Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
- Archlinux
Start using this module
Add this module to your Puppetfile:
mod 'puppet-nftables', '4.0.0'
nftables puppet module
This module manages an opinionated nftables configuration.
By default it sets up a firewall that drops every connection, except outbound ICMP, DNS, NTP, HTTP, and HTTPS, and inbound ICMP and SSH traffic:
include nftables
This can be overridden using parameters, for example, this allows all outbound traffic:
class { 'nftables':
out_all => true,
}
There are also pre-built rules for specific services, for example this will allow a web server to serve traffic over HTTPS:
include nftables
include nftables::rules::https
Note that the module conflicts with the firewalld system and will stop it in Puppet runs.
Configuration
The main configuration file loaded by the nftables service will be files/config/puppet.nft; all other files created by that module go into files/config/puppet and will also be purged if not managed anymore.
The main configuration file includes dedicated files for the filter and NAT tables, as well as processing any custom-*.nft files beforehand.
The filter and NAT tables both have all the master chains (INPUT, OUTPUT, FORWARD in case of filter and PREROUTING and POSTROUTING in case of NAT) configured, to which you can hook in your own chains that can contain specific rules. All filter masterchains drop by default.
By default we have a set of default_MASTERCHAIN chains configured to which you can easily add your custom rules. For specific needs you can add your own chain.
There is a global chain that defines the default behavior for all masterchains. This chain is empty by default.
INPUT and OUTPUT to the loopback device are allowed by default, though you could restrict it later.
On the other hand, if you don't want any of the default tables, chains and rules created by the module, you can set nftables::inet_filter and/or nftables::nat to false and build your whole nftables configuration from scratch by using the building blocks provided by this module. Look at nftables::inet_filter for inspiration.
Rules Validation
Initially puppet deploys all configuration to /etc/nftables/puppet-preflight/ and /etc/nftables/puppet-preflight.nft. This is validated with:
nft -c -I /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft
If and only if successful, the configuration will be copied to the real locations before the service is reloaded.
Un-managed rules
By default, rules added manually by the administrator to the in-memory ruleset will be left untouched. However, nftables::purge_unmanaged_rules can be set to true to revert this behaviour and force a reload of the ruleset during the Puppet run if non-managed changes are detected.
Basic types
nftables::config
Manages a raw file in /etc/nftables/puppet/${name}.nft
Use this for any custom table files.
nftables::chain
Prepares a chain file as a concat file to which you will be able to add dedicated rules through nftables::rule.
The name must be unique for all chains. The inject parameter can be used to directly add a jump to a masterchain. inject must follow the pattern ORDER-MASTERCHAIN, where ORDER references a 2-digit number which defines the rule order (by default use e.g. 20) and MASTERCHAIN references the chain to hook in the new chain. It's possible to specify the in-interface name and out-interface name for the inject rule.
nftables::rule
A simple way to add rules to any chain. The name must be CHAIN_NAME-rulename, where CHAIN_NAME refers to your chain and rulename is an arbitrary name for your rule. The rule will be a concat::fragment to the chain CHAIN_NAME. You can define the order by using the order param.
Before defining your own rule, take a look to the list of ready-to-use rules available in the REFERENCE, somebody might have encapsulated a rule definition for you already.
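As an added example (not part of the module's own documentation), the following manifest combines nftables::chain and nftables::rule as described above: a dedicated chain for a web host is hooked into the INPUT masterchain with inject, and its rules are added as CHAIN_NAME-rulename fragments. The chain name web_in, the rule names, the interface eth0, the management range 192.0.2.0/24 and the order values are assumptions chosen for illustration; the default rule order of '50' is also an assumption.

```puppet
# Added example: custom chain hooked into INPUT, with its own rules.
include nftables

# Create chain web_in in table inet-filter and inject "jump web_in" into
# INPUT at order 30, i.e. after the module's own default_in hook (20).
# With inject_iif the jump only applies to packets arriving on eth0
# (interface name is an assumption).
nftables::chain { 'web_in':
  table      => 'inet-filter',
  inject     => '30-INPUT',
  inject_iif => 'eth0',
}

# Rules become concat fragments of chain web_in. Titles must follow
# CHAIN_NAME-rulename; lower order sorts first (default order assumed '50').
nftables::rule {
  'web_in-http':
    order   => '10',
    content => 'tcp dport { 80, 443 } accept';
  'web_in-admin_ssh':
    order   => '20',
    content => 'ip saddr 192.0.2.0/24 tcp dport 22 accept';
  'web_in-count_rest':
    # Anything else falls back to INPUT, whose policy is drop; count it
    # so that unexpected traffic on this interface shows up in nft output.
    order   => '90',
    content => 'counter';
}
```

Packets on eth0 that match none of the web_in rules return to INPUT and are handled by the remaining INPUT rules and its drop policy, so the chain only needs to express what is explicitly allowed.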
nftables::set
Adds a named set to a given table. It allows composing the set using individual parameters but also takes raw input via the content and source parameters.
nftables::simplerule
Allows expressing firewall rules without having to use nftables's language by adding an abstraction layer a la Firewall. It's rather limited how far you can go, so if you need rather complex rules or you can speak nftables it's recommended to use nftables::rule directly.
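The following is an added example (not from the module's own docs) that uses nftables::set together with nftables::simplerule from the two sections above: a named set of management hosts is declared once, and simplerules reference it through the Nftables::Addr::Set form (a leading '@'). The set name mgmt_hosts, the rule names, the addresses and the choice of ports are assumptions for illustration.

```puppet
# Added example: a named set of management addresses referenced by
# simplerules, so that SSH and node_exporter are reachable only from them.

# in_ssh defaults to true and would add a default_in rule accepting SSH
# from anywhere; disable it so the set-restricted rule is authoritative.
class { 'nftables':
  in_ssh => false,
}

# ipv4_addr set with the interval flag so CIDR prefixes are valid elements.
# Addresses are constructed documentation ranges.
nftables::set { 'mgmt_hosts':
  type     => 'ipv4_addr',
  table    => 'inet-filter',
  flags    => ['interval'],
  elements => ['192.0.2.10', '198.51.100.0/24'],
}

# simplerule defaults assumed here: proto tcp, chain default_in, action accept.
# saddr => '@mgmt_hosts' matches against the set; set_type selects the
# address family of the match (ip for the ipv4_addr set above).
nftables::simplerule { 'mgmt_ssh':
  dport    => 22,
  saddr    => '@mgmt_hosts',
  set_type => 'ip',
  comment  => 'SSH from management hosts only',
}

nftables::simplerule { 'mgmt_node_exporter':
  dport    => 9100,
  saddr    => '@mgmt_hosts',
  set_type => 'ip',
  comment  => 'Prometheus scrapes from management hosts only',
}
```

Keeping the allowed sources in one set means a change of management range is a one-line edit of elements rather than a search through every rule that mentions it, and nft list set inet filter mgmt_hosts shows the effective allow list on the host.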
Facts
One structured fact nftables is available:
{
tables => [
"bridge-filter",
"bridge-nat",
"inet-firewalld",
"ip-firewalld",
"ip6-firewalld"
],
version => "0.9.3"
}
nftables.version is the version of the nft command from nft --version. nftables.tables is the list of tables installed on the machine from nft list tables.
Editor goodies
If you're using Emacs there are some snippets for Yasnippet available here that could make your life easier when using the module. This is third party configuration that's only included here for reference so changes in the interfaces exposed by this module are not guaranteed to be automatically applied there.
Reference
Table of Contents
Classes
- nftables: Configure nftables
- nftables::bridges: allow forwarding traffic on bridges
- nftables::inet_filter: manage basic chains in table inet filter
- nftables::inet_filter::fwd_conntrack: enable conntrack for fwd
- nftables::inet_filter::in_out_conntrack: manage input & output conntrack
- nftables::ip_nat: manage basic chains in table ip nat
- nftables::rules::activemq: Provides input rules for Apache ActiveMQ
- nftables::rules::afs3_callback: Open call back port for AFS clients
- nftables::rules::ceph: Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
- nftables::rules::ceph_mon: Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
- nftables::rules::dhcpv6_client: allow DHCPv6 requests in to a host
- nftables::rules::dns: manage in dns
- nftables::rules::docker_ce: Default firewall configuration for Docker-CE
- nftables::rules::ftp: manage in ftp (with conntrack helper)
- nftables::rules::http: manage in http
- nftables::rules::https: manage in https
- nftables::rules::icinga2: manage in icinga2
- nftables::rules::icmp: allows incoming ICMP
- nftables::rules::igmp: allow incoming IGMP messages
- nftables::rules::ldap: manage in ldap
- nftables::rules::llmnr: allow incoming Link-Local Multicast Name Resolution
- nftables::rules::mdns: allow incoming multicast DNS
- nftables::rules::multicast: allow incoming multicast traffic
- nftables::rules::nfs: manage in nfs4
- nftables::rules::nfs3: manage in nfs3
- nftables::rules::node_exporter: manage in node exporter
- nftables::rules::ospf: manage in ospf
- nftables::rules::ospf3: manage in ospf3
- nftables::rules::out::active_directory: manage outgoing active directory
- nftables::rules::out::all: allow all outbound
- nftables::rules::out::ceph_client: Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
- nftables::rules::out::chrony: manage out chrony
- nftables::rules::out::dhcp: manage out dhcp
- nftables::rules::out::dhcpv6_client: Allow DHCPv6 requests out of a host
- nftables::rules::out::dns: manage out dns
- nftables::rules::out::hkp: allow outgoing hkp connections to gpg keyservers
- nftables::rules::out::http: manage out http
- nftables::rules::out::https: manage out https
- nftables::rules::out::icmp: control outbound icmp packets
- nftables::rules::out::igmp: allow outgoing IGMP messages
- nftables::rules::out::imap: allow outgoing imap
- nftables::rules::out::kerberos: allows outbound access for kerberos
- nftables::rules::out::ldap: manage outgoing ldap
- nftables::rules::out::mdns: allow outgoing multicast DNS
- nftables::rules::out::mldv2: allow multicast listener requests
- nftables::rules::out::mysql: manage out mysql
- nftables::rules::out::nfs: manage out nfs
- nftables::rules::out::nfs3: manage out nfs3
- nftables::rules::out::openafs_client: allows outbound access for afs clients (7000 - afs3-fileserver, 7002 - afs3-ptserver, 7003 - vlserver)
- nftables::rules::out::ospf: manage out ospf
- nftables::rules::out::ospf3: manage out ospf3
- nftables::rules::out::pop3: allow outgoing pop3
- nftables::rules::out::postgres: manage out postgres
- nftables::rules::out::puppet: manage outgoing puppet
- nftables::rules::out::pxp_agent: manage outgoing pxp-agent
- nftables::rules::out::smtp: allow outgoing smtp
- nftables::rules::out::smtp_client: allow outgoing smtp client
- nftables::rules::out::ssdp: allow outgoing SSDP
- nftables::rules::out::ssh: manage out ssh
- nftables::rules::out::ssh::remove: disable outgoing ssh
- nftables::rules::out::tor: manage out tor
- nftables::rules::out::whois: allow clients to query remote whois server
- nftables::rules::out::wireguard: manage out wireguard
- nftables::rules::podman: Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
- nftables::rules::puppet: manage in puppet
- nftables::rules::pxp_agent: manage in pxp-agent
- nftables::rules::qemu: Bridged network configuration for qemu/libvirt
- nftables::rules::samba: manage Samba, the suite to allow Windows file sharing on Linux resources.
- nftables::rules::smtp: manage in smtp
- nftables::rules::smtp_submission: manage in smtp submission
- nftables::rules::smtps: manage in smtps
- nftables::rules::spotify: allow incoming spotify
- nftables::rules::ssdp: allow incoming SSDP
- nftables::rules::ssh: manage in ssh
- nftables::rules::tor: manage in tor
- nftables::rules::wireguard: manage in wireguard
- nftables::rules::wsd: allow incoming webservice discovery
- nftables::services::dhcpv6_client: Allow in and outbound traffic for DHCPv6 server
- nftables::services::openafs_client: Open inbound and outbound ports for an AFS client
Defined types
- nftables::chain: manage a chain
- nftables::config: manage a config snippet
- nftables::file: Insert a file into the nftables configuration
- nftables::helper: manage a conntrack helper
- nftables::rule: Provides an interface to create a firewall rule
- nftables::rules::dnat4: manage an ipv4 dnat rule
- nftables::rules::masquerade: masquerade all outgoing traffic
- nftables::rules::snat4: manage an ipv4 snat rule
- nftables::set: manage a named set
- nftables::simplerule: Provides a simplified interface to nftables::rule
Data types
- Nftables::Addr: Represents an address expression to be used within a rule.
- Nftables::Addr::Set: Represents a set expression to be used within a rule.
- Nftables::Port: Represents a port expression to be used within a rule.
- Nftables::Port::Range: Represents a port range expression to be used within a rule.
- Nftables::RuleName: Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
- Nftables::SimpleRuleName: Represents a simple rule name to be used in a rule created via nftables::simplerule
Classes
nftables
Configure nftables
Examples
allow dns out and do not allow ntp out
class{ 'nftables':
out_ntp => false,
out_dns => true,
}
do not flush particular tables, fail2ban in this case
class{ 'nftables':
noflush_tables => ['inet-f2b-table'],
}
Parameters
The following parameters are available in the nftables class:
out_all
out_ntp
out_http
out_dns
out_https
out_icmp
in_ssh
in_icmp
inet_filter
nat
nat_table_name
purge_unmanaged_rules
inmem_rules_hash_file
sets
log_prefix
log_discarded
log_limit
reject_with
in_out_conntrack
in_out_drop_invalid
fwd_conntrack
fwd_drop_invalid
firewalld_enable
noflush_tables
rules
configuration_path
nft_path
echo
default_config_mode
clobber_default_config
out_all
Data type: Boolean
Allow all outbound connections. If true, then all other out parameters (out_ntp, out_dns, ...) will be assumed false.
Default value: false
out_ntp
Data type: Boolean
Allow outbound to ntp servers.
Default value: true
out_http
Data type: Boolean
Allow outbound to http servers.
Default value: true
out_dns
Data type: Boolean
Allow outbound to dns servers.
Default value: true
out_https
Data type: Boolean
Allow outbound to https servers.
Default value: true
out_icmp
Data type: Boolean
Allow outbound ICMPv4/v6 traffic.
Default value: true
in_ssh
Data type: Boolean
Allow inbound to ssh servers.
Default value: true
in_icmp
Data type: Boolean
Allow inbound ICMPv4/v6 traffic.
Default value: true
inet_filter
Data type: Boolean
Add default tables, chains and rules to process traffic.
Default value: true
nat
Data type: Boolean
Add default tables and chains to process NAT traffic.
Default value: true
nat_table_name
Data type: String[1]
The name of the 'nat' table.
Default value: 'nat'
purge_unmanaged_rules
Data type: Boolean
Prohibits in-memory rules that are not declared in Puppet code. Setting this to true activates a check that reloads nftables if the rules in memory have been modified without Puppet.
Default value: false
inmem_rules_hash_file
Data type: Stdlib::Unixpath
The name of the file where the hash of the in-memory rules will be stored.
Default value: '/var/tmp/puppet-nft-memhash'
sets
Data type: Hash
Allows sourcing set definitions directly from Hiera.
Default value: {}
log_prefix
Data type: String
String that will be used as prefix when logging packets. It can contain two variables using standard sprintf() string-formatting:
- chain: Will be replaced by the name of the chain.
- comment: Allows chains to add extra comments.
Default value: '[nftables] %<chain>s %<comment>s'
log_discarded
Data type: Boolean
Allow to log discarded packets
Default value: true
log_limit
Data type: Variant[Boolean[false], String]
String with the content of a limit statement to be applied to the rules that log discarded traffic. Set to false to disable rate limiting.
Default value: '3/minute burst 5 packets'
reject_with
Data type: Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]]
How to discard packets not matching any rule. If false, the fate of the packet will be defined by the chain policy (normally drop); otherwise the packet will be rejected with the REJECT_WITH policy indicated by the value of this parameter.
Default value: 'icmpx type port-unreachable'
in_out_conntrack
Data type: Boolean
Adds INPUT and OUTPUT rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: true
in_out_drop_invalid
Data type: Boolean
Drops invalid packets in INPUT and OUTPUT
Default value: $in_out_conntrack
fwd_conntrack
Data type: Boolean
Adds FORWARD rules to allow traffic that's part of an established connection and also to drop invalid packets.
Default value: false
fwd_drop_invalid
Data type: Boolean
Drops invalid packets in FORWARD
Default value: $fwd_conntrack
firewalld_enable
Data type: Variant[Boolean[false], Enum['mask']]
Configures how the firewalld systemd service unit is enabled. It might be useful to set this to false if you're externally removing firewalld from the system completely.
Default value: 'mask'
noflush_tables
Data type: Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]]
If specified, only existing tables other than the listed ones will be flushed. If left unset, all tables will be flushed via a flush ruleset.
Default value: undef
rules
Data type: Hash
Specify hashes of nftables::rules via hiera
Default value: {}
configuration_path
Data type: Stdlib::Unixpath
The absolute path to the principal nftables configuration file. The default varies depending on the system, and is set in the module's data.
nft_path
Data type: Stdlib::Unixpath
Path to the nft binary
echo
Data type: Stdlib::Unixpath
Path to the echo binary
default_config_mode
Data type: Stdlib::Filemode
The default file & dir mode for configuration files and directories. The default varies depending on the system, and is set in the module's data.
clobber_default_config
Data type: Boolean
Should the existing OS provided rules in the configuration_path be removed? If they are not being removed, this module will add all of its configuration to the end of the existing rules.
Default value: false
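As an added example (not one of the module's own), the following declaration of the nftables class shows how the parameters listed above fit together in a restrictive host profile: outbound traffic stays on the default-deny path instead of out_all => true, discarded packets are rejected and logged at a bounded rate, the in-memory ruleset is reloaded when it drifts from what Puppet manages, and a table owned by other tooling is excluded from the flush. The NTP server addresses are constructed; the fail2ban table name is the one used in the page's own example.

```puppet
# Added example: restrictive nftables class profile.
class { 'nftables':
  # Keep the default-deny egress posture. out_all => true would make every
  # other out_* parameter irrelevant, so leave it false and enable only
  # what the host needs.
  out_all               => false,
  out_http              => false,  # module default is true; this host only needs TLS egress
  out_https             => true,
  out_dns               => true,
  out_ntp               => false,  # replaced below by a chrony rule pinned to known servers
  out_icmp              => true,
  in_ssh                => true,
  in_icmp               => true,
  # Reject with an ICMP error instead of the chain's drop policy so that
  # legitimate clients fail fast (this is the module default, shown explicitly).
  reject_with           => 'icmpx type port-unreachable',
  # Log discarded packets with a prefix naming the chain, rate limited so a
  # scan cannot flood the journal.
  log_discarded         => true,
  log_prefix            => '[nftables] %<chain>s %<comment>s',
  log_limit             => '3/minute burst 5 packets',
  # Reload the ruleset during the Puppet run if the in-memory rules were
  # changed outside Puppet (hash kept in inmem_rules_hash_file).
  purge_unmanaged_rules => true,
  # Leave fail2ban's own table alone when flushing on reload.
  noflush_tables        => ['inet-f2b-table'],
  # Make sure firewalld cannot be started alongside nftables.
  firewalld_enable      => 'mask',
}

# Outbound NTP only to the site's time servers (addresses are constructed
# documentation values).
class { 'nftables::rules::out::chrony':
  servers => ['192.0.2.123', '2001:db8::123'],
}
```

With purge_unmanaged_rules enabled, a manual nft add rule on the host is undone at the next Puppet run, which is what you want on a managed server; on a host where operators legitimately add temporary rules, leave it at its default of false and rely on the preflight validation alone.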
nftables::bridges
allow forwarding traffic on bridges
Parameters
The following parameters are available in the nftables::bridges class:
ensure
Data type: Enum['present','absent']
Default value: 'present'
bridgenames
Data type: Regexp
Default value: /^br.+/
nftables::inet_filter
manage basic chains in table inet filter
nftables::inet_filter::fwd_conntrack
enable conntrack for fwd
nftables::inet_filter::in_out_conntrack
manage input & output conntrack
nftables::ip_nat
manage basic chains in table ip nat
nftables::rules::activemq
Provides input rules for Apache ActiveMQ
Parameters
The following parameters are available in the nftables::rules::activemq class:
tcp
Data type: Boolean
Create the rule for TCP traffic.
Default value: true
udp
Data type: Boolean
Create the rule for UDP traffic.
Default value: true
port
Data type: Stdlib::Port
The port number for the ActiveMQ daemon.
Default value: 61616
nftables::rules::afs3_callback
Open call back port for AFS clients
Examples
allow call backs from particular hosts
class{'nftables::rules::afs3_callback':
saddr => ['192.168.0.0/16', '10.0.0.222']
}
Parameters
The following parameters are available in the nftables::rules::afs3_callback class:
saddr
Data type: Array[Stdlib::IP::Address::V4,1]
list of source network ranges to a
Default value: ['0.0.0.0/0']
nftables::rules::ceph
Ceph is a distributed object store and file system. Enable this to support Ceph's Object Storage Daemons (OSD), Metadata Server Daemons (MDS), or Manager Daemons (MGR).
nftables::rules::ceph_mon
Ceph is a distributed object store and file system. Enable this option to support Ceph's Monitor Daemon.
Parameters
The following parameters are available in the nftables::rules::ceph_mon class:
ports
Data type: Array[Stdlib::Port,1]
specify ports for ceph service
Default value: [3300, 6789]
nftables::rules::dhcpv6_client
allow DHCPv6 requests in to a host
nftables::rules::dns
manage in dns
Examples
Allow access to stub dns resolver from docker containers
class { 'nftables::rules::dns':
iifname => ['docker0'],
}
Parameters
The following parameters are available in the nftables::rules::dns class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports for dns.
Default value: [53]
iifname
Data type: Optional[Array[String[1],1]]
Specify input interface names.
Default value: undef
nftables::rules::docker_ce
The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.
This class is needed as the default docker-ce rules added to ip-filter conflict with the inet-filter forward rules set by default in this module.
When using this class 'docker::iptables: false' should be set.
Parameters
The following parameters are available in the nftables::rules::docker_ce class:
docker_interface
Data type: String[1]
Interface name used by docker.
Default value: 'docker0'
docker_prefix
Data type: Stdlib::IP::Address::V4::CIDR
The address space used by docker.
Default value: '172.17.0.0/16'
manage_docker_chains
Data type: Boolean
Flag to control whether the class should create the docker related chains.
Default value: true
manage_base_chains
Data type: Boolean
Flag to control whether the class should create the base common chains.
Default value: true
nftables::rules::ftp
manage in ftp (with conntrack helper)
Parameters
The following parameters are available in the nftables::rules::ftp class:
enable_passive
Data type: Boolean
Enable FTP passive mode support
Default value: true
passive_ports
Data type: Nftables::Port::Range
Set the FTP passive mode port range
Default value: '10090-10100'
nftables::rules::http
manage in http
nftables::rules::https
manage in https
nftables::rules::icinga2
manage in icinga2
Parameters
The following parameters are available in the nftables::rules::icinga2 class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports for icinga2
Default value: [5665]
nftables::rules::icmp
allows incoming ICMP
Parameters
The following parameters are available in the nftables::rules::icmp class:
v4_types
Data type: Optional[Array[String]]
ICMP v4 types that should be allowed
Default value: undef
v6_types
Data type: Optional[Array[String]]
ICMP v6 types that should be allowed
Default value: undef
order
Data type: String
the ordering of the rules
Default value: '10'
nftables::rules::igmp
allow incoming IGMP messages
nftables::rules::ldap
manage in ldap
Parameters
The following parameters are available in the nftables::rules::ldap class:
ports
Data type: Array[Integer,1]
ldap server ports
Default value: [389, 636]
nftables::rules::llmnr
allow incoming Link-Local Multicast Name Resolution
Parameters
The following parameters are available in the nftables::rules::llmnr class:
ipv4
Data type: Boolean
Allow LLMNR over IPv4
Default value: true
ipv6
Data type: Boolean
Allow LLMNR over IPv6
Default value: true
iifname
Data type: Array[String[1]]
optional list of incoming interfaces to filter on
Default value: []
nftables::rules::mdns
allow incoming multicast DNS
Parameters
The following parameters are available in the nftables::rules::mdns class:
ipv4
Data type: Boolean
Allow mdns over IPv4
Default value: true
ipv6
Data type: Boolean
Allow mdns over IPv6
Default value: true
iifname
Data type: Array[String[1]]
name for incoming interfaces to filter
Default value: []
nftables::rules::multicast
allow incoming multicast traffic
nftables::rules::nfs
manage in nfs4
nftables::rules::nfs3
manage in nfs3
nftables::rules::node_exporter
manage in node exporter
Parameters
The following parameters are available in the nftables::rules::node_exporter class:
prometheus_server
Data type: Optional[Variant[String,Array[String,1]]]
Specify server name
Default value: undef
port
Data type: Stdlib::Port
Specify port to open
Default value: 9100
nftables::rules::ospf
manage in ospf
nftables::rules::ospf3
manage in ospf3
Parameters
The following parameters are available in the nftables::rules::ospf3 class:
iifname
Data type: Array[String[1]]
optional list of incoming interfaces to allow traffic
Default value: []
nftables::rules::out::active_directory
manage outgoing active directory
Parameters
The following parameters are available in the nftables::rules::out::active_directory class:
adserver
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
adserver IPs
adserver_ports
Data type: Array[Stdlib::Port,1]
adserver ports
Default value: [389, 636, 3268, 3269]
nftables::rules::out::all
allow all outbound
nftables::rules::out::ceph_client
Ceph is a distributed object store and file system. Enable this to be a client of Ceph's Monitor (MON), Object Storage Daemons (OSD), Metadata Server Daemons (MDS), and Manager Daemons (MGR).
Parameters
The following parameters are available in the nftables::rules::out::ceph_client class:
ports
Data type: Array[Stdlib::Port,1]
Specify ports to open
Default value: [3300, 6789]
nftables::rules::out::chrony
manage out chrony
Parameters
The following parameters are available in the nftables::rules::out::chrony class:
servers
Data type: Array[Stdlib::IP::Address]
single IP-Address or array of IP-addresses from NTP servers
Default value: []
nftables::rules::out::dhcp
manage out dhcp
nftables::rules::out::dhcpv6_client
Allow DHCPv6 requests out of a host
nftables::rules::out::dns
manage out dns
Parameters
The following parameters are available in the nftables::rules::out::dns class:
dns_server
Data type: Array[Stdlib::IP::Address]
specify dns_server name
Default value: []
nftables::rules::out::hkp
allow outgoing hkp connections to gpg keyservers
nftables::rules::out::http
manage out http
nftables::rules::out::https
manage out https
nftables::rules::out::icmp
control outbound icmp packets
Parameters
The following parameters are available in the nftables::rules::out::icmp class:
v4_types
Data type: Optional[Array[String]]
ICMP v4 types that should be allowed
Default value: undef
v6_types
Data type: Optional[Array[String]]
ICMP v6 types that should be allowed
Default value: undef
order
Data type: String
the ordering of the rules
Default value: '10'
nftables::rules::out::igmp
allow outgoing IGMP messages
nftables::rules::out::imap
allow outgoing imap
nftables::rules::out::kerberos
allows outbound access for kerberos
nftables::rules::out::ldap
manage outgoing ldap
Parameters
The following parameters are available in the nftables::rules::out::ldap class:
ldapserver
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
ldapserver IPs
ldapserver_ports
Data type: Array[Stdlib::Port,1]
ldapserver ports
Default value: [389, 636]
nftables::rules::out::mdns
allow outgoing multicast DNS
Parameters
The following parameters are available in the nftables::rules::out::mdns class:
ipv4
Data type: Boolean
Allow mdns over IPv4
Default value: true
ipv6
Data type: Boolean
Allow mdns over IPv6
Default value: true
oifname
Data type: Array[String[1]]
optional name for outgoing interfaces
Default value: []
nftables::rules::out::mldv2
allow multicast listener requests
nftables::rules::out::mysql
manage out mysql
nftables::rules::out::nfs
manage out nfs
nftables::rules::out::nfs3
manage out nfs3
nftables::rules::out::openafs_client
allows outbound access for afs clients (7000 - afs3-fileserver, 7002 - afs3-ptserver, 7003 - vlserver)
See also: AFS Service Ports, https://wiki.openafs.org/devel/AFSServicePorts/
Parameters
The following parameters are available in the nftables::rules::out::openafs_client class:
ports
Data type: Array[Stdlib::Port,1]
port numbers to use
Default value: [7000, 7002, 7003]
nftables::rules::out::ospf
manage out ospf
nftables::rules::out::ospf3
manage out ospf3
Parameters
The following parameters are available in the nftables::rules::out::ospf3 class:
oifname
Data type: Array[String[1]]
optional list of outgoing interfaces to filter on
Default value: []
nftables::rules::out::pop3
allow outgoing pop3
nftables::rules::out::postgres
manage out postgres
nftables::rules::out::puppet
manage outgoing puppet
Parameters
The following parameters are available in the nftables::rules::out::puppet class:
puppetserver
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
puppetserver hostname
puppetserver_port
Data type: Stdlib::Port
puppetserver port
Default value: 8140
nftables::rules::out::pxp_agent
manage outgoing pxp-agent
See also: take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver
Parameters
The following parameters are available in the nftables::rules::out::pxp_agent class:
broker
Data type: Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]
PXP broker IP(s)
broker_port
Data type: Stdlib::Port
PXP broker port
Default value: 8142
nftables::rules::out::smtp
allow outgoing smtp
nftables::rules::out::smtp_client
allow outgoing smtp client
nftables::rules::out::ssdp
allow outgoing SSDP
Parameters
The following parameters are available in the nftables::rules::out::ssdp class:
ipv4
Data type: Boolean
Allow SSDP over IPv4
Default value: true
ipv6
Data type: Boolean
Allow SSDP over IPv6
Default value: true
nftables::rules::out::ssh
manage out ssh
nftables::rules::out::ssh::remove
disable outgoing ssh
nftables::rules::out::tor
manage out tor
nftables::rules::out::whois
allow clients to query remote whois server
nftables::rules::out::wireguard
manage out wireguard
Parameters
The following parameters are available in the nftables::rules::out::wireguard class:
ports
Data type: Array[Integer,1]
specify wireguard ports
Default value: [51820]
nftables::rules::podman
Rules for Podman, a tool for managing OCI containers and pods. This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
nftables::rules::puppet
manage in puppet
Parameters
The following parameters are available in the nftables::rules::puppet class:
ports
Data type: Array[Integer,1]
puppet server ports
Default value: [8140]
nftables::rules::pxp_agent
manage in pxp-agent
Parameters
The following parameters are available in the nftables::rules::pxp_agent class:
ports
Data type: Array[Stdlib::Port,1]
pxp server ports
Default value: [8142]
nftables::rules::qemu
This class configures the typical firewall setup that libvirt creates. Depending on your requirements you can switch on and off several aspects, for instance if you don't do DHCP to your guests you can disable the rules that accept DHCP traffic on the host or if you don't want your guests to talk to hosts outside you can disable forwarding and/or masquerading for IPv4 traffic.
Parameters
The following parameters are available in the nftables::rules::qemu class:
interface
Data type: String[1]
Interface name used by the bridge.
Default value: 'virbr0'
network_v4
Data type: Stdlib::IP::Address::V4::CIDR
The IPv4 network prefix used in the virtual network.
Default value: '192.168.122.0/24'
network_v6
Data type: Optional[Stdlib::IP::Address::V6::CIDR]
The IPv6 network prefix used in the virtual network.
Default value: undef
dns
Data type: Boolean
Allow DNS traffic from the guests to the host.
Default value: true
dhcpv4
Data type: Boolean
Allow DHCPv4 traffic from the guests to the host.
Default value: true
forward_traffic
Data type: Boolean
Allow forwarded traffic (out all, in related/established) generated by the virtual network.
Default value: true
internal_traffic
Data type: Boolean
Allow guests in the virtual network to talk to each other.
Default value: true
masquerade
Data type: Boolean
Do NAT masquerade on all IPv4 traffic generated by guests to external networks.
Default value: true
nftables::rules::samba
manage Samba, the suite to allow Windows file sharing on Linux resources.
Parameters
The following parameters are available in the nftables::rules::samba class:
ctdb
Data type: Boolean
Enable ctdb-driven clustered Samba setups
Default value: false
action
Data type: Enum['accept', 'drop']
if the traffic should be allowed or dropped
Default value: 'accept'
nftables::rules::smtp
manage in smtp
nftables::rules::smtp_submission
manage in smtp submission
nftables::rules::smtps
manage in smtps
nftables::rules::spotify
allow incoming spotify
nftables::rules::ssdp
allow incoming SSDP
Parameters
The following parameters are available in the nftables::rules::ssdp class:
ipv4
Data type: Boolean
Allow SSDP over IPv4
Default value: true
ipv6
Data type: Boolean
Allow SSDP over IPv6
Default value: true
nftables::rules::ssh
manage in ssh
Parameters
The following parameters are available in the nftables::rules::ssh class:
ports
Data type: Array[Stdlib::Port,1]
ssh ports
Default value: [22]
nftables::rules::tor
manage in tor
Parameters
The following parameters are available in the nftables::rules::tor class:
ports
Data type: Array[Stdlib::Port,1]
ports for tor
Default value: [9001]
nftables::rules::wireguard
manage in wireguard
Parameters
The following parameters are available in the nftables::rules::wireguard class:
ports
Data type: Array[Stdlib::Port,1]
wireguard port
Default value: [51820]
nftables::rules::wsd
allow incoming webservice discovery
Parameters
The following parameters are available in the nftables::rules::wsd class:
ipv4
Data type: Boolean
Allow ws-discovery over IPv4
Default value: true
ipv6
Data type: Boolean
Allow ws-discovery over IPv6
Default value: true
nftables::services::dhcpv6_client
Allow inbound and outbound traffic for DHCPv6 server
nftables::services::openafs_client
Open inbound and outbound ports for an AFS client
Defined types
nftables::chain
manage a chain
Parameters
The following parameters are available in the nftables::chain
defined type:
table
Data type: Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]
Default value: 'inet-filter'
chain
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
inject
Data type: Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
Default value: undef
inject_iif
Data type: Optional[String]
Default value: undef
inject_oif
Data type: Optional[String]
Default value: undef
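As an added example (not from the module's own documentation), the following manifest combines nftables::chain and nftables::rule: a dedicated chain is hooked into the INPUT master chain and only fed traffic arriving on one interface, and the rules that belong to it are named with the chain as the first component of the rulename. The interface name eth1, the inject value '20-INPUT' (order 20, master chain INPUT) and the assumption that unmatched packets fall back to INPUT's default drop after the injected chain ends are assumptions of this example.

```puppet
# Added example, not part of the module docs.
# A management-only input chain: the module injects a jump to it into
# INPUT (assumed order '20'), restricted to packets arriving on eth1.
nftables::chain { 'mgmt_in':
  table      => 'inet-filter',
  inject     => '20-INPUT',   # assumption: '<order>-<masterchain>'
  inject_iif => 'eth1',       # assumed management interface
}

# Rules are named '<chain>-<name>' (Nftables::RuleName); the first
# component decides which chain the rule is rendered into.
nftables::rule { 'mgmt_in-ssh':
  content => 'tcp dport 22 ct state new accept',
  order   => '10',
}

nftables::rule { 'mgmt_in-snmp':
  content => 'udp dport 161 accept',
  order   => '20',
}

# Nothing here is accepted for other interfaces; packets on eth1 that
# match no rule above return to INPUT, which drops by default.
```

Because the chain carries only accept verdicts, it narrows what eth1 may reach without overriding the drop policy the module applies to every filter master chain.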
nftables::config
manage a config snippet
Parameters
The following parameters are available in the nftables::config
defined type:
tablespec
Data type: Pattern[/^\w+-\w+$/]
Default value: $title
content
Data type: Optional[String]
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
Default value: undef
prefix
Data type: String
Default value: 'custom-'
nftables::file
Insert a file into the nftables configuration
Examples
Include a file that includes other files
nftables::file{'geoip':
content => @(EOT)
include "/var/local/geoipsets/dbip/nftset/ipv4/*.ipv4"
include "/var/local/geoipsets/dbip/nftset/ipv6/*.ipv6"
|EOT,
}
Parameters
The following parameters are available in the nftables::file
defined type:
label
Data type: String[1]
Unique name to include in filename.
Default value: $title
content
Data type: Optional[String]
The content to place in the file.
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
A source to obtain the file content from.
Default value: undef
prefix
Data type: String
Prefix of file name to be created, if left as file- it will be auto included in the main nft configuration
Default value: 'file-'
nftables::helper
manage a conntrack helper
Examples
FTP helper
nftables::helper { 'ftp-standard':
content => 'type "ftp" protocol tcp;',
}
Parameters
The following parameters are available in the nftables::helper
defined type:
content
Data type: String
Conntrack helper definition.
table
Data type: Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
The name of the table to add this helper to.
Default value: 'inet-filter'
helper
Data type: Pattern[/^[a-zA-Z0-9_][A-z0-9_-]*$/]
The symbolic name for the helper.
Default value: $title
nftables::rule
Provides an interface to create a firewall rule
Examples
add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80
nftables::rule {
'default_in-myhttp':
content => 'tcp dport 80 accept',
}
add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic
nftables::rule {
'PREROUTING6-count':
content => 'counter',
table => 'ip6-nat'
}
Redirect port 443 to port 8443
nftables::rule { 'PREROUTING-redirect':
content => 'tcp dport 443 redirect to :8443',
table => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
content => 'tcp dport 443 redirect to :8443',
table => 'ip6-nat',
}
Parameters
The following parameters are available in the nftables::rule
defined type:
ensure
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
rulename
Data type: Nftables::RuleName
The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
table
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
content
Data type: Optional[String]
The raw statements that compose the rule represented using the nftables language.
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
Same goal as content but sourcing the value from a file.
Default value: undef
nftables::rules::dnat4
manage an IPv4 DNAT rule
Parameters
The following parameters are available in the nftables::rules::dnat4
defined type:
daddr
Data type: Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
port
Data type: Variant[String,Stdlib::Port]
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '50'
chain
Data type: String[1]
Default value: 'default_fwd'
iif
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Enum['tcp','udp']
Default value: 'tcp'
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
nftables::rules::masquerade
masquerade all outgoing traffic
Parameters
The following parameters are available in the nftables::rules::masquerade
defined type:
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '70'
chain
Data type: String[1]
Default value: 'POSTROUTING'
oif
Data type: Optional[String[1]]
Default value: undef
saddr
Data type: Optional[String[1]]
Default value: undef
daddr
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Optional[Enum['tcp','udp']]
Default value: undef
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
nftables::rules::snat4
manage an IPv4 SNAT rule
Parameters
The following parameters are available in the nftables::rules::snat4
defined type:
snat
Data type: String[1]
rulename
Data type: Pattern[/^[a-zA-Z0-9_]+$/]
Default value: $title
order
Data type: Pattern[/^\d\d$/]
Default value: '70'
chain
Data type: String[1]
Default value: 'POSTROUTING'
oif
Data type: Optional[String[1]]
Default value: undef
saddr
Data type: Optional[String[1]]
Default value: undef
proto
Data type: Optional[Enum['tcp','udp']]
Default value: undef
dport
Data type: Optional[Variant[String,Stdlib::Port]]
Default value: undef
ensure
Data type: Enum['present','absent']
Default value: 'present'
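As an added example (not from the module's own documentation), the following manifest uses nftables::rules::dnat4 together with nftables::rules::masquerade to build a small IPv4 gateway: one inbound port on the uplink is forwarded to an internal host, and only the internal network's traffic leaving the uplink is masqueraded. The interface names eth0 and eth1, the addresses 10.0.0.0/24 and 10.0.0.10, and the port numbers are constructed values; that dnat4 also renders the matching accept rule into the chain given by its chain parameter is this example's reading of the parameter list, not something the page states.

```puppet
# Added example, not part of the module docs.
# Assumed layout: eth0 is the uplink, eth1 faces 10.0.0.0/24 (constructed).

# Forward TCP/8443 arriving on the uplink to an internal web server's port 443.
# 'dport' is the port matched on the uplink, 'port' the port on the target.
nftables::rules::dnat4 { 'web_dnat':
  iif   => 'eth0',
  proto => 'tcp',
  dport => 8443,
  daddr => '10.0.0.10',   # must be a plain dotted-quad address
  port  => 443,
  chain => 'default_fwd', # assumption: the filter chain for the accept rule
  order => '40',
}

# Masquerade only the internal network, only when it leaves via the uplink,
# so traffic on other interfaces is never rewritten by accident.
nftables::rules::masquerade { 'lan_masq':
  oif   => 'eth0',
  saddr => '10.0.0.0/24',
  order => '70',
}

# An absent rule is purged from the rendered configuration on the next run.
nftables::rules::masquerade { 'legacy_masq':
  ensure => 'absent',
}
```

Scoping the masquerade rule with oif and saddr is the part to check after applying: a masquerade rule with neither match would rewrite every packet that leaves the host through POSTROUTING.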
nftables::set
manage a named set
Examples
simple set
nftables::set{'my_set':
type => 'ipv4_addr',
flags => ['interval'],
elements => ['192.168.0.1/24', '10.0.0.2'],
auto_merge => true,
}
Parameters
The following parameters are available in the nftables::set
defined type:
ensure
Data type: Enum['present','absent']
should the set be created.
Default value: 'present'
setname
Data type: Pattern[/^[-a-zA-Z0-9_]+$/]
name of set, equal to the title.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
concat ordering.
Default value: '10'
type
Data type: Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]
type of set.
Default value: undef
table
Data type: Variant[String, Array[String, 1]]
table or array of tables to add the set to.
Default value: 'inet-filter'
flags
Data type: Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]
specify flags for set
Default value: []
timeout
Data type: Optional[Integer]
timeout in seconds
Default value: undef
gc_interval
Data type: Optional[Integer]
garbage collection interval.
Default value: undef
elements
Data type: Optional[Array[String]]
initialize the set with some elements in it.
Default value: undef
size
Data type: Optional[Integer]
limits the maximum number of elements of the set.
Default value: undef
policy
Data type: Optional[Enum['performance', 'memory']]
determines set selection policy.
Default value: undef
auto_merge
Data type: Boolean
automatically merge adjacent/overlapping set elements (only valid for interval sets)
Default value: false
content
Data type: Optional[String]
specify content of set.
Default value: undef
source
Data type: Optional[Variant[String,Array[String,1]]]
specify source of set.
Default value: undef
nftables::simplerule
Provides a simplified interface to nftables::rule
Examples
allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
nftables::simplerule{'my_service_in':
action => 'accept',
comment => 'allow traffic to port 543',
counter => true,
proto => 'tcp',
dport => 543,
daddr => '2001:1458::/32',
sport => 541,
}
Parameters
The following parameters are available in the nftables::simplerule
defined type:
ensure
Data type: Enum['present','absent']
Should the rule be created.
Default value: 'present'
rulename
Data type: Nftables::SimpleRuleName
The symbolic name for the rule to add. Defaults to the resource's title.
Default value: $title
order
Data type: Pattern[/^\d\d$/]
A number representing the order of the rule.
Default value: '50'
chain
Data type: String
The name of the chain to add this rule to.
Default value: 'default_in'
table
Data type: String
The name of the table to add this rule to.
Default value: 'inet-filter'
action
Data type: Enum['accept', 'continue', 'drop', 'queue', 'return']
The verdict for the matched traffic.
Default value: 'accept'
comment
Data type: Optional[String]
A typically human-readable comment for the rule.
Default value: undef
dport
Data type: Optional[Nftables::Port]
The destination port, ports or port range.
Default value: undef
proto
Data type: Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]
The transport-layer protocol to match.
Default value: undef
daddr
Data type: Optional[Nftables::Addr]
The destination address, CIDR or set to match.
Default value: undef
set_type
Data type: Enum['ip', 'ip6']
When using sets as saddr or daddr, the type of the set.
Use ip for sets of type ipv4_addr.
Default value: 'ip6'
sport
Data type: Optional[Nftables::Port]
The source port, ports or port range.
Default value: undef
saddr
Data type: Optional[Nftables::Addr]
The source address, CIDR or set to match.
Default value: undef
counter
Data type: Boolean
Enable traffic counters for the matched traffic.
Default value: false
iifname
Data type: Variant[Array[String[1]],String[1]]
Optional filter for the incoming interface
Default value: []
oifname
Data type: Variant[Array[String[1]],String[1]]
Optional filter for the outgoing interface
Default value: []
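As an added example (not from the module's own documentation), the following manifest restricts inbound SSH to an allow-list of management networks kept in named sets, one per address family, using nftables::set and nftables::simplerule. It shows the set_type parameter in use: it defaults to 'ip6', so a rule that references an ipv4_addr set must set it to 'ip'. The network addresses are constructed sample values, and in_ssh is assumed here to be the main class parameter that controls the module's default inbound SSH rule.

```puppet
# Added example, not part of the module docs.
# Turn off the module's default "SSH from anywhere" rule (assumed parameter).
class { 'nftables':
  in_ssh => false,
}

# IPv4 management networks as an interval set; auto_merge collapses
# adjacent or overlapping elements. Sample networks are constructed.
nftables::set { 'mgmt_nets_v4':
  type       => 'ipv4_addr',
  flags      => ['interval'],
  elements   => ['10.10.0.0/24', '192.0.2.16/28'],
  auto_merge => true,
}

nftables::set { 'mgmt_nets_v6':
  type     => 'ipv6_addr',
  flags    => ['interval'],
  elements => ['2001:db8:10::/48'],
}

# Sets are referenced as '@name' (Nftables::Addr::Set).
nftables::simplerule { 'ssh_mgmt_v4':
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets_v4',
  set_type => 'ip',    # required for an ipv4_addr set; the default is 'ip6'
  counter  => true,
  comment  => 'SSH from IPv4 management networks only',
}

nftables::simplerule { 'ssh_mgmt_v6':
  proto    => 'tcp',
  dport    => 22,
  saddr    => '@mgmt_nets_v6',
  set_type => 'ip6',
  counter  => true,
  comment  => 'SSH from IPv6 management networks only',
}
```

Both rules land in default_in of inet-filter (the simplerule defaults), and the counters make it easy to confirm with nft list ruleset that SSH sessions are being matched by the allow-list rule rather than by anything broader.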
Data types
Nftables::Addr
Represents an address expression to be used within a rule.
Alias of Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set, Array[Stdlib::IP::Address::V6], Array[Stdlib::IP::Address::V4], Array[Nftables::Addr::Set]]
Nftables::Addr::Set
Represents a set expression to be used within a rule.
Alias of Pattern[/^@[-a-zA-Z0-9_]+$/]
Nftables::Port
Represents a port expression to be used within a rule.
Alias of Variant[Array[Variant[Nftables::Port::Range, Stdlib::Port], 1], Stdlib::Port, Nftables::Port::Range]
Nftables::Port::Range
Represents a port range expression to be used within a rule.
Alias of Pattern[/^\d+-\d+$/]
Nftables::RuleName
Represents a rule name to be used in a raw rule created via nftables::rule. It's a dash separated string. The first component describes the chain to add the rule to, the second the rule name and the (optional) third a number. Ex: 'default_in-sshd', 'default_out-my_service-2'.
Alias of Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
Nftables::SimpleRuleName
Represents a simple rule name to be used in a rule created via nftables::simplerule
Alias of Pattern[/^[a-zA-Z0-9_]+(-\d+)?$/]
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v4.0.0 (2024-08-05)
Breaking changes:
- Drop EOL CentOS 8 support #245 (traylenator)
Implemented enhancements:
- add support for conntrack helpers #207
- New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality #253 (canihavethisone)
- Add support Arrays of source/destination IP addresses for nftables::simplerule #252 (phaedriel)
- New clobber_default_config parameter #247 (traylenator)
- update puppet-systemd upper bound to 8.0.0 #242 (TheMeier)
- rules::llmnr: Allow interface filtering #235 (bastelfreak)
- rules::ospf3 & rules::out::ospf3: Allow filtering on outgoing interfaces #234 (bastelfreak)
- rules::out::mdns & rules::mdns: Allow interface filtering #233 (bastelfreak)
Merged pull requests:
- Run default destroying acceptance tests at end #249 (traylenator)
- Accept on Debian 11 nftables::set will fail #246 (traylenator)
v3.7.1 (2023-12-29)
Fixed bugs:
- rules::icmp: Allow ICMP packets with extensions #231 (bastelfreak)
- out::icmp: simplify filtering/fix ICMP bug #230 (bastelfreak)
v3.7.0 (2023-12-27)
Implemented enhancements:
- simplerule: Allow multiple oifname/iifname #228 (bastelfreak)
v3.6.0 (2023-12-20)
Implemented enhancements:
- Make "dropping invalid packets" configurable #225 (bastelfreak)
- simplerule: Add support for outgoing interface filtering #224 (bastelfreak)
- simplerule: Add support for incoming interface filtering #221 (bastelfreak)
Merged pull requests:
- rules::out:dns: refactor for better readability #222 (bastelfreak)
- Document what the 'auto_merge' set parameter does. #219 (Tamerz)
v3.5.0 (2023-11-27)
Implemented enhancements:
- Support input interface specification to dns server #215 (traylenator)
- Additional rules for podman root containers #214 (traylenator)
- nftables::simplerule::dport - takes port ranges as part of the array #189 (tskirvin)
Merged pull requests:
- Example how to redirect one port to another #183 (traylenator)
v3.4.0 (2023-11-17)
Implemented enhancements:
- allow puppet/systemd v6 #213 (vchepkov)
- Add Debian 12 support #211 (bastelfreak)
- provide an option to disable logging rejected packets #209 (vchepkov)
- add ftp helper #208 (vchepkov)
v3.3.0 (2023-08-28)
Implemented enhancements:
- samba: Add option to drop traffic #204 (bastelfreak)
- Add nftables rules for ws-discovery #203 (bastelfreak)
- Add rule for incoming SSDP #202 (bastelfreak)
- Add rule for incoming LLMNR #201 (bastelfreak)
v3.2.0 (2023-08-19)
Implemented enhancements:
- Add rule for outgoing multicast DNS #199 (bastelfreak)
- Add rule for multicast listener requests (MLDv2) #198 (bastelfreak)
- Add rules for IGMP #194 (bastelfreak)
- mDNS: Allow udp port 5353 #193 (bastelfreak)
- Add rule to allow incoming spotify broadcast #192 (bastelfreak)
- Add rule to allow multicast DNS #191 (bastelfreak)
- Add rule to allow incoming multicast traffic #190 (bastelfreak)
- Declare stdlib v9 support #180 (traylenator)
Fixed bugs:
- Add missing unit string for timeout,gc-interval #187 (javier-angulo)
v3.1.0 (2023-07-30)
Implemented enhancements:
- puppetlabs/stdlib: Allow 9.x #182 (bastelfreak)
- Declare puppet v8 support #181 (traylenator)
Merged pull requests:
- puppetlabs/concat: Allow 9.x #185 (bastelfreak)
v3.0.1 (2023-06-20)
Implemented enhancements:
- add ldap and active directory rules #177 (SimonHoenscheid)
Closed issues:
- rspec tests fail on docker again. #167
Merged pull requests:
- Increased puppet/systemd upper limit to < 6.0.0 #176 (canihavethisone)
v3.0.0 (2023-05-25)
Breaking changes:
- Drop puppet 6 support #173 (traylenator)
Implemented enhancements:
- Raise puppetlabs/concat upper limit to < 9.0.0 #170 (canihavethisone)
Merged pull requests:
- Refresh REFERENCE #171 (traylenator)
- Fix typo in icinga2 rule documentation #169 (baldurmen)
v2.6.1 (2023-03-24)
Implemented enhancements:
- Add bridge as a valid family for chain tables #165 (luisfdez)
- Add Rocky 8 and 9 support #161 (bastelfreak)
- Declare AlmaLinux8 and AlmaLinux9 support #160 (nbarrientos)
- bump puppet/systemd to < 5.0.0 #159 (jhoblitt)
- Allow netdev as table family in defined type nftables::chain #149 (hugendudel)
Closed issues:
- failing to setup a basic firewall #158
v2.6.0 (2022-10-25)
Implemented enhancements:
- Add class for outgoing HKP firewalling #153 (bastelfreak)
- Add Ubuntu support #152 (bastelfreak)
- split conntrack management into dedicated classes #148 (duritong)
- New nftables::file type to include raw file #147 (traylenator)
v2.5.0 (2022-08-26)
Closed issues:
- nftables::bridges creates invalid rule names when bridge devices have multiple IP addresses #143
v2.4.0 (2022-07-11)
Implemented enhancements:
- Add rule to allow outgoing whois queries #140 (bastelfreak)
- chrony: Allow filtering for outgoing NTP servers #139 (bastelfreak)
- Add class for pxp-agent firewalling #138 (bastelfreak)
v2.3.0 (2022-07-06)
Implemented enhancements:
- systemctl: Use relative path #136 (bastelfreak)
- Add Debian support #134 (bastelfreak)
- make path to echo configurable #133 (bastelfreak)
- make path to nft binary configurable #132 (bastelfreak)
v2.2.1 (2022-05-02)
Merged pull requests:
- rspec mock systemd process on docker #128 (traylenator)
v2.2.0 (2022-02-27)
Implemented enhancements:
- Add support for Arch Linux #124 (hashworks)
- Declare support for RHEL9, CentOS9 and OL9 #120 (nbarrientos)
- Rubocop corrections for rubocop 1.22.3 #118 (traylenator)
- Use protocol number instead of label #112 (keachi)
v2.1.0 (2021-09-14)
Implemented enhancements:
- nftables::set can only be assigned to 1 table #100
- support a different table name for 'nat' #107 (figless)
- Allow declaring the same set in several tables #102 (nbarrientos)
Fixed bugs:
- fix datatype for $table and $dport #104 (bastelfreak)
Merged pull requests:
- Allow stdlib 8.0.0 #106 (smortex)
- switch from camptocamp/systemd to voxpupuli/systemd #103 (bastelfreak)
- pull fixtures from git and not forge #99 (bastelfreak)
v2.0.0 (2021-06-03)
Breaking changes:
- Drop Puppet 5, puppetlabs/concat 7.x, puppetlabs/stdlib 7.x, camptocamp/systemd: 3.x #92 (traylenator)
- Drop Puppet 5 support #79 (kenyon)
Implemented enhancements:
- Ability to set base chains #95
- puppetlabs/concat: Allow 7.x #91 (bastelfreak)
- puppetlabs/stdlib: Allow 7.x #90 (bastelfreak)
- camptocamp/systemd: allow 3.x #89 (bastelfreak)
Fixed bugs:
- Fix IPv4 source address type detection #93 (nbarrientos)
Closed issues:
- Class[Nftables::Bridges]['bridgenames'] contains a Regexp value. It will be converted to the String '/^br.+/' #83
Merged pull requests:
- Allow creating a totally empty firewall #96 (nbarrientos)
- Amend link to Yasnippets #88 (nbarrientos)
v1.3.0 (2021-03-25)
Implemented enhancements:
- Add rules for QEMU/libvirt guests (bridged virtual networking) #85 (nbarrientos)
- Add nftables.version to structured fact. #84 (traylenator)
- Add rules for Apache ActiveMQ #82 (nbarrientos)
- Add Docker-CE default rules #80 (luisfdez)
Closed issues:
- Increase puppetlabs/concat version in metadata #78
Merged pull requests:
- Fix sections and add a pointer to code snippets for Emacs #81 (nbarrientos)
v1.2.0 (2021-03-03)
Fixed bugs:
- nftables service is broken after reboot #74
- fix #74 - ensure table are initialized before flushing them #75 (duritong)
v1.1.1 (2021-01-29)
Fixed bugs:
- Simplerule: wrong IP protocol version filter statement for IPv6 traffic #69
- Fix IP version filter for IPv6 traffic #70 (nbarrientos)
Merged pull requests:
- Improve nftables::rule's documentation #68 (nbarrientos)
v1.1.0 (2021-01-25)
Implemented enhancements:
- Enable parameter_documentation lint #64 (traylenator)
- Add Samba in rules #62 (glpatcern)
- Add some mail related outgoing rules #60 (duritong)
Fixed bugs:
- nftables::simplerule should follow the same rules as nftables::rule #58
- Align simplerule and rule rulename requirements #59 (nbarrientos)
Closed issues:
- Get it under the voxpupuli umbrella #35
Merged pull requests:
- Add badges to README #63 (traylenator)
- Check that all the predefined rules are declared in the all rules acceptance test #53 (nbarrientos)
v1.0.0 (2020-12-15)
Implemented enhancements:
- Use Stdlib::Port everywhere in place of Integer #56 (traylenator)
- Enable Puppet 7 support #51 (bastelfreak)
- Several fixes for nftables::config #48 (nbarrientos)
- rubocop corrections #41 (traylenator)
- Add basic configuration validation acceptance test #38 (traylenator)
- Remove duplicate flush on reload #34 (traylenator)
- Add nftables::simplerule #33 (nbarrientos)
- Add Ceph and NFS rules #32 (dvanders)
- New parameter noflush_tables to selectively skip flush #31 (traylenator)
- Scientific Linux 8 will never exist #30 (traylenator)
- Enable conntrack in FORWARD #29 (keachi)
- Do not test nftables::rules repeatedly #28 (traylenator)
- Allow sourcing sets from Hiera #26 (nbarrientos)
- Allow disabling default NAT tables and chains #25 (nbarrientos)
- Set a customisable rate limit to the logging rules #22 (nbarrientos)
- Make masking Service['firewalld'] optional #20 (nbarrientos)
- Move ICMP stuff to separate classes allowing better customisation #16 (nbarrientos)
- Move conntrack rules from global to INPUT and OUTPUT #14 (nbarrientos)
- Add comments for all the nftable::rules entries #13 (traylenator)
- Allow tables to add comments to $log_prefix #12 (nbarrientos)
- Reload rules atomically and verify rules before deploy #10 (traylenator)
- Allow raw sets and dashes in set names #8 (nbarrientos)
- Add a parameter to control the fate of discarded traffic #7 (nbarrientos)
- Add rules for afs3_callback in and out rules for kerberos and openafs. #6 (traylenator)
- Allow customising the log prefix #5 (nbarrientos)
- Add classes encapsulating rules for DHCPv6 client traffic (in/out) #4 (nbarrientos)
- Add support for named sets #3 (nbarrientos)
- New parameter out_all, default false #1 (traylenator)
Fixed bugs:
- Correct nfs3 invalid udp /tcp matching rule and more tests #50 (traylenator)
- Prefix custom tables with custom- so they're loaded #47 (nbarrientos)
- Correct bad merge #15 (traylenator)
Closed issues:
- deploying custom tables is broken #45
- Switch to Stdlib::Port everywhere #37
- Add set definition from Hiera #24
- Add an option to disable NAT #23
- Add an option to limit the rate of logged messages #19
- Rule API #17
- Publish to forge.puppet.com #11
- The global chain contains INPUT specific rules #9
- The fate of forbidden packets should be configurable #2
Merged pull requests:
- Docs for nftables::set #55 (traylenator)
- Remove a blank separating the doc string and the code #52 (nbarrientos)
- Release 1.0.0 #49 (traylenator)
- Correct layout of ignore table example #44 (traylenator)
- Fix typos and formatting in the README #43 (nbarrientos)
- Comment why firewalld_enable parameter is required #40 (traylenator)
- modulesync 4.0.0 #36 (traylenator)
- Refresh REFERENCE #27 (traylenator)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/concat (>= 6.2.0 < 10.0.0)
- puppet/systemd (>= 2.0.0 < 8.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 10.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright 2020 immerda / Puppet Modules Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.