Data type: `Optional[Integer]`

limits the maximum number of elements of the set.

Default value: `undef`

##### <a name="-nftables--set--policy"></a>`policy`

Data type: `Optional[Enum['performance', 'memory']]`

determines the set selection policy.

Default value: `undef`

##### <a name="-nftables--set--auto_merge"></a>`auto_merge`

Data type: `Boolean`

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: `false`

##### <a name="-nftables--set--content"></a>`content`

Data type: `Optional[String]`

specify the content of the set.

Default value: `undef`

##### <a name="-nftables--set--source"></a>`source`

Data type: `Optional[Variant[String,Array[String,1]]]`

specify the source of the set.

Default value: `undef`

### <a name="nftables--simplerule"></a>`nftables::simplerule`

Provides a simplified interface to nftables::rule

#### Examples

##### allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

```puppet
nftables::simplerule { 'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
```

#### Parameters

The following parameters are available in the `nftables::simplerule` defined type:

* [`ensure`](#-nftables--simplerule--ensure)
* [`rulename`](#-nftables--simplerule--rulename)
* [`order`](#-nftables--simplerule--order)
* [`chain`](#-nftables--simplerule--chain)
* [`table`](#-nftables--simplerule--table)
* [`action`](#-nftables--simplerule--action)
* [`comment`](#-nftables--simplerule--comment)
* [`dport`](#-nftables--simplerule--dport)
* [`proto`](#-nftables--simplerule--proto)
* [`daddr`](#-nftables--simplerule--daddr)
* [`set_type`](#-nftables--simplerule--set_type)
* [`sport`](#-nftables--simplerule--sport)
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
* [`oifname`](#-nftables--simplerule--oifname)

##### <a name="-nftables--simplerule--ensure"></a>`ensure`

Data type: `Enum['present','absent']`

Should the rule be created.

Default value: `'present'`

##### <a name="-nftables--simplerule--rulename"></a>`rulename`

Data type: `Nftables::SimpleRuleName`

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: `$title`

##### <a name="-nftables--simplerule--order"></a>`order`

Data type: `Pattern[/^\d\d$/]`

A number representing the order of the rule.

Default value: `'50'`

##### <a name="-nftables--simplerule--chain"></a>`chain`

Data type: `String`

The name of the chain to add this rule to.

Default value: `'default_in'`

##### <a name="-nftables--simplerule--table"></a>`table`

Data type: `String`

The name of the table to add this rule to.

Default value: `'inet-filter'`

##### <a name="-nftables--simplerule--action"></a>`action`

Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`

The verdict for the matched traffic.

Default value: `'accept'`

##### <a name="-nftables--simplerule--comment"></a>`comment`

Data type: `Optional[String]`

A typically human-readable comment for the rule.

Default value: `undef`

##### <a name="-nftables--simplerule--dport"></a>`dport`

Data type: `Optional[Nftables::Port]`

The destination port, ports or port range.

Default value: `undef`

##### <a name="-nftables--simplerule--proto"></a>`proto`

Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`

The transport-layer protocol to match.

Default value: `undef`

##### <a name="-nftables--simplerule--daddr"></a>`daddr`

Data type: `Optional[Nftables::Addr]`

The destination address, CIDR or set to match.

Default value: `undef`

##### <a name="-nftables--simplerule--set_type"></a>`set_type`

Data type: `Enum['ip', 'ip6']`

When using sets as saddr or daddr, the type of the set.
Use `ip` for sets of type `ipv4_addr`.
2554 4d63adda Nacho Barrientos
2555
Default value: `'ip6'`
2556
2557 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--sport"></a>`sport`
2558 4d63adda Nacho Barrientos
2559
Data type: `Optional[Nftables::Port]`
2560
2561 b46c9ce9 Nacho Barrientos
The source port, ports or port range.
2562 4d63adda Nacho Barrientos
2563 c24d3118 Tim Meusel
Default value: `undef`
2564 4d63adda Nacho Barrientos
2565 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--saddr"></a>`saddr`
2566 4d63adda Nacho Barrientos
2567
Data type: `Optional[Nftables::Addr]`
2568
2569 b46c9ce9 Nacho Barrientos
The source address, CIDR or set to match.
2570 4d63adda Nacho Barrientos
2571 c24d3118 Tim Meusel
Default value: `undef`
2572 4d63adda Nacho Barrientos
2573 c24d3118 Tim Meusel
##### <a name="-nftables--simplerule--counter"></a>`counter`
2574 4d63adda Nacho Barrientos
2575
Data type: `Boolean`
2576
2577 b46c9ce9 Nacho Barrientos
Enable traffic counters for the matched traffic.
2578 4d63adda Nacho Barrientos
2579 c24d3118 Tim Meusel
Default value: `false`
2580 4d63adda Nacho Barrientos
2581 25b3f3f4 Tim Meusel
##### <a name="-nftables--simplerule--iifname"></a>`iifname`
2582
2583 e846c98b Tim Meusel
Data type: `Variant[Array[String[1]],String[1]]`
2584 25b3f3f4 Tim Meusel
2585
Optional filter for the incoming interface
2586
2587 e846c98b Tim Meusel
Default value: `[]`
2588 25b3f3f4 Tim Meusel
2589 d7d6d5d3 Tim Meusel
##### <a name="-nftables--simplerule--oifname"></a>`oifname`
2590
2591 e846c98b Tim Meusel
Data type: `Variant[Array[String[1]],String[1]]`
2592 d7d6d5d3 Tim Meusel
2593
Optional filter for the outgoing interface
2594
2595 e846c98b Tim Meusel
Default value: `[]`
2596 d7d6d5d3 Tim Meusel
2597 4d63adda Nacho Barrientos
## Data types
2598
2599 c24d3118 Tim Meusel
### <a name="Nftables--Addr"></a>`Nftables::Addr`
2600 4d63adda Nacho Barrientos
2601
Represents an address expression to be used within a rule.
2602
2603 9d02e9f8 Stéphanie Jaumotte
Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]`
2604 09cba182 Steve Traylen
2605 c24d3118 Tim Meusel
### <a name="Nftables--Addr--Set"></a>`Nftables::Addr::Set`
2606 4d63adda Nacho Barrientos
2607
Represents a set expression to be used within a rule.
2608
2609 c24d3118 Tim Meusel
Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`
2610 4d63adda Nacho Barrientos
2611 c24d3118 Tim Meusel
### <a name="Nftables--Port"></a>`Nftables::Port`
2612 4d63adda Nacho Barrientos
2613
Represents a port expression to be used within a rule.
2614
2615 4acda787 Tim Skirvin
Alias of `Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]`
2616 4d63adda Nacho Barrientos
2617 c24d3118 Tim Meusel
### <a name="Nftables--Port--Range"></a>`Nftables::Port::Range`
2618 4d63adda Nacho Barrientos
2619
Represents a port range expression to be used within a rule.
2620
2621 c24d3118 Tim Meusel
Alias of `Pattern[/^\d+-\d+$/]`
2622 4d63adda Nacho Barrientos
2623 c24d3118 Tim Meusel
### <a name="Nftables--RuleName"></a>`Nftables::RuleName`
2624 8c00b818 Nacho Barrientos
2625
Represents a rule name to be used in a raw rule created via nftables::rule.
2626
It's a dash separated string. The first component describes the chain to
2627
add the rule to, the second the rule name and the (optional) third a number.
2628
Ex: 'default_in-sshd', 'default_out-my_service-2'.
2629
2630 c24d3118 Tim Meusel
Alias of `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
2631 09cba182 Steve Traylen
2632 c24d3118 Tim Meusel
### <a name="Nftables--SimpleRuleName"></a>`Nftables::SimpleRuleName`
2633 8c00b818 Nacho Barrientos
2634
Represents a simple rule name to be used in a rule created via nftables::simplerule
2635
2636 c24d3118 Tim Meusel
Alias of `Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]`
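
The manifest below is an added example, not part of the generated reference or the module's own code. It ties the `nftables::simplerule` parameters above to the data types in this section: a `Nftables::Addr::Set` reference with the matching `set_type`, a `Nftables::Port` list mixing a `Nftables::Port::Range` with a plain port, an array of IPv4 CIDRs for `saddr`, interface filters, and removal of a rule with `ensure => 'absent'`. The set name `trusted_v4`, the interface names, the addresses and the rule titles are constructed for the example; the set itself is assumed to be declared elsewhere in the catalog.

```puppet
# Added example manifest (not from the module's documentation).
# Assumes a set named 'trusted_v4' of type ipv4_addr is declared elsewhere.

# Accept SSH only from a named IPv4 set.  Because the set holds ipv4_addr
# elements, set_type must be 'ip'; the default 'ip6' would produce a rule
# that never matches IPv4 sources.  The counter makes hits visible in
# `nft list ruleset` for monitoring.
nftables::simplerule { 'ssh_from_trusted':
  action   => 'accept',
  comment  => 'SSH from the trusted IPv4 set',
  dport    => 22,
  proto    => 'tcp4',
  saddr    => '@trusted_v4',   # Nftables::Addr::Set: '@' followed by the set name
  set_type => 'ip',
  counter  => true,
}

# Management services from two private networks, accepted only when they
# arrive on the internal interfaces.  dport mixes a Nftables::Port::Range
# ('8000-8100') with a single Stdlib::Port; saddr is an array of IPv4 CIDRs.
# order is a two-digit string (Pattern[/^\d\d$/]), so '40' sorts before the
# default '50'.
nftables::simplerule { 'mgmt_services':
  order   => '40',
  dport   => ['8000-8100', 9100],
  proto   => 'tcp4',
  saddr   => ['10.0.0.0/8', '192.168.1.0/24'],
  iifname => ['eth1', 'eth2'],
  comment => 'management services from private ranges on internal NICs',
}

# Drop outbound plaintext SMTP from this host in the default_out chain,
# counting matches so unexpected mail attempts show up in the ruleset.
nftables::simplerule { 'block_smtp_out':
  chain   => 'default_out',
  action  => 'drop',
  dport   => 25,
  proto   => 'tcp',
  oifname => 'eth0',
  counter => true,
  comment => 'outbound port 25 is not permitted from this host',
}

# A rule that is no longer wanted is removed rather than left unmanaged.
nftables::simplerule { 'old_service':
  ensure => 'absent',
}
```

Each title is a `Nftables::SimpleRuleName` (letters, digits and underscores, with an optional `-<number>` suffix), so a second variant of a rule can be named `mgmt_services-2` without breaking the pattern. The `set_type` default is the one value here that is easy to get wrong: a set of `ipv4_addr` referenced with the default `'ip6'` still passes Puppet's type checks, so verify the rendered ruleset on the host after the first run.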