Reference

Table of Contents

Classes

Defined types

Data types

  • Nftables::Addr: Represents an address expression to be used within a rule.
  • Nftables::Addr::Set: Represents a set expression to be used within a rule.
  • Nftables::Port: Represents a port expression to be used within a rule.
  • Nftables::Port::Range: Represents a port range expression to be used within a rule.
  • Nftables::RuleName: Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
  • Nftables::SimpleRuleName: Represents a simple rule name to be used in a rule created via nftables::simplerule

Classes

nftables

Configure nftables

Examples

allow dns out and do not allow ntp out
class{'nftables':
  out_ntp => false,
  out_dns => true,
}
do not flush particular tables, fail2ban in this case
class{'nftables':
  noflush_tables => ['inet-f2b-table'],
}

Parameters

The following parameters are available in the nftables class:

out_all

Data type: Boolean

Allow all outbound connections. If true, all other out parameters (out_ntp, out_dns, ...) are assumed to be false.

Default value: false

out_ntp

Data type: Boolean

Allow outbound to ntp servers.

Default value: true

out_http

Data type: Boolean

Allow outbound to http servers.

Default value: true

out_dns

Data type: Boolean

Allow outbound to dns servers.

Default value: true

out_https

Data type: Boolean

Allow outbound to https servers.

Default value: true

out_icmp

Data type: Boolean

Allow outbound ICMPv4/v6 traffic.

Default value: true

in_ssh

Data type: Boolean

Allow inbound to ssh servers.

Default value: true

in_icmp

Data type: Boolean

Allow inbound ICMPv4/v6 traffic.

Default value: true

inet_filter

Data type: Boolean

Add default tables, chains and rules to process traffic.

Default value: true

nat

Data type: Boolean

Add default tables and chains to process NAT traffic.

Default value: true

sets

Data type: Hash

Allows sourcing set definitions directly from Hiera.

Default value: {}

log_prefix

Data type: String

String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:

  • chain: Will be replaced by the name of the chain.
  • comment: Allows chains to add extra comments.

Default value: '[nftables] %<chain>s %<comment>s'

log_limit

Data type: Variant[Boolean[false], String]

String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.

Default value: '3/minute burst 5 packets'

reject_with

Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]

How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop), otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.

Default value: 'icmpx type port-unreachable'

in_out_conntrack

Data type: Boolean

Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: true

fwd_conntrack

Data type: Boolean

Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.

Default value: false

firewalld_enable

Data type: Variant[Boolean[false], Enum['mask']]

Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.

Default value: 'mask'

noflush_tables

Data type: Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]

If specified, only the other existing tables will be flushed. If left unset, all tables will be flushed via a flush ruleset.

Default value: undef

rules

Data type: Hash

Specify hashes of nftables::rule resources via Hiera.

Default value: {}
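The parameters above combine into a complete host policy. The following is an added example, not taken from the module's own REFERENCE: it narrows outbound traffic to the services the host needs, replaces the open ssh rule with one restricted to a management set, keeps a fail2ban table out of the flush, and feeds a set and a raw rule through the sets and rules hashes. It assumes that each key of those hashes becomes an nftables::set or nftables::rule resource with the hash as its parameters; the table name inet-f2b-table, the set mgmt_nets and the address ranges are constructed for illustration.

```puppet
# Added example (not the module's own code). Assumes the 'sets' and 'rules'
# hashes are passed through as nftables::set / nftables::rule parameters.
class { 'nftables':
  # Only the outbound services this host needs; out_all stays false so the
  # individual out_* switches remain in effect.
  out_all        => false,
  out_ntp        => true,
  out_dns        => true,
  out_http       => false,
  out_https      => true,
  out_icmp       => true,
  # Disable the module's open ssh rule; a restricted one is added below.
  in_ssh         => false,
  in_icmp        => true,
  # Logged rejects keep the chain name and are rate limited so a flood
  # cannot fill the journal.
  log_prefix     => '[nftables] %<chain>s %<comment>s',
  log_limit      => '3/minute burst 5 packets',
  reject_with    => 'icmpx type admin-prohibited',
  # fail2ban manages its own table; leave it alone on every Puppet run.
  noflush_tables => ['inet-f2b-table'],
  # Constructed set of management prefixes (documentation ranges).
  sets           => {
    'mgmt_nets' => {
      'type'     => 'ipv4_addr',
      'flags'    => ['interval'],
      'elements' => ['192.0.2.0/24', '198.51.100.0/24'],
    },
  },
  # Title follows Nftables::RuleName: '<chain>-<name>'.
  rules          => {
    'default_in-ssh_mgmt' => {
      'order'   => '40',
      'content' => 'ip saddr @mgmt_nets tcp dport 22 accept',
    },
  },
}
```

Setting in_ssh to false and adding the restricted rule, rather than keeping both, matters because the default rule would accept port 22 from any source before the restricted rule was ever consulted.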

nftables::bridges

allow forwarding traffic on bridges

Parameters

The following parameters are available in the nftables::bridges class:

ensure

Data type: Enum['present','absent']

Default value: 'present'

bridgenames

Data type: Regexp

Default value: /^br.+/

nftables::inet_filter

manage basic chains in table inet filter

nftables::ip_nat

manage basic chains in table ip nat

nftables::rules::activemq

Provides input rules for Apache ActiveMQ

Parameters

The following parameters are available in the nftables::rules::activemq class:

tcp

Data type: Boolean

Create the rule for TCP traffic.

Default value: true

udp

Data type: Boolean

Create the rule for UDP traffic.

Default value: true

port

Data type: Stdlib::Port

The port number for the ActiveMQ daemon.

Default value: 61616

nftables::rules::afs3_callback

Open call back port for AFS clients

Examples

allow call backs from particular hosts
class{'nftables::rules::afs3_callback':
  saddr => ['192.168.0.0/16', '10.0.0.222']
}

Parameters

The following parameters are available in the nftables::rules::afs3_callback class:

saddr

Data type: Array[Stdlib::IP::Address::V4,1]

list of source network ranges to a

Default value: ['0.0.0.0/0']

nftables::rules::ceph

Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).

nftables::rules::ceph_mon

Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.

Parameters

The following parameters are available in the nftables::rules::ceph_mon class:

ports

Data type: Array[Stdlib::Port,1]

specify ports for ceph service

Default value: [3300, 6789]

nftables::rules::dhcpv6_client

allow DHCPv6 requests in to a host

nftables::rules::dns

manage in dns

Parameters

The following parameters are available in the nftables::rules::dns class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports for dns.

Default value: [53]

nftables::rules::docker_ce

The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.

This class is needed as the default docker-ce rules added to ip-filter conflict with the inet-filter forward rules set by default in this module.

When using this class 'docker::iptables: false' should be set.

Parameters

The following parameters are available in the nftables::rules::docker_ce class:

docker_interface

Data type: String[1]

Interface name used by docker.

Default value: 'docker0'

docker_prefix

Data type: Stdlib::IP::Address::V4::CIDR

The address space used by docker.

Default value: '172.17.0.0/16'

manage_docker_chains

Data type: Boolean

Flag to control whether the class should create the docker related chains.

Default value: true

manage_base_chains

Data type: Boolean

Flag to control whether the class should create the base common chains.

Default value: true

nftables::rules::http

manage in http

nftables::rules::https

manage in https

nftables::rules::icinga2

manage in icinga2

Parameters

The following parameters are available in the nftables::rules::icinga2 class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports for icinga2.

Default value: [5665]

nftables::rules::icmp

The nftables::rules::icmp class.

Parameters

The following parameters are available in the nftables::rules::icmp class:

v4_types

Data type: Optional[Array[String]]

Default value: undef

v6_types

Data type: Optional[Array[String]]

Default value: undef

order

Data type: String

Default value: '10'

nftables::rules::nfs

manage in nfs4

nftables::rules::nfs3

manage in nfs3

nftables::rules::node_exporter

manage in node exporter

Parameters

The following parameters are available in the nftables::rules::node_exporter class:

prometheus_server

Data type: Optional[Variant[String,Array[String,1]]]

Specify server name

Default value: undef

port

Data type: Stdlib::Port

Specify port to open

Default value: 9100

nftables::rules::ospf

manage in ospf

nftables::rules::ospf3

manage in ospf3

nftables::rules::out::all

allow all outbound

nftables::rules::out::ceph_client

Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).

Parameters

The following parameters are available in the nftables::rules::out::ceph_client class:

ports

Data type: Array[Stdlib::Port,1]

Specify ports to open

Default value: [3300, 6789]

nftables::rules::out::chrony

manage out chrony

nftables::rules::out::dhcp

manage out dhcp

nftables::rules::out::dhcpv6_client

Allow DHCPv6 requests out of a host

nftables::rules::out::dns

manage out dns

Parameters

The following parameters are available in the nftables::rules::out::dns class:

dns_server

Data type: Optional[Variant[String,Array[String,1]]]

specify dns_server name

Default value: undef

nftables::rules::out::http

manage out http

nftables::rules::out::https

manage out https

nftables::rules::out::icmp

control outbound icmp packets

Parameters

The following parameters are available in the nftables::rules::out::icmp class:

v4_types

Data type: Optional[Array[String]]

Default value: undef

v6_types

Data type: Optional[Array[String]]

Default value: undef

order

Data type: String

Default value: '10'

nftables::rules::out::imap

allow outgoing imap

nftables::rules::out::kerberos

allows outbound access for kerberos

nftables::rules::out::mysql

manage out mysql

nftables::rules::out::nfs

manage out nfs

nftables::rules::out::nfs3

manage out nfs3

nftables::rules::out::openafs_client

allows outbound access for afs clients:

  • 7000 - afs3-fileserver
  • 7002 - afs3-ptserver
  • 7003 - vlserver

Parameters

The following parameters are available in the nftables::rules::out::openafs_client class:

ports

Data type: Array[Stdlib::Port,1]

port numbers to use

Default value: [7000, 7002, 7003]

nftables::rules::out::ospf

manage out ospf

nftables::rules::out::ospf3

manage out ospf3

nftables::rules::out::pop3

allow outgoing pop3

nftables::rules::out::postgres

manage out postgres

nftables::rules::out::puppet

manage outgoing puppet

Parameters

The following parameters are available in the nftables::rules::out::puppet class:

puppetserver

Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]

puppetserver hostname

puppetserver_port

Data type: Stdlib::Port

puppetserver port

Default value: 8140

nftables::rules::out::smtp

allow outgoing smtp

nftables::rules::out::smtp_client

allow outgoing smtp client

nftables::rules::out::ssh

manage out ssh

nftables::rules::out::ssh::remove

disable outgoing ssh

nftables::rules::out::tor

manage out tor

nftables::rules::out::wireguard

manage out wireguard

Parameters

The following parameters are available in the nftables::rules::out::wireguard class:

ports

Data type: Array[Integer,1]

specify wireguard ports

Default value: [51820]

nftables::rules::puppet

manage in puppet

Parameters

The following parameters are available in the nftables::rules::puppet class:

ports

Data type: Array[Integer,1]

puppet server ports

Default value: [8140]

nftables::rules::qemu

This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch several aspects on and off: for instance, if you don't do DHCP to your guests you can disable the rules that accept DHCP traffic on the host, or if you don't want your guests to talk to hosts outside you can disable forwarding and/or masquerading for IPv4 traffic.

Parameters

The following parameters are available in the nftables::rules::qemu class:

interface

Data type: String[1]

Interface name used by the bridge.

Default value: 'virbr0'

network_v4

Data type: Stdlib::IP::Address::V4::CIDR

The IPv4 network prefix used in the virtual network.

Default value: '192.168.122.0/24'

network_v6

Data type: Optional[Stdlib::IP::Address::V6::CIDR]

The IPv6 network prefix used in the virtual network.

Default value: undef

dns

Data type: Boolean

Allow DNS traffic from the guests to the host.

Default value: true

dhcpv4

Data type: Boolean

Allow DHCPv4 traffic from the guests to the host.

Default value: true

forward_traffic

Data type: Boolean

Allow forwarded traffic (out all, in related/established) generated by the virtual network.

Default value: true

internal_traffic

Data type: Boolean

Allow guests in the virtual network to talk to each other.

Default value: true

masquerade

Data type: Boolean

Do NAT masquerade on all IPv4 traffic generated by guests to external networks.

Default value: true

nftables::rules::samba

manage Samba, the suite to allow Windows file sharing on Linux resources.

Parameters

The following parameters are available in the nftables::rules::samba class:

ctdb

Data type: Boolean

Enable ctdb-driven clustered Samba setups.

Default value: false

nftables::rules::smtp

manage in smtp

nftables::rules::smtp_submission

manage in smtp submission

nftables::rules::smtps

manage in smtps

nftables::rules::ssh

manage in ssh

Parameters

The following parameters are available in the nftables::rules::ssh class:

ports

Data type: Array[Stdlib::Port,1]

ssh ports

Default value: [22]

nftables::rules::tor

manage in tor

Parameters

The following parameters are available in the nftables::rules::tor class:

ports

Data type: Array[Stdlib::Port,1]

ports for tor

Default value: [9001]

nftables::rules::wireguard

manage in wireguard

Parameters

The following parameters are available in the nftables::rules::wireguard class:

ports

Data type: Array[Stdlib::Port,1]

wireguard port

Default value: [51820]

nftables::services::dhcpv6_client

Allow in and outbound traffic for DHCPv6 server

nftables::services::openafs_client

Open inbound and outbound ports for an AFS client

Defined types

nftables::chain

manage a chain

Parameters

The following parameters are available in the nftables::chain defined type:

table

Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]

Default value: 'inet-filter'

chain

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

inject

Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]

Default value: undef

inject_iif

Data type: Optional[String]

Default value: undef

inject_oif

Data type: Optional[String]

Default value: undef
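A dedicated chain keeps interface-specific policy out of the shared default chains. The following is an added example, not code from the module: it creates a chain in the default inet-filter table and injects a jump to it from default_in for packets arriving on a management interface. Reading the inject value as '<two-digit order>-<chain to inject from>' follows the parameter's pattern and is an assumption here; the interface name mgmt0 and the rule contents are constructed.

```puppet
# Added example (not the module's own code). inject is assumed to mean
# "add a jump to this chain into 'default_in' at order 20".
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-default_in',
  inject_iif => 'mgmt0',
}

# Rules inside the new chain use the raw nftables::rule interface; the
# title names the chain first, then the rule (Nftables::RuleName).
nftables::rule { 'mgmt_in-ssh':
  order   => '10',
  content => 'tcp dport 22 accept',
}

# Log and drop are kept as two rules on purpose: a 'limit rate' gates the
# whole rule it is in, so a combined "limit ... log ... drop" would let
# every packet above the rate fall through to the next rule undropped.
nftables::rule { 'mgnt_in-log':
  order   => '98',
  content => 'limit rate 3/minute burst 5 packets log prefix "[nftables] mgmt_in drop "',
}
nftables::rule { 'mgmt_in-drop':
  order   => '99',
  content => 'drop',
}
```

The order values are two-digit strings, as the Pattern on nftables::rule requires, so '98' and '99' sort after every ordinary rule in the chain.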

nftables::config

manage a config snippet

Parameters

The following parameters are available in the nftables::config defined type:

tablespec

Data type: Pattern[/^\w+-\w+$/]

Default value: $title

content

Data type: Optional[String]

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Default value: undef

prefix

Data type: String

Default value: 'custom-'

nftables::rule

Provides an interface to create a firewall rule

Examples

add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}
add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}

Parameters

The following parameters are available in the nftables::rule defined type:

ensure

Data type: Enum['present','absent']

Should the rule be created.

Default value: 'present'

rulename

Data type: Nftables::RuleName

The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

A number representing the order of the rule.

Default value: '50'

table

Data type: Optional[String]

The name of the table to add this rule to.

Default value: 'inet-filter'

content

Data type: Optional[String]

The raw statements that compose the rule represented using the nftables language.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

Same goal as content but sourcing the value from a file.

Default value: undef

nftables::rules::dnat4

manage an IPv4 DNAT rule

Parameters

The following parameters are available in the nftables::rules::dnat4 defined type:

daddr

Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]

port

Data type: Variant[String,Stdlib::Port]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '50'

chain

Data type: String[1]

Default value: 'default_fwd'

iif

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Enum['tcp','udp']

Default value: 'tcp'

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: ''

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::masquerade

masquerade all outgoing traffic

Parameters

The following parameters are available in the nftables::rules::masquerade defined type:

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

daddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'

nftables::rules::snat4

manage an IPv4 SNAT rule

Parameters

The following parameters are available in the nftables::rules::snat4 defined type:

snat

Data type: String[1]

rulename

Data type: Pattern[/^[a-zA-Z0-9_]+$/]

Default value: $title

order

Data type: Pattern[/^\d\d$/]

Default value: '70'

chain

Data type: String[1]

Default value: 'POSTROUTING'

oif

Data type: Optional[String[1]]

Default value: undef

saddr

Data type: Optional[String[1]]

Default value: undef

proto

Data type: Optional[Enum['tcp','udp']]

Default value: undef

dport

Data type: Optional[Variant[String,Stdlib::Port]]

Default value: undef

ensure

Data type: Enum['present','absent']

Default value: 'present'
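The three NAT defined types above (nftables::rules::dnat4, nftables::rules::masquerade and nftables::rules::snat4) are typically used together on a gateway. The following is an added example, not the module's own code: it publishes one internal service through a port forward, masquerades one internal subnet behind the gateway's dynamic address, and source-NATs a second subnet to a fixed public address. Interface names, addresses and ports are constructed documentation values; the nat and fwd_conntrack class parameters are set because the NAT tables and the FORWARD conntrack rules are off by default for forwarding.

```puppet
# Added example (not the module's own code). eth0, the 10.0.x.0/24
# networks and 203.0.113.10 are constructed values.
class { 'nftables':
  nat           => true,
  fwd_conntrack => true,
}

# Forward TCP 8443 arriving on the external interface to an internal
# web host on 443. Only the one destination port is exposed.
nftables::rules::dnat4 { 'web_fwd':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8443,
  daddr => '10.0.10.20',
  port  => 443,
}

# Hide the first internal subnet behind whatever address eth0 holds.
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.10.0/24',
}

# The second subnet always leaves with a fixed public address, which is
# easier to allow-list on the far end than a changing masqueraded one.
nftables::rules::snat4 { 'dmz_out':
  oif   => 'eth0',
  saddr => '10.0.20.0/24',
  snat  => '203.0.113.10',
}
```

Both the masquerade and the snat4 rule are restricted with saddr and oif; without them every packet leaving eth0, including traffic originating on the gateway itself, would be rewritten.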

nftables::set

manage a named set

Examples

simple set
nftables::set{'my_set':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.168.0.1/24', '10.0.0.2'],
  auto_merge => true,
}

Parameters

The following parameters are available in the nftables::set defined type:

ensure

Data type: Enum['present','absent']

should the set be created.

Default value: 'present'

setname

Data type: Pattern[/^[-a-zA-Z0-9_]+$/]

name of set, equal to the title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

concat ordering.

Default value: '10'

type

Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]

type of set.

Default value: undef

table

Data type: Variant[String, Array[String, 1]]

table or array of tables to add the set to.

Default value: 'inet-filter'

flags

Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]

specify flags for set

Default value: []

timeout

Data type: Optional[Integer]

timeout in seconds

Default value: undef

gc_interval

Data type: Optional[Integer]

garbage collection interval.

Default value: undef

elements

Data type: Optional[Array[String]]

initialize the set with some elements in it.

Default value: undef

size

Data type: Optional[Integer]

limits the maximum number of elements of the set.

Default value: undef

policy

Data type: Optional[Enum['performance', 'memory']]

determines set selection policy.

Default value: undef

auto_merge

Data type: Boolean

Whether to enable the nftables auto-merge option on the set, which merges adjacent or overlapping interval elements; only meaningful together with the interval flag.

Default value: false

content

Data type: Optional[String]

specify content of set.

Default value: undef

source

Data type: Optional[Variant[String,Array[String,1]]]

specify source of set.

Default value: undef

nftables::simplerule

Provides a simplified interface to nftables::rule

Examples

allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}

Parameters

The following parameters are available in the nftables::simplerule defined type:

ensure

Data type: Enum['present','absent']

Should the rule be created.

Default value: 'present'

rulename

Data type: Nftables::SimpleRuleName

The symbolic name for the rule to add. Defaults to the resource's title.

Default value: $title

order

Data type: Pattern[/^\d\d$/]

A number representing the order of the rule.

Default value: '50'

chain

Data type: String

The name of the chain to add this rule to.

Default value: 'default_in'

table

Data type: String

The name of the table to add this rule to.

Default value: 'inet-filter'

action

Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']

The verdict for the matched traffic.

Default value: 'accept'

comment

Data type: Optional[String]

A typically human-readable comment for the rule.

Default value: undef

dport

Data type: Optional[Nftables::Port]

The destination port, ports or port range.

Default value: undef

proto

Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]

The transport-layer protocol to match.

Default value: undef

daddr

Data type: Optional[Nftables::Addr]

The destination address, CIDR or set to match.

Default value: undef

set_type

Data type: Enum['ip', 'ip6']

When using sets as saddr or daddr, the type of the set. Use ip for sets of type ipv4_addr.

Default value: 'ip6'

sport

Data type: Optional[Nftables::Port]

The source port, ports or port range.

Default value: undef

saddr

Data type: Optional[Nftables::Addr]

The source address, CIDR or set to match.

Default value: undef

counter

Data type: Boolean

Enable traffic counters for the matched traffic.

Default value: false
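Named sets and simplerules fit together: the set holds the addresses and the rule references it through the Nftables::Addr::Set form ('@name'), while set_type tells the rule which address family the set carries. The following is an added example, not the module's own code, covering nftables::set, nftables::simplerule and the Nftables::Addr, Nftables::Addr::Set and Nftables::Port::Range data types; the set name trusted6, the prefixes and the port range are constructed documentation values.

```puppet
# Added example (not the module's own code). trusted6 and its prefixes
# are constructed.
nftables::set { 'trusted6':
  type       => 'ipv6_addr',
  flags      => ['interval'],
  elements   => ['2001:db8:1::/48', '2001:db8:2::/48'],
  auto_merge => true,
}

# Open a TCP port range (Nftables::Port::Range form) only to sources in
# the set (Nftables::Addr::Set form). set_type must match the set's
# family: 'ip6' for an ipv6_addr set, 'ip' for ipv4_addr.
nftables::simplerule { 'metrics_in':
  action   => 'accept',
  comment  => 'exporters reachable from trusted prefixes only',
  counter  => true,
  proto    => 'tcp6',
  dport    => '9100-9110',
  saddr    => '@trusted6',
  set_type => 'ip6',
}

# An earlier, unrestricted version of the same opening is removed
# explicitly rather than just deleted from the manifest, so the rule
# disappears from managed hosts on the next run.
nftables::simplerule { 'metrics_in_any':
  ensure => 'absent',
  proto  => 'tcp',
  dport  => '9100-9110',
}
```

Because the rule uses proto 'tcp6' and an ip6 set, it only matches IPv6 traffic; an equivalent IPv4 opening needs its own ipv4_addr set with set_type 'ip'.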

Data types

Nftables::Addr

Represents an address expression to be used within a rule.

Alias of

Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]

Nftables::Addr::Set

Represents a set expression to be used within a rule.

Alias of

Pattern[/^@[-a-zA-Z0-9_]+$/]

Nftables::Port

Represents a port expression to be used within a rule.

Alias of

Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]

Nftables::Port::Range

Represents a port range expression to be used within a rule.

Alias of

Pattern[/^\d+-\d+$/]

Nftables::RuleName

Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.

Alias of

Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]

Nftables::SimpleRuleName

Represents a simple rule name to be used in a rule created via nftables::simplerule

Alias of

Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]