nftables
: Configure nftablesnftables::bridges
: allow forwarding traffic on bridgesnftables::inet_filter
: manage basic chains in table inet filternftables::inet_filter::fwd_conntrack
: enable conntrack for fwdnftables::inet_filter::in_out_conntrack
: manage input & output conntracknftables::ip_nat
: manage basic chains in table ip natnftables::rules::activemq
: Provides input rules for Apache ActiveMQnftables::rules::afs3_callback
: Open call back port for AFS clientsnftables::rules::ceph
: Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)nftables::rules::ceph_mon
: Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.nftables::rules::dhcpv6_client
: allow DHCPv6 requests in to a hostnftables::rules::dns
: manage in dnsnftables::rules::docker_ce
: Default firewall configuration for Docker-CEnftables::rules::ftp
: manage in ftp (with conntrack helper)nftables::rules::http
: manage in httpnftables::rules::https
: manage in httpsnftables::rules::icinga2
: manage in icinga2nftables::rules::icmp
: allows incoming ICMPnftables::rules::igmp
: allow incoming IGMP messagesnftables::rules::ldap
: manage in ldapnftables::rules::llmnr
: allow incoming Link-Local Multicast Name Resolutionnftables::rules::mdns
: allow incoming multicast DNSnftables::rules::multicast
: allow incoming multicast trafficnftables::rules::nfs
: manage in nfs4nftables::rules::nfs3
: manage in nfs3nftables::rules::node_exporter
: manage in node exporternftables::rules::ospf
: manage in ospfnftables::rules::ospf3
: manage in ospf3nftables::rules::out::active_directory
: manage outgoing active diectorynftables::rules::out::all
: allow all outboundnftables::rules::out::ceph_client
: Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).nftables::rules::out::chrony
: manage out chronynftables::rules::out::dhcp
: manage out dhcpnftables::rules::out::dhcpv6_client
: Allow DHCPv6 requests out of a hostnftables::rules::out::dns
: manage out dnsnftables::rules::out::hkp
: allow outgoing hkp connections to gpg keyserversnftables::rules::out::http
: manage out httpnftables::rules::out::https
: manage out httpsnftables::rules::out::icmp
: control outbound icmp packagesnftables::rules::out::igmp
: allow outgoing IGMP messagesnftables::rules::out::imap
: allow outgoing imapnftables::rules::out::kerberos
: allows outbound access for kerberosnftables::rules::out::ldap
: manage outgoing ldapnftables::rules::out::mdns
: allow outgoing multicast DNSnftables::rules::out::mldv2
: allow multicast listener requestsnftables::rules::out::mysql
: manage out mysqlnftables::rules::out::nfs
: manage out nfsnftables::rules::out::nfs3
: manage out nfs3nftables::rules::out::openafs_client
: allows outbound access for afs clients 7000 - afs3-fileserver 7002 - afs3-ptserver 7003 - vlservernftables::rules::out::ospf
: manage out ospfnftables::rules::out::ospf3
: manage out ospf3nftables::rules::out::pop3
: allow outgoing pop3nftables::rules::out::postgres
: manage out postgresnftables::rules::out::puppet
: manage outgoing puppetnftables::rules::out::pxp_agent
: manage outgoing pxp-agentnftables::rules::out::smtp
: allow outgoing smtpnftables::rules::out::smtp_client
: allow outgoing smtp clientnftables::rules::out::ssdp
: allow outgoing SSDPnftables::rules::out::ssh
: manage out sshnftables::rules::out::ssh::remove
: disable outgoing sshnftables::rules::out::tor
: manage out tornftables::rules::out::whois
: allow clients to query remote whois servernftables::rules::out::wireguard
: manage out wireguardnftables::rules::podman
: Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.nftables::rules::puppet
: manage in puppetnftables::rules::pxp_agent
: manage in pxp-agentnftables::rules::qemu
: Bridged network configuration for qemu/libvirtnftables::rules::samba
: manage Samba, the suite to allow Windows file sharing on Linux resources.nftables::rules::smtp
: manage in smtpnftables::rules::smtp_submission
: manage in smtp submissionnftables::rules::smtps
: manage in smtpsnftables::rules::spotify
: allow incoming spotifynftables::rules::ssdp
: allow incoming SSDPnftables::rules::ssh
: manage in sshnftables::rules::tor
: manage in tornftables::rules::wireguard
: manage in wireguardnftables::rules::wsd
: allow incoming webservice discoverynftables::services::dhcpv6_client
: Allow in and outbound traffic for DHCPv6 servernftables::services::openafs_client
: Open inbound and outbound ports for an AFS client
nftables::chain
: manage a chainnftables::config
: manage a config snippetnftables::file
: Insert a file into the nftables configurationnftables::helper
: manage a conntrack helpernftables::rule
: Provides an interface to create a firewall rulenftables::rules::dnat4
: manage a ipv4 dnat rulenftables::rules::masquerade
: masquerade all outgoing trafficnftables::rules::snat4
: manage a ipv4 snat rulenftables::set
: manage a named setnftables::simplerule
: Provides a simplified interface to nftables::rule
Nftables::Addr
: Represents an address expression to be used within a rule.Nftables::Addr::Set
: Represents a set expression to be used within a rule.Nftables::Port
: Represents a port expression to be used within a rule.Nftables::Port::Range
: Represents a port range expression to be used within a rule.Nftables::RuleName
: Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.Nftables::SimpleRuleName
: Represents a simple rule name to be used in a rule created via nftables::simplerule
Configure nftables
class{ 'nftables':
out_ntp => false,
out_dns => true,
}
class{ 'nftables':
noflush_tables => ['inet-f2b-table'],
}
The following parameters are available in the nftables
class:
out_all
out_ntp
out_http
out_dns
out_https
out_icmp
in_ssh
in_icmp
inet_filter
nat
nat_table_name
purge_unmanaged_rules
inmem_rules_hash_file
sets
log_prefix
log_discarded
log_limit
reject_with
in_out_conntrack
in_out_drop_invalid
fwd_conntrack
fwd_drop_invalid
firewalld_enable
noflush_tables
rules
configuration_path
nft_path
echo
default_config_mode
clobber_default_config
Data type: Boolean
Allow all outbound connections. If true
then all other
out parameters out_ntp
, out_dns
, ... will be assuemed
false.
Default value: false
Data type: Boolean
Allow outbound to ntp servers.
Default value: true
Data type: Boolean
Allow outbound to http servers.
Default value: true
Data type: Boolean
Allow outbound to dns servers.
Default value: true
Data type: Boolean
Allow outbound to https servers.
Default value: true
Data type: Boolean
Allow outbound ICMPv4/v6 traffic.
Default value: true
Data type: Boolean
Allow inbound to ssh servers.
Default value: true
Data type: Boolean
Allow inbound ICMPv4/v6 traffic.
Default value: true
Data type: Boolean
Add default tables, chains and rules to process traffic.
Default value: true
Data type: Boolean
Add default tables and chains to process NAT traffic.
Default value: true
Data type: String[1]
The name of the 'nat' table.
Default value: 'nat'
Data type: Boolean
Prohibits in-memory rules that are not declared in Puppet code. Setting this to true activates a check that reloads nftables if the rules in memory have been modified without Puppet.
Default value: false
Data type: Stdlib::Unixpath
The name of the file where the hash of the in-memory rules will be stored.
Default value: '/var/tmp/puppet-nft-memhash'
Data type: Hash
Allows sourcing set definitions directly from Hiera.
Default value: {}
Data type: String
String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:
- chain: Will be replaced by the name of the chain.
- comment: Allows chains to add extra comments.
Default value: '[nftables] %<chain>s %<comment>s'
Data type: Boolean
Allow to log discarded packets
Default value: true
Data type: Variant[Boolean[false], String]
String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.
Default value: '3/minute burst 5 packets'
Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]
How to discard packets not matching any rule. If false
, the
fate of the packet will be defined by the chain policy (normally
drop), otherwise the packet will be rejected with the REJECT_WITH
policy indicated by the value of this parameter.
Default value: 'icmpx type port-unreachable'
Data type: Boolean
Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: true
Data type: Boolean
Drops invalid packets in INPUT and OUTPUT
Default value: $in_out_conntrack
Data type: Boolean
Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: false
Data type: Boolean
Drops invalid packets in FORWARD
Default value: $fwd_conntrack
Data type: Variant[Boolean[false], Enum['mask']]
Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externaly removing firewalld from the system completely.
Default value: 'mask'
Data type: Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]
If specified only other existings tables will be flushed.
If left unset all tables will be flushed via a flush ruleset
Default value: undef
Data type: Hash
Specify hashes of nftables::rule
s via hiera
Default value: {}
Data type: Stdlib::Unixpath
The absolute path to the principal nftables configuration file. The default varies depending on the system, and is set in the module's data.
Data type: Stdlib::Unixpath
Path to the nft binary
Data type: Stdlib::Unixpath
Path to the echo binary
Data type: Stdlib::Filemode
The default file & dir mode for configuration files and directories. The default varies depending on the system, and is set in the module's data.
Data type: Boolean
Should the existing OS provided rules in the configuration_path
be removed? If
they are not being removed this module will add all of its configuration to the end of
the existing rules.
Default value: false
allow forwarding traffic on bridges
The following parameters are available in the nftables::bridges
class:
Data type: Enum['present','absent']
Default value: 'present'
Data type: Regexp
Default value: /^br.+/
manage basic chains in table inet filter
enable conntrack for fwd
manage input & output conntrack
manage basic chains in table ip nat
Provides input rules for Apache ActiveMQ
The following parameters are available in the nftables::rules::activemq
class:
Data type: Boolean
Create the rule for TCP traffic.
Default value: true
Data type: Boolean
Create the rule for UDP traffic.
Default value: true
Data type: Stdlib::Port
The port number for the ActiveMQ daemon.
Default value: 61616
Open call back port for AFS clients
class{'nftables::rules::afs3_callback':
saddr => ['192.168.0.0/16', '10.0.0.222']
}
The following parameters are available in the nftables::rules::afs3_callback
class:
Data type: Array[Stdlib::IP::Address::V4,1]
list of source network ranges to a
Default value: ['0.0.0.0/0']
Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
The following parameters are available in the nftables::rules::ceph_mon
class:
Data type: Array[Stdlib::Port,1]
specify ports for ceph service
Default value: [3300, 6789]
allow DHCPv6 requests in to a host
manage in dns
class { 'nftables::rules::dns':
iifname => ['docker0'],
}
The following parameters are available in the nftables::rules::dns
class:
Data type: Array[Stdlib::Port,1]
Specify ports for dns.
Default value: [53]
Data type: Optional[Array[String[1],1]]
Specify input interface names.
Default value: undef
The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.
This class is needed as the default docker-ce rules added to ip-filter conflict with the inet-filter forward rules set by default in this module.
When using this class 'docker::iptables: false' should be set.
The following parameters are available in the nftables::rules::docker_ce
class:
Data type: String[1]
Interface name used by docker.
Default value: 'docker0'
Data type: Stdlib::IP::Address::V4::CIDR
The address space used by docker.
Default value: '172.17.0.0/16'
Data type: Boolean
Flag to control whether the class should create the docker related chains.
Default value: true
Data type: Boolean
Flag to control whether the class should create the base common chains.
Default value: true
manage in ftp (with conntrack helper)
The following parameters are available in the nftables::rules::ftp
class:
Data type: Boolean
Enable FTP passive mode support
Default value: true
Data type: Nftables::Port::Range
Set the FTP passive mode port range
Default value: '10090-10100'
manage in http
manage in https
manage in icinga2
The following parameters are available in the nftables::rules::icinga2
class:
Data type: Array[Stdlib::Port,1]
Specify ports for icinga2
Default value: [5665]
allows incoming ICMP
The following parameters are available in the nftables::rules::icmp
class:
Data type: Optional[Array[String]]
ICMP v4 types that should be allowed
Default value: undef
Data type: Optional[Array[String]]
ICMP v6 types that should be allowed
Default value: undef
Data type: String
the ordering of the rules
Default value: '10'
allow incoming IGMP messages
manage in ldap
The following parameters are available in the nftables::rules::ldap
class:
Data type: Array[Integer,1]
ldap server ports
Default value: [389, 636]
allow incoming Link-Local Multicast Name Resolution
The following parameters are available in the nftables::rules::llmnr
class:
Data type: Boolean
Allow LLMNR over IPv4
Default value: true
Data type: Boolean
Allow LLMNR over IPv6
Default value: true
Data type: Array[String[1]]
optional list of incoming interfaces to filter on
Default value: []
allow incoming multicast DNS
The following parameters are available in the nftables::rules::mdns
class:
Data type: Boolean
Allow mdns over IPv4
Default value: true
Data type: Boolean
Allow mdns over IPv6
Default value: true
Data type: Array[String[1]]
name for incoming interfaces to filter
Default value: []
allow incoming multicast traffic
manage in nfs4
manage in nfs3
manage in node exporter
The following parameters are available in the nftables::rules::node_exporter
class:
Data type: Optional[Variant[String,Array[String,1]]]
Specify server name
Default value: undef
Data type: Stdlib::Port
Specify port to open
Default value: 9100
manage in ospf
manage in ospf3
The following parameters are available in the nftables::rules::ospf3
class:
Data type: Array[String[1]]
optional list of incoming interfaces to allow traffic
Default value: []
manage outgoing active diectory
The following parameters are available in the nftables::rules::out::active_directory
class:
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
adserver IPs
Data type: Array[Stdlib::Port,1]
adserver ports
Default value: [389, 636, 3268, 3269]
allow all outbound
Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
The following parameters are available in the nftables::rules::out::ceph_client
class:
Data type: Array[Stdlib::Port,1]
Specify ports to open
Default value: [3300, 6789]
manage out chrony
The following parameters are available in the nftables::rules::out::chrony
class:
Data type: Array[Stdlib::IP::Address]
single IP-Address or array of IP-addresses from NTP servers
Default value: []
manage out dhcp
Allow DHCPv6 requests out of a host
manage out dns
The following parameters are available in the nftables::rules::out::dns
class:
Data type: Array[Stdlib::IP::Address]
specify dns_server name
Default value: []
allow outgoing hkp connections to gpg keyservers
manage out http
manage out https
control outbound icmp packages
The following parameters are available in the nftables::rules::out::icmp
class:
Data type: Optional[Array[String]]
ICMP v4 types that should be allowed
Default value: undef
Data type: Optional[Array[String]]
ICMP v6 types that should be allowed
Default value: undef
Data type: String
the ordering of the rules
Default value: '10'
allow outgoing IGMP messages
allow outgoing imap
allows outbound access for kerberos
manage outgoing ldap
The following parameters are available in the nftables::rules::out::ldap
class:
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
ldapserver IPs
Data type: Array[Stdlib::Port,1]
ldapserver ports
Default value: [389, 636]
allow outgoing multicast DNS
The following parameters are available in the nftables::rules::out::mdns
class:
Data type: Boolean
Allow mdns over IPv4
Default value: true
Data type: Boolean
Allow mdns over IPv6
Default value: true
Data type: Array[String[1]]
optional name for outgoing interfaces
Default value: []
allow multicast listener requests
manage out mysql
manage out nfs
manage out nfs3
allows outbound access for afs clients 7000 - afs3-fileserver 7002 - afs3-ptserver 7003 - vlserver
- See also
- https://wiki.openafs.org/devel/AFSServicePorts/
- AFS Service Ports
- https://wiki.openafs.org/devel/AFSServicePorts/
The following parameters are available in the nftables::rules::out::openafs_client
class:
Data type: Array[Stdlib::Port,1]
port numbers to use
Default value: [7000, 7002, 7003]
manage out ospf
manage out ospf3
The following parameters are available in the nftables::rules::out::ospf3
class:
Data type: Array[String[1]]
optional list of outgoing interfaces to filter on
Default value: []
allow outgoing pop3
manage out postgres
manage outgoing puppet
The following parameters are available in the nftables::rules::out::puppet
class:
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
puppetserver hostname
Data type: Stdlib::Port
puppetserver port
Default value: 8140
manage outgoing pxp-agent
- See also
- also
- take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
- also
The following parameters are available in the nftables::rules::out::pxp_agent
class:
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
PXP broker IP(s)
Data type: Stdlib::Port
PXP broker port
Default value: 8142
allow outgoing smtp
allow outgoing smtp client
allow outgoing SSDP
The following parameters are available in the nftables::rules::out::ssdp
class:
Data type: Boolean
Allow SSDP over IPv4
Default value: true
Data type: Boolean
Allow SSDP over IPv6
Default value: true
manage out ssh
disable outgoing ssh
manage out tor
allow clients to query remote whois server
manage out wireguard
The following parameters are available in the nftables::rules::out::wireguard
class:
Data type: Array[Integer,1]
specify wireguard ports
Default value: [51820]
Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
manage in puppet
The following parameters are available in the nftables::rules::puppet
class:
Data type: Array[Integer,1]
puppet server ports
Default value: [8140]
manage in pxp-agent
The following parameters are available in the nftables::rules::pxp_agent
class:
Data type: Array[Stdlib::Port,1]
pxp server ports
Default value: [8142]
This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch on and off several aspects, for instance if you don't do DHCP to your guests you can disable the rules that accept DHCP traffic on the host or if you don't want your guests to talk to hosts outside you can disable forwarding and/or masquerading for IPv4 traffic.
The following parameters are available in the nftables::rules::qemu
class:
Data type: String[1]
Interface name used by the bridge.
Default value: 'virbr0'
Data type: Stdlib::IP::Address::V4::CIDR
The IPv4 network prefix used in the virtual network.
Default value: '192.168.122.0/24'
Data type: Optional[Stdlib::IP::Address::V6::CIDR]
The IPv6 network prefix used in the virtual network.
Default value: undef
Data type: Boolean
Allow DNS traffic from the guests to the host.
Default value: true
Data type: Boolean
Allow DHCPv4 traffic from the guests to the host.
Default value: true
Data type: Boolean
Allow forwarded traffic (out all, in related/established) generated by the virtual network.
Default value: true
Data type: Boolean
Allow guests in the virtual network to talk to each other.
Default value: true
Data type: Boolean
Do NAT masquerade on all IPv4 traffic generated by guests to external networks.
Default value: true
manage Samba, the suite to allow Windows file sharing on Linux resources.
The following parameters are available in the nftables::rules::samba
class:
Data type: Boolean
Enable ctdb-driven clustered Samba setups
Default value: false
Data type: Enum['accept', 'drop']
if the traffic should be allowed or dropped
Default value: 'accept'
manage in smtp
manage in smtp submission
manage in smtps
allow incoming spotify
allow incoming SSDP
The following parameters are available in the nftables::rules::ssdp
class:
Data type: Boolean
Allow SSDP over IPv4
Default value: true
Data type: Boolean
Allow SSDP over IPv6
Default value: true
manage in ssh
The following parameters are available in the nftables::rules::ssh
class:
Data type: Array[Stdlib::Port,1]
ssh ports
Default value: [22]
manage in tor
The following parameters are available in the nftables::rules::tor
class:
Data type: Array[Stdlib::Port,1]
ports for tor
Default value: [9001]
manage in wireguard
The following parameters are available in the nftables::rules::wireguard
class:
Data type: Array[Stdlib::Port,1]
wiregueard port
Default value: [51820]
allow incoming webservice discovery
The following parameters are available in the nftables::rules::wsd
class:
Data type: Boolean
Allow ws-discovery over IPv4
Default value: true
Data type: Boolean
Allow ws-discovery over IPv6
Default value: true
Allow in and outbound traffic for DHCPv6 server
Open inbound and outbound ports for an AFS client
manage a chain
The following parameters are available in the nftables::chain
defined type:
Data type: Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]
Default value: 'inet-filter'
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
Default value: undef
Data type: Optional[String]
Default value: undef
Data type: Optional[String]
Default value: undef
manage a config snippet
The following parameters are available in the nftables::config
defined type:
Data type: Pattern[/^\w+-\w+$/]
Default value: $title
Data type: Optional[String]
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
Data type: String
Default value: 'custom-'
Insert a file into the nftables configuration
nftables::file{'geoip':
content => @(EOT)
include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
|EOT,
}
The following parameters are available in the nftables::file
defined type:
Data type: String[1]
Unique name to include in filename.
Default value: $title
Data type: Optional[String]
The content to place in the file.
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
A source to obtain the file content from.
Default value: undef
Data type: String
Prefix of file name to be created, if left as file-
it will be
auto included in the main nft configuration
Default value: 'file-'
manage a conntrack helper
nftables::helper { 'ftp-standard':
content => 'type "ftp" protocol tcp;',
}
The following parameters are available in the nftables::helper
defined type:
Data type: String
Conntrack helper definition.
Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
The name of the table to add this helper to.
Default value: 'inet-filter'
Data type: Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]
The symbolic name for the helper.
Default value: $title
Provides an interface to create a firewall rule
nftables::rule {
'default_in-myhttp':
content => 'tcp dport 80 accept',
}
nftables::rule {
'PREROUTING6-count':
content => 'counter',
table => 'ip6-nat'
}
nftables::rule { 'PREROUTING-redirect':
content => 'tcp dport 443 redirect to :8443',
table => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
content => 'tcp dport 443 redirect to :8443',
table => 'ip6-nat',
}
The following parameters are available in the nftables::rule
defined type:
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
Data type: Nftables::RuleName
The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.
Default value: $title
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
Data type: Optional[String]
The raw statements that compose the rule represented using the nftables language.
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
Same goal as content but sourcing the value from a file.
Default value: undef
manage a ipv4 dnat rule
The following parameters are available in the nftables::rules::dnat4
defined type:
Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
Data type: Variant[String,Stdlib::Port]
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '50'
Data type: String[1]
Default value: 'default_fwd'
Data type: Optional[String[1]]
Default value: undef
Data type: Enum['tcp','udp']
Default value: 'tcp'
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
Data type: Enum['present','absent']
Default value: 'present'
masquerade all outgoing traffic
The following parameters are available in the nftables::rules::masquerade
defined type:
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '70'
Data type: String[1]
Default value: 'POSTROUTING'
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[Enum['tcp','udp']]
Default value: undef
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
Data type: Enum['present','absent']
Default value: 'present'
manage a ipv4 snat rule
The following parameters are available in the nftables::rules::snat4
defined type:
Data type: String[1]
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '70'
Data type: String[1]
Default value: 'POSTROUTING'
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[Enum['tcp','udp']]
Default value: undef
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
Data type: Enum['present','absent']
Default value: 'present'
manage a named set
nftables::set{'my_set':
type => 'ipv4_addr',
flags => ['interval'],
elements => ['192.168.0.1/24', '10.0.0.2'],
auto_merge => true,
}
The following parameters are available in the nftables::set
defined type:
ensure
setname
order
type
table
flags
timeout
gc_interval
elements
size
policy
auto_merge
content
source
Data type: Enum['present','absent']
should the set be created.
Default value: 'present'
Data type: Pattern[/^[-a-zA-Z0-9_]+$/]
name of set, equal to to title.
Default value: $title
Data type: Pattern[/^\d\d$/]
concat ordering.
Default value: '10'
Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]
type of set.
Default value: undef
Data type: Variant[String, Array[String, 1]]
table or array of tables to add the set to.
Default value: 'inet-filter'
Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]
specify flags for set
Default value: []
Data type: Optional[Integer]
timeout in seconds
Default value: undef
Data type: Optional[Integer]
garbage collection interval.
Default value: undef
Data type: Optional[Array[String]]
initialize the set with some elements in it.
Default value: undef
Data type: Optional[Integer]
limits the maximum number of elements of the set.
Default value: undef
Data type: Optional[Enum['performance', 'memory']]
determines set selection policy.
Default value: undef
Data type: Boolean
automatically merge adjacent/overlapping set elements (only valid for interval sets)
Default value: false
Data type: Optional[String]
specify content of set.
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
specify source of set.
Default value: undef
Provides a simplified interface to nftables::rule
nftables::simplerule{'my_service_in':
action => 'accept',
comment => 'allow traffic to port 543',
counter => true,
proto => 'tcp',
dport => 543,
daddr => '2001:1458::/32',
sport => 541,
}
The following parameters are available in the nftables::simplerule
defined type:
ensure
rulename
order
chain
table
action
comment
dport
proto
daddr
set_type
sport
saddr
counter
iifname
oifname
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
Data type: Nftables::SimpleRuleName
The symbolic name for the rule to add. Defaults to the resource's title.
Default value: $title
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
Data type: String
The name of the chain to add this rule to.
Default value: 'default_in'
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']
The verdict for the matched traffic.
Default value: 'accept'
Data type: Optional[String]
A typically human-readable comment for the rule.
Default value: undef
Data type: Optional[Nftables::Port]
The destination port, ports or port range.
Default value: undef
Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]
The transport-layer protocol to match.
Default value: undef
Data type: Optional[Nftables::Addr]
The destination address, CIDR or set to match.
Default value: undef
Data type: Enum['ip', 'ip6']
When using sets as saddr or daddr, the type of the set.
Use ip
for sets of type ipv4_addr
.
Default value: 'ip6'
Data type: Optional[Nftables::Port]
The source port, ports or port range.
Default value: undef
Data type: Optional[Nftables::Addr]
The source address, CIDR or set to match.
Default value: undef
Data type: Boolean
Enable traffic counters for the matched traffic.
Default value: false
Data type: Variant[Array[String[1]],String[1]]
Optional filter for the incoming interface
Default value: []
Data type: Variant[Array[String[1]],String[1]]
Optional filter for the outgoing interface
Default value: []
Represents an address expression to be used within a rule.
Alias of Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]
Represents a set expression to be used within a rule.
Alias of Pattern[/^@[-a-zA-Z0-9_]+$/]
Represents a port expression to be used within a rule.
Alias of Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]
Represents a port range expression to be used within a rule.
Alias of Pattern[/^\d+-\d+$/]
Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
Alias of Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
Represents a simple rule name to be used in a rule created via nftables::simplerule
Alias of Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]