
Reference

Table of Contents

Classes

Defined types

Data types

  • Nftables::Addr: Represents an address expression to be used within a rule.
  • Nftables::Addr::Set: Represents a set expression to be used within a rule.
  • Nftables::Port: Represents a port expression to be used within a rule.
  • Nftables::Port::Range: Represents a port range expression to be used within a rule.
  • Nftables::RuleName: Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash-separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
  • Nftables::SimpleRuleName: Represents a simple rule name to be used in a rule created via nftables::simplerule

Classes

nftables

Configure nftables

Examples

allow dns out and do not allow ntp out
class{ 'nftables':
  out_ntp => false,
  out_dns => true,
}
do not flush particular tables, fail2ban in this case
class{ 'nftables':
  noflush_tables => ['inet-f2b-table'],
}

Parameters

The following parameters are available in the nftables class:

out_all

Data type: Boolean

Allow all outbound connections. If true, all other out parameters (out_ntp, out_dns, ...) are assumed to be false.

Default value: false

out_ntp

Data type: Boolean

Allow outbound to ntp servers.

Default value: true

out_http

Data type: Boolean

Allow outbound to http servers.

Default value: true

out_dns

Data type: Boolean

Allow outbound to dns servers.

Default value: true

out_https

Data type: Boolean

Allow outbound to https servers.

Default value: true

out_icmp

Data type: Boolean

Allow outbound ICMPv4/v6 traffic.

Default value: true

in_ssh

Data type: Boolean

Allow inbound to ssh servers.

Default value: true

in_icmp

Data type: Boolean

Allow inbound ICMPv4/v6 traffic.

Default value: true

inet_filter

Data type: Boolean

Add default tables, chains and rules to process traffic.

Default value: true

nat

Data type: Boolean

Add default tables and chains to process NAT traffic.

Default value: true

nat_table_name

Data type: String[1]

The name of the 'nat' table.

Default value: 'nat'

purge_unmanaged_rules

Data type: Boolean

Prohibits in-memory rules that are not declared in Puppet code. Setting this to true activates a check that reloads nftables if the rules in memory have been modified without Puppet.

Default value: false

inmem_rules_hash_file

Data type: Stdlib::Unixpath

The name of the file where the hash of the in-memory rules will be stored.

Default value: '/var/tmp/puppet-nft-memhash'

sets

Data type: Hash

Allows sourcing set definitions directly from Hiera.

Default value: {}

log_prefix

Data type: String

String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:

  • chain: Will be replaced by the name of the chain.
  • comment: Allows chains to add extra comments.

Default value: '[nftables] %<chain>s %<comment>s'

log_discarded

Data type: Boolean

Whether to log discarded packets.

Default value: true

log_limit

Data type: Variant[Boolean[false], String]

String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.

Default value: '3/minute burst 5 packets'

reject_with

Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]

How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop), otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.

Default value: 'icmpx type port-unreachable'

in_out_conntrack

Data type: Boolean

Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: true

in_out_drop_invalid

Data type: Boolean

Drops invalid packets in INPUT and OUTPUT

Default value: $in_out_conntrack

fwd_conntrack

Data type: Boolean

Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: false

fwd_drop_invalid

Data type: Boolean

Drops invalid packets in FORWARD

Default value: $fwd_conntrack

firewalld_enable

Data type: Variant[Boolean[false], Enum['mask']]

Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.

Default value: 'mask'

noflush_tables

Data type: Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]

If specified, only the other existing tables will be flushed. If left unset, all tables will be flushed via a flush ruleset.

Default value: undef

rules

Data type: Hash

Specify hashes of nftables::rules via hiera

Default value: {}

configuration_path

Data type: Stdlib::Unixpath

The absolute path to the principal nftables configuration file. The default varies depending on the system, and is set in the module's data.

nft_path

Data type: Stdlib::Unixpath

Path to the nft binary

echo

Data type: Stdlib::Unixpath

Path to the echo binary

default_config_mode

Data type: Stdlib::Filemode

The default file & dir mode for configuration files and directories. The default varies depending on the system, and is set in the module's data.

clobber_default_config

Data type: Boolean

Should the existing OS provided rules in the configuration_path be removed? If they are not being removed this module will add all of its configuration to the end of the existing rules.

Default value: false
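As an added example (not taken from the module's own reference), a locked-down baseline that uses the parameters above: explicit egress, rate-limited logging of discarded packets, and drift detection of the in-kernel ruleset. It assumes that each key of the rules hash is an nftables::rule title and the value its parameters.

```puppet
# Added example, not from the module's reference: a locked-down baseline for a
# server that needs only DNS, NTP and HTTPS outbound.
class { 'nftables':
  # Egress is explicit: out_all stays false so only the out_* flags below apply.
  out_all               => false,
  out_dns               => true,
  out_ntp               => true,
  out_https             => true,
  out_http              => false,   # no plain-HTTP egress from this host
  out_icmp              => true,

  # Ingress: SSH and ICMP only; conntrack accepts replies and drops invalid packets.
  in_ssh                => true,
  in_icmp               => true,
  in_out_conntrack      => true,
  in_out_drop_invalid   => true,
  fwd_conntrack         => false,   # this host does not route

  # Log what the default chains discard, rate limited so a flood cannot fill the journal.
  log_discarded         => true,
  log_limit             => '3/minute burst 5 packets',
  log_prefix            => '[nftables] %<chain>s %<comment>s',

  # Reject with an ICMP error so clients fail fast; false would fall back to the chain policy.
  reject_with           => 'icmpx type port-unreachable',

  # Reload the ruleset when the in-memory rules no longer match what Puppet applied.
  purge_unmanaged_rules => true,
  inmem_rules_hash_file => '/var/tmp/puppet-nft-memhash',

  # fail2ban owns its own table; leave it alone instead of flushing it on every run.
  noflush_tables        => ['inet-f2b-table'],

  # Keep firewalld masked so the two tools cannot fight over the ruleset.
  firewalld_enable      => 'mask',

  # Extra raw rules, same shape as the `rules` Hiera key. Assumption: each key is an
  # nftables::rule title (an Nftables::RuleName) and the value its parameters.
  rules                 => {
    'default_in-myhttp' => {
      content => 'tcp dport 80 accept',
      order   => '40',
    },
  },
}
```

If a tool such as fail2ban changes its own table dynamically, check whether that alters the stored in-memory hash before enabling purge_unmanaged_rules, otherwise Puppet may reload the ruleset on every run.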

nftables::bridges

allow forwarding traffic on bridges

Parameters

The following parameters are available in the nftables::bridges class:

ensure

Data type: Enum['present','absent']

Default value: 'present'

bridgenames

Data type: Regexp

Default value: /^br.+/

nftables::inet_filter

manage basic chains in table inet filter

nftables::inet_filter::fwd_conntrack

enable conntrack for fwd

nftables::inet_filter::in_out_conntrack

manage input & output conntrack

nftables::ip_nat

manage basic chains in table ip nat

nftables::rules::activemq

Provides input rules for Apache ActiveMQ

Parameters

The following parameters are available in the nftables::rules::activemq class:

tcp

Data type: Boolean

Create the rule for TCP traffic.

Default value: true

udp

Data type: Boolean

Create the rule for UDP traffic.

Default value: true

port

Data type: Stdlib::Port

The port number for the ActiveMQ daemon.

Default value: 61616

nftables::rules::afs3_callback

Open call back port for AFS clients

Examples

allow call backs from particular hosts
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}

Parameters

The following parameters are available in the nftables::rules::afs3_callback class:

saddr

Data type: Array[Stdlib::IP::Address::V4,1]

list of source network ranges to a

Default value: ['0.0.0.0/0']

nftables::rules::ceph

Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).

nftables::rules::ceph_mon

Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.

Parameters

The following parameters are available in the nftables::rules::ceph_mon class:

ports

Data type: Array[Stdlib::Port,1]

specify ports for ceph service

Default value: [3300, 6789]

nftables::rules::dhcpv6_client

allow DHCPv6 requests in to a host

nftables::rules::dns

manage in dns

Examples

Allow access to stub dns resolver from docker containers
class { 'nftables::rules::dns':
  iifname => ['docker0'],
}

Parameters

The following parameters are available in the nftables::rules::dns class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports for dns.

Default value: [53]

iifname

Data type: Optional[Array[String[1],1]]

Specify input interface names.

Default value: undef

nftables::rules::docker_ce

The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

Parameters

The following parameters are available in the nftables::rules::docker_ce class:

docker_interface

Data type: String[1]

Interface name used by docker.

Default value: 'docker0'

docker_prefix

Data type: Stdlib::IP::Address::V4::CIDR

The address space used by docker.

Default value: '172.17.0.0/16'

manage_docker_chains

Data type: Boolean

Flag to control whether the class should create the docker related chains.

Default value: true

manage_base_chains

Data type: Boolean

Flag to control whether the class should create the base common chains.

Default value: true

nftables::rules::ftp

manage in ftp (with conntrack helper)

Parameters

The following parameters are available in the nftables::rules::ftp class:

enable_passive

Data type: Boolean

Enable FTP passive mode support

Default value: true

passive_ports

Data type: Nftables::Port::Range

Set the FTP passive mode port range

Default value: '10090-10100'

nftables::rules::http

manage in http

nftables::rules::https

manage in https

nftables::rules::icinga2

manage in icinga2

Parameters

The following parameters are available in the nftables::rules::icinga2 class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports for icinga2

Default value: [5665]

nftables::rules::icmp

allows incoming ICMP

Parameters

The following parameters are available in the nftables::rules::icmp class:

v4_types

Data type: Optional[Array[String]]

ICMP v4 types that should be allowed

Default value: undef

v6_types

Data type: Optional[Array[String]]

ICMP v6 types that should be allowed

Default value: undef

order

Data type: String

the ordering of the rules

Default value: '10'

nftables::rules::igmp

allow incoming IGMP messages

nftables::rules::ldap

manage in ldap

Parameters

The following parameters are available in the nftables::rules::ldap class:

ports

Data type: Array[Integer,1]

ldap server ports

Default value: [389, 636]

nftables::rules::llmnr

allow incoming Link-Local Multicast Name Resolution

Parameters

The following parameters are available in the nftables::rules::llmnr class:

ipv4

Data type: Boolean

Allow LLMNR over IPv4

Default value: true

ipv6

Data type: Boolean

Allow LLMNR over IPv6

Default value: true

iifname

Data type: Array[String[1]]

optional list of incoming interfaces to filter on

Default value: []

nftables::rules::mdns

allow incoming multicast DNS

Parameters

The following parameters are available in the nftables::rules::mdns class:

ipv4

Data type: Boolean

Allow mdns over IPv4

Default value: true

ipv6

Data type: Boolean

Allow mdns over IPv6

Default value: true

iifname

Data type: Array[String[1]]

name for incoming interfaces to filter

Default value: []

nftables::rules::multicast

allow incoming multicast traffic

nftables::rules::nfs

manage in nfs4

nftables::rules::nfs3

manage in nfs3

nftables::rules::node_exporter

manage in node exporter

Parameters

The following parameters are available in the nftables::rules::node_exporter class:

prometheus_server

Data type: Optional[Variant[String,Array[String,1]]]

Specify server name

Default value: undef

port

Data type: Stdlib::Port

Specify port to open

Default value: 9100

nftables::rules::ospf

manage in ospf

nftables::rules::ospf3

manage in ospf3

Parameters

The following parameters are available in the nftables::rules::ospf3 class:

iifname

Data type: Array[String[1]]

optional list of incoming interfaces to allow traffic

Default value: []

nftables::rules::out::active_directory

manage outgoing Active Directory

Parameters

The following parameters are available in the nftables::rules::out::active_directory class:

adserver

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

adserver IPs

adserver_ports

Data type: Array[Stdlib::Port,1]

adserver ports

Default value: [389, 636, 3268, 3269]

nftables::rules::out::all

allow all outbound

nftables::rules::out::ceph_client

Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).

Parameters

The following parameters are available in the nftables::rules::out::ceph_client class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports to open

Default value: [3300, 6789]

nftables::rules::out::chrony

manage out chrony

Parameters

The following parameters are available in the nftables::rules::out::chrony class:

servers

Data type: Array[Stdlib::IP::Address]

single IP address or array of IP addresses of the NTP servers

Default value: []

nftables::rules::out::dhcp

manage out dhcp

nftables::rules::out::dhcpv6_client

Allow DHCPv6 requests out of a host

nftables::rules::out::dns

manage out dns

Parameters

The following parameters are available in the nftables::rules::out::dns class:

dns_server

Data type: Array[Stdlib::IP::Address]

specify the DNS server addresses

Default value: []

nftables::rules::out::hkp

allow outgoing hkp connections to gpg keyservers

nftables::rules::out::http

manage out http

nftables::rules::out::https

manage out https

nftables::rules::out::icmp

control outbound ICMP packets

Parameters

The following parameters are available in the nftables::rules::out::icmp class:

v4_types

Data type: Optional[Array[String]]

ICMP v4 types that should be allowed

Default value: undef

v6_types

Data type: Optional[Array[String]]

ICMP v6 types that should be allowed

Default value: undef

order

Data type: String

the ordering of the rules

Default value: '10'

nftables::rules::out::igmp

allow outgoing IGMP messages

nftables::rules::out::imap

allow outgoing imap

nftables::rules::out::kerberos

allows outbound access for kerberos

nftables::rules::out::ldap

manage outgoing ldap

Parameters

The following parameters are available in the nftables::rules::out::ldap class:

ldapserver

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

ldapserver IPs

ldapserver_ports

Data type: Array[Stdlib::Port,1]

ldapserver ports

Default value: [389, 636]

nftables::rules::out::mdns

allow outgoing multicast DNS

Parameters

The following parameters are available in the nftables::rules::out::mdns class:

ipv4

Data type: Boolean

Allow mdns over IPv4

Default value: true

ipv6

Data type: Boolean

Allow mdns over IPv6

Default value: true

oifname

Data type: Array[String[1]]

optional name for outgoing interfaces

Default value: []

nftables::rules::out::mldv2

allow multicast listener requests

nftables::rules::out::mysql

manage out mysql

nftables::rules::out::nfs

manage out nfs

nftables::rules::out::nfs3

manage out nfs3

nftables::rules::out::openafs_client

allows outbound access for afs clients:

  • 7000 - afs3-fileserver
  • 7002 - afs3-ptserver
  • 7003 - vlserver

Parameters

The following parameters are available in the nftables::rules::out::openafs_client class:

ports

Data type: Array[Stdlib::Port,1]

port numbers to use

Default value: [7000, 7002, 7003]

nftables::rules::out::ospf

manage out ospf

nftables::rules::out::ospf3

manage out ospf3

Parameters

The following parameters are available in the nftables::rules::out::ospf3 class:

oifname

Data type: Array[String[1]]

optional list of outgoing interfaces to filter on

Default value: []

nftables::rules::out::pop3

allow outgoing pop3

nftables::rules::out::postgres

manage out postgres

nftables::rules::out::puppet

manage outgoing puppet

Parameters

The following parameters are available in the nftables::rules::out::puppet class:

puppetserver

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

puppetserver hostname

puppetserver_port

Data type: Stdlib::Port

puppetserver port

Default value: 8140

nftables::rules::out::pxp_agent

manage outgoing pxp-agent

See also: nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver.

Parameters

The following parameters are available in the nftables::rules::out::pxp_agent class:

broker

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

PXP broker IP(s)

broker_port

Data type: Stdlib::Port

PXP broker port

Default value: 8142

nftables::rules::out::smtp

allow outgoing smtp

nftables::rules::out::smtp_client

allow outgoing smtp client

nftables::rules::out::ssdp

allow outgoing SSDP

Parameters

The following parameters are available in the nftables::rules::out::ssdp class:

ipv4

Data type: Boolean

Allow SSDP over IPv4

Default value: true

ipv6

Data type: Boolean

Allow SSDP over IPv6

Default value: true

nftables::rules::out::ssh

manage out ssh

nftables::rules::out::ssh::remove

disable outgoing ssh

nftables::rules::out::tor

manage out tor

nftables::rules::out::whois

allow clients to query remote whois server

nftables::rules::out::wireguard

manage out wireguard

Parameters

The following parameters are available in the nftables::rules::out::wireguard class:

ports

Data type: Array[Integer,1]

specify wireguard ports

Default value: [51820]

nftables::rules::podman

Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.

nftables::rules::puppet

manage in puppet

Parameters

The following parameters are available in the nftables::rules::puppet class:

ports

Data type: Array[Integer,1]

puppet server ports

Default value: [8140]

nftables::rules::pxp_agent

manage in pxp-agent

Parameters

The following parameters are available in the nftables::rules::pxp_agent class:

ports

Data type: Array[Stdlib::Port,1]

pxp server ports

Default value: [8142]

nftables::rules::qemu

This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch several aspects on and off: for instance, if you don't serve DHCP to your guests you can disable the rules that accept DHCP traffic on the host, or if you don't want your guests to talk to outside hosts you can disable forwarding and/or masquerading for IPv4 traffic.

Parameters

The following parameters are available in the nftables::rules::qemu class:

interface

Data type: String[1]

Interface name used by the bridge.

Default value: 'virbr0'

network_v4

Data type: Stdlib::IP::Address::V4::CIDR

The IPv4 network prefix used in the virtual network.

Default value: '192.168.122.0/24'

network_v6

Data type: Optional[Stdlib::IP::Address::V6::CIDR]

The IPv6 network prefix used in the virtual network.

Default value: undef

dns

Data type: Boolean

Allow DNS traffic from the guests to the host.

Default value: true

dhcpv4

Data type: Boolean

Allow DHCPv4 traffic from the guests to the host.

Default value: true

forward_traffic

Data type: Boolean

Allow forwarded traffic (out all, in related/established) generated by the virtual network.

Default value: true

internal_traffic

Data type: Boolean

Allow guests in the virtual network to talk to each other.

Default value: true

masquerade

Data type: Boolean

Do NAT masquerade on all IPv4 traffic generated by guests to external networks.

Default value: true

nftables::rules::samba

manage Samba, the suite to allow Windows file sharing on Linux resources.

Parameters

The following parameters are available in the nftables::rules::samba class:

ctdb

Data type: Boolean

Enable ctdb-driven clustered Samba setups

Default value: false

action

Data type: Enum['accept', 'drop']

if the traffic should be allowed or dropped

Default value: 'accept'

nftables::rules::smtp

manage in smtp

nftables::rules::smtp_submission

manage in smtp submission

nftables::rules::smtps

manage in smtps

nftables::rules::spotify

allow incoming spotify

nftables::rules::ssdp

allow incoming SSDP

Parameters

The following parameters are available in the nftables::rules::ssdp class:

ipv4

Data type: Boolean

Allow SSDP over IPv4

Default value: true

ipv6

Data type: Boolean

Allow SSDP over IPv6

Default value: true

nftables::rules::ssh

manage in ssh

Parameters

The following parameters are available in the nftables::rules::ssh class:

ports

Data type: Array[Stdlib::Port,1]

ssh ports

Default value: [22]

nftables::rules::tor

manage in tor

Parameters

The following parameters are available in the nftables::rules::tor class:

ports

Data type: Array[Stdlib::Port,1]

ports for tor

Default value: [9001]

nftables::rules::wireguard

manage in wireguard

Parameters

The following parameters are available in the nftables::rules::wireguard class:

ports

Data type: Array[Stdlib::Port,1]

WireGuard ports

Default value: [51820]

nftables::rules::wsd

allow incoming webservice discovery

Parameters

The following parameters are available in the nftables::rules::wsd class:

ipv4

Data type: Boolean

Allow ws-discovery over IPv4

Default value: true

ipv6

Data type: Boolean

Allow ws-discovery over IPv6

Default value: true

nftables::services::dhcpv6_client

Allow inbound and outbound traffic for a DHCPv6 server

nftables::services::openafs_client

Open inbound and outbound ports for an AFS client

Defined types

nftables::chain

manage a chain

Parameters

The following parameters are available in the nftables::chain defined type:

table

Data type: Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]

Default value: 'inet-filter'

chain

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

inject

Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]

Default value: undef

inject_iif

Data type: Optional[String]

Default value: undef

inject_oif

Data type: Optional[String]

Default value: undef

nftables::config

manage a config snippet

Parameters

The following parameters are available in the nftables::config defined type:

tablespec

Data type: Pattern[/^\w+-\w+$/]

Default value: $title

content

Data type: Optional[String]

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef

prefix

Data type: String

Default value: 'custom-'

nftables::file

Insert a file into the nftables configuration

Examples

Include a file that includes other files
nftables::file{'geoip':
  content => @(EOT)
    include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
    include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
    |EOT,
}

Parameters

The following parameters are available in the nftables::file defined type:

label

Data type: String[1]

Unique name to include in filename.

Default value: $title

content

Data type: Optional[String]

The content to place in the file.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

A source to obtain the file content from.

Default value: undef

prefix

Data type: String

Prefix of the file name to be created. If left as 'file-', the file is automatically included in the main nft configuration.

Default value: 'file-'

nftables::helper

manage a conntrack helper

Examples

FTP helper
nftables::helper { 'ftp-standard':
  content => 'type "ftp" protocol tcp;',
}

Parameters

The following parameters are available in the nftables::helper defined type:

content

Data type: String

Conntrack helper definition.

table

Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]

The name of the table to add this helper to.

Default value: 'inet-filter'

helper

Data type: Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]

The symbolic name for the helper.

Default value: $title

nftables::rule

Provides an interface to create a firewall rule

Examples

add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}
Redirect port 443 to port 8443
nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}

Parameters

The following parameters are available in the nftables::rule defined type:

ensure

Data type: Enum['present','absent']

Should the rule be created.

Default value: 'present'

rulename

Data type: Nftables::RuleName

The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

A number representing the order of the rule.

Default value: '50'

table

Data type: String

The name of the table to add this rule to.

Default value: 'inet-filter'

content

Data type: Optional[String]

The raw statements that compose the rule represented using the nftables language.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Same goal as content but sourcing the value from a file.

Default value: undef

nftables::rules::dnat4

manage an IPv4 DNAT rule

Parameters

The following parameters are available in the nftables::rules::dnat4 defined type:

daddr

Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]

port

Data type: Variant[String,Stdlib::Port]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '50'

chain

Data type: String[1]

Default value: 'default_fwd'

iif

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Enum['tcp','udp']

Default value: 'tcp'

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::masquerade

masquerade all outgoing traffic

Parameters

The following parameters are available in the nftables::rules::masquerade defined type:

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

daddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::snat4

manage an IPv4 SNAT rule

Parameters

The following parameters are available in the nftables::rules::snat4 defined type:

snat

Data type: String[1]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::set

manage a named set

Examples

simple set
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}

Parameters

The following parameters are available in the nftables::set defined type:

ensure

Data type: Enum['present','absent']

Should the set be created.

Default value: 'present'

setname

Data type: Pattern[/^[-a-zA-Z0-9_]+$/]

name of the set, equal to the title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

concat ordering.

Default value: '10'

type

Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]

type of set.

Default value: undef

table

Data type: Variant[String, Array[String, 1]]

table or array of tables to add the set to.

Default value: 'inet-filter'

flags

Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]

specify flags for set

Default value: []

timeout

Data type: Optional[Integer]

timeout in seconds

Default value: undef

gc_interval

Data type: Optional[Integer]

garbage collection interval.

Default value: undef

elements

Data type: Optional[Array[String]]

initialize the set with some elements in it.

Default value: undef

size

Data type: Optional[Integer]

limits the maximum number of elements of the set.

Default value: undef

policy

Data type: Optional[Enum['performance', 'memory']]

determines set selection policy.

Default value: undef

auto_merge

Data type: Boolean

automatically merge adjacent/overlapping set elements (only valid for interval sets)

Default value: false

content

Data type: Optional[String]

specify content of set.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

specify source of set.

Default value: undef

nftables::simplerule

Provides a simplified interface to nftables::rule

Examples

allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}

Parameters

The following parameters are available in the nftables::simplerule defined type:

ensure

Data type: Enum['present','absent']

Should the rule be created.

Default value: 'present'

rulename

Data type: Nftables::SimpleRuleName

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

A number representing the order of the rule.

Default value: '50'

chain

Data type: String

The name of the chain to add this rule to.

Default value: 'default_in'

table

Data type: String

The name of the table to add this rule to.

Default value: 'inet-filter'

action

Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']

The verdict for the matched traffic.

Default value: 'accept'

comment

Data type: Optional[String]

A typically human-readable comment for the rule.

Default value: undef

dport

Data type: Optional[Nftables::Port]

The destination port, ports or port range.

Default value: undef

proto

Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]

The transport-layer protocol to match.

Default value: undef

daddr

Data type: Optional[Nftables::Addr]

The destination address, CIDR or set to match.

Default value: undef

set_type

Data type: Enum['ip', 'ip6']

When using sets as saddr or daddr, the type of the set. Use ip for sets of type ipv4_addr.

Default value: 'ip6'

sport

Data type: Optional[Nftables::Port]

The source port, ports or port range.

Default value: undef

saddr

Data type: Optional[Nftables::Addr]

The source address, CIDR or set to match.

Default value: undef

counter

Data type: Boolean

Enable traffic counters for the matched traffic.

Default value: false

iifname

Data type: Variant[Array[String[1]],String[1]]

Optional filter for the incoming interface

Default value: []

oifname

Data type: Variant[Array[String[1]],String[1]]

Optional filter for the outgoing interface

Default value: []
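As an added example (not from the module's own reference), restricting SSH to named sets of management addresses shows nftables::set, Nftables::Addr::Set references and the set_type pitfall together with a raw nftables::rule. It assumes the module defaults (table 'inet-filter', chain 'default_in'); the set names and addresses are constructed samples.

```puppet
# Added example, not from the module's reference: SSH only from management sets.
class { 'nftables':
  in_ssh => false,   # do not add the stock accept-from-anywhere SSH rule
}

# Nftables::Addr::Set values are written '@<setname>' and must match an nftables::set
# in the same table (default 'inet-filter'). Addresses below are constructed samples.
nftables::set { 'mgmt_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  auto_merge => true,
  elements   => ['10.20.0.0/24', '10.20.1.5'],
}

nftables::set { 'mgmt_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:1::/48'],
}

# Brute-force protection as a raw rule (title is an Nftables::RuleName 'chain-name'):
# new SSH connections above 6/minute are counted and dropped. Order 40 places it
# before the simplerule accepts, which use the default order 50.
nftables::rule { 'default_in-ssh_ratelimit':
  content => 'tcp dport 22 ct state new limit rate over 6/minute counter drop',
  order   => '40',
}

# set_type defaults to 'ip6'. An ipv4_addr set needs set_type => 'ip', otherwise the
# rule is built as an 'ip6 saddr @mgmt_v4' expression that does not fit the set's type.
nftables::simplerule { 'ssh_from_mgmt_v4':
  action   => 'accept',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
  counter  => true,
  comment  => 'SSH from IPv4 management set',
}

nftables::simplerule { 'ssh_from_mgmt_v6':
  action   => 'accept',
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v6',
  set_type => 'ip6',
  counter  => true,
  comment  => 'SSH from IPv6 management set',
}
```

With log_discarded left enabled on the nftables class, connections from outside both sets still fall through to the default chain handling and show up in the discard log.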

Data types

Nftables::Addr

Represents an address expression to be used within a rule.

Alias of Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]

Nftables::Addr::Set

Represents a set expression to be used within a rule.

Alias of Pattern[/^@[-a-zA-Z0-9_]+$/]

Nftables::Port

Represents a port expression to be used within a rule.

Alias of Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]

Nftables::Port::Range

Represents a port range expression to be used within a rule.

Alias of Pattern[/^\d+-\d+$/]

Nftables::RuleName

Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash-separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]

Nftables::SimpleRuleName

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]