Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppet-nftables', '2.1.0'
Learn more about managing modules with a Puppetfile
Documentation
nftables puppet module
This module manages an opinionated nftables configuration.
By default it sets up a firewall that drops every incoming and outgoing connection.
It only allows outgoing DNS, NTP and web traffic and incoming SSH traffic, although this can be overridden using parameters.
The config file has an inet filter and an ip nat table set up.
Additionally, the module comes with a basic infrastructure to hook into different places.
Configuration
The main configuration file loaded by the nftables service will be files/config/puppet.nft; all other files created by that module go into files/config/puppet and will also be purged if not managed anymore.
The main configuration file includes dedicated files for the filter and nat tables, and processes any custom-*.nft files beforehand.
The filter and NAT tables both have all the master chains (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING and POSTROUTING in case of NAT) configured, to which you can hook in your own chains that can contain specific rules.
All filter masterchains drop by default. By default we have a set of default_MASTERCHAIN chains configured to which you can easily add your custom rules.
For specific needs you can add your own chain.
There is a global chain, that defines the default behavior for all masterchains. This chain is empty by default.
INPUT and OUTPUT to the loopback device is allowed by default, though you could restrict it later.
On the other hand, if you don't want any of the default tables, chains and rules created by the module, you can set nftables::inet_filter and/or nftables::nat to false and build your whole nftables configuration from scratch by using the building blocks provided by this module. Looking at nftables::inet_filter for inspiration might be a good idea.
Rules Validation
Initially puppet deploys all configuration to /etc/nftables/puppet-preflight/ and /etc/nftables/puppet-preflight.nft. This is validated with nft -c -I /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft.
If and only if successful, the configuration will be copied to the real locations before the service is reloaded.
Basic types
nftables::config
Manages a raw file in /etc/nftables/puppet/${name}.nft
Use this for any custom table files.
nftables::chain
Prepares a chain file as a concat file to which you will be able to add dedicated rules through nftables::rule.
The name must be unique for all chains. The inject parameter can be used to directly add a jump to a masterchain. inject must follow the pattern ORDER-MASTERCHAIN, where ORDER is a 2-digit number which defines the rule order (by default use e.g. 20) and MASTERCHAIN references the chain to hook the new chain into. It's possible to specify the in-interface name and out-interface name for the inject rule.
nftables::rule
A simple way to add rules to any chain. The name must be CHAIN_NAME-rulename, where CHAIN_NAME refers to your chain and rulename is an arbitrary name for your rule.
The rule will be a concat::fragment of the chain CHAIN_NAME.
You can define the order by using the order param.
Before defining your own rule, take a look at the list of ready-to-use rules available in the REFERENCE; somebody might have encapsulated a rule definition for you already.
nftables::set
Adds a named set to a given table. It allows composing the set using individual parameters but also takes raw input via the content and source parameters.
nftables::simplerule
Allows expressing firewall rules without having to use nftables's language by adding an abstraction layer a-la-Firewall. It's rather limited how far you can go, so if you need rather complex rules or you can speak nftables it's recommended to use nftables::rule directly.
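The building blocks above combined, as an added example that is not part of the module's README: a custom chain hooked into the filter INPUT masterchain via inject, a named set, a raw rule in that chain and a simplerule that matches against the set. The chain, set and rule names and the interface eth1 are invented for the illustration.

```puppet
# Added example: a dedicated INPUT chain for a monitoring network.
# Names (monitoring_in, monitoring_hosts, eth1) are illustrative only.

# Named IPv4 set in the default 'inet-filter' table. The 'interval' flag
# allows CIDR prefixes; auto_merge collapses overlapping ranges.
nftables::set { 'monitoring_hosts':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['192.0.2.0/24', '198.51.100.7'],
  auto_merge => true,
}

# Custom chain. inject follows ORDER-MASTERCHAIN: a jump to this chain is
# added to INPUT with order 20, restricted to packets arriving on eth1.
nftables::chain { 'monitoring_in':
  inject     => '20-INPUT',
  inject_iif => 'eth1',
}

# Raw rule, named CHAIN_NAME-rulename: allow node_exporter (TCP 9100)
# only from members of the set.
nftables::rule { 'monitoring_in-node_exporter':
  content => 'ip saddr @monitoring_hosts tcp dport 9100 accept',
  order   => '10',
}

# The same idea through the abstraction layer. set_type must be 'ip'
# because the set is ipv4_addr; the default set_type is 'ip6'.
nftables::simplerule { 'monitoring_in_snmp':
  chain    => 'monitoring_in',
  action   => 'accept',
  proto    => 'udp',
  dport    => 161,
  saddr    => '@monitoring_hosts',
  set_type => 'ip',
  counter  => true,
  comment  => 'SNMP from monitoring hosts',
  order    => '20',
}

# Tail of the chain: log (rate-limited) and then drop whatever arrived on
# eth1 and was not accepted above, so later INPUT rules never see it.
nftables::rule { 'monitoring_in-log':
  content => 'limit rate 3/minute burst 5 packets log prefix "[nftables] monitoring_in "',
  order   => '98',
}
nftables::rule { 'monitoring_in-drop':
  content => 'drop',
  order   => '99',
}
```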
Facts
One structured fact nftables is available:
{
tables => [
"bridge-filter",
"bridge-nat",
"inet-firewalld",
"ip-firewalld",
"ip6-firewalld"
],
version => "0.9.3"
}
nftables.version is the version of the nft command, taken from nft --version. nftables.tables is the list of tables installed on the machine, taken from nft list tables.
Editor goodies
If you're using Emacs there are some snippets for Yasnippet available here that could make your life easier when using the module. This is third party configuration that's only included here for reference so changes in the interfaces exposed by this module are not guaranteed to be automatically applied there.
Reference
Table of Contents
Classes
nftables: Configure nftables
nftables::bridges: allow forwarding traffic on bridges
nftables::inet_filter: manage basic chains in table inet filter
nftables::ip_nat: manage basic chains in table ip nat
nftables::rules::activemq: Provides input rules for Apache ActiveMQ
nftables::rules::afs3_callback: Open call back port for AFS clients
nftables::rules::ceph: Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS)
nftables::rules::ceph_mon: Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
nftables::rules::dhcpv6_client: allow DHCPv6 requests in to a host
nftables::rules::dns: manage in dns
nftables::rules::docker_ce: Default firewall configuration for Docker-CE
nftables::rules::http: manage in http
nftables::rules::https: manage in https
nftables::rules::icinga2: manage in icinga2
nftables::rules::icmp
nftables::rules::nfs: manage in nfs4
nftables::rules::nfs3: manage in nfs3
nftables::rules::node_exporter: manage in node exporter
nftables::rules::ospf: manage in ospf
nftables::rules::ospf3: manage in ospf3
nftables::rules::out::all: allow all outbound
nftables::rules::out::ceph_client: Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
nftables::rules::out::chrony: manage out chrony
nftables::rules::out::dhcp: manage out dhcp
nftables::rules::out::dhcpv6_client: Allow DHCPv6 requests out of a host
nftables::rules::out::dns: manage out dns
nftables::rules::out::http: manage out http
nftables::rules::out::https: manage out https
nftables::rules::out::icmp: control outbound icmp packages
nftables::rules::out::imap: allow outgoing imap
nftables::rules::out::kerberos: allows outbound access for kerberos
nftables::rules::out::mysql: manage out mysql
nftables::rules::out::nfs: manage out nfs
nftables::rules::out::nfs3: manage out nfs3
nftables::rules::out::openafs_client: allows outbound access for afs clients 7000 - afs3-fileserver 7002 - afs3-ptserver 7003 - vlserver
nftables::rules::out::ospf: manage out ospf
nftables::rules::out::ospf3: manage out ospf3
nftables::rules::out::pop3: allow outgoing pop3
nftables::rules::out::postgres: manage out postgres
nftables::rules::out::puppet: manage outgoing puppet
nftables::rules::out::smtp: allow outgoing smtp
nftables::rules::out::smtp_client: allow outgoing smtp client
nftables::rules::out::ssh: manage out ssh
nftables::rules::out::ssh::remove: disable outgoing ssh
nftables::rules::out::tor: manage out tor
nftables::rules::out::wireguard: manage out wireguard
nftables::rules::puppet: manage in puppet
nftables::rules::qemu: Bridged network configuration for qemu/libvirt
nftables::rules::samba: manage Samba, the suite to allow Windows file sharing on Linux resources.
nftables::rules::smtp: manage in smtp
nftables::rules::smtp_submission: manage in smtp submission
nftables::rules::smtps: manage in smtps
nftables::rules::ssh: manage in ssh
nftables::rules::tor: manage in tor
nftables::rules::wireguard: manage in wireguard
nftables::services::dhcpv6_client: Allow in and outbound traffic for DHCPv6 server
nftables::services::openafs_client: Open inbound and outbound ports for an AFS client
Defined types
nftables::chain: manage a chain
nftables::config: manage a config snippet
nftables::rule: Provides an interface to create a firewall rule
nftables::rules::dnat4: manage an ipv4 dnat rule
nftables::rules::masquerade: masquerade all outgoing traffic
nftables::rules::snat4: manage an ipv4 snat rule
nftables::set: manage a named set
nftables::simplerule: Provides a simplified interface to nftables::rule
Data types
Nftables::Addr: Represents an address expression to be used within a rule.
Nftables::Addr::Set: Represents a set expression to be used within a rule.
Nftables::Port: Represents a port expression to be used within a rule.
Nftables::Port::Range: Represents a port range expression to be used within a rule.
Nftables::RuleName: Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
Nftables::SimpleRuleName: Represents a simple rule name to be used in a rule created via nftables::simplerule
Classes
nftables
Configure nftables
Examples
allow dns out and do not allow ntp out
class { 'nftables':
  out_ntp => false,
  out_dns => true,
}
do not flush particular tables, fail2ban in this case
class { 'nftables':
  noflush_tables => ['inet-f2b-table'],
}
Parameters
The following parameters are available in the nftables class:
out_all
out_ntp
out_http
out_dns
out_https
out_icmp
in_ssh
in_icmp
inet_filter
nat
nat_table_name
sets
log_prefix
log_limit
reject_with
in_out_conntrack
fwd_conntrack
firewalld_enable
noflush_tables
rules
out_all
Data type: Boolean
Allow all outbound connections. If true then all other out parameters (out_ntp, out_dns, ...) will be assumed false.
Default value: false
out_ntp
Data type: Boolean
Allow outbound to ntp servers.
Default value: true
out_http
Data type: Boolean
Allow outbound to http servers.
Default value: true
out_dns
Data type: Boolean
Allow outbound to dns servers.
Default value: true
out_https
Data type: Boolean
Allow outbound to https servers.
Default value: true
out_icmp
Data type: Boolean
Allow outbound ICMPv4/v6 traffic.
Default value: true
in_ssh
Data type: Boolean
Allow inbound to ssh servers.
Default value: true
in_icmp
Data type: Boolean
Allow inbound ICMPv4/v6 traffic.
Default value: true
inet_filter
Data type: Boolean
Add default tables, chains and rules to process traffic.
Default value: true
nat
Data type: Boolean
Add default tables and chains to process NAT traffic.
Default value: true
nat_table_name
Data type: String[1]
The name of the 'nat' table.
Default value: 'nat'
sets
Data type: Hash
Allows sourcing set definitions directly from Hiera.
Default value: {}
log_prefix
Data type: String
String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:
- chain: Will be replaced by the name of the chain.
- comment: Allows chains to add extra comments.
Default value: '[nftables] %<chain>s %<comment>s'
log_limit
Data type: Variant[Boolean[false], String]
String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.
Default value: '3/minute burst 5 packets'
reject_with
Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]
How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop), otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.
Default value: 'icmpx type port-unreachable'
in_out_conntrack
Data type: Boolean
Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: true
fwd_conntrack
Data type: Boolean
Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: false
firewalld_enable
Data type: Variant[Boolean[false], Enum['mask']]
Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.
Default value: 'mask'
noflush_tables
Data type: Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]
If specified, only the other existing tables will be flushed.
If left unset, all tables will be flushed via a flush ruleset.
Default value: undef
rules
Data type: Hash
Specify hashes of nftables::rule resources via Hiera.
Default value: {}
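The nftables class configured through its parameters alone, as an added example that is not part of the module's documentation. The sets and rules hashes have the shape you would otherwise put under the nftables::sets and nftables::rules Hiera keys; the set name, rule name and address range are invented.

```puppet
# Added example: opinionated host firewall driven entirely by class
# parameters. Every value below is illustrative.
class { 'nftables':
  # Reject with an ICMP admin-prohibited instead of the default
  # port-unreachable; the pattern also allows 'tcp reset'.
  reject_with    => 'icmpx type admin-prohibited',
  # Tag log lines of discarded packets per chain and rate-limit them.
  log_prefix     => '[fw] %<chain>s %<comment>s',
  log_limit      => '10/minute burst 20 packets',
  # Leave a table owned by another tool (fail2ban) alone when flushing.
  noflush_tables => ['inet-f2b-table'],
  # Narrow the defaults: no world-reachable SSH; the rule below re-opens
  # it for the admin set only.
  in_ssh         => false,
  # Same shape as the nftables::sets Hiera key: setname => parameters.
  sets           => {
    'admin_hosts' => {
      'type'     => 'ipv4_addr',
      'flags'    => ['interval'],
      'elements' => ['203.0.113.0/26'],
    },
  },
  # Same shape as the nftables::rules Hiera key: the key is the rulename
  # (CHAIN_NAME-rulename), the value the nftables::rule parameters.
  rules          => {
    'default_in-ssh_admin' => {
      'content' => 'ip saddr @admin_hosts tcp dport 22 accept',
      'order'   => '20',
    },
  },
}
```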
nftables::bridges
allow forwarding traffic on bridges
Parameters
The following parameters are available in the nftables::bridges class:
ensure
Data type: Enum['present','absent']
Default value: 'present'
bridgenames
Data type: Regexp
Default value: /^br.+/
nftables::inet_filter
manage basic chains in table inet filter
nftables::ip_nat
manage basic chains in table ip nat
nftables::rules::activemq
Provides input rules for Apache ActiveMQ
Parameters
The following parameters are available in the nftables::rules::activemq class:
tcp
Data type: Boolean
Create the rule for TCP traffic.
Default value: true
udp
Data type: Boolean
Create the rule for UDP traffic.
Default value: true
port
Data type: Stdlib::Port
The port number for the ActiveMQ daemon.
Default value: 61616
nftables::rules::afs3_callback
Open call back port for AFS clients
Examples
allow call backs from particular hosts
class{'nftables::rules::afs3_callback':
saddr => ['192.168.0.0/16', '10.0.0.222']
}
Parameters
The following parameters are available in the nftables::rules::afs3_callback class:
saddr
Data type: Array[Stdlib::IP::Address::V4,1]
list of source network ranges to a
Default value: ['0.0.0.0/0']
nftables::rules::ceph
Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
nftables::rules::ceph_mon
Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
Parameters
The following parameters are available in the nftables::rules::ceph_mon class:
ports
Data type: Array[Stdlib::Port,1]
specify ports for ceph service
Default value: [3300, 6789]
nftables::rules::dhcpv6_client
allow DHCPv6 requests in to a host
nftables::rules::dns
manage in dns
Parameters
The following parameters are available in the nftables::rules::dns class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports for dns.
Default value: [53]
nftables::rules::docker_ce
The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.
This class is needed as the default docker-ce rules added to ip-filter conflict with the inet-filter forward rules set by default in this module.
When using this class 'docker::iptables: false' should be set.
Parameters
The following parameters are available in the nftables::rules::docker_ce class:
docker_interface
Data type: String[1]
Interface name used by docker.
Default value: 'docker0'
docker_prefix
Data type: Stdlib::IP::Address::V4::CIDR
The address space used by docker.
Default value: '172.17.0.0/16'
manage_docker_chains
Data type: Boolean
Flag to control whether the class should create the docker related chains.
Default value: true
manage_base_chains
Data type: Boolean
Flag to control whether the class should create the base common chains.
Default value: true
nftables::rules::http
manage in http
nftables::rules::https
manage in https
nftables::rules::icinga2
manage in icinga2
Parameters
The following parameters are available in the nftables::rules::icinga2 class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports for icinga2.
Default value: [5665]
nftables::rules::icmp
The nftables::rules::icmp class.
Parameters
The following parameters are available in the nftables::rules::icmp class:
v4_types
Data type: Optional[Array[String]]
Default value: undef
v6_types
Data type: Optional[Array[String]]
Default value: undef
order
Data type: String
Default value: '10'
nftables::rules::nfs
manage in nfs4
nftables::rules::nfs3
manage in nfs3
nftables::rules::node_exporter
manage in node exporter
Parameters
The following parameters are available in the nftables::rules::node_exporter class:
prometheus_server
Data type: Optional[Variant[String,Array[String,1]]]
Specify server name
Default value: undef
port
Data type: Stdlib::Port
Specify port to open
Default value: 9100
nftables::rules::ospf
manage in ospf
nftables::rules::ospf3
manage in ospf3
nftables::rules::out::all
allow all outbound
nftables::rules::out::ceph_client
Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
Parameters
The following parameters are available in the nftables::rules::out::ceph_client class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports to open
Default value: [3300, 6789]
nftables::rules::out::chrony
manage out chrony
nftables::rules::out::dhcp
manage out dhcp
nftables::rules::out::dhcpv6_client
Allow DHCPv6 requests out of a host
nftables::rules::out::dns
manage out dns
Parameters
The following parameters are available in the nftables::rules::out::dns class:
dns_server
Data type: Optional[Variant[String,Array[String,1]]]
specify dns_server name
Default value: undef
nftables::rules::out::http
manage out http
nftables::rules::out::https
manage out https
nftables::rules::out::icmp
control outbound icmp packages
Parameters
The following parameters are available in the nftables::rules::out::icmp class:
v4_types
Data type: Optional[Array[String]]
Default value: undef
v6_types
Data type: Optional[Array[String]]
Default value: undef
order
Data type: String
Default value: '10'
nftables::rules::out::imap
allow outgoing imap
nftables::rules::out::kerberos
allows outbound access for kerberos
nftables::rules::out::mysql
manage out mysql
nftables::rules::out::nfs
manage out nfs
nftables::rules::out::nfs3
manage out nfs3
nftables::rules::out::openafs_client
allows outbound access for afs clients: 7000 - afs3-fileserver, 7002 - afs3-ptserver, 7003 - vlserver
- See also: AFS Service Ports, https://wiki.openafs.org/devel/AFSServicePorts/
Parameters
The following parameters are available in the nftables::rules::out::openafs_client class:
ports
Data type: Array[Stdlib::Port,1]
port numbers to use
Default value: [7000, 7002, 7003]
nftables::rules::out::ospf
manage out ospf
nftables::rules::out::ospf3
manage out ospf3
nftables::rules::out::pop3
allow outgoing pop3
nftables::rules::out::postgres
manage out postgres
nftables::rules::out::puppet
manage outgoing puppet
Parameters
The following parameters are available in the nftables::rules::out::puppet class:
puppetserver
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
puppetserver hostname
puppetserver_port
Data type: Stdlib::Port
puppetserver port
Default value: 8140
nftables::rules::out::smtp
allow outgoing smtp
nftables::rules::out::smtp_client
allow outgoing smtp client
nftables::rules::out::ssh
manage out ssh
nftables::rules::out::ssh::remove
disable outgoing ssh
nftables::rules::out::tor
manage out tor
nftables::rules::out::wireguard
manage out wireguard
Parameters
The following parameters are available in the nftables::rules::out::wireguard class:
ports
Data type: Array[Integer,1]
specify wireguard ports
Default value: [51820]
nftables::rules::puppet
manage in puppet
Parameters
The following parameters are available in the nftables::rules::puppet class:
ports
Data type: Array[Integer,1]
puppet server ports
Default value: [8140]
nftables::rules::qemu
This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch on and off several aspects, for instance if you don't do DHCP to your guests you can disable the rules that accept DHCP traffic on the host or if you don't want your guests to talk to hosts outside you can disable forwarding and/or masquerading for IPv4 traffic.
Parameters
The following parameters are available in the nftables::rules::qemu class:
interface
Data type: String[1]
Interface name used by the bridge.
Default value: 'virbr0'
network_v4
Data type: Stdlib::IP::Address::V4::CIDR
The IPv4 network prefix used in the virtual network.
Default value: '192.168.122.0/24'
network_v6
Data type: Optional[Stdlib::IP::Address::V6::CIDR]
The IPv6 network prefix used in the virtual network.
Default value: undef
dns
Data type: Boolean
Allow DNS traffic from the guests to the host.
Default value: true
dhcpv4
Data type: Boolean
Allow DHCPv4 traffic from the guests to the host.
Default value: true
forward_traffic
Data type: Boolean
Allow forwarded traffic (out all, in related/established) generated by the virtual network.
Default value: true
internal_traffic
Data type: Boolean
Allow guests in the virtual network to talk to each other.
Default value: true
masquerade
Data type: Boolean
Do NAT masquerade on all IPv4 traffic generated by guests to external networks.
Default value: true
nftables::rules::samba
manage Samba, the suite to allow Windows file sharing on Linux resources.
Parameters
The following parameters are available in the nftables::rules::samba class:
ctdb
Data type: Boolean
Enable ctdb-driven clustered Samba setups.
Default value: false
nftables::rules::smtp
manage in smtp
nftables::rules::smtp_submission
manage in smtp submission
nftables::rules::smtps
manage in smtps
nftables::rules::ssh
manage in ssh
Parameters
The following parameters are available in the nftables::rules::ssh class:
ports
Data type: Array[Stdlib::Port,1]
ssh ports
Default value: [22]
nftables::rules::tor
manage in tor
Parameters
The following parameters are available in the nftables::rules::tor class:
ports
Data type: Array[Stdlib::Port,1]
ports for tor
Default value: [9001]
nftables::rules::wireguard
manage in wireguard
Parameters
The following parameters are available in the nftables::rules::wireguard class:
ports
Data type: Array[Stdlib::Port,1]
wireguard port
Default value: [51820]
nftables::services::dhcpv6_client
Allow in and outbound traffic for DHCPv6 server
nftables::services::openafs_client
Open inbound and outbound ports for an AFS client
Defined types
nftables::chain
manage a chain
Parameters
The following parameters are available in the nftables::chain defined type:
table
Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
Default value: 'inet-filter'
chain
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
inject
Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
Default value: undef
inject_iif
Data type: Optional[String]
Default value: undef
inject_oif
Data type: Optional[String]
Default value: undef
nftables::config
manage a config snippet
Parameters
The following parameters are available in the nftables::config defined type:
tablespec
Data type: Pattern[/^\w+-\w+$/]
Default value: $title
content
Data type: Optional[String]
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
prefix
Data type: String
Default value: 'custom-'
nftables::rule
Provides an interface to create a firewall rule
Examples
add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
nftables::rule {
'default_in-myhttp':
content => 'tcp dport 80 accept',
}
add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
nftables::rule {
'PREROUTING6-count':
content => 'counter',
table => 'ip6-nat'
}
Parameters
The following parameters are available in the nftables::rule defined type:
ensure
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
rulename
Data type: Nftables::RuleName
The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
table
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
content
Data type: Optional[String]
The raw statements that compose the rule represented using the nftables language.
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
Same goal as content but sourcing the value from a file.
Default value: undef
nftables::rules::dnat4
manage an ipv4 dnat rule
Parameters
The following parameters are available in the nftables::rules::dnat4 defined type:
daddr
Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
port
Data type: Variant[String,Stdlib::Port]
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '50'
chain
Data type: String[1]
Default value: 'default_fwd'
iif
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Enum['tcp','udp']
Default value: 'tcp'
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
nftables::rules::masquerade
masquerade all outgoing traffic
Parameters
The following parameters are available in the nftables::rules::masquerade defined type:
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '70'
chain
Data type: String[1]
Default value: 'POSTROUTING'
oif
Data type: Optional[String[1]]
Default value: undef
saddr
Data type: Optional[String[1]]
Default value: undef
daddr
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Optional[Enum['tcp','udp']]
Default value: undef
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
nftables::rules::snat4
manage an ipv4 snat rule
Parameters
The following parameters are available in the nftables::rules::snat4 defined type:
snat
Data type: String[1]
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '70'
chain
Data type: String[1]
Default value: 'POSTROUTING'
oif
Data type: Optional[String[1]]
Default value: undef
saddr
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Optional[Enum['tcp','udp']]
Default value: undef
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
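The three NAT defined types above used together on a small gateway, as an added example that is not part of the module's reference. Interface names and addresses are illustrative; the example leaves the chain parameter of dnat4 (listed above but not described) at its default.

```puppet
# Added example: DNAT a public port to an internal web server, give one
# internal host a fixed source address, and masquerade the rest of the LAN.
# eth0, the 10.0.0.0/24 LAN and 203.0.113.25 are illustrative values.

# Destination NAT: TCP 8443 arriving on eth0 is rewritten to 10.0.0.10:443.
# daddr must be a dotted-quad IPv4 address (see the parameter's pattern);
# dport is the port clients connect to, port the one the server listens on.
nftables::rules::dnat4 { 'web_forward':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8443,
  daddr => '10.0.0.10',
  port  => 443,
}

# Fixed source NAT for a single host (e.g. a mail relay whose public
# address must stay stable). order 60 places it before the masquerade
# rule below, which keeps the default order of 70, so the specific
# mapping wins for this host.
nftables::rules::snat4 { 'mailhost_out':
  snat  => '203.0.113.25',
  oif   => 'eth0',
  saddr => '10.0.0.25',
  order => '60',
}

# Catch-all: everything else from the LAN leaving via eth0 is masqueraded
# (source rewritten to whatever address eth0 currently has).
nftables::rules::masquerade { 'lan_out':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
}
```

Both POSTROUTING rules only rewrite the source address; whether the filter FORWARD path lets the traffic through is governed by the inet filter chains (fwd_conntrack and your own default_fwd rules), not by these types.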
nftables::set
manage a named set
Examples
simple set
nftables::set{'my_set':
type => 'ipv4_addr',
flags => ['interval'],
elements => ['192.168.0.1/24', '10.0.0.2'],
auto_merge => true,
}
Parameters
The following parameters are available in the nftables::set defined type:
ensure
setname
order
type
table
flags
timeout
gc_interval
elements
size
policy
auto_merge
content
source
ensure
Data type: Enum['present','absent']
should the set be created.
Default value: 'present'
setname
Data type: Pattern[/^[-a-zA-Z0-9_]+$/]
name of set, equal to title.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
concat ordering.
Default value: '10'
type
Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]
type of set.
Default value: undef
table
Data type: Variant[String, Array[String, 1]]
table or array of tables to add the set to.
Default value: 'inet-filter'
flags
Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]
specify flags for set
Default value: []
timeout
Data type: Optional[Integer]
timeout in seconds
Default value: undef
gc_interval
Data type: Optional[Integer]
garbage collection interval.
Default value: undef
elements
Data type: Optional[Array[String]]
initialize the set with some elements in it.
Default value: undef
size
Data type: Optional[Integer]
limits the maximum number of elements of the set.
Default value: undef
policy
Data type: Optional[Enum['performance', 'memory']]
determines set selection policy.
Default value: undef
auto_merge
Data type: Boolean
?
Default value: false
content
Data type: Optional[String]
specify content of set.
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
specify source of set.
Default value: undef
nftables::simplerule
Provides a simplified interface to nftables::rule
Examples
allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
nftables::simplerule{'my_service_in':
action => 'accept',
comment => 'allow traffic to port 543',
counter => true,
proto => 'tcp',
dport => 543,
daddr => '2001:1458::/32',
sport => 541,
}
Parameters
The following parameters are available in the nftables::simplerule defined type:
ensure
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
rulename
Data type: Nftables::SimpleRuleName
The symbolic name for the rule to add. Defaults to the resource's title.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
chain
Data type: String
The name of the chain to add this rule to.
Default value: 'default_in'
table
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
action
Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']
The verdict for the matched traffic.
Default value: 'accept'
comment
Data type: Optional[String]
A typically human-readable comment for the rule.
Default value: undef
dport
Data type: Optional[Nftables::Port]
The destination port, ports or port range.
Default value: undef
proto
Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]
The transport-layer protocol to match.
Default value: undef
daddr
Data type: Optional[Nftables::Addr]
The destination address, CIDR or set to match.
Default value: undef
set_type
Data type: Enum['ip', 'ip6']
When using sets as saddr or daddr, the type of the set.
Use ip for sets of type ipv4_addr.
Default value: 'ip6'
sport
Data type: Optional[Nftables::Port]
The source port, ports or port range.
Default value: undef
saddr
Data type: Optional[Nftables::Addr]
The source address, CIDR or set to match.
Default value: undef
counter
Data type: Boolean
Enable traffic counters for the matched traffic.
Default value: false
Data types
Nftables::Addr
Represents an address expression to be used within a rule.
Alias of
Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]
Nftables::Addr::Set
Represents a set expression to be used within a rule.
Alias of
Pattern[/^@[-a-zA-Z0-9_]+$/]
Nftables::Port
Represents a port expression to be used within a rule.
Alias of
Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]
Nftables::Port::Range
Represents a port range expression to be used within a rule.
Alias of
Pattern[/^\d+-\d+$/]
Nftables::RuleName
Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
Alias of
Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
Nftables::SimpleRuleName
Represents a simple rule name to be used in a rule created via nftables::simplerule
Alias of
Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v2.1.0 (2021-09-14)
Implemented enhancements:
- nftables::set can only be assigned to 1 table #100
- support a different table name for 'nat' #107 (figless)
- Allow declaring the same set in several tables #102 (nbarrientos)
Fixed bugs:
- fix datatype for $table and $dport #104 (bastelfreak)
Merged pull requests:
- Allow stdlib 8.0.0 #106 (smortex)
- switch from camptocamp/systemd to voxpupuli/systemd #103 (bastelfreak)
- pull fixtures from git and not forge #99 (bastelfreak)
v2.0.0 (2021-06-03)
Breaking changes:
- Drop Puppet 5, puppetlabs/concat 7.x, puppetlabs/stdlib 7.x, camptocamp/systemd: 3.x #92 (traylenator)
- Drop Puppet 5 support #79 (kenyon)
Implemented enhancements:
- Ability to set base chains #95
- puppetlabs/concat: Allow 7.x #91 (bastelfreak)
- puppetlabs/stdlib: Allow 7.x #90 (bastelfreak)
- camptocamp/systemd: allow 3.x #89 (bastelfreak)
Fixed bugs:
- Fix IPv4 source address type detection #93 (nbarrientos)
Closed issues:
- Class[Nftables::Bridges]['bridgenames'] contains a Regexp value. It will be converted to the String '/^br.+/' #83
Merged pull requests:
- Allow creating a totally empty firewall #96 (nbarrientos)
- Amend link to Yasnippets #88 (nbarrientos)
v1.3.0 (2021-03-25)
Implemented enhancements:
- Add rules for QEMU/libvirt guests (bridged virtual networking) #85 (nbarrientos)
- Add nftables.version to structured fact. #84 (traylenator)
- Add rules for Apache ActiveMQ #82 (nbarrientos)
- Add Docker-CE default rules #80 (luisfdez)
Closed issues:
- Increase puppetlabs/concat version in metadata #78
Merged pull requests:
- Fix sections and add a pointer to code snippets for Emacs #81 (nbarrientos)
v1.2.0 (2021-03-03)
Fixed bugs:
- nftables service is broken after reboot #74
- fix #74 - ensure table are initialized before flushing them #75 (duritong)
v1.1.1 (2021-01-29)
Fixed bugs:
- Simplerule: wrong IP protocol version filter statement for IPv6 traffic #69
- Fix IP version filter for IPv6 traffic #70 (nbarrientos)
Merged pull requests:
- Improve nftables::rule's documentation #68 (nbarrientos)
v1.1.0 (2021-01-25)
Implemented enhancements:
- Enable parameter_documentation lint #64 (traylenator)
- Add Samba in rules #62 (glpatcern)
- Add some mail related outgoing rules #60 (duritong)
Fixed bugs:
- nftables::simplerule should follow the same rules as nftables::rule #58
- Align simplerule and rule rulename requirements #59 (nbarrientos)
Closed issues:
- Get it under the voxpupuli umbrella #35
Merged pull requests:
- Add badges to README #63 (traylenator)
- Check that all the predefined rules are declared in the all rules acceptance test #53 (nbarrientos)
v1.0.0 (2020-12-15)
Implemented enhancements:
- Use Stdlib::Port everywhere in place of Integer #56 (traylenator)
- Enable Puppet 7 support #51 (bastelfreak)
- Several fixes for nftables::config #48 (nbarrientos)
- rubocop corrections #41 (traylenator)
- Add basic configuration validation acceptance test #38 (traylenator)
- Remove duplicate flush on reload #34 (traylenator)
- Add nftables::simplerule #33 (nbarrientos)
- Add Ceph and NFS rules #32 (dvanders)
- New parameter noflush_tables to selectivly skip flush #31 (traylenator)
- Scientific Linux 8 will never exist #30 (traylenator)
- Enable conntrack in FORWARD #29 (keachi)
- Do not test nftables::rules repeatadly #28 (traylenator)
- Allow sourcing sets from Hiera #26 (nbarrientos)
- Allow disabling default NAT tables and chains #25 (nbarrientos)
- Set a customisable rate limit to the logging rules #22 (nbarrientos)
- Make masking Service['firewalld'] optional #20 (nbarrientos)
- Move ICMP stuff to separate classes allowing better customisation #16 (nbarrientos)
- Move conntrack rules from global to INPUT and OUTPUT #14 (nbarrientos)
- Add comments for all the nftable::rules entries #13 (traylenator)
- Allow tables to add comments to $log_prefix #12 (nbarrientos)
- Reload rules atomically and verify rules before deploy #10 (traylenator)
- Allow raw sets and dashes in set names #8 (nbarrientos)
- Add a parameter to control the fate of discarded traffic #7 (nbarrientos)
- Add rules for afs3_callback in and out rules for kerberos and openafs. #6 (traylenator)
- Allow customising the log prefix #5 (nbarrientos)
- Add classes encapsulating rules for DHCPv6 client traffic (in/out) #4 (nbarrientos)
- Add support for named sets #3 (nbarrientos)
- New parameter out_all, default false #1 (traylenator)
Fixed bugs:
- Correct nfs3 invalid udp /tcp matching rule and more tests #50 (traylenator)
- Prefix custom tables with custom- so they're loaded #47 (nbarrientos)
- Correct bad merge #15 (traylenator)
Closed issues:
- deploying custom tables is broken #45
- Switch to Stdlib::Port everywhere #37
- Add set definition from Hiera #24
- Add an option to disable NAT #23
- Add an option to limit the rate of logged messages #19
- Rule API #17
- Publish to forge.puppet.com #11
- The global chain contains INPUT specific rules #9
- The fate of forbidden packets should be configurable #2
Merged pull requests:
- Docs for nftables::set #55 (traylenator)
- Remove a blank separating the doc string and the code #52 (nbarrientos)
- Release 1.0.0 #49 (traylenator)
- Correct layout of ignore table example #44 (traylenator)
- Fix typos and formatting in the README #43 (nbarrientos)
- Comment why firewalld_enable parameter is required #40 (traylenator)
- modulesync 4.0.0 #36 (traylenator)
- Refresh REFERENCE #27 (traylenator)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/concat (>= 6.2.0 < 8.0.0)
- puppet/systemd (>= 2.0.0 < 4.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 9.0.0)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution.

You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions.

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks.

This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty.

Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability.

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability.

While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright 2020 immerda / Puppet Modules

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.