Defined Type: nftables::simplerule

Defined in:
manifests/simplerule.pp

Summary

Provides a simplified interface to nftables::rule

Overview

Examples:

allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets

nftables::simplerule{'my_service_in':
  action  => 'accept',
  comment => 'allow traffic to port 543',
  counter => true,
  proto   => 'tcp',
  dport   => 543,
  daddr   => '2001:1458::/32',
  sport   => 541,
}

Parameters:

  • ensure (Enum['present','absent']) (defaults to: 'present')

    Should the rule be created.

  • rulename (Nftables::SimpleRuleName) (defaults to: $title)

    The symbolic name for the rule to add. Defaults to the resource’s title.

  • order (Pattern[/^\d\d$/]) (defaults to: '50')

    A number representing the order of the rule.

  • chain (String) (defaults to: 'default_in')

    The name of the chain to add this rule to.

  • table (String) (defaults to: 'inet-filter')

    The name of the table to add this rule to.

  • action (Enum['accept', 'continue', 'drop', 'queue', 'return']) (defaults to: 'accept')

    The verdict for the matched traffic.

  • comment (Optional[String]) (defaults to: undef)

    A typically human-readable comment for the rule.

  • dport (Optional[Nftables::Port]) (defaults to: undef)

    The destination port, ports or port range.

  • proto (Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]) (defaults to: undef)

    The transport-layer protocol to match.

  • daddr (Optional[Nftables::Addr]) (defaults to: undef)

    The destination address, CIDR or set to match.

  • set_type (Enum['ip', 'ip6']) (defaults to: 'ip6')

    When using sets as saddr or daddr, the type of the set. Use ‘ip` for sets of type `ipv4_addr`.

  • sport (Optional[Nftables::Port]) (defaults to: undef)

    The source port, ports or port range.

  • saddr (Optional[Nftables::Addr]) (defaults to: undef)

    The source address, CIDR or set to match.

  • counter (Boolean) (defaults to: false)

    Enable traffic counters for the matched traffic.

  • iifname (Variant[Array[String[1]],String[1]]) (defaults to: [])

    Optional filter for the incoming interface

  • oifname (Variant[Array[String[1]],String[1]]) (defaults to: [])

    Optional filter for the outgoing interface



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
 
# File 'manifests/simplerule.pp', line 60

define nftables::simplerule (
  Enum['present','absent'] $ensure = 'present',
  Nftables::SimpleRuleName $rulename = $title,
  Pattern[/^\d\d$/] $order = '50',
  String $chain  = 'default_in',
  String $table = 'inet-filter',
  Enum['accept', 'continue', 'drop', 'queue', 'return'] $action = 'accept',
  Optional[String] $comment = undef,
  Optional[Nftables::Port] $dport = undef,
  Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef,
  Optional[Nftables::Addr] $daddr = undef,
  Enum['ip', 'ip6'] $set_type = 'ip6',
  Optional[Nftables::Port] $sport = undef,
  Optional[Nftables::Addr] $saddr = undef,
  Boolean $counter = false,
  Variant[Array[String[1]],String[1]] $iifname = [],
  Variant[Array[String[1]],String[1]] $oifname = [],
) {
  if $dport and !$proto {
    fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
  }

  if $sport and !$proto {
    fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
  }

  if $ensure == 'present' {
    nftables::rule { "${chain}-${rulename}":
      content => epp('nftables/simplerule.epp',
        {
          'action'   => $action,
          'comment'  => $comment,
          'counter'  => $counter,
          'daddr'    => $daddr,
          'dport'    => $dport,
          'proto'    => $proto,
          'saddr'    => $saddr,
          'set_type' => $set_type,
          'sport'    => $sport,
          'iifname'  => [$iifname].flatten,
          'oifname'  => [$oifname].flatten,
        }
      ),
      order   => $order,
      table   => $table,
    }
  }
}