## Reference
-Classes:
-
-* [firewall](#class-firewall)
-
-Types:
-
-* [firewall](#type-firewall)
-* [firewallchain](#type-firewallchain)
+For information on the classes and types, see the [REFERENCE.md](https://github.com/puppetlabs/puppetlabs-firewall/blob/master/REFERENCE.md). For information on the facts, see below.
Facts:
* [iptables_version](#fact-iptablesversion)
* [iptables_persistent_version](#fact-iptablespersistentversion)
-### Class: firewall
-
-Performs the basic setup tasks required for using the firewall resources.
-
-At the moment this takes care of:
-
-* iptables-persistent package installation
-
-Include the `firewall` class for nodes that need to use the resources in this module:
-
- class { 'firewall': }
-
-#### ensure
-
-Parameter that controls the state of the iptables service on your system, allowing you to disable iptables if you want.
-
-`ensure` can either be 'running' or 'stopped'. Defaults to 'running'.
-
-#### pkg_ensure
-
-Parameter that controls the state of the iptables package on your system, allowing you to update it if you wish.
-
-`ensure` can either be 'present' or 'latest'. Defaults to 'present'.
-
-#### ebtables_manage
-
-Parameter that controls whether puppet manages the ebtables package or not. If managed, the package will use the value of `pkg_ensure` as its ensure value.
-
-#### service_name
-
-Specify the name of the IPv4 iptables service. Defaults defined in `firewall::params`.
-
-#### service_name_v6
-
-Specify the name of the IPv6 ip6tables service. Defaults defined in `firewall::params`.
-
-#### package_name
-
-Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.
-
-### Type: firewall
-
-This type enables you to manage firewall rules within Puppet.
-
-#### Providers
-**Note:** Not all features are available with all providers.
-
- * `ip6tables`: Ip6tables type provider
- * Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`, `hashlimit`, `bpf`.
-
-* `iptables`: Iptables type provider
- * Required binaries: `iptables-save`, `iptables`.
- * Default for `kernel` == `linux`.
- * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `nflog_group`, `nflog_prefix`, `nflog_range`, `nflog_threshold`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`, `bpf`.
-
-**Autorequires:**
-
-If Puppet is managing the iptables or ip6tables chains specified in the `chain` or `jump` parameters, the firewall resource will autorequire those firewallchain resources.
-
-If Puppet is managing the iptables or iptables-persistent packages, and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
-
-#### Features
-
-* `address_type`: The ability to match on source or destination address type.
-
-* `clusterip`: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
-
-* `connection_limiting`: Connection limiting features.
-
-* `dnat`: Destination NATing.
-
-* `hop_limiting`: Hop limiting features.
-
-* `icmp_match`: The ability to match ICMP types.
-
-* `interface_match`: Interface matching.
-
-* `iprange`: The ability to match on source or destination IP range.
-
-* `ipsec_dir`: The ability to match IPsec policy direction.
-
-* `ipsec_policy`: The ability to match IPsec policy.
-
-* `iptables`: The provider provides iptables features.
-
-* `isfirstfrag`: The ability to match the first fragment of a fragmented ipv6 packet.
-
-* `isfragment`: The ability to match fragments.
-
-* `ishasmorefrags`: The ability to match a non-last fragment of a fragmented ipv6 packet.
-
-* `islastfrag`: The ability to match the last fragment of an ipv6 packet.
-
-* `length`: The ability to match the length of the layer-3 payload.
-
-* `log_level`: The ability to control the log level.
-
-* `log_prefix`: The ability to add prefixes to log messages.
-
-* `log_uid`: The ability to log the userid of the process which generated the packet.
-
-* `mark`: The ability to match or set the netfilter mark value associated with the packet.
-
-* `mask`: The ability to match recent rules based on the ipv4 mask.
-
-* `nflog_group`: The ability to set the group number for NFLOG.
-
-* `nflog_prefix`: The ability to set a prefix for nflog messages.
-
-* `nflog_range`: The ability to set nflog\_range.
-
-* `nflog_threshold`: The ability to set nflog\_threshold.
-
-* `owner`: The ability to match owners.
-
-* `pkttype`: The ability to match a packet type.
-
-* `rate_limiting`: Rate limiting features.
-
-* `recent_limiting`: The netfilter recent module.
-
-* `reject_type`: The ability to control reject messages.
-
-* `set_mss`: Set the TCP MSS of a packet.
-
-* `snat`: Source NATing.
-
-* `socket`: The ability to match open sockets.
-
-* `state_match`: The ability to match stateful firewall states.
-
-* `string_matching`: The ability to match a given string by using some pattern matching strategy.
-
-* `tcp_flags`: The ability to match on particular TCP flag settings.
-
-* `netmap`: The ability to map entire subnets via source or destination nat rules.
-
-* `hashlimit`: The ability to use the hashlimit-module.
-
-* `bpf`: The ability to use Berkeley Paket Filter rules.
-
-* `ipvs`: The ability to match IP Virtual Server packets.
-
-#### Parameters
-
-* `action`: This is the action to perform on a match. Valid values for this action are:
- * 'accept': The packet is accepted.
- * 'reject': The packet is rejected with a suitable ICMP response.
- * 'drop': The packet is dropped.
-
- If you specify no value it will simply match the rule but perform no action unless you provide a provider-specific parameter (such as `jump`).
-
-* `burst`: Rate limiting burst value (per second) before limit checks apply. Values must match '/^\d+$/'. Requires the `rate_limiting` feature.
-
-* `bytecode`: Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility. This parameter is only supported by operatingsystems using nftables (in general Linux kernel 3.13, RedHat 7 (and derivates) with 3.10).
-
-* `clusterip_new`: Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. Requires the `clusterip` feature.
-
-* `clusterip_hashmode`: Specify the hashing mode. Valid values are sourceip, sourceip-sourceport, sourceip-sourceport-destport. Requires the `clusterip` feature.
-
-* `clusterip_clustermac`: Specify the ClusterIP MAC address. Has to be a link-layer multicast address. Requires the `clusterip` feature.
-
-* `clusterip_total_nodes`: Number of total nodes within this cluster. Requires the `clusterip` feature.
-
-* `clusterip_local_node`: Local node number within this cluster. Requires the `clusterip` feature.
-
-* `clusterip_hash_init`: Specify the random seed used for hash initialization. Requires the `clusterip` feature.
-
-* `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.
-
-* `checksum_fill`: When using a `jump` value of 'CHECKSUM', this boolean makes sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are 'true' or 'false'. Requires the `iptables` feature.
-
-* `clamp_mss_to_pmtu`: Enables PMTU Clamping support when using a jump target of 'TCPMSS'. Valid values are 'true' or 'false'.
-
-* `connlimit_above`: Connection limiting value for matched connections above n. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
-
-* `connlimit_mask`: Connection limiting by subnet mask for matched connections. Apply a subnet mask of /0 to /32 for IPv4, and a subnet mask of /0 to /128 for IPv6. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
-
-* `connmark`: Match the Netfilter mark value associated with the packet. Accepts values `mark/mask` or `mark`. These will be converted to hex if they are not hex already. Requires the `mark` feature.
-
-* `ctstate`: Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Valid values are: 'INVALID', 'ESTABLISHED', 'NEW', 'RELATED', 'UNTRACKED'. Requires the `state_match` feature.
-
-* `date_start`: Start Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'
-
-* `date_stop`: End Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'
-
-* `destination`: The destination address to match. For example: `destination => '192.168.1.0/24'`. You can also negate a mask by putting ! in front. For example: `destination => '! 192.168.2.0/24'`. The destination can also be an IPv6 address if your provider supports it. This parameter is supported by firewall_multi (see below).
-
- For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
-
-* `dport`: The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
-
-* `dst_range`: The destination IP range. For example: `dst_range => '192.168.1.1-192.168.1.10'`.
-
- The destination IP range is must in 'IP1-IP2' format. Values in the range must be valid IPv4 or IPv6 addresses. Requires the `iprange` feature.
-
-* `dst_type`: The destination address type. Will accept a single element or an array. For example: `dst_type => ['LOCAL']`.
-
- Valid values are:
-
- * 'UNSPEC': an unspecified address
- * 'UNICAST': a unicast address
- * 'LOCAL': a local address
- * 'BROADCAST': a broadcast address
- * 'ANYCAST': an anycast packet
- * 'MULTICAST': a multicast address
- * 'BLACKHOLE': a blackhole address
- * 'UNREACHABLE': an unreachable address
- * 'PROHIBIT': a prohibited address
- * 'THROW': an unroutable address
- * 'XRESOLVE: an unresolvable address
-
- In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags. For example: `dst_type => ['LOCAL --limit-iface-in']`.
-
- It can also be negated using '!'. For example: `dst_type => ['! LOCAL']`.
-
- Requires the `address_type` feature.
-
-* `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'. The default is 'present'.
-
-* `gateway`: Used with TEE target to mirror traffic of a machine to a secondary host on the LAN.
-
-* `gid`: GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. Requires the `owner` feature.
-
-* `hashlimit_above`: Match if the rate is above amount/quantum. A hash limit option (--hashlimit-upto, --hashlimit-above) and --hashlimit-name are required.
-
-* `hashlimit_burst`: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
-
-* `hashlimit_dstmask`: Like --hashlimit-srcmask, but for destination addresses.
-
-* `hashlimit_htable_expire`: After how many miliseconds do hash entries expire. Corresponds to --hashlimit-htable-expire.
-
-* `hashlimit_htable_gcinterval`: How many miliseconds between garbage collection intervals. Corresponds to --hashlimit-htable-gcinterval.
-
-* `hashlimit_htable_max`: Maximum entries in the hash. Corresponds to --hashlimit-htable-max.
-
-* `hashlimit_htable_size`: The number of buckets of the hash table. Corresponds to --hashlimit-htable-size.
-
-* `hashlimit_mode`: {srcip|srcport|dstip|dstport} A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
-
-* `hashlimit_name`: The name for the /proc/net/ipt_hashlimit/foo entry. A hash limit option (--hashlimit-upto, --hashlimit-above) and --hashlimit-name are required.
-
-* `hashlimit_srcmask`: When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
-
-* `hashlimit_upto`: Match if the rate is below or equal to amount/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour. A hash limit option (--hashlimit-upto, --hashlimit-above) and --hashlimit-name are required.
-
-* `hop_limit`: Hop limiting value for matched packets. Values must match '/^\d+$/'. Requires the `hop_limiting` feature.
-
-* `icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Requires the `icmp_match` feature. This parameter is supported by firewall_multi (see below).
-
-* `iniface`: Input interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:@]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
-
-* `ipsec_dir`: Sets the ipsec policy direction. Valid values are 'in', 'out'. Requires the `ipsec_dir` feature.
-
-* `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature.
-
-* `ipset`: Matches IP sets. Value must be 'ipset_name (src|dst|src,dst)' and can be negated by putting ! in front. Requires ipset kernel module. Will accept a single element or an array.
-
-* `ipvs`: Matches packets belonging to an IP Virtual server connection.
-
-* `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature.
-
-* `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.
-
-* `ishasmorefrags`: If 'true', matches when the packet has the 'more fragments' bit set. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `ishasmorefrags` feature.
-
-* `islastfrag`: If true, matches when the packet is the last fragment of a fragmented ipv6 packet. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `islastfrag`.
-
-* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK', 'TCPMSS', 'DSCP', 'NFLOG'.
-
- For the values 'ACCEPT', 'DROP', and 'REJECT', you must use the generic `action` parameter. This is to enforce the use of generic parameters where possible for maximum cross-platform modeling.
-
- If you set both `accept` and `jump` parameters, you will get an error, because only one of the options should be set. Requires the `iptables` feature.
-
-* `kernel_timezone`: Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
-
-* `length`: Set the value for matching the length of the layer-3 payload. Can be a single number or a range using '-' as a separator. Requires the `length` feature.
-
-* `limit`: Rate limiting value for matched packets. The format is: 'rate/[/second/|/minute|/hour|/day]'. Example values are: '50/sec', '40/min', '30/hour', '10/day'. Requires the `rate_limiting` feature.
-
-* `line`: Read-only property for caching the rule line.
-
-* `log_level`: When combined with `jump => 'LOG'` specifies the system log level to log to. Requires the `log_level` feature.
-
-* `log_prefix`: When combined with `jump => 'LOG'` specifies the log prefix to use when logging. Requires the `log_prefix` feature.
-
-* `log_uid`: The ability to log the userid of the process which generated the packet.
-
-* `nflog_group`: When combined with `jump => 'NFLOG'` grants the ability to specify the NFLOG group number. Requires the `nflog_group` feature.
-
-* `nflog_prefix`: When combined with `jump => 'NFLOG'` grants the ability to specify a prefix for log entries. Requires the `nflog_prefix` feature.
-
-* `nflog_range`: When combined with `jump => 'NFLOG'` grants the ability to specify the number of bytes to be copied to userspace. Requires the `nflog_range` feature.
-
-* `nflog_threshold`: When combined with `jump => 'NFLOG'` grants the ability to specify the size of the NFLOG threshold. Requires the `nflog_threshold` feature.
-
-* `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature.
-
-* `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying '31' will not match on months that do not have a 31st day; the same goes for 28- or 29-day February.
-
-* `match_mark`: Match the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark. These will be converted to hex if they are not already. Requires the `mark` feature.
-
-* `mss`: Sets a given TCP MSS value or range to match.
-
-* `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
-
- ~~~ puppet
- firewall { '000 this runs first':
- # this rule will run first
- }
- firewall { '999 this runs last':
- # this rule will run last
- }
- ~~~
-
- Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:graph:][:space:]]+$/'.
-
-* `outiface`: Output interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:@]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
-
-* `physdev_in`: Match if the packet is entering a bridge from the given interface. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'.
-
-* `physdev_out`: Match if the packet is leaving a bridge via the given interface. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'.
-
-* `physdev_is_bridged`: Match if the packet is transversing a bridge. Valid values are true or false.
-
-* `physdev_is_in`: Match if the packet has entered through a bridge interface. Valid values are true or false.
-
-* `physdev_is_bridged`: Match if the packet will leave through a bridge interface. Valid values are true or false.
-
-* `pkttype`: Sets the packet type to match. Valid values are: 'unicast', 'broadcast', and'multicast'. Requires the `pkttype` feature.
-
-* `port`: *DEPRECATED* Using the unspecific 'port' parameter can lead to firewall rules that are unexpectedly too lax. It is recommended to always use the specific dport and sport parameters to avoid this ambiguity. The destination or source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
-
-* `proto`: The specific protocol to match for this rule. This is 'tcp' by default. This parameter is supported by firewall_multi (see below). Valid values are:
- * 'ip'
- * 'tcp'
- * 'udp'
- * 'icmp'
- * 'ipv4'
- * 'ipv6'
- * 'ipv6-icmp'
- * 'esp'
- * 'ah'
- * 'vrrp'
- * 'igmp'
- * 'ipencap'
- * 'ospf'
- * 'gre'
- * 'pim'
- * 'all'
-
-* `provider`: The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. Available providers are ip6tables and iptables. See the [Providers](#providers) section above for details about these providers. This parameter is supported by firewall_multi (see below).
-
-* `queue_bypass`: When using a `jump` value of 'NFQUEUE' this boolean will allow packets to bypass `queue_num`. This is useful when the process in userspace may not be listening on `queue_num` all the time.
-
-* `queue_num`: When using a `jump` value of 'NFQUEUE' this parameter specifies the queue number to send packets to.
-
-* `random`: When using a `jump` value of 'MASQUERADE', 'DNAT', 'REDIRECT', or 'SNAT', this boolean will enable randomized port mapping. Valid values are true or false. Requires the `dnat` feature.
-
-* `rdest`: If boolean 'true', adds the destination IP address to the list. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `reap`: Can only be used in conjunction with the `rseconds` parameter. If boolean 'true', this will purge entries older than 'seconds' as specified in `rseconds`. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `recent`: Enable the recent module. Valid values are: 'set', 'update', 'rcheck', or 'remove'. For example:
-
- ~~~ puppet
- # If anyone's appeared on the 'badguy' blacklist within
- # the last 60 seconds, drop their traffic, and update the timestamp.
- firewall { '100 Drop badguy traffic':
- recent => 'update',
- rseconds => 60,
- rsource => true,
- rname => 'badguy',
- action => 'DROP',
- chain => 'FORWARD',
- }
- # No-one should be sending us traffic on eth0 from localhost
- # Blacklist them
- firewall { '101 blacklist strange traffic':
- recent => 'set',
- rsource => true,
- rname => 'badguy',
- destination => '127.0.0.0/8',
- iniface => 'eth0',
- action => 'DROP',
- chain => 'FORWARD',
- }
- ~~~
-
- Requires the `recent_limiting` feature.
-
-* `reject`: When combined with `jump => 'REJECT'`, you can specify a different ICMP response to be sent back to the packet sender. Requires the `reject_type` feature.
-
-* `rhitcount`: Used in conjunction with `recent => 'update'` or `recent => 'rcheck'`. When used, this will narrow the match to happen only when the address is in the list and packets greater than or equal to the given value have been received. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `rname`: Specify the name of the list. Takes a string argument. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `rseconds`: Used in conjunction with `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `rsource`: If boolean 'true', adds the source IP address to the list. Valid values are 'true', 'false'. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `rttl`: May only be used in conjunction with `recent => 'rcheck'` or `recent => 'update'`. If boolean 'true', this will narrow the match to happen only when the address is in the list and the TTL of the current packet matches that of the packet that hit the `recent => 'set'` rule. If you have problems with DoS attacks via bogus packets from fake source addresses, this parameter may help. Valid values are 'true', 'false'. Requires the `recent_limiting` feature and the `recent` parameter.
-
-* `set_dscp`: When combined with `jump => 'DSCP'` specifies the dscp marking associated with the packet.
-
-* `set_dscp_class`: When combined with `jump => 'DSCP'` specifies the class associated with the packet (valid values found here: http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html#packetclassification).
-
-* `set_mark`: Set the Netfilter mark value associated with the packet. Accepts either 'mark/mask' or 'mark'. These will be converted to hex if they are not already. Requires the `mark` feature.
-
-* `set_mss`: When combined with `jump => 'TCPMSS'` specifies the value of the MSS field.
-
-* `socket`: If 'true', matches if an open socket can be found by doing a socket lookup on the packet. Valid values are 'true', 'false'. Requires the `socket` feature.
-
-* `source`: The source address. For example: `source => '192.168.2.0/24'`. You can also negate a mask by putting ! in front. For example: `source => '! 192.168.2.0/24'`. The source can also be an IPv6 address if your provider supports it. This parameter is supported by firewall_multi (see below).
-
-* `sport`: The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format:'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
-
-* `src_range`: The source IP range. For example: `src_range => '192.168.1.1-192.168.1.10'`. The source IP range must be in 'IP1-IP2' format. Values in the range must be valid IPv4 or IPv6 addresses. Requires the `iprange` feature.
-
-* `src_type`: Specify the source address type. Will accept a single element or an array. For example: `src_type => ['LOCAL']`.
-
- Valid values are:
-
- * 'UNSPEC': an unspecified address.
- * 'UNICAST': a unicast address.
- * 'LOCAL': a local address.
- * 'BROADCAST': a broadcast address.
- * 'ANYCAST': an anycast packet.
- * 'MULTICAST': a multicast address.
- * 'BLACKHOLE': a blackhole address.
- * 'UNREACHABLE': an unreachable address.
- * 'PROHIBIT': a prohibited address.
- * 'THROW': an unroutable address.
- * 'XRESOLVE': an unresolvable address.
-
- In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags. For example: `dst_type => ['LOCAL --limit-iface-in']`.
-
- It can also be negated using '!'. For example: `dst_type => ['! LOCAL']`.
-
- Requires the `address_type` feature.
-
-* `stat_every`: Match one packet every nth packet. Requires `stat_mode => 'nth'`
-
-* `stat_mode`: Set the matching mode for statistic matching. Supported modes are `random` and `nth`.
-
-* `stat_packet`: Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
-
-* `stat_probability`: Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
-
-* `state`: Matches a packet based on its state in the firewall stateful inspection table. Valid values are: 'INVALID', 'ESTABLISHED', 'NEW', 'RELATED', 'UNTRACKED'. Requires the `state_match` feature. Usage of this is considered to be deprecated and obsolete on SLES 11 SP4, as such it is advisable to use the `ctstate` parameter in it's place.
-
-* `string`: Set the pattern for string matching. Requires the `string_matching` feature.
-
-* `string_algo`: Used in conjunction with `string`, select the pattern matching strategy. Valid values are: 'bm', 'kmp' (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris). Requires the `string_matching` feature.
-
-* `string_from`: Used in conjunction with `string`, set the offset from which it starts looking for any matching. Requires the `string_matching` feature.
-
-* `string_to`: Used in conjunction with `string`, set the offset up to which should be scanned. Requires the `string_matching` feature.
-
-* `table`: Table to use. Valid values are: 'nat', 'mangle', 'filter', 'raw', 'rawpost'. By default the setting is 'filter'. Requires the `iptables` feature.
-
-* `tcp_flags`: Match when the TCP flags are as specified. Set as a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: 'SYN', 'ACK', 'FIN', 'RST', 'URG', 'PSH', 'ALL', 'NONE'.
-
- Note that you specify flags in the order that iptables `--list` rules would list them to avoid having Puppet think you changed the flags. For example, 'FIN,SYN,RST,ACK SYN' matches packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation. Requires the `tcp_flags` feature.
-
-* `time_contiguous`: When the `time_stop` value is smaller than the `time_start` value, match this as a single time period instead of distinct intervals.
-
-* `time_start`: Start time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.
-
-* `time_stop`: End time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.
-
-* `todest`: When using `jump => 'DNAT'`, you can specify the new destination address using this parameter. Requires the `dnat` feature.
-
-* `toports`: For DNAT this is the port that will replace the destination port. Requires the `dnat` feature.
-
-* `tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.
-
-* `to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature.
-
-* `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.
-
-* `week_days`: Only match on the given weekdays. Possible values are 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun'.
-
-### Type: firewallchain
-
-Enables you to manage rule chains for firewalls.
-
-Currently this type supports only iptables, ip6tables, and ebtables on Linux. It also provides support for setting the default policy on chains and tables that allow it.
-
-**Autorequires**: If Puppet is managing the iptables or iptables-persistent packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed.
-
-#### Providers
-
-`iptables_chain` is the only provider that supports firewallchain.
-
-#### Features
-
-* `iptables_chain`: The provider provides iptables chain features.
-* `policy`: Default policy (inbuilt chains only).
-
-#### Parameters
-
-* `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'.
-
-* `ignore`: Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of iptables-save. This can be a single regex or an array of them. To support flags, use the ruby inline flag mechanism: a regex such as '/foo/i' can be written as '(?i)foo' or '(?i:foo)'. Only when purge is 'true'.
-
- Full example:
- ~~~ puppet
- firewallchain { 'INPUT:filter:IPv4':
- purge => true,
- ignore => [
- # ignore the fail2ban jump rule
- '-j fail2ban-ssh',
- # ignore any rules with "ignore" (case insensitive) in the comment in the rule
- '--comment "[^"](?i:ignore)[^"]"',
- ],
- }
- ~~~
-
-* `name`: Specify the canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}.
-
-* `policy`: Set the action the packet will perform when the end of the chain is reached. It can only be set on inbuilt chains ('INPUT', 'FORWARD', 'OUTPUT', 'PREROUTING', 'POSTROUTING'). Valid values are:
-
- * 'accept': The packet is accepted.
- * 'drop': The packet is dropped.
- * 'queue': The packet is passed userspace.
- * 'return': The packet is returned to calling (jump) queue or to the default of inbuilt chains.
-
-* `provider`: The specific backend to use for this firewallchain resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. The only available provider is:
-
- `iptables_chain`: iptables chain provider
-
- * Required binaries: `ebtables-save`, `ebtables`, `ip6tables-save`, `ip6tables`, `iptables-save`, `iptables`.
- * Default for `kernel` == `linux`.
- * Supported features: `iptables_chain`, `policy`.
-
-* `purge`: Purge unmanaged firewall rules in this chain. Valid values are 'false', 'true'.
-
- **Note** This `purge` is purging unmanaged rules in a firewall chain, not unmanaged firewall chains. To purge unmanaged firewall chains, use the following instead.
-
- ~~~ puppet
- resources { 'firewallchain':
- purge => true,
- }
- ~~~
-
### Fact: ip6tables_version
A Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
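Review bot: the `purge` caveat in the removed firewallchain section is not carried over into the generated REFERENCE.md elsewhere in this diff, and it is the one a reader most needs: `purge => true` on a `firewallchain` removes unmanaged *rules* in that chain only, and purging unmanaged *chains* requires `resources { 'firewallchain': purge => true, }`. The new `purge` entry reads just "Purge unmanaged firewall rules in this chain", so someone relying on it to clean up stray chains will get a false sense of coverage. Because REFERENCE.md is generated, the fix is to move that note (and the provider's required-binaries list and the `Default for kernel == linux` line, which are also dropped) into the `purge` property's desc and the provider docs of the firewallchain type source, then regenerate. One thing that is better in the generated copy: the removed `ignore` example regex `'--comment "[^"](?i:ignore)[^"]"'` had lost its `*` quantifiers to markdown rendering, so it matched only a single non-quote character on each side; the generated file has the correct `'--comment "[^"]*(?i:ignore)[^"]*"'`.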
--- /dev/null
+# Reference
+<!-- DO NOT EDIT: This document was generated by Puppet Strings -->
+
+## Table of Contents
+
+**Classes**
+
+_Public Classes_
+
+* [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins
+
+_Private Classes_
+
+* `firewall::linux`: Main linux class, includes all other classes
+* `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
+* `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
+* `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
+* `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems.
+* `firewall::params`: Provides defaults for the Apt module parameters.
+
+**Resource types**
+
+* [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet.
+* [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls.
+
+## Classes
+
+### firewall
+
+Performs the basic setup tasks required for using the firewall resources.
+
+At the moment this takes care of:
+
+iptables-persistent package installation
+Include the firewall class for nodes that need to use the resources in this module:
+
+#### Examples
+
+#####
+
+```puppet
+class { 'firewall': }
+```
+
+#### Parameters
+
+The following parameters are available in the `firewall` class.
+
+##### `ensure`
+
+Data type: `Any`
+
+Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
+
+Default value: running
+
+##### `ensure_v6`
+
+Data type: `Any`
+
+Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
+
+Default value: `undef`
+
+##### `pkg_ensure`
+
+Data type: `Any`
+
+Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
+
+Default value: present
+
+##### `service_name`
+
+Data type: `Any`
+
+Specify the name of the IPv4 iptables service.
+
+Default value: $::firewall::params::service_name
+
+##### `service_name_v6`
+
+Data type: `Any`
+
+Specify the name of the IPv6 iptables service.
+
+Default value: $::firewall::params::service_name_v6
+
+##### `package_name`
+
+Data type: `Any`
+
+Specify the platform-specific package(s) to install.
+
+Default value: $::firewall::params::package_name
+
+##### `ebtables_manage`
+
+Data type: `Any`
+
+Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
+
+Default value: `false`
+
+## Resource types
+
+### firewall
+
+**Autorequires:**
+
+If Puppet is managing the iptables or ip6tables chains specified in the
+`chain` or `jump` parameters, the firewall resource will autorequire
+those firewallchain resources.
+
+If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
+and the provider is iptables or ip6tables, the firewall resource will
+autorequire those packages to ensure that any required binaries are
+installed.
+
+#### Providers
+ Note: Not all features are available with all providers.
+
+ * ip6tables: Ip6tables type provider
+
+ * Required binaries: ip6tables-save, ip6tables.
+ * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
+ interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
+ ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
+ owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
+ snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
+
+ * iptables: Iptables type provider
+
+ * Required binaries: iptables-save, iptables.
+ * Default for kernel == linux.
+ * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
+ interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
+ log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
+ nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
+ recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
+
+#### Features
+ * address_type: The ability to match on source or destination address type.
+
+ * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
+
+ * connection_limiting: Connection limiting features.
+
+ * dnat: Destination NATing.
+
+ * hop_limiting: Hop limiting features.
+
+ * icmp_match: The ability to match ICMP types.
+
+ * interface_match: Interface matching.
+
+ * iprange: The ability to match on source or destination IP range.
+
+ * ipsec_dir: The ability to match IPsec policy direction.
+
+ * ipsec_policy: The ability to match IPsec policy.
+
+ * iptables: The provider provides iptables features.
+
+ * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
+
+ * isfragment: The ability to match fragments.
+
+ * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
+
+ * islastfrag: The ability to match the last fragment of an ipv6 packet.
+
+ * length: The ability to match the length of the layer-3 payload.
+
+ * log_level: The ability to control the log level.
+
+ * log_prefix: The ability to add prefixes to log messages.
+
+ * log_uid: The ability to log the userid of the process which generated the packet.
+
+ * mark: The ability to match or set the netfilter mark value associated with the packet.
+
+ * mask: The ability to match recent rules based on the ipv4 mask.
+
+ * nflog_group: The ability to set the group number for NFLOG.
+
+ * nflog_prefix: The ability to set a prefix for nflog messages.
+
+ * nflog_range: The ability to set nflog_range.
+
+ * nflog_threshold: The ability to set nflog_threshold.
+
+ * owner: The ability to match owners.
+
+ * pkttype: The ability to match a packet type.
+
+ * rate_limiting: Rate limiting features.
+
+ * recent_limiting: The netfilter recent module.
+
+ * reject_type: The ability to control reject messages.
+
+ * set_mss: Set the TCP MSS of a packet.
+
+ * snat: Source NATing.
+
+ * socket: The ability to match open sockets.
+
+ * state_match: The ability to match stateful firewall states.
+
+ * string_matching: The ability to match a given string by using some pattern matching strategy.
+
+ * tcp_flags: The ability to match on particular TCP flag settings.
+
+ * netmap: The ability to map entire subnets via source or destination nat rules.
+
+ * hashlimit: The ability to use the hashlimit-module.
+
+ * bpf: The ability to use Berkeley Paket Filter rules.
+
+ * ipvs: The ability to match IP Virtual Server packets.
+
+#### Properties
+
+The following properties are available in the `firewall` type.
+
+##### `ensure`
+
+Valid values: present, absent
+
+Manage the state of this rule.
+
+Default value: present
+
+##### `action`
+
+Valid values: accept, reject, drop
+
+This is the action to perform on a match. Can be one of:
+
+* accept - the packet is accepted
+* reject - the packet is rejected with a suitable ICMP response
+* drop - the packet is dropped
+
+If you specify no value it will simply match the rule but perform no
+action unless you provide a provider specific parameter (such as *jump*).
+
+##### `source`
+
+The source address. For example:
+
+ source => '192.168.2.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ source => '! 192.168.2.0/24'
+
+The source can also be an IPv6 address if your provider supports it.
+
+##### `src_range`
+
+The source IP range. For example:
+
+ src_range => '192.168.1.1-192.168.1.10'
+
+The source IP range must be in 'IP1-IP2' format.
+
+##### `destination`
+
+The destination address to match. For example:
+
+ destination => '192.168.1.0/24'
+
+You can also negate a mask by putting ! in front. For example:
+
+ destination => '! 192.168.2.0/24'
+
+The destination can also be an IPv6 address if your provider supports it.
+
+##### `dst_range`
+
+The destination IP range. For example:
+
+ dst_range => '192.168.1.1-192.168.1.10'
+
+The destination IP range must be in 'IP1-IP2' format.
+
+##### `sport`
+
+The source port to match for this filter (if the protocol supports
+ports). Will accept a single element or an array.
+
+For some firewall providers you can pass a range of ports in the format:
+
+ <start_number>-<ending_number>
+
+For example:
+
+ 1-1024
+
+This would cover ports 1 to 1024.
+
+##### `dport`
+
+The destination port to match for this filter (if the protocol supports
+ports). Will accept a single element or an array.
+
+For some firewall providers you can pass a range of ports in the format:
+
+ <start_number>-<ending_number>
+
+For example:
+
+ 1-1024
+
+This would cover ports 1 to 1024.
+
+##### `port`
+
+*note* This property has been DEPRECATED
+
+The destination or source port to match for this filter (if the protocol
+supports ports). Will accept a single element or an array.
+
+For some firewall providers you can pass a range of ports in the format:
+
+ <start_number>-<ending_number>
+
+For example:
+
+ 1-1024
+
+This would cover ports 1 to 1024.
+
+##### `dst_type`
+
+Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
+ [
+ address_type,
+ "! #{address_type}".to_sym,
+ "#{address_type} --limit-iface-in".to_sym,
+ "#{address_type} --limit-iface-out".to_sym,
+ "! #{address_type} --limit-iface-in".to_sym,
+ "! #{address_type} --limit-iface-out".to_sym,
+ ]
+ }.flatten
+
+The destination address type. For example:
+
+ dst_type => ['LOCAL']
+
+Can be one of:
+
+* UNSPEC - an unspecified address
+* UNICAST - a unicast address
+* LOCAL - a local address
+* BROADCAST - a broadcast address
+* ANYCAST - an anycast packet
+* MULTICAST - a multicast address
+* BLACKHOLE - a blackhole address
+* UNREACHABLE - an unreachable address
+* PROHIBIT - a prohibited address
+* THROW - undocumented
+* NAT - undocumented
+* XRESOLVE - undocumented
+
+In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
+
+ dst_type => ['LOCAL --limit-iface-in']
+
+It can also be negated using '!':
+
+ dst_type => ['! LOCAL']
+
+Will accept a single element or an array.
+
+##### `src_type`
+
+Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
+ [
+ address_type,
+ "! #{address_type}".to_sym,
+ "#{address_type} --limit-iface-in".to_sym,
+ "#{address_type} --limit-iface-out".to_sym,
+ "! #{address_type} --limit-iface-in".to_sym,
+ "! #{address_type} --limit-iface-out".to_sym,
+ ]
+ }.flatten
+
+The source address type. For example:
+
+ src_type => ['LOCAL']
+
+Can be one of:
+
+* UNSPEC - an unspecified address
+* UNICAST - a unicast address
+* LOCAL - a local address
+* BROADCAST - a broadcast address
+* ANYCAST - an anycast packet
+* MULTICAST - a multicast address
+* BLACKHOLE - a blackhole address
+* UNREACHABLE - an unreachable address
+* PROHIBIT - a prohibited address
+* THROW - undocumented
+* NAT - undocumented
+* XRESOLVE - undocumented
+
+In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
+
+ src_type => ['LOCAL --limit-iface-in']
+
+It can also be negated using '!':
+
+ src_type => ['! LOCAL']
+
+Will accept a single element or an array.
+
+##### `proto`
+
+Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
+ [proto, "! #{proto}".to_sym]
+ }.flatten
+
+The specific protocol to match for this rule.
+
+Default value: tcp
+
+##### `mss`
+
+Match a given TCP MSS value or range.
+
+##### `tcp_flags`
+
+Match when the TCP flags are as specified.
+Is a string with a list of comma-separated flag names for the mask,
+then a space, then a comma-separated list of flags that should be set.
+The flags are: SYN ACK FIN RST URG PSH ALL NONE
+Note that you specify them in the order that iptables --list-rules
+would list them to avoid having puppet think you changed the flags.
+Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
+ACK,RST and FIN bits cleared. Such packets are used to request
+TCP connection initiation.
+
+##### `chain`
+
+Valid values: %r{^[a-zA-Z0-9\-_]+$}
+
+Name of the chain to use. Can be one of the built-ins:
+
+* INPUT
+* FORWARD
+* OUTPUT
+* PREROUTING
+* POSTROUTING
+
+Or you can provide a user-based chain.
+
+Default value: INPUT
+
+##### `table`
+
+Valid values: nat, mangle, filter, raw, rawpost
+
+Table to use. Can be one of:
+
+* nat
+* mangle
+* filter
+* raw
+* rawpost
+
+Default value: filter
+
+##### `jump`
+
+The value for the iptables --jump parameter. Normal values are:
+
+* QUEUE
+* RETURN
+* DNAT
+* SNAT
+* LOG
+* NFLOG
+* MASQUERADE
+* REDIRECT
+* MARK
+
+But any valid chain name is allowed.
+
+For the values ACCEPT, DROP and REJECT you must use the generic
+'action' parameter. This is to enfore the use of generic parameters where
+possible for maximum cross-platform modelling.
+
+If you set both 'accept' and 'jump' parameters, you will get an error as
+only one of the options should be set.
+
+##### `goto`
+
+The value for the iptables --goto parameter. Normal values are:
+
+* QUEUE
+* RETURN
+* DNAT
+* SNAT
+* LOG
+* MASQUERADE
+* REDIRECT
+* MARK
+
+But any valid chain name is allowed.
+
+##### `iniface`
+
+Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
+
+Input interface to filter on. Supports interface alias like eth0:0.
+To negate the match try this:
+
+ iniface => '! lo',
+
+##### `outiface`
+
+Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
+
+ Output interface to filter on. Supports interface alias like eth0:0.
+To negate the match try this:
+
+ outiface => '! lo',
+
+##### `tosource`
+
+When using jump => "SNAT" you can specify the new source address using
+this parameter.
+
+##### `todest`
+
+When using jump => "DNAT" you can specify the new destination address
+using this paramter.
+
+##### `toports`
+
+For DNAT this is the port that will replace the destination port.
+
+##### `to`
+
+For NETMAP this will replace the destination IP
+
+##### `random`
+
+Valid values: `true`, `false`
+
+When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+this boolean will enable randomized port mapping.
+
+##### `reject`
+
+When combined with jump => "REJECT" you can specify a different icmp
+response to be sent back to the packet sender.
+
+##### `log_level`
+
+When combined with jump => "LOG" specifies the system log level to log
+to.
+
+##### `log_prefix`
+
+When combined with jump => "LOG" specifies the log prefix to use when
+logging.
+
+##### `log_uid`
+
+Valid values: `true`, `false`
+
+When combined with jump => "LOG" specifies the uid of the process making
+the connection.
+
+##### `nflog_group`
+
+Used with the jump target NFLOG.
+The netlink group (0 - 2^16-1) to which packets are (only applicable
+for nfnetlink_log). Defaults to 0.
+
+##### `nflog_prefix`
+
+Used with the jump target NFLOG.
+A prefix string to include in the log message, up to 64 characters long,
+useful for distinguishing messages in the logs.
+
+##### `nflog_range`
+
+Used with the jump target NFLOG.
+The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
+nfnetlink_log instances may specify their own range, this option overrides it.
+
+##### `nflog_threshold`
+
+Used with the jump target NFLOG.
+Number of packets to queue inside the kernel before sending them to userspace
+(only applicable for nfnetlink_log). Higher values result in less overhead
+per packet, but increase delay until the packets reach userspace. Defaults to 1.
+
+##### `icmp`
+
+When matching ICMP packets, this is the type of ICMP packet to match.
+
+A value of "any" is not supported. To achieve this behaviour the
+parameter should simply be omitted or undefined.
+An array of values is also not supported. To match against multiple ICMP
+types, please use separate rules for each ICMP type.
+
+##### `state`
+
+Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
+
+Matches a packet based on its state in the firewall stateful inspection
+table. Values can be:
+
+* INVALID
+* ESTABLISHED
+* NEW
+* RELATED
+* UNTRACKED
+
+##### `ctstate`
+
+Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
+
+Matches a packet based on its state in the firewall stateful inspection
+table, using the conntrack module. Values can be:
+
+* INVALID
+* ESTABLISHED
+* NEW
+* RELATED
+* UNTRACKED
+
+##### `connmark`
+
+Match the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
+
+##### `connlimit_above`
+
+Valid values: %r{^\d+$}
+
+Connection limiting value for matched connections above n.
+
+##### `connlimit_mask`
+
+Valid values: %r{^\d+$}
+
+Connection limiting by subnet mask for matched connections.
+IPv4: 0-32
+IPv6: 0-128
+
+##### `hop_limit`
+
+Valid values: %r{^\d+$}
+
+Hop limiting value for matched packets.
+
+##### `limit`
+
+Rate limiting value for matched packets. The format is:
+rate/[/second/|/minute|/hour|/day].
+
+Example values are: '50/sec', '40/min', '30/hour', '10/day'."
+
+##### `burst`
+
+Valid values: %r{^\d+$}
+
+Rate limiting burst value (per second) before limit checks apply.
+
+##### `uid`
+
+UID or Username owner matching rule. Accepts a string argument
+only, as iptables does not accept multiple uid in a single
+statement.
+
+##### `gid`
+
+GID or Group owner matching rule. Accepts a string argument
+only, as iptables does not accept multiple gid in a single
+statement.
+
+##### `match_mark`
+
+Match the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
+
+##### `set_mark`
+
+Set the Netfilter mark value associated with the packet. Accepts either of:
+mark/mask or mark. These will be converted to hex if they are not already.
+
+##### `clamp_mss_to_pmtu`
+
+Valid values: `true`, `false`
+
+Sets the clamp mss to pmtu flag.
+
+##### `set_dscp`
+
+Set DSCP Markings.
+
+##### `set_dscp_class`
+
+This sets the DSCP field according to a predefined DiffServ class.
+
+##### `set_mss`
+
+Sets the TCP MSS value for packets.
+
+##### `pkttype`
+
+Valid values: unicast, broadcast, multicast
+
+Sets the packet type to match.
+
+##### `isfragment`
+
+Valid values: `true`, `false`
+
+Set to true to match tcp fragments (requires type to be set to tcp)
+
+##### `recent`
+
+Valid values: set, update, rcheck, remove
+
+Enable the recent module. Takes as an argument one of set, update,
+rcheck or remove. For example:
+
+ ```
+ # If anyone's appeared on the 'badguy' blacklist within
+ # the last 60 seconds, drop their traffic, and update the timestamp.
+ firewall { '100 Drop badguy traffic':
+ recent => 'update',
+ rseconds => 60,
+ rsource => true,
+ rname => 'badguy',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ ```
+
+
+ ```
+ # No-one should be sending us traffic on eth0 from the
+ # localhost, Blacklist them
+ firewall { '101 blacklist strange traffic':
+ recent => 'set',
+ rsource => true,
+ rname => 'badguy',
+ destination => '127.0.0.0/8',
+ iniface => 'eth0',
+ action => 'DROP',
+ chain => 'FORWARD',
+ }
+ ```
+
+##### `rdest`
+
+Valid values: `true`, `false`
+
+Recent module; add the destination IP address to the list.
+Must be boolean true.
+
+##### `rsource`
+
+Valid values: `true`, `false`
+
+Recent module; add the source IP address to the list.
+Must be boolean true.
+
+##### `rname`
+
+Recent module; The name of the list. Takes a string argument.
+
+##### `rseconds`
+
+Recent module; used in conjunction with one of `recent => 'rcheck'` or
+`recent => 'update'`. When used, this will narrow the match to only
+happen when the address is in the list and was seen within the last given
+number of seconds.
+
+##### `reap`
+
+Valid values: `true`, `false`
+
+Recent module; can only be used in conjunction with the `rseconds`
+attribute. When used, this will cause entries older than 'seconds' to be
+purged. Must be boolean true.
+
+##### `rhitcount`
+
+Recent module; used in conjunction with `recent => 'update'` or `recent
+=> 'rcheck'. When used, this will narrow the match to only happen when
+the address is in the list and packets had been received greater than or
+equal to the given value.
+
+##### `rttl`
+
+Valid values: `true`, `false`
+
+Recent module; may only be used in conjunction with one of `recent =>
+'rcheck'` or `recent => 'update'`. When used, this will narrow the match
+to only happen when the address is in the list and the TTL of the current
+packet matches that of the packet which hit the `recent => 'set'` rule.
+This may be useful if you have problems with people faking their source
+address in order to DoS you via this module by disallowing others access
+to your site by sending bogus packets to you. Must be boolean true.
+
+##### `socket`
+
+Valid values: `true`, `false`
+
+If true, matches if an open socket can be found by doing a coket lookup
+on the packet.
+
+##### `ishasmorefrags`
+
+Valid values: `true`, `false`
+
+If true, matches if the packet has it's 'more fragments' bit set. ipv6.
+
+##### `islastfrag`
+
+Valid values: `true`, `false`
+
+If true, matches if the packet is the last fragment. ipv6.
+
+##### `isfirstfrag`
+
+Valid values: `true`, `false`
+
+If true, matches if the packet is the first fragment.
+Sadly cannot be negated. ipv6.
+
+##### `ipsec_policy`
+
+Valid values: none, ipsec
+
+Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
+
+##### `ipsec_dir`
+
+Valid values: in, out
+
+Sets the ipsec policy direction
+
+##### `stat_mode`
+
+Valid values: nth, random
+
+Set the matching mode for statistic matching.
+
+##### `stat_every`
+
+Match one packet every nth packet. Requires `stat_mode => 'nth'`
+
+##### `stat_packet`
+
+Valid values: %r{^\d+$}
+
+Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
+
+##### `stat_probability`
+
+Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
+
+##### `mask`
+
+Sets the mask to use when `recent` is enabled.
+
+##### `gateway`
+
+The TEE target will clone a packet and redirect this clone to another
+machine on the local network segment. gateway is the target host's IP.
+
+##### `ipset`
+
+Matches against the specified ipset list.
+Requires ipset kernel module. Will accept a single element or an array.
+The value is the name of the blacklist, followed by a space, and then
+'src' and/or 'dst' separated by a comma.
+For example: 'blacklist src,dst'
+
+##### `checksum_fill`
+
+Valid values: `true`, `false`
+
+Compute and fill missing packet checksums.
+
+##### `mac_source`
+
+Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
+
+MAC Source
+
+##### `physdev_in`
+
+Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
+
+Match if the packet is entering a bridge from the given interface.
+
+##### `physdev_out`
+
+Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
+
+Match if the packet is leaving a bridge via the given interface.
+
+##### `physdev_is_bridged`
+
+Valid values: `true`, `false`
+
+Match if the packet is transversing a bridge.
+
+##### `physdev_is_in`
+
+Valid values: `true`, `false`
+
+Matches if the packet has entered through a bridge interface.
+
+##### `physdev_is_out`
+
+Valid values: `true`, `false`
+
+Matches if the packet will leave through a bridge interface.
+
+##### `date_start`
+
+Only match during the given time, which must be in ISO 8601 "T" notation.
+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
+
+##### `date_stop`
+
+Only match during the given time, which must be in ISO 8601 "T" notation.
+The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
+
+##### `time_start`
+
+Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
+Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
+
+##### `time_stop`
+
+Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
+Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
+
+##### `month_days`
+
+Only match on the given days of the month. Possible values are 1 to 31.
+Note that specifying 31 will of course not match on months which do not have a 31st day;
+the same goes for 28- or 29-day February.
+
+##### `week_days`
+
+Valid values: Mon, Tue, Wed, Thu, Fri, Sat, Sun
+
+Only match on the given weekdays.
+
+##### `time_contiguous`
+
+Valid values: `true`, `false`
+
+When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
+
+##### `kernel_timezone`
+
+Valid values: `true`, `false`
+
+Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
+
+##### `clusterip_new`
+
+Valid values: `true`, `false`
+
+Used with the CLUSTERIP jump target.
+Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
+
+##### `clusterip_hashmode`
+
+Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport
+
+Used with the CLUSTERIP jump target.
+Specify the hashing mode.
+
+##### `clusterip_clustermac`
+
+Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
+
+Used with the CLUSTERIP jump target.
+Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
+
+##### `clusterip_total_nodes`
+
+Valid values: %r{\d+}
+
+Used with the CLUSTERIP jump target.
+Number of total nodes within this cluster.
+
+##### `clusterip_local_node`
+
+Valid values: %r{\d+}
+
+Used with the CLUSTERIP jump target.
+Specify the random seed used for hash initialization.
+
+##### `clusterip_hash_init`
+
+Used with the CLUSTERIP jump target.
+Specify the random seed used for hash initialization.
+
+##### `length`
+
+Sets the length of layer-3 payload to match.
+
+##### `string`
+
+String matching feature. Matches the packet against the pattern
+given as an argument.
+
+##### `string_algo`
+
+Valid values: bm, kmp
+
+String matching feature, pattern matching strategy.
+
+##### `string_from`
+
+String matching feature, offset from which we start looking for any matching.
+
+##### `string_to`
+
+String matching feature, offset up to which we should scan.
+
+##### `queue_num`
+
+Used with NFQUEUE jump target.
+What queue number to send packets to
+
+##### `queue_bypass`
+
+Valid values: `true`, `false`
+
+Used with NFQUEUE jump target
+Allow packets to bypass :queue_num if userspace process is not listening
+
+##### `src_cc`
+
+Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
+
+src attribute for the module geoip
+
+##### `dst_cc`
+
+Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
+
+dst attribute for the module geoip
+
+##### `hashlimit_name`
+
+The name for the /proc/net/ipt_hashlimit/foo entry.
+This parameter is required.
+
+##### `hashlimit_upto`
+
+Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
+This parameter or hashlimit_above is required.
+Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+
+##### `hashlimit_above`
+
+Match if the rate is above amount/quantum.
+This parameter or hashlimit_upto is required.
+Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
+
+##### `hashlimit_burst`
+
+Valid values: %r{^\d+$}
+
+Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
+
+##### `hashlimit_mode`
+
+A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
+Allowed values are: srcip, srcport, dstip, dstport
+
+##### `hashlimit_srcmask`
+
+When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
+
+##### `hashlimit_dstmask`
+
+Like --hashlimit-srcmask, but for destination addresses.
+
+##### `hashlimit_htable_size`
+
+The number of buckets of the hash table
+
+##### `hashlimit_htable_max`
+
+Maximum entries in the hash.
+
+##### `hashlimit_htable_expire`
+
+After how many milliseconds do hash entries expire.
+
+##### `hashlimit_htable_gcinterval`
+
+How many milliseconds between garbage collection intervals.
+
+##### `bytecode`
+
+Match using Linux Socket Filter. Expects a BPF program in decimal format.
+This is the format generated by the nfbpf_compile utility.
+
+##### `ipvs`
+
+Valid values: `true`, `false`
+
+Indicates that the current packet belongs to an IPVS connection.
+
+#### Parameters
+
+The following parameters are available in the `firewall` type.
+
+##### `name`
+
+Valid values: %r{^\d+[[:graph:][:space:]]+$}
+
+namevar
+
+The canonical name of the rule. This name is also used for ordering
+so make sure you prefix the rule with a number:
+
+ 000 this runs first
+ 999 this runs last
+
+Depending on the provider, the name of the rule can be stored using
+the comment feature of the underlying firewall subsystem.
+
+##### `line`
+
+Read-only property for caching the rule line.
+
+### firewallchain
+
+Currently this supports only iptables, ip6tables and ebtables on Linux. And
+provides support for setting the default policy on chains and tables that
+allow it.
+
+**Autorequires:**
+If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
+and the provider is iptables_chain, the firewall resource will autorequire
+those packages to ensure that any required binaries are installed.
+
+#### Providers
+ * iptables_chain is the only provider that supports firewallchain.
+
+#### Features
+ * iptables_chain: The provider provides iptables chain features.
+ * policy: Default policy (inbuilt chains only).
+
+#### Properties
+
+The following properties are available in the `firewallchain` type.
+
+##### `ensure`
+
+Valid values: present, absent
+
+The basic property that the resource should be in.
+
+Default value: present
+
+##### `policy`
+
+Valid values: accept, drop, queue, return
+
+This is the action to when the end of the chain is reached.
+It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,
+PREROUTING, POSTROUTING) and can be one of:
+
+* accept - the packet is accepted
+* drop - the packet is dropped
+* queue - the packet is passed userspace
+* return - the packet is returned to calling (jump) queue
+ or the default of inbuilt chains
+
+#### Parameters
+
+The following parameters are available in the `firewallchain` type.
+
+##### `name`
+
+namevar
+
+The canonical name of the chain.
+
+For iptables the format must be {chain}:{table}:{protocol}.
+
+##### `purge`
+
+Valid values: `false`, `true`
+
+Purge unmanaged firewall rules in this chain
+
+Default value: `false`
+
+##### `ignore`
+
+Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
+This is matched against the output of `iptables-save`.
+
+This can be a single regex, or an array of them.
+To support flags, use the ruby inline flag mechanism.
+Meaning a regex such as
+ /foo/i
+can be written as
+ '(?i)foo' or '(?i:foo)'
+
+Full example:
+```
+firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ ignore => [
+ '-j fail2ban-ssh', # ignore the fail2ban jump rule
+ '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
+ ],
+}
+```
+
include Puppet::Util::Firewall
@doc = <<-PUPPETCODE
- This type provides the capability to manage firewall rules within
- puppet.
+ @summary
+ This type provides the capability to manage firewall rules within puppet.
**Autorequires:**
and the provider is iptables or ip6tables, the firewall resource will
autorequire those packages to ensure that any required binaries are
installed.
+
+ #### Providers
+ Note: Not all features are available with all providers.
+
+ * ip6tables: Ip6tables type provider
+
+ * Required binaries: ip6tables-save, ip6tables.
+ * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
+ interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
+ ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
+ owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
+ snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
+
+ * iptables: Iptables type provider
+
+ * Required binaries: iptables-save, iptables.
+ * Default for kernel == linux.
+ * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
+ interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
+ log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
+ nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
+ recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
+
+ #### Features
+ * address_type: The ability to match on source or destination address type.
+
+ * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
+
+ * connection_limiting: Connection limiting features.
+
+ * dnat: Destination NATing.
+
+ * hop_limiting: Hop limiting features.
+
+ * icmp_match: The ability to match ICMP types.
+
+ * interface_match: Interface matching.
+
+ * iprange: The ability to match on source or destination IP range.
+
+ * ipsec_dir: The ability to match IPsec policy direction.
+
+ * ipsec_policy: The ability to match IPsec policy.
+
+ * iptables: The provider provides iptables features.
+
+ * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
+
+ * isfragment: The ability to match fragments.
+
+ * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
+
+ * islastfrag: The ability to match the last fragment of an ipv6 packet.
+
+ * length: The ability to match the length of the layer-3 payload.
+
+ * log_level: The ability to control the log level.
+
+ * log_prefix: The ability to add prefixes to log messages.
+
+ * log_uid: The ability to log the userid of the process which generated the packet.
+
+ * mark: The ability to match or set the netfilter mark value associated with the packet.
+
+ * mask: The ability to match recent rules based on the ipv4 mask.
+
+ * nflog_group: The ability to set the group number for NFLOG.
+
+ * nflog_prefix: The ability to set a prefix for nflog messages.
+
+ * nflog_range: The ability to set nflog_range.
+
+ * nflog_threshold: The ability to set nflog_threshold.
+
+ * owner: The ability to match owners.
+
+ * pkttype: The ability to match a packet type.
+
+ * rate_limiting: Rate limiting features.
+
+ * recent_limiting: The netfilter recent module.
+
+ * reject_type: The ability to control reject messages.
+
+ * set_mss: Set the TCP MSS of a packet.
+
+ * snat: Source NATing.
+
+ * socket: The ability to match open sockets.
+
+ * state_match: The ability to match stateful firewall states.
+
+ * string_matching: The ability to match a given string by using some pattern matching strategy.
+
+ * tcp_flags: The ability to match on particular TCP flag settings.
+
+ * netmap: The ability to map entire subnets via source or destination nat rules.
+
+ * hashlimit: The ability to use the hashlimit-module.
+
+ * bpf: The ability to use Berkeley Paket Filter rules.
+
+ * ipvs: The ability to match IP Virtual Server packets.
PUPPETCODE
feature :connection_limiting, 'Connection limiting features.'
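Review bot: the hand-written Features list in the `@doc` heredoc already disagrees with the provider lists above it: both providers claim `mss`, but the list describes `set_mss` instead, and `ipvs` is described although neither provider's `Supported features` line includes it; `hashlimit` also appears only under ip6tables, which is worth confirming. Since `feature :connection_limiting, 'Connection limiting features.'` and the other `feature` declarations below already carry these descriptions, consider generating the list from them (or cross-checking it in a spec) rather than maintaining a second copy. Also `Berkeley Paket Filter` should read `Berkeley Packet Filter`.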
ensurable do
desc <<-PUPPETCODE
- Manage the state of this rule. The default action is *present*.
+ Manage the state of this rule.
PUPPETCODE
newvalue(:present) do
newproperty(:port, array_matching: :all) do
desc <<-PUPPETCODE
- DEPRECATED
+ *note* This property has been DEPRECATED
The destination or source port to match for this filter (if the protocol
supports ports). Will accept a single element or an array.
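Review bot: the deprecation text `*note* This property has been DEPRECATED` does not say what replaces `port` or when it will be removed; a deprecation notice should name the replacement property and, ideally, the release in which `port` goes away. `*note*` also only renders as italic in markdown; use the `**Note:**` form already used for the Autorequires block.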
newproperty(:proto) do
desc <<-PUPPETCODE
- The specific protocol to match for this rule. By default this is
- *tcp*.
+ The specific protocol to match for this rule.
PUPPETCODE
newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
Note that you specify them in the order that iptables --list-rules
would list them to avoid having puppet think you changed the flags.
Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
- ACK,RST and FIN bits cleared. Such packets are used to request
- TCP connection initiation.
+ ACK,RST and FIN bits cleared. Such packets are used to request
+ TCP connection initiation.
PUPPETCODE
end
* POSTROUTING
Or you can provide a user-based chain.
-
- The default value is 'INPUT'.
PUPPETCODE
defaultto 'INPUT'
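Review bot: dropping `The default value is 'INPUT'.` from the desc is only safe because `defaultto 'INPUT'` stays and the reference generator renders it; the README block in this same change suggests it does (`Default value: present` under the `firewallchain` `ensure` property), so just confirm the regenerated REFERENCE.md shows the INPUT default for `chain` and the `filter` default for `table`, since the same sentence is removed from the `table` desc as well.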
* filter
* raw
* rawpost
-
- By default the setting is 'filter'.
PUPPETCODE
newvalues(:nat, :mangle, :filter, :raw, :rawpost)
Enable the recent module. Takes as an argument one of set, update,
rcheck or remove. For example:
+ ```
# If anyone's appeared on the 'badguy' blacklist within
- # the last 60 seconds, drop their traffic, and update the timestamp.
+ # the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
recent => 'update',
rseconds => 60,
action => 'DROP',
chain => 'FORWARD',
}
- # No-one should be sending us traffic on eth0 from localhost
- # Blacklist them
+ ```
+
+
+ ```
+ # No-one should be sending us traffic on eth0 from the
+ # localhost, Blacklist them
firewall { '101 blacklist strange traffic':
recent => 'set',
rsource => true,
action => 'DROP',
chain => 'FORWARD',
}
+ ```
PUPPETCODE
newvalues(:set, :update, :rcheck, :remove)
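Review bot: the rewrapped comment on the second example, `# No-one should be sending us traffic on eth0 from the` / `# localhost, Blacklist them`, now reads as a comma splice and breaks mid-phrase; keep the original two lines. More importantly, the comment promises an interface and source match that the rule does not have: `'101 blacklist strange traffic'` only sets `recent => 'set'`, `rsource => true`, `action => 'DROP'` and `chain => 'FORWARD'`, so as written it adds every source that traverses FORWARD to the recent list and drops it, and the preceding `'100 Drop badguy traffic'` rule then keeps dropping those sources for 60 seconds. Since this is the example people copy, either add the interface and source matches the comment describes or change the comment to say what the rule actually does. There is also a stray double blank line between the two fences.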
newproperty(:stat_mode) do
desc <<-PUPPETCODE
- Set the matching mode for statistic matching. Supported modes are `random` and `nth`.
+ Set the matching mode for statistic matching.
PUPPETCODE
newvalues(:nth, :random)
newproperty(:week_days, required_features: :iptables) do
desc <<-PUPPETCODE
- Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun.
+ Only match on the given weekdays.
PUPPETCODE
newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun)
newproperty(:clusterip_hashmode, required_features: :clusterip) do
desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
- Specify the hashing mode. Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport.
+ Specify the hashing mode.
PUPPETCODE
newvalues(:sourceip, :'sourceip-sourceport', :'sourceip-sourceport-destport')
include Puppet::Util::Firewall
@doc = <<-PUPPETCODE
- This type provides the capability to manage rule chains for firewalls.
+ @summary
+ This type provides the capability to manage rule chains for firewalls.
Currently this supports only iptables, ip6tables and ebtables on Linux. And
provides support for setting the default policy on chains and tables that
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
and the provider is iptables_chain, the firewall resource will autorequire
those packages to ensure that any required binaries are installed.
+
+ #### Providers
+ * iptables_chain is the only provider that supports firewallchain.
+
+ #### Features
+ * iptables_chain: The provider provides iptables chain features.
+ * policy: Default policy (inbuilt chains only).
PUPPETCODE
feature :iptables_chain, 'The provider provides iptables chain features.'
'(?i)foo' or '(?i:foo)'
Full example:
+ ```
firewallchain { 'INPUT:filter:IPv4':
purge => true,
ignore => [
'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
],
}
+ ```
PUPPETCODE
validate do |value|
-# = Class: firewall
+# @summary
+# Performs the basic setup tasks required for using the firewall resources.
#
-# Manages packages and services required by the firewall type/provider.
+# At the moment this takes care of:
#
-# This class includes the appropriate sub-class for your operating system,
-# where supported.
+# iptables-persistent package installation
+# Include the firewall class for nodes that need to use the resources in this module:
#
-# == Parameters:
+# @example
+# class { 'firewall': }
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources.
-# Default: running
+# @param ensure
+# Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
+#
+# @param ensure_v6
+# Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
+#
+# @param pkg_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
+#
+# @param service_name
+# Specify the name of the IPv4 iptables service.
+#
+# @param service_name_v6
+# Specify the name of the IPv6 iptables service.
+#
+# @param package_name
+# Specify the platform-specific package(s) to install.
+#
+# @param ebtables_manage
+# Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
#
class firewall (
$ensure = running,
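Review bot: `# iptables-persistent package installation` lost its bullet and the blank `#` line that separated it from `# Include the firewall class for nodes ...`, so in the rendered description the two sentences run together as one paragraph; restore `# * iptables-persistent package installation` followed by an empty `#` line. The `@example` also has no caption; puppet-strings (via YARD) accepts a title after the tag, e.g. `@example Basic usage`, and renders it above the snippet.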
-# = Class: firewall::linux
+# @summary Main linux class, includes all other classes
#
-# Installs the `iptables` package for Linux operating systems and includes
-# the appropriate sub-class for any distribution specific services and
-# additional packages.
+# @param ensure
+# Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# == Parameters:
+# @param ensure_v6
+# Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources. When `running` the
-# service will be started on boot, and when `stopped` it will not.
-# Default: running
+# @param pkg_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
-# [*ensure_v6*]
-# Ensure parameter passed onto Service[] resources. When `running` the
-# service will be started on boot, and when `stopped` it will not.
-# Default: running
+# @param service_name
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
+#
+# @param service_name_v6
+# Specify the name of the IPv6 iptables service. Defaults defined in firewall::params.
+#
+# @param package_name
+# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
+#
+# @param ebtables_manage
+# Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
+#
+# @api private
#
class firewall::linux (
$ensure = running,
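Review bot: `@param pkg_ensure ... Defaults to 'latest'` states a default that `firewall::params` at the end of this patch does not match (`$package_ensure = 'present'`), and the `init.pp` docs for the same parameter state no default at all; check which value the class signature actually uses. Hard-coding `Defaults to ...` in the `@param` text is what lets this drift, since puppet-strings renders the real default from the signature, so these phrases can be dropped here and in the sub-class docs. Separately, the removed sentence 'When `running` the service will be started on boot, and when `stopped` it will not.' was the only place that explained what `ensure` does to boot behaviour; carry it into the new `@param ensure` and `@param ensure_v6` text.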
-# = Class: firewall::linux::archlinux
+# @summary
+# Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
#
-# Manages `iptables` and `ip6tables` services, and creates files used for
-# persistence, on Arch Linux systems.
+# @param ensure
+# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# == Parameters:
+# @param enable
+# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources.
-# Default: running
+# @param service_name
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
-# [*enable*]
-# Enable parameter passed onto Service[] resources.
-# Default: true
+# @param package_name
+# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
+#
+# @param package_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
+#
+# @api private
#
class firewall::linux::archlinux (
$ensure = 'running',
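Review bot: `Defaults to 'true'` for `enable` quotes a Boolean as a string; the old text had `Default: true`, and the param should document the Boolean `true`, otherwise readers will pass the string. The same quoting recurs in the debian, gentoo and redhat docs below, including `Defaults to 'undef'`, and `'undef'` is not a value a caller can pass at all. As with `pkg_ensure`, the generator already renders the signature default, so these phrases can simply be dropped.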
-# = Class: firewall::linux::debian
+# @summary
+# Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
#
-# Installs the `iptables-persistent` package for Debian-alike systems. This
-# allows rules to be stored to file and restored on boot.
+# @param ensure
+# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# == Parameters:
+# @param enable
+# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources.
-# Default: running
+# @param service_name
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
-# [*enable*]
-# Enable parameter passed onto Service[] resources.
-# Default: true
+# @param package_name
+# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
+#
+# @param package_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
+#
+# @api private
#
class firewall::linux::debian (
$ensure = running,
-# = Class: firewall::linux::gentoo
+# @summary
+# Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
#
-# Manages `iptables` and `ip6tables` services, and creates files used for
-# persistence, on Gentoo Linux systems.
+# @param ensure
+# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# == Parameters:
+# @param enable
+# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources.
-# Default: running
+# @param service_name
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
-# [*enable*]
-# Enable parameter passed onto Service[] resources.
-# Default: true
+# @param package_name
+# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
+#
+# @param package_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
+#
+# @api private
#
class firewall::linux::gentoo (
$ensure = 'running',
-# = Class: firewall::linux::redhat
+# @summary
+# Manages the `iptables` service on RedHat-alike systems.
#
-# Manages the `iptables` service on RedHat-alike systems.
+# @param ensure
+# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
-# == Parameters:
+# @param ensure_v6
+# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'undef'.
#
-# [*ensure*]
-# Ensure parameter passed onto Service[] resources.
-# Default: running
+# @param enable
+# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
-# [*ensure_v6*]
-# Ensure parameter passed onto Service[] resources.
-# Default: undef
+# @param enable_v6
+# Enable parameter passed onto Service[] resources. Defaults to 'undef'.
#
-# [*enable*]
-# Enable parameter passed onto Service[] resources.
-# Default: true
+# @param service_name
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
-# [*enable_v6*]
-# Enable parameter passed onto Service[] resources.
-# Default: undef
+# @param service_name_v6
+# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
-# [*sysconfig_manage*]
-# Enable sysconfig configuration for iptables/ip6tables files. This is
-# disabled for RedHat 8+ or CentOS 8+
-# Default: true
+# @param package_name
+# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
+#
+# @param package_ensure
+# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
+#
+# @param sysconfig_manage
+# Enable sysconfig configuration for iptables/ip6tables files. Defaults defined in firewall::params. This is disabled for RedHat/CentOS 8+.
+#
+# @api private
#
class firewall::linux::redhat (
$ensure = running,
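Review bot: `@param service_name_v6` is described as `Specify the name of the IPv4 iptables service.`, which is the text for `service_name`; it should say IPv6, matching `init.pp`'s `Specify the name of the IPv6 iptables service.`. Also `Defaults to 'undef'` for `ensure_v6` and `enable_v6` quotes undef as if it were a value; say in words what leaving it unset means for the ip6tables service (presumably that it is not managed) rather than quoting it.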
-# Manifest containing module parameters
+# @summary Provides defaults for the Apt module parameters.
+#
+# @api private
+#
class firewall::params {
$package_ensure = 'present'
case $::osfamily {
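Review bot: `@summary Provides defaults for the Apt module parameters.` is copied from another module; this is `firewall::params`, so it should read `Provides defaults for the firewall module parameters.`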