nftables: Configure nftables
nftables::bridges: allow forwarding traffic on bridges
nftables::inet_filter: manage basic chains in table inet filter
nftables::ip_nat: manage basic chains in table ip nat
nftables::rules::afs3_callback: Open call back port for AFS clients
nftables::rules::ceph: Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
nftables::rules::ceph_mon: Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
nftables::rules::dhcpv6_client
nftables::rules::dns: manage in dns
nftables::rules::http: manage in http
nftables::rules::https: manage in https
nftables::rules::icinga2: manage in icinga2
nftables::rules::icmp
nftables::rules::nfs: manage in nfs4
nftables::rules::nfs3: manage in nfs3
nftables::rules::node_exporter: manage in node exporter
nftables::rules::ospf: manage in ospf
nftables::rules::ospf3: manage in ospf3
nftables::rules::out::all: allow all outbound
nftables::rules::out::ceph_client: Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
nftables::rules::out::chrony: manage out chrony
nftables::rules::out::dhcp: manage out dhcp
nftables::rules::out::dhcpv6_client
nftables::rules::out::dns: manage out dns
nftables::rules::out::http: manage out http
nftables::rules::out::https: manage out https
nftables::rules::out::icmp
nftables::rules::out::kerberos: allows outbound access for kerberos
nftables::rules::out::mysql: manage out mysql
nftables::rules::out::nfs: manage out nfs
nftables::rules::out::nfs3: manage out nfs3
nftables::rules::out::openafs_client: allows outbound access for afs clients
nftables::rules::out::ospf: manage out ospf
nftables::rules::out::ospf3: manage out ospf3
nftables::rules::out::postgres: manage out postgres
nftables::rules::out::puppet: manage outgoing puppet
nftables::rules::out::smtp: manage out smtp
nftables::rules::out::ssh: manage out ssh
nftables::rules::out::ssh::remove: disable outgoing ssh
nftables::rules::out::tor: manage out tor
nftables::rules::out::wireguard: manage out wireguard
nftables::rules::puppet: manage in puppet
nftables::rules::smtp: manage in smtp
nftables::rules::smtp_submission: manage in smtp submission
nftables::rules::smtps: manage in smtps
nftables::rules::ssh: manage in ssh
nftables::rules::tor: manage in tor
nftables::rules::wireguard: manage in wireguard
nftables::services::dhcpv6_client
nftables::services::openafs_client
nftables::chain: manage a chain
nftables::config: manage a config snippet
nftables::rule: manage a chain rule. Name should be: CHAIN_NAME-rulename
nftables::rules::dnat4: manage an IPv4 DNAT rule
nftables::rules::masquerade: masquerade all outgoing traffic
nftables::rules::snat4: manage an IPv4 SNAT rule
nftables::set: manage a named set
nftables::simplerule: Provides a simplified interface to nftables::rule
Nftables::Addr: Represents an address expression to be used within a rule.
Nftables::Addr::Set: Represents a set expression to be used within a rule.
Nftables::Port: Represents a port expression to be used within a rule.
Nftables::Port::Range: Represents a port range expression to be used within a rule.
Configure nftables
class{'nftables':
  out_ntp => false,
  out_dns => true,
}
class{'nftables':
  noflush_tables => ['inet-f2b-table'],
}
The following parameters are available in the nftables class.
Data type: Boolean
Allow all outbound connections. If true, then all other out parameters (out_ntp, out_dns, ...) will be assumed false.
Default value: false
Data type: Boolean
Allow outbound to ntp servers.
Default value: true
Data type: Boolean
Allow outbound to http servers.
Default value: true
Data type: Boolean
Allow outbound to https servers.
Default value: true
Allow outbound to https servers.
Default value: true
Data type: Boolean
Allow outbound ICMPv4/v6 traffic.
Default value: true
Data type: Boolean
Allow inbound to ssh servers.
Default value: true
Data type: Boolean
Allow inbound ICMPv4/v6 traffic.
Default value: true
Data type: Boolean
Add default tables and chains to process NAT traffic.
Default value: true
Data type: Hash
Allows sourcing set definitions directly from Hiera.
Default value: {}
Data type: String
String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:
- chain: Will be replaced by the name of the chain.
- comment: Allows chains to add extra comments.
Default value: '[nftables] %<chain>s %<comment>s'
Data type: Variant[Boolean[false], String]
String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.
Default value: '3/minute burst 5 packets'
Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]
How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop); otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.
Default value: 'icmpx type port-unreachable'
Data type: Boolean
Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: true
Data type: Boolean
Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: false
Data type: Variant[Boolean[false], Enum['mask']]
Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.
Default value: 'mask'
Data type: Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]
If specified, only existing tables other than the ones listed will be flushed.
If left unset, all tables will be flushed via a flush ruleset.
Default value: undef
Data type: Boolean
Default value: true
Data type: Hash
Default value: {}
allow forwarding traffic on bridges
The following parameters are available in the nftables::bridges class.
Data type: Enum['present','absent']
Default value: 'present'
Data type: Regexp
Default value: /^br.+/
manage basic chains in table inet filter
manage basic chains in table ip nat
class{'nftables::rules::afs3_callback': saddr => ['192.168.0.0/16', '10.0.0.222'] }
The following parameters are available in the nftables::rules::afs3_callback class.
Data type: Array[Stdlib::IP::Address::V4,1]
list of source network ranges to a
Default value: ['0.0.0.0/0']
Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
The following parameters are available in the nftables::rules::ceph_mon class.
Data type: Array[Stdlib::Port,1]
Default value: [3300, 6789]
The nftables::rules::dhcpv6_client class.
manage in dns
The following parameters are available in the nftables::rules::dns class.
Data type: Array[Stdlib::Port,1]
Default value: [53]
manage in http
manage in https
manage in icinga2
The following parameters are available in the nftables::rules::icinga2 class.
Data type: Array[Stdlib::Port,1]
Default value: [5665]
The nftables::rules::icmp class.
The following parameters are available in the nftables::rules::icmp class.
Data type: Optional[Array[String]]
Default value: undef
Data type: Optional[Array[String]]
Default value: undef
Data type: String
Default value: '10'
manage in nfs4
manage in nfs3
manage in node exporter
The following parameters are available in the nftables::rules::node_exporter class.
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
Data type: Stdlib::Port
Default value: 9100
manage in ospf
manage in ospf3
allow all outbound
Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
The following parameters are available in the nftables::rules::out::ceph_client class.
Data type: Array[Stdlib::Port,1]
Default value: [3300, 6789]
manage out chrony
manage out dhcp
The nftables::rules::out::dhcpv6_client class.
manage out dns
The following parameters are available in the nftables::rules::out::dns class.
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
manage out http
manage out https
The nftables::rules::out::icmp class.
The following parameters are available in the nftables::rules::out::icmp class.
Data type: Optional[Array[String]]
Default value: undef
Data type: Optional[Array[String]]
Default value: undef
Data type: String
Default value: '10'
allows outbound access for kerberos
manage out mysql
manage out nfs
manage out nfs3
allows outbound access for afs clients:
- 7000 - afs3-fileserver
- 7002 - afs3-ptserver
- 7003 - vlserver
See also: AFS Service Ports, https://wiki.openafs.org/devel/AFSServicePorts/
The following parameters are available in the nftables::rules::out::openafs_client class.
Data type: Array[Stdlib::Port,1]
Default value: [7000, 7002, 7003]
manage out ospf
manage out ospf3
manage out postgres
manage outgoing puppet
The following parameters are available in the nftables::rules::out::puppet class.
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
Data type: Stdlib::Port
Default value: 8140
manage out smtp
manage out ssh
disable outgoing ssh
manage out tor
manage out wireguard
The following parameters are available in the nftables::rules::out::wireguard class.
Data type: Array[Integer,1]
Default value: [51820]
manage in puppet
The following parameters are available in the nftables::rules::puppet class.
Data type: Array[Integer,1]
Default value: [8140]
manage in smtp
manage in smtp submission
manage in smtps
manage in ssh
The following parameters are available in the nftables::rules::ssh class.
Data type: Array[Stdlib::Port,1]
Default value: [22]
manage in tor
The following parameters are available in the nftables::rules::tor class.
Data type: Array[Stdlib::Port,1]
Default value: [9001]
manage in wireguard
The following parameters are available in the nftables::rules::wireguard class.
Data type: Array[Stdlib::Port,1]
Default value: [51820]
The nftables::services::dhcpv6_client class.
The nftables::services::openafs_client class.
manage a chain
The following parameters are available in the nftables::chain defined type.
Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
Default value: 'inet-filter'
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
Default value: undef
Data type: Optional[String]
Default value: undef
Data type: Optional[String]
Default value: undef
manage a config snippet
The following parameters are available in the nftables::config defined type.
Data type: Pattern[/^\w+-\w+$/]
Default value: $title
Data type: Optional[String]
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
Data type: String
Default value: 'custom-'
manage a chain rule. Name should be: CHAIN_NAME-rulename
The following parameters are available in the nftables::rule defined type.
Data type: Enum['present','absent']
Default value: 'present'
Data type: Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '50'
Data type: Optional[String]
Default value: 'inet-filter'
Data type: Optional[String]
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
manage an IPv4 DNAT rule
The following parameters are available in the nftables::rules::dnat4 defined type.
Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
Data type: Variant[String,Stdlib::Port]
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '50'
Data type: String[1]
Default value: 'default_fwd'
Data type: Optional[String[1]]
Default value: undef
Data type: Enum['tcp','udp']
Default value: 'tcp'
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: ''
Data type: Enum['present','absent']
Default value: 'present'
masquerade all outgoing traffic
The following parameters are available in the nftables::rules::masquerade defined type.
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '70'
Data type: String[1]
Default value: 'POSTROUTING'
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[Enum['tcp','udp']]
Default value: undef
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
Data type: Enum['present','absent']
Default value: 'present'
manage an IPv4 SNAT rule
The following parameters are available in the nftables::rules::snat4 defined type.
Data type: String[1]
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
Data type: Pattern[/^\d\d$/]
Default value: '70'
Data type: String[1]
Default value: 'POSTROUTING'
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[String[1]]
Default value: undef
Data type: Optional[Enum['tcp','udp']]
Default value: undef
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
Data type: Enum['present','absent']
Default value: 'present'
manage a named set
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}
The following parameters are available in the nftables::set defined type.
Data type: Enum['present','absent']
should the set be created.
Default value: 'present'
Data type: Pattern[/^[-a-zA-Z0-9_]+$/]
name of set, equal to title.
Default value: $title
Data type: Pattern[/^\d\d$/]
concat ordering.
Default value: '10'
Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]
type of set.
Default value: undef
Data type: String
table to add set to.
Default value: 'inet-filter'
Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]
specify flags for set
Default value: []
Data type: Optional[Integer]
timeout in seconds
Default value: undef
Data type: Optional[Integer]
garbage collection interval.
Default value: undef
Data type: Optional[Array[String]]
initialize the set with some elements in it.
Default value: undef
Data type: Optional[Integer]
limits the maximum number of elements of the set.
Default value: undef
Data type: Optional[Enum['performance', 'memory']]
determines set selection policy.
Default value: undef
Data type: Boolean
?
Default value: false
Data type: Optional[String]
specify content of set.
Default value: undef
Data type: Optional[Variant[String,Array[String,1]]]
specify source of set.
Default value: undef
Provides a simplified interface to nftables::rule
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}
The following parameters are available in the nftables::simplerule defined type.
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
Data type: Pattern[/^[-a-zA-Z0-9_]+$/]
The symbolic name for the rule to add. Defaults to the resource's title.
Default value: $title
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
Data type: String
The name of the chain to add this rule to.
Default value: 'default_in'
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']
The verdict for the matched traffic.
Default value: 'accept'
Data type: Optional[String]
A typically human-readable comment for the rule.
Default value: undef
Data type: Optional[Nftables::Port]
The destination port, ports or port range.
Default value: undef
Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]
The transport-layer protocol to match.
Default value: undef
Data type: Optional[Nftables::Addr]
The destination address, CIDR or set to match.
Default value: undef
Data type: Enum['ip', 'ip6']
When using sets as saddr or daddr, the type of the set. Use ip for sets of type ipv4_addr.
Default value: 'ip6'
Data type: Optional[Nftables::Port]
The source port, ports or port range.
Default value: undef
Data type: Optional[Nftables::Addr]
The source address, CIDR or set to match.
Default value: undef
Data type: Boolean
Enable traffic counters for the matched traffic.
Default value: false
Represents an address expression to be used within a rule.
Alias of Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]
Represents a set expression to be used within a rule.
Alias of Pattern[/^@[-a-zA-Z0-9_]+$/]
Represents a port expression to be used within a rule.
Alias of Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]
Represents a port range expression to be used within a rule.
Alias of Pattern[/^\d+-\d+$/]
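The following manifest ties nftables::set, nftables::simplerule and the Nftables::Addr::Set and Nftables::Port::Range aliases together: it replaces the default "ssh from anywhere" rule with one that only admits a named IPv4 set, and shows a port-range rule. This is an added example, not part of the module's reference; the parameter names in_ssh, out_all (nftables class) and set_type (nftables::simplerule) are not visible on this page and are assumed from the module, and all addresses are constructed.

```puppet
# Added example (not from the module's own docs). Assumed parameter
# names where this page lost them: in_ssh, out_all, set_type.
class { 'nftables':
  in_ssh  => false,   # drop the default rule that accepts ssh from any source
  out_all => false,   # keep the per-service out_* rules rather than open egress
  out_ntp => true,
  out_dns => true,
}

# Constructed set of management networks. ipv4_addr elements carry the
# 'interval' flag so CIDR prefixes are valid members; table defaults to
# 'inet-filter', the same table nftables::simplerule writes to.
nftables::set { 'mgmt_v4':
  type     => 'ipv4_addr',
  flags    => ['interval'],
  elements => ['10.20.0.0/24', '192.168.100.0/24'],
}

# SSH only from the set above. saddr uses the Nftables::Addr::Set form
# ('@name'). set_type must be 'ip' because the set holds ipv4_addr; the
# default 'ip6' would emit an ip6 saddr match that never hits IPv4 clients.
nftables::simplerule { 'ssh_from_mgmt':
  action   => 'accept',
  comment  => 'ssh from management networks only',
  counter  => true,        # per-rule counters make the match observable in nft list
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_v4',
  set_type => 'ip',
}

# Port range in the Nftables::Port::Range form ('\d+-\d+'), restricted to
# IPv6 clients via proto => 'tcp6' and a constructed destination prefix.
nftables::simplerule { 'passive_range_in':
  action => 'accept',
  proto  => 'tcp6',
  dport  => '30000-30100',
  daddr  => '2001:db8::/32',
}
```

After a Puppet run, `nft list table inet filter` should show the set @mgmt_v4 and an `ip saddr @mgmt_v4 tcp dport 22 counter accept` rule in the default_in chain, with no unrestricted port 22 rule left.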