REFERENCE.md
Reference

Table of Contents

  • Classes
  • Defined types
  • Data types

Classes

nftables

Configure nftables

Examples

allow dns out and do not allow ntp out
class{'nftables':
  out_ntp = false,
  out_dns = true,
}
do not flush particular tables, fail2ban in this case
class{'nftables':
  noflush_tables = ['inet-f2b-table'],
}

Parameters

The following parameters are available in the nftables class.

out_all

Data type: Boolean

Allow all outbound connections. If true, all other out parameters (out_ntp, out_dns, ...) will be assumed false.

Default value: false

out_ntp

Data type: Boolean

Allow outbound to ntp servers.

Default value: true

out_http

Data type: Boolean

Allow outbound to http servers.

Default value: true

out_https

Data type: Boolean

Allow outbound to https servers.

Default value: true

out_icmp

Data type: Boolean

Allow outbound ICMPv4/v6 traffic.

Default value: true

in_ssh

Data type: Boolean

Allow inbound to ssh servers.

Default value: true

in_icmp

Data type: Boolean

Allow inbound ICMPv4/v6 traffic.

Default value: true

nat

Data type: Boolean

Add default tables and chains to process NAT traffic.

Default value: true

sets

Data type: Hash

Allows sourcing set definitions directly from Hiera.

Default value: {}

log_prefix

Data type: String

String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:

  • chain: Will be replaced by the name of the chain.
  • comment: Allows chains to add extra comments.

Default value: '[nftables] %<chain>s %<comment>s'

log_limit

Data type: Variant[Boolean[false], String]

String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.

Default value: '3/minute burst 5 packets'

reject_with

Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]

How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop), otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.

Default value: 'icmpx type port-unreachable'

in_out_conntrack

Data type: Boolean

Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: true

fwd_conntrack

Data type: Boolean

Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: false

firewalld_enable

Data type: Variant[Boolean[false], Enum['mask']]

Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.

Default value: 'mask'

noflush_tables

Data type: Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]

If specified, only the other existing tables will be flushed. If left unset, all tables will be flushed via a flush ruleset.

Default value: undef

out_dns

Data type: Boolean

Default value: true

rules

Data type: Hash

Default value: {}

nftables::bridges

allow forwarding traffic on bridges

Parameters

The following parameters are available in the nftables::bridges class.

ensure

Data type: Enum['present','absent']

Default value: 'present'

bridgenames

Data type: Regexp

Default value: /^br.+/

nftables::inet_filter

manage basic chains in table inet filter

nftables::ip_nat

manage basic chains in table ip nat

nftables::rules::afs3_callback

class{'nftables::rules::afs3_callback': saddr => ['192.168.0.0/16', '10.0.0.222'] }

Parameters

The following parameters are available in the nftables::rules::afs3_callback class.

saddr

Data type: Array[Stdlib::IP::Address::V4,1]

list of source network ranges to a

Default value: ['0.0.0.0/0']

nftables::rules::ceph

Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).

nftables::rules::ceph_mon

Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.

Parameters

The following parameters are available in the nftables::rules::ceph_mon class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [3300, 6789]

nftables::rules::dhcpv6_client

The nftables::rules::dhcpv6_client class.

nftables::rules::dns

manage in dns

Parameters

The following parameters are available in the nftables::rules::dns class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [53]

nftables::rules::http

manage in http

nftables::rules::https

manage in https

nftables::rules::icinga2

manage in icinga2

Parameters

The following parameters are available in the nftables::rules::icinga2 class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [5665]

nftables::rules::icmp

The nftables::rules::icmp class.

Parameters

The following parameters are available in the nftables::rules::icmp class.

v4_types

Data type: Optional[Array[String]]

Default value: undef

v6_types

Data type: Optional[Array[String]]

Default value: undef

order

Data type: String

Default value: '10'

nftables::rules::nfs

manage in nfs4

nftables::rules::nfs3

manage in nfs3

nftables::rules::node_exporter

manage in node exporter

Parameters

The following parameters are available in the nftables::rules::node_exporter class.

prometheus_server

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef

port

Data type: Stdlib::Port

Default value: 9100

nftables::rules::ospf

manage in ospf

nftables::rules::ospf3

manage in ospf3

nftables::rules::out::all

allow all outbound

nftables::rules::out::ceph_client

Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).

Parameters

The following parameters are available in the nftables::rules::out::ceph_client class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [3300, 6789]

nftables::rules::out::chrony

manage out chrony

nftables::rules::out::dhcp

manage out dhcp

nftables::rules::out::dhcpv6_client

The nftables::rules::out::dhcpv6_client class.

nftables::rules::out::dns

manage out dns

Parameters

The following parameters are available in the nftables::rules::out::dns class.

dns_server

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef

nftables::rules::out::http

manage out http

nftables::rules::out::https

manage out https

nftables::rules::out::icmp

The nftables::rules::out::icmp class.

Parameters

The following parameters are available in the nftables::rules::out::icmp class.

v4_types

Data type: Optional[Array[String]]

Default value: undef

v6_types

Data type: Optional[Array[String]]

Default value: undef

order

Data type: String

Default value: '10'

nftables::rules::out::kerberos

allows outbound access for kerberos

nftables::rules::out::mysql

manage out mysql

nftables::rules::out::nfs

manage out nfs

nftables::rules::out::nfs3

manage out nfs3

nftables::rules::out::openafs_client

  • 7000 - afs3-fileserver
  • 7002 - afs3-ptserver
  • 7003 - vlserver

Parameters

The following parameters are available in the nftables::rules::out::openafs_client class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [7000, 7002, 7003]

nftables::rules::out::ospf

manage out ospf

nftables::rules::out::ospf3

manage out ospf3

nftables::rules::out::postgres

manage out postgres

nftables::rules::out::puppet

manage outgoing puppet

Parameters

The following parameters are available in the nftables::rules::out::puppet class.

puppetserver

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

puppetserver_port

Data type: Stdlib::Port

Default value: 8140

nftables::rules::out::smtp

manage out smtp

nftables::rules::out::ssh

manage out ssh

nftables::rules::out::ssh::remove

disable outgoing ssh

nftables::rules::out::tor

manage out tor

nftables::rules::out::wireguard

manage out wireguard

Parameters

The following parameters are available in the nftables::rules::out::wireguard class.

ports

Data type: Array[Integer,1]

Default value: [51820]

nftables::rules::puppet

manage in puppet

Parameters

The following parameters are available in the nftables::rules::puppet class.

ports

Data type: Array[Integer,1]

Default value: [8140]

nftables::rules::smtp

manage in smtp

nftables::rules::smtp_submission

manage in smtp submission

nftables::rules::smtps

manage in smtps

nftables::rules::ssh

manage in ssh

Parameters

The following parameters are available in the nftables::rules::ssh class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [22]

nftables::rules::tor

manage in tor

Parameters

The following parameters are available in the nftables::rules::tor class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [9001]

nftables::rules::wireguard

manage in wireguard

Parameters

The following parameters are available in the nftables::rules::wireguard class.

ports

Data type: Array[Stdlib::Port,1]

Default value: [51820]

nftables::services::dhcpv6_client

The nftables::services::dhcpv6_client class.

nftables::services::openafs_client

The nftables::services::openafs_client class.

Defined types

nftables::chain

manage a chain

Parameters

The following parameters are available in the nftables::chain defined type.

table

Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]

Default value: 'inet-filter'

chain

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

inject

Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]

Default value: undef

inject_iif

Data type: Optional[String]

Default value: undef

inject_oif

Data type: Optional[String]

Default value: undef

nftables::config

manage a config snippet

Parameters

The following parameters are available in the nftables::config defined type.

tablespec

Data type: Pattern[/^\w+-\w+$/]

Default value: $title

content

Data type: Optional[String]

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef

prefix

Data type: String

Default value: 'custom-'

nftables::rule

manage a chain rule. Name should be: CHAIN_NAME-rulename

Parameters

The following parameters are available in the nftables::rule defined type.

ensure

Data type: Enum['present','absent']

Default value: 'present'

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '50'

table

Data type: Optional[String]

Default value: 'inet-filter'

content

Data type: Optional[String]

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef
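An added example (not from the module's own reference) combining nftables::chain and nftables::rule: a dedicated chain for an internal service is injected into the default_in chain, and its rules follow the CHAIN_NAME-rulename convention with explicit ordering. It assumes the inject value has the form ORDER-CHAIN as its Pattern implies, that inject_iif restricts the jump to packets arriving on that interface, and that the interface name and port are placeholders.

```puppet
# Added example, not part of the puppet-nftables reference.
# A chain of our own in table inet-filter, reached from default_in by a jump
# rule placed at order 20 (assumption: inject is ORDER-SOURCE_CHAIN). The
# jump only applies to packets arriving on eth1 (placeholder interface).
nftables::chain { 'internal_svc':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'eth1',
}

# Rule titles are CHAIN_NAME-rulename: the part before the first dash picks
# the chain, the rest names the rule. Order '10' runs before the catch-all.
nftables::rule { 'internal_svc-metrics':
  order   => '10',
  content => 'tcp dport 9100 ct state new accept',  # placeholder port
}

# Everything else reaching this chain is logged at a bounded rate and
# dropped, so a scan cannot flood the log.
nftables::rule { 'internal_svc-log':
  order   => '90',
  content => 'limit rate 3/minute burst 5 packets log prefix "[nftables] internal_svc dropped: "',
}

nftables::rule { 'internal_svc-drop':
  order   => '99',
  content => 'drop',
}
```

Because the jump sits at order 20 in default_in, rules in that chain with a lower order (for example the conntrack rules added by in_out_conntrack) still run first.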

nftables::rules::dnat4

manage an ipv4 dnat rule

Parameters

The following parameters are available in the nftables::rules::dnat4 defined type.

daddr

Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]

port

Data type: Variant[String,Stdlib::Port]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '50'

chain

Data type: String[1]

Default value: 'default_fwd'

iif

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Enum['tcp','udp']

Default value: 'tcp'

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: ''

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::masquerade

masquerade all outgoing traffic

Parameters

The following parameters are available in the nftables::rules::masquerade defined type.

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

daddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::snat4

manage an ipv4 snat rule

Parameters

The following parameters are available in the nftables::rules::snat4 defined type.

snat

Data type: String[1]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'
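An added example (not from the module's own reference) of the NAT defined types together with the nat and fwd_conntrack parameters of the main class: a LAN behind eth0 is masqueraded, and one published service is forwarded to a host in the LAN. It assumes that port is the port on the target host and dport the port matched on incoming packets (falling back to port when left at its '' default), and that interface names and addresses are placeholders.

```puppet
# Added example, not part of the puppet-nftables reference.
# nat => true creates the ip nat table and chains; fwd_conntrack => true adds
# the FORWARD rules that let established and related return traffic through
# and drop invalid packets, which the forwarded service needs.
class { 'nftables':
  nat           => true,
  fwd_conntrack => true,
}

# Masquerade only the internal prefix leaving via the uplink (placeholders),
# so nothing else that happens to traverse the box gets rewritten.
nftables::rules::masquerade { 'lan_to_uplink':
  oif   => 'eth0',
  saddr => '10.20.0.0/24',
}

# Publish TCP 443 on the uplink and forward it to 10.20.0.10:8443
# (assumption: dport is the externally matched port, port the target port).
# The type also adds the matching accept rule in chain default_fwd, so the
# forwarded flow is not dropped by the filter.
nftables::rules::dnat4 { 'web_to_lan':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 443,
  daddr => '10.20.0.10',
  port  => 8443,
}
```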

nftables::set

manage a named set

Examples

simple set
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}

Parameters

The following parameters are available in the nftables::set defined type.

ensure

Data type: Enum['present','absent']

should the set be created.

Default value: 'present'

setname

Data type: Pattern[/^[-a-zA-Z0-9_]+$/]

name of set, equal to title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

concat ordering.

Default value: '10'

type

Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]

type of set.

Default value: undef

table

Data type: String

table to add set to.

Default value: 'inet-filter'

flags

Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]

specify flags for set

Default value: []

timeout

Data type: Optional[Integer]

timeout in seconds

Default value: undef

gc_interval

Data type: Optional[Integer]

garbage collection interval.

Default value: undef

elements

Data type: Optional[Array[String]]

initialize the set with some elements in it.

Default value: undef

size

Data type: Optional[Integer]

limits the maximum number of elements of the set.

Default value: undef

policy

Data type: Optional[Enum['performance', 'memory']]

determines set selection policy.

Default value: undef

auto_merge

Data type: Boolean

merge adjacent or overlapping interval elements automatically (the nftables auto-merge set option).

Default value: false

content

Data type: Optional[String]

specify content of set.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

specify source of set.

Default value: undef

nftables::simplerule

Provides a simplified interface to nftables::rule

Examples

allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}

Parameters

The following parameters are available in the nftables::simplerule defined type.

ensure

Data type: Enum['present','absent']

Should the rule be created.

Default value: 'present'

rulename

Data type: Pattern[/^[-a-zA-Z0-9_]+$/]

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

A number representing the order of the rule.

Default value: '50'

chain

Data type: String

The name of the chain to add this rule to.

Default value: 'default_in'

table

Data type: String

The name of the table to add this rule to.

Default value: 'inet-filter'

action

Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']

The verdict for the matched traffic.

Default value: 'accept'

comment

Data type: Optional[String]

A typically human-readable comment for the rule.

Default value: undef

dport

Data type: Optional[Nftables::Port]

The destination port, ports or port range.

Default value: undef

proto

Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]

The transport-layer protocol to match.

Default value: undef

daddr

Data type: Optional[Nftables::Addr]

The destination address, CIDR or set to match.

Default value: undef

set_type

Data type: Enum['ip', 'ip6']

When using sets as saddr or daddr, the type of the set. Use ip for sets of type ipv4_addr.

Default value: 'ip6'

sport

Data type: Optional[Nftables::Port]

The source port, ports or port range.

Default value: undef

saddr

Data type: Optional[Nftables::Addr]

The source address, CIDR or set to match.

Default value: undef

counter

Data type: Boolean

Enable traffic counters for the matched traffic.

Default value: false
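An added example (not from the module's own reference) that serves both the nftables::set and nftables::simplerule sections: an IPv4 allow-list is kept in a named set and referenced from simplerules through the Nftables::Addr::Set form '@name', with set_type set to 'ip' because the set is of type ipv4_addr. Addresses and ports are constructed placeholders; in_ssh is disabled on the main class on the assumption that its default rule would otherwise accept ssh from any source.

```puppet
# Added example, not part of the puppet-nftables reference.
# Turn off the module's own unrestricted ssh rule (assumption: in_ssh => true
# accepts ssh from anywhere), so the allow-list below is what admits ssh.
class { 'nftables':
  in_ssh => false,
}

# An interval set of management prefixes and hosts (constructed values).
# auto_merge collapses adjacent or overlapping intervals.
nftables::set { 'mgmt_hosts':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.10.0.0/24', '192.0.2.17'],
  auto_merge => true,
  table      => 'inet-filter',
}

# '@mgmt_hosts' is an Nftables::Addr::Set; set_type 'ip' is required for
# an ipv4_addr set (the default 'ip6' is for ipv6_addr sets).
nftables::simplerule { 'ssh_from_mgmt':
  action   => 'accept',
  comment  => 'ssh only from the management allow-list',
  counter  => true,
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_hosts',
  set_type => 'ip',
  chain    => 'default_in',
  order    => '20',
}

# A port range uses the Nftables::Port::Range form 'low-high'; a fixed list
# of ports would be an array such as [8080, 8443].
nftables::simplerule { 'passive_ftp_from_mgmt':
  proto    => 'tcp',
  dport    => '30000-30100',
  saddr    => '@mgmt_hosts',
  set_type => 'ip',
}
```

The counter on the ssh rule makes it easy to confirm with `nft list ruleset` that connections are actually hitting the allow-list rule rather than some broader accept.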

Data types

Nftables::Addr

Represents an address expression to be used within a rule.

Alias of Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]

Nftables::Addr::Set

Represents a set expression to be used within a rule.

Alias of Pattern[/^@[-a-zA-Z0-9_]+$/]

Nftables::Port

Represents a port expression to be used within a rule.

Alias of Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]

Nftables::Port::Range

Represents a port range expression to be used within a rule.

Alias of Pattern[/^\d+-\d+$/]