# Reference
+
<!-- DO NOT EDIT: This document was generated by Puppet Strings -->
## Table of Contents
-**Classes**
+### Classes
-_Public Classes_
+#### Public Classes
* [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins
-_Private Classes_
+#### Private Classes
* `firewall::linux`: Main linux class, includes all other classes
* `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
* `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems.
* `firewall::params`: Provides defaults for the Apt module parameters.
-**Resource types**
+### Resource types
* [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet.
* [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls.
## Classes
-### firewall
+### `firewall`
Performs the basic setup tasks required for using the firewall resources.
Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
-Default value: running
+Default value: `running`
##### `ensure_v6`
Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
-Default value: `undef`
+Default value: ``undef``
##### `pkg_ensure`
Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
-Default value: present
+Default value: `present`
##### `service_name`
Specify the name of the IPv4 iptables service.
-Default value: $::firewall::params::service_name
+Default value: `$::firewall::params::service_name`
##### `service_name_v6`
Specify the name of the IPv6 iptables service.
-Default value: $::firewall::params::service_name_v6
+Default value: `$::firewall::params::service_name_v6`
##### `package_name`
Specify the platform-specific package(s) to install.
-Default value: $::firewall::params::package_name
+Default value: `$::firewall::params::package_name`
##### `ebtables_manage`
Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
-Default value: `false`
+Default value: ``false``
## Resource types
-### firewall
+### `firewall`
**Autorequires:**
* Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid,
- log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, nflog_group, nflog_prefix, nflog_range, nflog_threshold,
+ log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss,
owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
The following properties are available in the `firewall` type.
-##### `ensure`
-
-Valid values: present, absent
-
-Manage the state of this rule.
-
-Default value: present
-
##### `action`
-Valid values: accept, reject, drop
+Valid values: `accept`, `reject`, `drop`
This is the action to perform on a match. Can be one of:
If you specify no value it will simply match the rule but perform no
action unless you provide a provider specific parameter (such as *jump*).
-##### `source`
+##### `burst`
-The source address. For example:
+Valid values: `%r{^\d+$}`
- source => '192.168.2.0/24'
+Rate limiting burst value (per second) before limit checks apply.
-You can also negate a mask by putting ! in front. For example:
+##### `bytecode`
- source => '! 192.168.2.0/24'
+Match using Linux Socket Filter. Expects a BPF program in decimal format.
+This is the format generated by the nfbpf_compile utility.
-The source can also be an IPv6 address if your provider supports it.
+##### `cgroup`
-##### `src_range`
+Matches against the net_cls cgroup ID of the packet.
-The source IP range. For example:
+##### `chain`
- src_range => '192.168.1.1-192.168.1.10'
+Valid values: `%r{^[a-zA-Z0-9\-_]+$}`
-The source IP range must be in 'IP1-IP2' format.
+Name of the chain to use. Can be one of the built-ins:
-##### `destination`
+* INPUT
+* FORWARD
+* OUTPUT
+* PREROUTING
+* POSTROUTING
-The destination address to match. For example:
+Or you can provide a user-based chain.
- destination => '192.168.1.0/24'
+Default value: `INPUT`
-You can also negate a mask by putting ! in front. For example:
+##### `checksum_fill`
- destination => '! 192.168.2.0/24'
+Valid values: ``true``, ``false``
-The destination can also be an IPv6 address if your provider supports it.
+Compute and fill missing packet checksums.
-##### `dst_range`
+##### `clamp_mss_to_pmtu`
-The destination IP range. For example:
+Valid values: ``true``, ``false``
- dst_range => '192.168.1.1-192.168.1.10'
+Sets the clamp mss to pmtu flag.
-The destination IP range must be in 'IP1-IP2' format.
+##### `clusterip_clustermac`
-##### `sport`
+Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i`
-The source port to match for this filter (if the protocol supports
-ports). Will accept a single element or an array.
+Used with the CLUSTERIP jump target.
+Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
-For some firewall providers you can pass a range of ports in the format:
+##### `clusterip_hash_init`
- <start_number>-<ending_number>
+Used with the CLUSTERIP jump target.
+Specify the random seed used for hash initialization.
-For example:
+##### `clusterip_hashmode`
- 1-1024
+Valid values: `sourceip`, `sourceip-sourceport`, `sourceip-sourceport-destport`
-This would cover ports 1 to 1024.
+Used with the CLUSTERIP jump target.
+Specify the hashing mode.
-##### `dport`
+##### `clusterip_local_node`
-The destination port to match for this filter (if the protocol supports
-ports). Will accept a single element or an array.
+Valid values: `%r{\d+}`
-For some firewall providers you can pass a range of ports in the format:
+Used with the CLUSTERIP jump target.
+Specify the random seed used for hash initialization.
- <start_number>-<ending_number>
+##### `clusterip_new`
-For example:
+Valid values: ``true``, ``false``
- 1-1024
+Used with the CLUSTERIP jump target.
+Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
-This would cover ports 1 to 1024.
+##### `clusterip_total_nodes`
-##### `port`
+Valid values: `%r{\d+}`
-*note* This property has been DEPRECATED
+Used with the CLUSTERIP jump target.
+Number of total nodes within this cluster.
-The destination or source port to match for this filter (if the protocol
-supports ports). Will accept a single element or an array.
+##### `connlimit_above`
-For some firewall providers you can pass a range of ports in the format:
+Valid values: `%r{^\d+$}`
- <start_number>-<ending_number>
+Connection limiting value for matched connections above n.
-For example:
+##### `connlimit_mask`
- 1-1024
+Valid values: `%r{^\d+$}`
-This would cover ports 1 to 1024.
+Connection limiting by subnet mask for matched connections.
+IPv4: 0-32
+IPv6: 0-128
-##### `dst_type`
+##### `connmark`
-Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
- [
- address_type,
- "! #{address_type}".to_sym,
- "#{address_type} --limit-iface-in".to_sym,
- "#{address_type} --limit-iface-out".to_sym,
- "! #{address_type} --limit-iface-in".to_sym,
- "! #{address_type} --limit-iface-out".to_sym,
- ]
- }.flatten
+Match the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
-The destination address type. For example:
+##### `ctdir`
- dst_type => ['LOCAL']
+Valid values: `REPLY`, `ORIGINAL`
-Can be one of:
+Matches a packet that is flowing in the specified direction using the
+conntrack module. If this flag is not specified at all, matches packets
+in both directions. Values can be:
-* UNSPEC - an unspecified address
-* UNICAST - a unicast address
-* LOCAL - a local address
-* BROADCAST - a broadcast address
-* ANYCAST - an anycast packet
-* MULTICAST - a multicast address
-* BLACKHOLE - a blackhole address
-* UNREACHABLE - an unreachable address
-* PROHIBIT - a prohibited address
-* THROW - undocumented
-* NAT - undocumented
-* XRESOLVE - undocumented
+* REPLY
+* ORIGINAL
-In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
+##### `ctexpire`
- dst_type => ['LOCAL --limit-iface-in']
+Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}`
-It can also be negated using '!':
+Matches a packet based on lifetime remaining in seconds or range of values
+using the conntrack module. For example:
- dst_type => ['! LOCAL']
+ ctexpire => '100:150'
-Will accept a single element or an array.
+##### `ctorigdst`
-##### `src_type`
+The original destination address using the conntrack module. For example:
-Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
- [
- address_type,
- "! #{address_type}".to_sym,
- "#{address_type} --limit-iface-in".to_sym,
- "#{address_type} --limit-iface-out".to_sym,
- "! #{address_type} --limit-iface-in".to_sym,
- "! #{address_type} --limit-iface-out".to_sym,
- ]
- }.flatten
+ ctorigdst => '192.168.2.0/24'
-The source address type. For example:
+You can also negate a mask by putting ! in front. For example:
- src_type => ['LOCAL']
+ ctorigdst => '! 192.168.2.0/24'
-Can be one of:
+The ctorigdst can also be an IPv6 address if your provider supports it.
-* UNSPEC - an unspecified address
-* UNICAST - a unicast address
-* LOCAL - a local address
-* BROADCAST - a broadcast address
-* ANYCAST - an anycast packet
-* MULTICAST - a multicast address
-* BLACKHOLE - a blackhole address
-* UNREACHABLE - an unreachable address
-* PROHIBIT - a prohibited address
-* THROW - undocumented
-* NAT - undocumented
-* XRESOLVE - undocumented
+##### `ctorigdstport`
-In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
+Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}`
- src_type => ['LOCAL --limit-iface-in']
+The original destination port to match for this filter using the conntrack module.
+For example:
-It can also be negated using '!':
+ ctorigdstport => '80'
- src_type => ['! LOCAL']
+You can also specify a port range: For example:
-Will accept a single element or an array.
+ ctorigdstport => '80:81'
-##### `proto`
+You can also negate a port by putting ! in front. For example:
-Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
- [proto, "! #{proto}".to_sym]
- }.flatten
+ ctorigdstport => '! 80'
-The specific protocol to match for this rule.
+##### `ctorigsrc`
-Default value: tcp
+The original source address using the conntrack module. For example:
-##### `mss`
+ ctorigsrc => '192.168.2.0/24'
-Match a given TCP MSS value or range.
+You can also negate a mask by putting ! in front. For example:
-##### `tcp_flags`
+ ctorigsrc => '! 192.168.2.0/24'
-Match when the TCP flags are as specified.
-Is a string with a list of comma-separated flag names for the mask,
-then a space, then a comma-separated list of flags that should be set.
-The flags are: SYN ACK FIN RST URG PSH ALL NONE
-Note that you specify them in the order that iptables --list-rules
-would list them to avoid having puppet think you changed the flags.
-Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
-ACK,RST and FIN bits cleared. Such packets are used to request
-TCP connection initiation.
+The ctorigsrc can also be an IPv6 address if your provider supports it.
-##### `chain`
+##### `ctorigsrcport`
-Valid values: %r{^[a-zA-Z0-9\-_]+$}
+Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}`
-Name of the chain to use. Can be one of the built-ins:
+The original source port to match for this filter using the conntrack module.
+For example:
-* INPUT
-* FORWARD
-* OUTPUT
-* PREROUTING
-* POSTROUTING
+ ctorigsrcport => '80'
-Or you can provide a user-based chain.
+You can also specify a port range: For example:
-Default value: INPUT
+ ctorigsrcport => '80:81'
-##### `table`
+You can also negate a port by putting ! in front. For example:
-Valid values: nat, mangle, filter, raw, rawpost
+ ctorigsrcport => '! 80'
-Table to use. Can be one of:
+##### `ctproto`
-* nat
-* mangle
-* filter
-* raw
-* rawpost
+Valid values: `%r{^!?\s?\d+$}`
-Default value: filter
+The specific layer-4 protocol number to match for this rule using the
+conntrack module.
-##### `jump`
+##### `ctrepldst`
-The value for the iptables --jump parameter. Normal values are:
+The reply destination address using the conntrack module. For example:
-* QUEUE
-* RETURN
-* DNAT
-* SNAT
-* LOG
-* NFLOG
-* MASQUERADE
-* REDIRECT
-* MARK
-* CT
+ ctrepldst => '192.168.2.0/24'
-But any valid chain name is allowed.
+You can also negate a mask by putting ! in front. For example:
-For the values ACCEPT, DROP, and REJECT, you must use the generic
-'action' parameter. This is to enfore the use of generic parameters where
-possible for maximum cross-platform modelling.
+ ctrepldst => '! 192.168.2.0/24'
-If you set both 'accept' and 'jump' parameters, you will get an error as
-only one of the options should be set.
+The ctrepldst can also be an IPv6 address if your provider supports it.
-##### `goto`
+##### `ctrepldstport`
-The value for the iptables --goto parameter. Normal values are:
+Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}`
-* QUEUE
-* RETURN
-* DNAT
+The reply destination port to match for this filter using the conntrack module.
+For example:
+
+ ctrepldstport => '80'
+
+You can also specify a port range: For example:
+
+ ctrepldstport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctrepldstport => '! 80'
+
+##### `ctreplsrc`
+
+The reply source address using the conntrack module. For example:
+
+ ctreplsrc => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ ctreplsrc => '! 192.168.2.0/24'
+
+The ctreplsrc can also be an IPv6 address if your provider supports it.
+
+##### `ctreplsrcport`
+
+Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}`
+
+The reply source port to match for this filter using the conntrack module.
+For example:
+
+ ctreplsrcport => '80'
+
+You can also specify a port range: For example:
+
+ ctreplsrcport => '80:81'
+
+You can also negate a port by putting ! in front. For example:
+
+ ctreplsrcport => '! 80'
+
+##### `ctstate`
+
+Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED`, `SNAT`, `DNAT`
+
+Matches a packet based on its state in the firewall stateful inspection
+table, using the conntrack module. Values can be:
+
+* INVALID
+* ESTABLISHED
+* NEW
+* RELATED
+* UNTRACKED
* SNAT
-* LOG
-* MASQUERADE
-* REDIRECT
-* MARK
+* DNAT
-But any valid chain name is allowed.
+##### `ctstatus`
-##### `iniface`
+Valid values: `NONE`, `EXPECTED`, `SEEN_REPLY`, `ASSURED`, `CONFIRMED`
-Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
+Matches a packet based on its status using the conntrack module. Values can be:
-Input interface to filter on. Supports interface alias like eth0:0.
-To negate the match try this:
+* EXPECTED
+* SEEN_REPLY
+* ASSURED
+* CONFIRMED
- iniface => '! lo',
+##### `date_start`
-##### `outiface`
+Only match during the given time, which must be in ISO 8601 "T" notation.
+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
-Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
+##### `date_stop`
- Output interface to filter on. Supports interface alias like eth0:0.
-To negate the match try this:
+Only match during the given time, which must be in ISO 8601 "T" notation.
+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
- outiface => '! lo',
+##### `destination`
-##### `tosource`
+The destination address to match. For example:
-When using jump => "SNAT" you can specify the new source address using
-this parameter.
+ destination => '192.168.1.0/24'
-##### `todest`
+You can also negate a mask by putting ! in front. For example:
-When using jump => "DNAT" you can specify the new destination address
-using this paramter.
+ destination => '! 192.168.2.0/24'
-##### `toports`
+The destination can also be an IPv6 address if your provider supports it.
-For DNAT this is the port that will replace the destination port.
+##### `dport`
-##### `to`
+The destination port to match for this filter (if the protocol supports
+ports). Will accept a single element or an array.
-For NETMAP this will replace the destination IP
+For some firewall providers you can pass a range of ports in the format:
-##### `random_fully`
+ <start_number>-<ending_number>
-Valid values: `true`, `false`
+For example:
-When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
-this boolean will enable fully randomized port mapping.
+ 1-1024
-**NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
+This would cover ports 1 to 1024.
-##### `random`
+##### `dst_cc`
-Valid values: `true`, `false`
+Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}`
-When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
-this boolean will enable randomized port mapping.
+dst attribute for the module geoip
-##### `reject`
+##### `dst_range`
-When combined with action => "REJECT" you can specify a different icmp
-response to be sent back to the packet sender.
+The destination IP range. For example:
-##### `log_level`
+ dst_range => '192.168.1.1-192.168.1.10'
-When combined with jump => "LOG" specifies the system log level to log
-to.
+The destination IP range must be in 'IP1-IP2' format.
-##### `log_prefix`
+##### `dst_type`
-When combined with jump => "LOG" specifies the log prefix to use when
-logging.
+Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
+ [
+ address_type,
+ "! #{address_type}".to_sym,
+ "#{address_type} --limit-iface-in".to_sym,
+ "#{address_type} --limit-iface-out".to_sym,
+ "! #{address_type} --limit-iface-in".to_sym,
+ "! #{address_type} --limit-iface-out".to_sym,
+ ]
+ }.flatten`
-##### `log_uid`
+The destination address type. For example:
-Valid values: `true`, `false`
+ dst_type => ['LOCAL']
-When combined with jump => "LOG" specifies the uid of the process making
-the connection.
+Can be one of:
-##### `log_tcp_sequence`
+* UNSPEC - an unspecified address
+* UNICAST - a unicast address
+* LOCAL - a local address
+* BROADCAST - a broadcast address
+* ANYCAST - an anycast packet
+* MULTICAST - a multicast address
+* BLACKHOLE - a blackhole address
+* UNREACHABLE - an unreachable address
+* PROHIBIT - a prohibited address
+* THROW - undocumented
+* NAT - undocumented
+* XRESOLVE - undocumented
-Valid values: `true`, `false`
+In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
-When combined with jump => "LOG" enables logging of the TCP sequence
-numbers.
+ dst_type => ['LOCAL --limit-iface-in']
-##### `log_tcp_options`
+It can also be negated using '!':
-Valid values: `true`, `false`
+ dst_type => ['! LOCAL']
-When combined with jump => "LOG" logging of the TCP packet
-header.
+Will accept a single element or an array.
-##### `log_ip_options`
+##### `ensure`
-Valid values: `true`, `false`
+Valid values: `present`, `absent`
-When combined with jump => "LOG" logging of the TCP IP/IPv6
-packet header.
+Manage the state of this rule.
-##### `nflog_group`
+Default value: `present`
-Used with the jump target NFLOG.
-The netlink group (0 - 2^16-1) to which packets are (only applicable
-for nfnetlink_log). Defaults to 0.
+##### `gateway`
-##### `nflog_prefix`
+The TEE target will clone a packet and redirect this clone to another
+machine on the local network segment. gateway is the target host's IP.
-Used with the jump target NFLOG.
-A prefix string to include in the log message, up to 64 characters long,
-useful for distinguishing messages in the logs.
+##### `gid`
-##### `nflog_range`
+GID or Group owner matching rule. Accepts a string argument
+only, as iptables does not accept multiple gid in a single
+statement.
-Used with the jump target NFLOG.
-The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
-nfnetlink_log instances may specify their own range, this option overrides it.
+##### `goto`
-##### `nflog_threshold`
+The value for the iptables --goto parameter. Normal values are:
-Used with the jump target NFLOG.
-Number of packets to queue inside the kernel before sending them to userspace
-(only applicable for nfnetlink_log). Higher values result in less overhead
-per packet, but increase delay until the packets reach userspace. Defaults to 1.
+* QUEUE
+* RETURN
+* DNAT
+* SNAT
+* LOG
+* MASQUERADE
+* REDIRECT
+* MARK
+
+But any valid chain name is allowed.
+
+##### `hashlimit_above`
+
+Match if the rate is above amount/quantum.
+This parameter or hashlimit_upto is required.
+Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+
+##### `hashlimit_burst`
+
+Valid values: `%r{^\d+$}`
+
+Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
+
+##### `hashlimit_dstmask`
+
+Like --hashlimit-srcmask, but for destination addresses.
+
+##### `hashlimit_htable_expire`
+
+After how many milliseconds do hash entries expire.
+
+##### `hashlimit_htable_gcinterval`
+
+How many milliseconds between garbage collection intervals.
+
+##### `hashlimit_htable_max`
+
+Maximum entries in the hash.
+
+##### `hashlimit_htable_size`
+
+The number of buckets of the hash table
+
+##### `hashlimit_mode`
+
+A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
+Allowed values are: srcip, srcport, dstip, dstport
+
+##### `hashlimit_name`
+
+The name for the /proc/net/ipt_hashlimit/foo entry.
+This parameter is required.
+
+##### `hashlimit_srcmask`
+
+When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
+
+##### `hashlimit_upto`
+
+Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
+This parameter or hashlimit_above is required.
+Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+
+##### `helper`
+
+Invoke the nf_conntrack_xxx helper module for this packet.
+
+##### `hop_limit`
+
+Valid values: `%r{^\d+$}`
+
+Hop limiting value for matched packets.
##### `icmp`
An array of values is also not supported. To match against multiple ICMP
types, please use separate rules for each ICMP type.
-##### `state`
+##### `iniface`
-Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
+Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}`
-Matches a packet based on its state in the firewall stateful inspection
-table. Values can be:
+Input interface to filter on. Supports interface alias like eth0:0.
+To negate the match try this:
-* INVALID
-* ESTABLISHED
-* NEW
-* RELATED
-* UNTRACKED
+ iniface => '! lo',
-##### `ctstate`
+##### `ipsec_dir`
-Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED, SNAT, DNAT
+Valid values: `in`, `out`
-Matches a packet based on its state in the firewall stateful inspection
-table, using the conntrack module. Values can be:
+Sets the ipsec policy direction
-* INVALID
-* ESTABLISHED
-* NEW
-* RELATED
-* UNTRACKED
-* SNAT
-* DNAT
+##### `ipsec_policy`
-##### `ctproto`
+Valid values: `none`, `ipsec`
-Valid values: %r{^!?\s?\d+$}
+Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
-The specific layer-4 protocol number to match for this rule using the
-conntrack module.
+##### `ipset`
-##### `ctorigsrc`
+Matches against the specified ipset list.
+Requires ipset kernel module. Will accept a single element or an array.
+The value is the name of the blacklist, followed by a space, and then
+'src' and/or 'dst' separated by a comma.
+For example: 'blacklist src,dst'
-The original source address using the conntrack module. For example:
+##### `ipvs`
- ctorigsrc => '192.168.2.0/24'
+Valid values: ``true``, ``false``
-You can also negate a mask by putting ! in front. For example:
+Indicates that the current packet belongs to an IPVS connection.
- ctorigsrc => '! 192.168.2.0/24'
+##### `isfirstfrag`
-The ctorigsrc can also be an IPv6 address if your provider supports it.
+Valid values: ``true``, ``false``
-##### `ctorigdst`
+If true, matches if the packet is the first fragment.
+Sadly cannot be negated. ipv6.
-The original destination address using the conntrack module. For example:
+##### `isfragment`
- ctorigdst => '192.168.2.0/24'
+Valid values: ``true``, ``false``
-You can also negate a mask by putting ! in front. For example:
+Set to true to match tcp fragments (requires type to be set to tcp)
- ctorigdst => '! 192.168.2.0/24'
+##### `ishasmorefrags`
-The ctorigdst can also be an IPv6 address if your provider supports it.
+Valid values: ``true``, ``false``
-##### `ctreplsrc`
+If true, matches if the packet has it's 'more fragments' bit set. ipv6.
-The reply source address using the conntrack module. For example:
+##### `islastfrag`
- ctreplsrc => '192.168.2.0/24'
+Valid values: ``true``, ``false``
-You can also negate a mask by putting ! in front. For example:
+If true, matches if the packet is the last fragment. ipv6.
- ctreplsrc => '! 192.168.2.0/24'
+##### `jump`
-The ctreplsrc can also be an IPv6 address if your provider supports it.
+The value for the iptables --jump parameter. Normal values are:
-##### `ctrepldst`
+* QUEUE
+* RETURN
+* DNAT
+* SNAT
+* LOG
+* NFLOG
+* MASQUERADE
+* REDIRECT
+* MARK
+* CT
-The reply destination address using the conntrack module. For example:
+But any valid chain name is allowed.
- ctrepldst => '192.168.2.0/24'
+For the values ACCEPT, DROP, and REJECT, you must use the generic
+'action' parameter. This is to enfore the use of generic parameters where
+possible for maximum cross-platform modelling.
-You can also negate a mask by putting ! in front. For example:
+If you set both 'accept' and 'jump' parameters, you will get an error as
+only one of the options should be set.
- ctrepldst => '! 192.168.2.0/24'
+##### `kernel_timezone`
-The ctrepldst can also be an IPv6 address if your provider supports it.
+Valid values: ``true``, ``false``
-##### `ctorigsrcport`
+Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
-Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+##### `length`
-The original source port to match for this filter using the conntrack module.
-For example:
+Sets the length of layer-3 payload to match.
- ctorigsrcport => '80'
+##### `limit`
-You can also specify a port range: For example:
+Rate limiting value for matched packets. The format is:
+rate/[/second/|/minute|/hour|/day].
- ctorigsrcport => '80:81'
+Example values are: '50/sec', '40/min', '30/hour', '10/day'."
-You can also negate a port by putting ! in front. For example:
+##### `log_ip_options`
- ctorigsrcport => '! 80'
+Valid values: ``true``, ``false``
-##### `ctorigdstport`
+When combined with jump => "LOG" logging of the TCP IP/IPv6
+packet header.
-Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+##### `log_level`
-The original destination port to match for this filter using the conntrack module.
-For example:
+When combined with jump => "LOG" specifies the system log level to log
+to.
- ctorigdstport => '80'
+##### `log_prefix`
-You can also specify a port range: For example:
+When combined with jump => "LOG" specifies the log prefix to use when
+logging.
- ctorigdstport => '80:81'
+##### `log_tcp_options`
-You can also negate a port by putting ! in front. For example:
+Valid values: ``true``, ``false``
- ctorigdstport => '! 80'
+When combined with jump => "LOG" logging of the TCP packet
+header.
-##### `ctreplsrcport`
+##### `log_tcp_sequence`
-Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+Valid values: ``true``, ``false``
-The reply source port to match for this filter using the conntrack module.
-For example:
+When combined with jump => "LOG" enables logging of the TCP sequence
+numbers.
- ctreplsrcport => '80'
+##### `log_uid`
-You can also specify a port range: For example:
+Valid values: ``true``, ``false``
- ctreplsrcport => '80:81'
+When combined with jump => "LOG" specifies the uid of the process making
+the connection.
-You can also negate a port by putting ! in front. For example:
+##### `mac_source`
- ctreplsrcport => '! 80'
+Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i`
-##### `ctrepldstport`
+MAC Source
-Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+##### `mask`
-The reply destination port to match for this filter using the conntrack module.
-For example:
+Sets the mask to use when `recent` is enabled.
+
+##### `match_mark`
+
+Match the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
+
+##### `month_days`
+
+Only match on the given days of the month. Possible values are 1 to 31.
+Note that specifying 31 will of course not match on months which do not have a 31st day;
+the same goes for 28- or 29-day February.
+
+##### `mss`
+
+Match a given TCP MSS value or range.
+
+##### `nflog_group`
+
+Used with the jump target NFLOG.
+The netlink group (0 - 2^16-1) to which packets are (only applicable
+for nfnetlink_log). Defaults to 0.
+
+##### `nflog_prefix`
+
+Used with the jump target NFLOG.
+A prefix string to include in the log message, up to 64 characters long,
+useful for distinguishing messages in the logs.
+
+##### `nflog_range`
+
+Used with the jump target NFLOG.
+The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
+nfnetlink_log instances may specify their own range, this option overrides it.
- ctrepldstport => '80'
+##### `nflog_threshold`
-You can also specify a port range: For example:
+Used with the jump target NFLOG.
+Number of packets to queue inside the kernel before sending them to userspace
+(only applicable for nfnetlink_log). Higher values result in less overhead
+per packet, but increase delay until the packets reach userspace. Defaults to 1.
- ctrepldstport => '80:81'
+##### `notrack`
-You can also negate a port by putting ! in front. For example:
+Valid values: ``true``, ``false``
- ctrepldstport => '! 80'
+Invoke the disable connection tracking for this packet.
+This parameter can be used with iptables version >= 1.8.3
-##### `ctstatus`
+##### `outiface`
-Valid values: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED
+Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}`
-Matches a packet based on its status using the conntrack module. Values can be:
+ Output interface to filter on. Supports interface alias like eth0:0.
+To negate the match try this:
-* EXPECTED
-* SEEN_REPLY
-* ASSURED
-* CONFIRMED
+ outiface => '! lo',
-##### `ctexpire`
+##### `physdev_in`
-Valid values: %r{^!?\s?\d+$|^!?\s?\d+\:\d+$}
+Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}`
-Matches a packet based on lifetime remaining in seconds or range of values
-using the conntrack module. For example:
+Match if the packet is entering a bridge from the given interface.
- ctexpire => '100:150'
+##### `physdev_is_bridged`
-##### `ctdir`
+Valid values: ``true``, ``false``
-Valid values: REPLY, ORIGINAL
+Match if the packet is transversing a bridge.
-Matches a packet that is flowing in the specified direction using the
-conntrack module. If this flag is not specified at all, matches packets
-in both directions. Values can be:
+##### `physdev_is_in`
-* REPLY
-* ORIGINAL
+Valid values: ``true``, ``false``
-##### `connmark`
+Matches if the packet has entered through a bridge interface.
-Match the Netfilter mark value associated with the packet. Accepts either of:
-mark/mask or mark. These will be converted to hex if they are not already.
+##### `physdev_is_out`
-##### `connlimit_above`
+Valid values: ``true``, ``false``
-Valid values: %r{^\d+$}
+Matches if the packet will leave through a bridge interface.
-Connection limiting value for matched connections above n.
+##### `physdev_out`
-##### `connlimit_mask`
+Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}`
-Valid values: %r{^\d+$}
+Match if the packet is leaving a bridge via the given interface.
-Connection limiting by subnet mask for matched connections.
-IPv4: 0-32
-IPv6: 0-128
+##### `pkttype`
-##### `hop_limit`
+Valid values: `unicast`, `broadcast`, `multicast`
-Valid values: %r{^\d+$}
+Sets the packet type to match.
-Hop limiting value for matched packets.
+##### `port`
-##### `limit`
+*note* This property has been DEPRECATED
-Rate limiting value for matched packets. The format is:
-rate/[/second/|/minute|/hour|/day].
+The destination or source port to match for this filter (if the protocol
+supports ports). Will accept a single element or an array.
-Example values are: '50/sec', '40/min', '30/hour', '10/day'."
+For some firewall providers you can pass a range of ports in the format:
-##### `burst`
+ <start_number>-<ending_number>
-Valid values: %r{^\d+$}
+For example:
-Rate limiting burst value (per second) before limit checks apply.
+ 1-1024
-##### `uid`
+This would cover ports 1 to 1024.
-UID or Username owner matching rule. Accepts a string argument
-only, as iptables does not accept multiple uid in a single
-statement.
+##### `proto`
-##### `gid`
+Valid values: `[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
+ [proto, "! #{proto}".to_sym]
+ }.flatten`
-GID or Group owner matching rule. Accepts a string argument
-only, as iptables does not accept multiple gid in a single
-statement.
+The specific protocol to match for this rule.
-##### `match_mark`
+Default value: `tcp`
-Match the Netfilter mark value associated with the packet. Accepts either of:
-mark/mask or mark. These will be converted to hex if they are not already.
+##### `queue_bypass`
-##### `set_mark`
+Valid values: ``true``, ``false``
-Set the Netfilter mark value associated with the packet. Accepts either of:
-mark/mask or mark. These will be converted to hex if they are not already.
+Used with NFQUEUE jump target
+Allow packets to bypass :queue_num if userspace process is not listening
-##### `clamp_mss_to_pmtu`
+##### `queue_num`
-Valid values: `true`, `false`
+Used with NFQUEUE jump target.
+What queue number to send packets to
-Sets the clamp mss to pmtu flag.
+##### `random`
-##### `set_dscp`
+Valid values: ``true``, ``false``
-Set DSCP Markings.
+When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+this boolean will enable randomized port mapping.
-##### `set_dscp_class`
+##### `random_fully`
-This sets the DSCP field according to a predefined DiffServ class.
+Valid values: ``true``, ``false``
-##### `set_mss`
+When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+this boolean will enable fully randomized port mapping.
-Sets the TCP MSS value for packets.
+**NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
-##### `pkttype`
+##### `rdest`
-Valid values: unicast, broadcast, multicast
+Valid values: ``true``, ``false``
-Sets the packet type to match.
+Recent module; add the destination IP address to the list.
+Must be boolean true.
-##### `isfragment`
+##### `reap`
-Valid values: `true`, `false`
+Valid values: ``true``, ``false``
-Set to true to match tcp fragments (requires type to be set to tcp)
+Recent module; can only be used in conjunction with the `rseconds`
+attribute. When used, this will cause entries older than 'seconds' to be
+purged. Must be boolean true.
##### `recent`
-Valid values: set, update, rcheck, remove
+Valid values: `set`, `update`, `rcheck`, `remove`
Enable the recent module. Takes as an argument one of set, update,
rcheck or remove. For example:
}
```
-##### `rdest`
-
-Valid values: `true`, `false`
-
-Recent module; add the destination IP address to the list.
-Must be boolean true.
+##### `reject`
-##### `rsource`
+When combined with action => "REJECT" you can specify a different icmp
+response to be sent back to the packet sender.
-Valid values: `true`, `false`
+##### `rhitcount`
-Recent module; add the source IP address to the list.
-Must be boolean true.
+Recent module; used in conjunction with `recent => 'update'` or `recent
+=> 'rcheck'. When used, this will narrow the match to only happen when
+the address is in the list and packets had been received greater than or
+equal to the given value.
##### `rname`
Recent module; The name of the list. Takes a string argument.
+##### `rpfilter`
+
+Valid values: `loose`, `validmark`, `accept-local`, `invert`
+
+Enable the rpfilter module.
+
##### `rseconds`
Recent module; used in conjunction with one of `recent => 'rcheck'` or
happen when the address is in the list and was seen within the last given
number of seconds.
-##### `reap`
-
-Valid values: `true`, `false`
-
-Recent module; can only be used in conjunction with the `rseconds`
-attribute. When used, this will cause entries older than 'seconds' to be
-purged. Must be boolean true.
+##### `rsource`
-##### `rhitcount`
+Valid values: ``true``, ``false``
-Recent module; used in conjunction with `recent => 'update'` or `recent
-=> 'rcheck'. When used, this will narrow the match to only happen when
-the address is in the list and packets had been received greater than or
-equal to the given value.
+Recent module; add the source IP address to the list.
+Must be boolean true.
##### `rttl`
-Valid values: `true`, `false`
+Valid values: ``true``, ``false``
Recent module; may only be used in conjunction with one of `recent =>
'rcheck'` or `recent => 'update'`. When used, this will narrow the match
address in order to DoS you via this module by disallowing others access
to your site by sending bogus packets to you. Must be boolean true.
-##### `rpfilter`
-
-Valid values: loose, validmark, accept-local, invert
-
-Enable the rpfilter module.
-
-##### `socket`
-
-Valid values: `true`, `false`
-
-If true, matches if an open socket can be found by doing a coket lookup
-on the packet.
-
-##### `ishasmorefrags`
-
-Valid values: `true`, `false`
-
-If true, matches if the packet has it's 'more fragments' bit set. ipv6.
-
-##### `islastfrag`
-
-Valid values: `true`, `false`
-
-If true, matches if the packet is the last fragment. ipv6.
-
-##### `isfirstfrag`
-
-Valid values: `true`, `false`
-
-If true, matches if the packet is the first fragment.
-Sadly cannot be negated. ipv6.
-
-##### `ipsec_policy`
-
-Valid values: none, ipsec
-
-Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
-
-##### `ipsec_dir`
-
-Valid values: in, out
-
-Sets the ipsec policy direction
-
-##### `stat_mode`
-
-Valid values: nth, random
-
-Set the matching mode for statistic matching.
-
-##### `stat_every`
-
-Match one packet every nth packet. Requires `stat_mode => 'nth'`
-
-##### `stat_packet`
-
-Valid values: %r{^\d+$}
-
-Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
-
-##### `stat_probability`
-
-Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
-
-##### `mask`
-
-Sets the mask to use when `recent` is enabled.
-
-##### `gateway`
-
-The TEE target will clone a packet and redirect this clone to another
-machine on the local network segment. gateway is the target host's IP.
-
-##### `ipset`
-
-Matches against the specified ipset list.
-Requires ipset kernel module. Will accept a single element or an array.
-The value is the name of the blacklist, followed by a space, and then
-'src' and/or 'dst' separated by a comma.
-For example: 'blacklist src,dst'
-
-##### `checksum_fill`
-
-Valid values: `true`, `false`
-
-Compute and fill missing packet checksums.
-
-##### `mac_source`
+##### `set_dscp`
-Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
+Set DSCP Markings.
-MAC Source
+##### `set_dscp_class`
-##### `physdev_in`
+This sets the DSCP field according to a predefined DiffServ class.
-Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
+##### `set_mark`
-Match if the packet is entering a bridge from the given interface.
+Set the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
-##### `physdev_out`
+##### `set_mss`
-Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
+Sets the TCP MSS value for packets.
-Match if the packet is leaving a bridge via the given interface.
+##### `socket`
-##### `physdev_is_bridged`
+Valid values: ``true``, ``false``
-Valid values: `true`, `false`
+If true, matches if an open socket can be found by doing a coket lookup
+on the packet.
-Match if the packet is transversing a bridge.
+##### `source`
-##### `physdev_is_in`
+The source address. For example:
-Valid values: `true`, `false`
+ source => '192.168.2.0/24'
-Matches if the packet has entered through a bridge interface.
+You can also negate a mask by putting ! in front. For example:
-##### `physdev_is_out`
+ source => '! 192.168.2.0/24'
-Valid values: `true`, `false`
+The source can also be an IPv6 address if your provider supports it.
-Matches if the packet will leave through a bridge interface.
+##### `sport`
-##### `date_start`
+The source port to match for this filter (if the protocol supports
+ports). Will accept a single element or an array.
-Only match during the given time, which must be in ISO 8601 "T" notation.
-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
+For some firewall providers you can pass a range of ports in the format:
-##### `date_stop`
+ <start_number>-<ending_number>
-Only match during the given time, which must be in ISO 8601 "T" notation.
-The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
+For example:
-##### `time_start`
+ 1-1024
-Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
-Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
+This would cover ports 1 to 1024.
-##### `time_stop`
+##### `src_cc`
-Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
-Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
+Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}`
-##### `month_days`
+src attribute for the module geoip
-Only match on the given days of the month. Possible values are 1 to 31.
-Note that specifying 31 will of course not match on months which do not have a 31st day;
-the same goes for 28- or 29-day February.
+##### `src_range`
-##### `week_days`
+The source IP range. For example:
-Valid values: Mon, Tue, Wed, Thu, Fri, Sat, Sun
+ src_range => '192.168.1.1-192.168.1.10'
-Only match on the given weekdays.
+The source IP range must be in 'IP1-IP2' format.
-##### `time_contiguous`
+##### `src_type`
-Valid values: `true`, `false`
+Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
+ [
+ address_type,
+ "! #{address_type}".to_sym,
+ "#{address_type} --limit-iface-in".to_sym,
+ "#{address_type} --limit-iface-out".to_sym,
+ "! #{address_type} --limit-iface-in".to_sym,
+ "! #{address_type} --limit-iface-out".to_sym,
+ ]
+ }.flatten`
-When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
+The source address type. For example:
-##### `kernel_timezone`
+ src_type => ['LOCAL']
-Valid values: `true`, `false`
+Can be one of:
-Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
+* UNSPEC - an unspecified address
+* UNICAST - a unicast address
+* LOCAL - a local address
+* BROADCAST - a broadcast address
+* ANYCAST - an anycast packet
+* MULTICAST - a multicast address
+* BLACKHOLE - a blackhole address
+* UNREACHABLE - an unreachable address
+* PROHIBIT - a prohibited address
+* THROW - undocumented
+* NAT - undocumented
+* XRESOLVE - undocumented
-##### `clusterip_new`
+In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
-Valid values: `true`, `false`
+ src_type => ['LOCAL --limit-iface-in']
-Used with the CLUSTERIP jump target.
-Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
+It can also be negated using '!':
-##### `clusterip_hashmode`
+ src_type => ['! LOCAL']
-Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport
+Will accept a single element or an array.
-Used with the CLUSTERIP jump target.
-Specify the hashing mode.
+##### `stat_every`
-##### `clusterip_clustermac`
+Match one packet every nth packet. Requires `stat_mode => 'nth'`
-Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
+##### `stat_mode`
-Used with the CLUSTERIP jump target.
-Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
+Valid values: `nth`, `random`
-##### `clusterip_total_nodes`
+Set the matching mode for statistic matching.
-Valid values: %r{\d+}
+##### `stat_packet`
-Used with the CLUSTERIP jump target.
-Number of total nodes within this cluster.
+Valid values: `%r{^\d+$}`
-##### `clusterip_local_node`
+Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
-Valid values: %r{\d+}
+##### `stat_probability`
-Used with the CLUSTERIP jump target.
-Specify the random seed used for hash initialization.
+Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
-##### `clusterip_hash_init`
+##### `state`
-Used with the CLUSTERIP jump target.
-Specify the random seed used for hash initialization.
+Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED`
-##### `length`
+Matches a packet based on its state in the firewall stateful inspection
+table. Values can be:
-Sets the length of layer-3 payload to match.
+* INVALID
+* ESTABLISHED
+* NEW
+* RELATED
+* UNTRACKED
##### `string`
String matching feature. Matches the packet against the pattern
given as an argument.
-##### `string_hex`
-
-String matching feature. Matches the package against the hex pattern
-given as an argument.
-
##### `string_algo`
-Valid values: bm, kmp
+Valid values: `bm`, `kmp`
String matching feature, pattern matching strategy.
String matching feature, offset from which we start looking for any matching.
-##### `string_to`
-
-String matching feature, offset up to which we should scan.
-
-##### `queue_num`
-
-Used with NFQUEUE jump target.
-What queue number to send packets to
-
-##### `queue_bypass`
-
-Valid values: `true`, `false`
-
-Used with NFQUEUE jump target
-Allow packets to bypass :queue_num if userspace process is not listening
-
-##### `src_cc`
-
-Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
-
-src attribute for the module geoip
-
-##### `dst_cc`
+##### `string_hex`
-Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
+String matching feature. Matches the package against the hex pattern
+given as an argument.
-dst attribute for the module geoip
+##### `string_to`
-##### `hashlimit_name`
+String matching feature, offset up to which we should scan.
-The name for the /proc/net/ipt_hashlimit/foo entry.
-This parameter is required.
+##### `table`
-##### `hashlimit_upto`
+Valid values: `nat`, `mangle`, `filter`, `raw`, `rawpost`
-Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
-This parameter or hashlimit_above is required.
-Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+Table to use. Can be one of:
-##### `hashlimit_above`
+* nat
+* mangle
+* filter
+* raw
+* rawpost
-Match if the rate is above amount/quantum.
-This parameter or hashlimit_upto is required.
-Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+Default value: `filter`
-##### `hashlimit_burst`
+##### `tcp_flags`
-Valid values: %r{^\d+$}
+Match when the TCP flags are as specified.
+Is a string with a list of comma-separated flag names for the mask,
+then a space, then a comma-separated list of flags that should be set.
+The flags are: SYN ACK FIN RST URG PSH ALL NONE
+Note that you specify them in the order that iptables --list-rules
+would list them to avoid having puppet think you changed the flags.
+Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
+ACK,RST and FIN bits cleared. Such packets are used to request
+TCP connection initiation.
-Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
+##### `time_contiguous`
-##### `hashlimit_mode`
+Valid values: ``true``, ``false``
-A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
-Allowed values are: srcip, srcport, dstip, dstport
+When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
-##### `hashlimit_srcmask`
+##### `time_start`
-When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
+Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
+Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
-##### `hashlimit_dstmask`
+##### `time_stop`
-Like --hashlimit-srcmask, but for destination addresses.
+Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
+Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
-##### `hashlimit_htable_size`
+##### `to`
-The number of buckets of the hash table
+For NETMAP this will replace the destination IP
-##### `hashlimit_htable_max`
+##### `todest`
-Maximum entries in the hash.
+When using jump => "DNAT" you can specify the new destination address
+using this paramter.
-##### `hashlimit_htable_expire`
+##### `toports`
-After how many milliseconds do hash entries expire.
+For DNAT this is the port that will replace the destination port.
-##### `hashlimit_htable_gcinterval`
+##### `tosource`
-How many milliseconds between garbage collection intervals.
+When using jump => "SNAT" you can specify the new source address using
+this parameter.
-##### `bytecode`
+##### `uid`
-Match using Linux Socket Filter. Expects a BPF program in decimal format.
-This is the format generated by the nfbpf_compile utility.
+UID or Username owner matching rule. Accepts a string argument
+only, as iptables does not accept multiple uid in a single
+statement.
-##### `ipvs`
+##### `week_days`
-Valid values: `true`, `false`
+Valid values: `Mon`, `Tue`, `Wed`, `Thu`, `Fri`, `Sat`, `Sun`
-Indicates that the current packet belongs to an IPVS connection.
+Only match on the given weekdays.
##### `zone`
Assign this packet to zone id and only have lookups done in that zone.
-##### `helper`
-
-Invoke the nf_conntrack_xxx helper module for this packet.
-
-##### `cgroup`
-
-Matches against the net_cls cgroup ID of the packet.
-
#### Parameters
The following parameters are available in the `firewall` type.
+##### `line`
+
+Read-only property for caching the rule line.
+
##### `name`
-Valid values: %r{^\d+[[:graph:][:space:]]+$}
+Valid values: `%r{^\d+[[:graph:][:space:]]+$}`
namevar
Depending on the provider, the name of the rule can be stored using
the comment feature of the underlying firewall subsystem.
-##### `line`
+##### `provider`
-Read-only property for caching the rule line.
+The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually
+discover the appropriate provider for your platform.
-### firewallchain
+### `firewallchain`
Currently this supports only iptables, ip6tables and ebtables on Linux. And
provides support for setting the default policy on chains and tables that
##### `ensure`
-Valid values: present, absent
+Valid values: `present`, `absent`
The basic property that the resource should be in.
-Default value: present
+Default value: `present`
##### `policy`
-Valid values: accept, drop, queue, return
+Valid values: `accept`, `drop`, `queue`, `return`
This is the action to when the end of the chain is reached.
It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,
The following parameters are available in the `firewallchain` type.
-##### `name`
-
-namevar
-
-The canonical name of the chain.
-
-For iptables the format must be {chain}:{table}:{protocol}.
-
-##### `purge`
-
-Valid values: `false`, `true`
-
-Purge unmanaged firewall rules in this chain
-
-Default value: `false`
-
##### `ignore`
Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
}
```
+##### `name`
+
+namevar
+
+The canonical name of the chain.
+
+For iptables the format must be {chain}:{table}:{protocol}.
+
+##### `provider`
+
+The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will
+usually discover the appropriate provider for your platform.
+
+##### `purge`
+
+Valid values: ``false``, ``true``
+
+Purge unmanaged firewall rules in this chain
+
+Default value: ``false``
+
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff