Defined Type: nftables::rule

Defined in:
manifests/rule.pp

Summary

Provides an interface to create a firewall rule

Overview

Examples:

Add a rule named ‘myhttp’ to the ‘default_in’ chain that allows incoming traffic to TCP port 80

nftables::rule {
  'default_in-myhttp':
    content => 'tcp dport 80 accept',
}

Add a rule named ‘count’ to the ‘PREROUTING6’ chain in the ‘ip6 nat’ table that counts traffic

nftables::rule {
  'PREROUTING6-count':
    content => 'counter',
    table   => 'ip6-nat'
}

Redirect port 443 to port 8443

nftables::rule { 'PREROUTING-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip-nat',
}
nftables::rule{'PREROUTING6-redirect':
  content => 'tcp dport 443 redirect to :8443',
  table   => 'ip6-nat',
}

Parameters:

  • ensure (Enum['present','absent']) (defaults to: 'present')

    Whether the rule should be created.

  • rulename (Nftables::RuleName) (defaults to: $title)

    The symbolic name for the rule and to what chain to add it. The format is defined by the Nftables::RuleName type.

  • order (Pattern[/^\d\d$/]) (defaults to: '50')

    A two-digit number that determines the position of the rule within its chain.

  • table (String) (defaults to: 'inet-filter')

    The name of the table to add this rule to.

  • content (Optional[String]) (defaults to: undef)

    The raw statements that compose the rule, written in the nftables language.

  • source (Optional[Variant[String,Array[String,1]]]) (defaults to: undef)

    Same purpose as content, but the rule body is read from a file instead.



# File 'manifests/rule.pp', line 45

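# @summary Provides an interface to create a firewall rule
#
# Declares one nftables rule as a pair of concat fragments (a header comment
# and the rule body) inside the chain named by the rulename, so that the rule
# is rendered into the generated configuration for that chain. The rule body
# (content or source) is written verbatim into the ruleset; this define does
# not validate nftables syntax, so callers are responsible for passing
# well-formed, trusted statements.
#
# @param ensure   Whether the rule should be created. With 'absent' nothing is
#                 declared, so the rule simply disappears from the chain.
# @param rulename Symbolic name of the rule and of the chain it belongs to, as
#                 '<chain>-<rule>' or '<chain>-<rule>-<suffix>'; the exact
#                 format is defined by the Nftables::RuleName type.
# @param order    Two-digit string that orders this rule within its chain.
# @param table    Table name as used in the concat target name (for example
#                 'inet-filter' or 'ip6-nat').
# @param content  Raw statements that compose the rule, in the nftables
#                 language. Takes precedence over source when both are given.
# @param source   Same purpose as content, but the rule body is taken from the
#                 given file source(s) instead.
define nftables::rule (
  Enum['present','absent'] $ensure = 'present',
  Nftables::RuleName $rulename = $title,
  Pattern[/^\d\d$/] $order = '50',
  String $table = 'inet-filter',
  Optional[String] $content = undef,
  Optional[Variant[String,Array[String,1]]] $source = undef,
) {
  if $ensure == 'present' {
    # A rule needs a body from one of the two parameters. Fail here with a
    # message that names this rule, rather than passing an undef source down
    # to concat::fragment and letting it report the problem without context.
    if $content =~ Undef and $source =~ Undef {
      fail("nftables::rule[${rulename}]: one of 'content' or 'source' must be set")
    }

    # rulename is '<chain>-<rule>[-<suffix>]'; index 0 selects the chain.
    $data = split($rulename, '-')

    # NOTE(review): any parts beyond index 2 are silently dropped here;
    # presumably Nftables::RuleName limits the name to three parts - confirm.
    $fragment = $data[2] ? {
      undef   => "nftables-${table}-chain-${data[0]}-rule-${data[1]}",
      default => "nftables-${table}-chain-${data[0]}-rule-${data[1]}-${data[2]}",
    }

    # Both fragments go into the concat resource that renders this chain.
    $target = "nftables-${table}-chain-${data[0]}"

    # Header comment marking where this rule starts in the rendered chain.
    # The '-a' / '-b' suffixes keep the header directly before the body when
    # fragments sharing the same order value are sorted.
    # NOTE(review): rulename is embedded in a '#' comment line of the ruleset;
    # presumably Nftables::RuleName rules out newlines - confirm.
    concat::fragment { "${fragment}_header":
      content => "#   Start of fragment order:${order} rulename:${rulename}",
      order   => "${order}-${fragment}-a",
      target  => $target,
    }

    # content wins over source when both are set; the two-space prefix indents
    # the statement inside the chain block of the rendered configuration.
    $body = $content ? {
      undef   => { source  => $source },
      default => { content => "  ${content}" },
    }

    concat::fragment { $fragment:
      order  => "${order}-${fragment}-b",
      target => $target,
      *      => $body,
    }
  }
}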