From 908a691e770fc06b3528cd3a2dc9a58807495e68 Mon Sep 17 00:00:00 2001 From: Nacho Barrientos Date: Wed, 9 Dec 2020 14:38:42 +0100 Subject: [PATCH] Refresh REFERENCE --- REFERENCE.md | 272 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 268 insertions(+), 4 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 44f3777c..e2c32f18 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -11,16 +11,21 @@ * [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat * [`nftables::rules::afs3_callback`](#nftablesrulesafs3_callback): Open call back port for AFS clients +* [`nftables::rules::ceph`](#nftablesrulesceph): Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS) +* [`nftables::rules::ceph_mon`](#nftablesrulesceph_mon): Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon. * [`nftables::rules::dhcpv6_client`](#nftablesrulesdhcpv6_client) * [`nftables::rules::dns`](#nftablesrulesdns): manage in dns * [`nftables::rules::http`](#nftablesruleshttp): manage in http * [`nftables::rules::https`](#nftablesruleshttps): manage in https * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2 * [`nftables::rules::icmp`](#nftablesrulesicmp) +* [`nftables::rules::nfs`](#nftablesrulesnfs): manage in nfs4 +* [`nftables::rules::nfs3`](#nftablesrulesnfs3): manage in nfs3 * [`nftables::rules::node_exporter`](#nftablesrulesnode_exporter): manage in node exporter * [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3 * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound +* [`nftables::rules::out::ceph_client`](#nftablesrulesoutceph_client): Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadat * [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp * [`nftables::rules::out::dhcpv6_client`](#nftablesrulesoutdhcpv6_client) 
@@ -30,6 +35,8 @@ * [`nftables::rules::out::icmp`](#nftablesrulesouticmp) * [`nftables::rules::out::kerberos`](#nftablesrulesoutkerberos): allows outbound access for kerberos * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql +* [`nftables::rules::out::nfs`](#nftablesrulesoutnfs): manage out nfs +* [`nftables::rules::out::nfs3`](#nftablesrulesoutnfs3): manage out nfs3 * [`nftables::rules::out::openafs_client`](#nftablesrulesoutopenafs_client): allows outbound access for afs clients * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3 @@ -59,16 +66,28 @@ * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule * [`nftables::set`](#nftablesset): manage a named set +* [`nftables::simplerule`](#nftablessimplerule) + +### Data types + +* [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule. +* [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule. +* [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule. +* [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule. ## Classes ### `nftables` -Configure nftables +In this case ignoring the fail2ban maintained +table + class{'nftables': + noflush_tables = ['inet-f2b-table'], + } #### Examples -##### +##### allow dns out and do not allow ntp out ```puppet class{'nftables: @@ -77,6 +96,12 @@ class{'nftables: } ``` +##### do not flush particular tables + +```puppet + +``` + #### Parameters The following parameters are available in the `nftables` class. 
@@ -153,6 +178,14 @@ Add default tables and chains to process NAT traffic. Default value: ``true`` +##### `sets` + +Data type: `Hash` + +Allows sourcing set definitions directly from Hiera. + +Default value: `{}` + ##### `log_prefix` Data type: `String` @@ -164,10 +197,19 @@ two variables using standard sprintf() string-formatting: Default value: `'[nftables] %s %s'` +##### `log_limit` + +Data type: `Variant[Boolean[false], String]` + +String with the content of a limit statement to be applied +to the rules that log discarded traffic. Set to false to +disable rate limiting. + +Default value: `'3/minute burst 5 packets'` + ##### `reject_with` -Data type: `Variant[Boolean[false], Pattern[ - /icmp(v6|x)? type .+|tcp reset/]]` +Data type: `Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]` How to discard packets not matching any rule. If `false`, the fate of the packet will be defined by the chain policy (normally @@ -185,6 +227,15 @@ established connection and also to drop invalid packets. Default value: ``true`` +##### `fwd_conntrack` + +Data type: `Boolean` + +Adds FORWARD rules to allow traffic that's part of an +established connection and also to drop invalid packets. + +Default value: ``false`` + ##### `firewalld_enable` Data type: `Variant[Boolean[false], Enum['mask']]` @@ -195,6 +246,15 @@ the system completely. Default value: `'mask'` +##### `noflush_tables` + +Data type: `Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]` + +If specified only other existings tables will be flushed. +If left unset all tables will be flushed via a `flush ruleset` + +Default value: ``undef`` + ##### `out_dns` Data type: `Boolean` 
@@ -261,6 +321,29 @@ list of source network ranges to a Default value: `['0.0.0.0/0']` +### `nftables::rules::ceph` + +Ceph is a distributed object store and file system. +Enable this to support Ceph's Object Storage Daemons (OSD), +Metadata Server Daemons (MDS), or Manager Daemons (MGR). + +### `nftables::rules::ceph_mon` + +Ceph is a distributed object store and file system. +Enable this option to support Ceph's Monitor Daemon. + +#### Parameters + +The following parameters are available in the `nftables::rules::ceph_mon` class. + +##### `ports` + +Data type: `Array[Integer,1]` + + + +Default value: `[3300, 6789]` + ### `nftables::rules::dhcpv6_client` The nftables::rules::dhcpv6_client class. @@ -337,6 +420,14 @@ Data type: `String` Default value: `'10'` +### `nftables::rules::nfs` + +manage in nfs4 + +### `nftables::rules::nfs3` + +manage in nfs3 + ### `nftables::rules::node_exporter` manage in node exporter @@ -373,6 +464,25 @@ manage in ospf3 allow all outbound +### `nftables::rules::out::ceph_client` + +Ceph is a distributed object store and file system. +Enable this to be a client of Ceph's Monitor (MON), +Object Storage Daemons (OSD), Metadata Server Daemons (MDS), +and Manager Daemons (MGR). + +#### Parameters + +The following parameters are available in the `nftables::rules::out::ceph_client` class. + +##### `ports` + +Data type: `Array[Integer,1]` + + + +Default value: `[3300, 6789]` + ### `nftables::rules::out::chrony` manage out chrony @@ -449,6 +559,14 @@ allows outbound access for kerberos manage out mysql +### `nftables::rules::out::nfs` + +manage out nfs + +### `nftables::rules::out::nfs3` + +manage out nfs3 + ### `nftables::rules::out::openafs_client` 7000 - afs3-fileserver 
@@ -1107,3 +1225,149 @@ Data type: `Optional[Variant[String,Array[String,1]]]` Default value: ``undef`` +### `nftables::simplerule` + +The nftables::simplerule class. + +#### Parameters + +The following parameters are available in the `nftables::simplerule` defined type. + +##### `ensure` + +Data type: `Enum['present','absent']` + + + +Default value: `'present'` + +##### `rulename` + +Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]` + + + +Default value: `$title` + +##### `order` + +Data type: `Pattern[/^\d\d$/]` + + + +Default value: `'50'` + +##### `chain` + +Data type: `String` + + + +Default value: `'default_in'` + +##### `table` + +Data type: `String` + + + +Default value: `'inet-filter'` + +##### `action` + +Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']` + + + +Default value: `'accept'` + +##### `comment` + +Data type: `Optional[String]` + + + +Default value: ``undef`` + +##### `dport` + +Data type: `Optional[Nftables::Port]` + + + +Default value: ``undef`` + +##### `proto` + +Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]` + + + +Default value: ``undef`` + +##### `daddr` + +Data type: `Optional[Nftables::Addr]` + + + +Default value: ``undef`` + +##### `set_type` + +Data type: `Enum['ip', 'ip6']` + + + +Default value: `'ip6'` + +##### `sport` + +Data type: `Optional[Nftables::Port]` + + + +Default value: ``undef`` + +##### `saddr` + +Data type: `Optional[Nftables::Addr]` + + + +Default value: ``undef`` + +##### `counter` + +Data type: `Boolean` + + + +Default value: ``false`` + +## Data types + +### `Nftables::Addr` + +Represents an address expression to be used within a rule. + +Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]` + +### `Nftables::Addr::Set` + +Represents a set expression to be used within a rule. + +Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]` + +### `Nftables::Port` + +Represents a port expression to be used within a rule. 
+ +Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]` + +### `Nftables::Port::Range` + +Represents a port range expression to be used within a rule. + +Alias of `Pattern[/^\d+-\d+$/]` +
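Review bot: in the `### nftables` section of the @@ -59,16 +66,28 @@ hunk the class description `Configure nftables` is replaced by what reads like the tail of an example (`In this case ignoring the fail2ban maintained table` followed by a `class{'nftables': noflush_tables = ['inet-f2b-table'], }` snippet), while the new `##### do not flush particular tables` example further down contains an empty puppet block. REFERENCE.md is generated, so the fix belongs in the class docstring in the manifest: check the indentation of that `@example` so puppet-strings keeps the text with the example instead of promoting it to the description, then regenerate. The snippet itself also uses `=` where a class declaration needs `=>`: `noflush_tables => ['inet-f2b-table'],`.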
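Review bot: `log_limit` in the @@ -164,10 +197,19 @@ hunk is typed `Variant[Boolean[false], String]`, so any string is accepted and spliced into the rules that log discarded traffic, and a malformed limit only surfaces when nft parses the ruleset. `reject_with` in the same hunk already constrains its value with a `Pattern[...]`; consider doing the same here, for example `Variant[Boolean[false], Pattern[/^\d+\/(second|minute|hour|day|week)( burst \d+ (packets|bytes))?$/]]`, which still admits the documented default `'3/minute burst 5 packets'` and turns typos into compile-time errors.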
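Review bot: the `noflush_tables` description in the @@ -195,6 +246,15 @@ hunk has a typo (`existings` should be `existing`) and its second sentence has no closing period; fix it in the parameter docstring rather than in the generated file. It would also help to spell out the consequence for the reader: a table listed here is left exactly as its owner last wrote it on every run, so its contents are outside this module's control and the module's own chains should not depend on what is in it.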
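Review bot: `ports` on `nftables::rules::ceph_mon` in the @@ -261,6 +321,29 @@ hunk (and on `nftables::rules::out::ceph_client` in the @@ -373,6 +464,25 @@ hunk) has an empty description between `Data type:` and `Default value:`; one line such as `TCP ports the Ceph Monitor listens on (3300 for msgr2, 6789 for legacy msgr1)` would tell the reader what the default `[3300, 6789]` refers to. In the index hunk at the top of the file the entry for `nftables::rules::out::ceph_client` is cut off at `Metadat`; giving these Ceph classes a short `@summary` tag in the manifest keeps the index line complete and leaves the longer text for the description.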
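Review bot: `nftables::simplerule` in the @@ -1107,3 +1225,149 @@ hunk is described as `The nftables::simplerule class.` although the next line calls it a defined type, and none of its fourteen parameters has a description. The ones that most need one are the match parameters: `dport`, `sport`, `daddr`, `saddr` and `proto` are all `Optional` with default `undef` while `action` defaults to `'accept'` and `chain` to `'default_in'`, so the docs should state what happens when a rule is declared with no match at all (an unconditional accept in that chain, or a catalog failure) and what `set_type` (default `'ip6'`) selects when `daddr`/`saddr` is a `@set` reference. In the data types at the end of the same hunk, `Nftables::Port::Range` is `Pattern[/^\d+-\d+$/]`, which accepts `70000-1`; a pattern cannot check ordering or the 65535 bound, so it is worth noting that such values are only rejected when nft loads the rule.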