diff options
| author | Tim Meusel <tim@bastelfreak.de> | 2019-09-30 14:51:12 +0200 |
|---|---|---|
| committer | Tim Meusel <tim@bastelfreak.de> | 2019-10-01 16:27:42 +0200 |
| commit | d4b8909eab6194da389b121e46137da7618eb45c (patch) | |
| tree | 8cfc5af5a35a1557af027d68eccbd9def263dbde /REFERENCE.md | |
| parent | 5d00a506f896fccb2485ebf3ea316f0156b80f8b (diff) | |
| download | puppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.gz puppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.bz2 | |
implement ipset support
Diffstat (limited to 'REFERENCE.md')
| -rw-r--r-- | REFERENCE.md | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/REFERENCE.md b/REFERENCE.md index 019c5a4..7e7d518 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -18,6 +18,7 @@ _Private Classes_ **Defined types** * [`ferm::chain`](#fermchain): This defined resource manages ferm/iptables chains +* [`ferm::ipset`](#fermipset): a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. * [`ferm::rule`](#fermrule): This defined resource manages a single rule in a specific chain **Data types** @@ -273,6 +274,81 @@ Default value: $ferm::ip_versions Default value: $ferm::ip_versions +### ferm::ipset + +a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. + +* **See also** +http://ferm.foo-projects.org/download/2.1/ferm.html#set + +#### Examples + +##### + +```puppet +ferm::ipset { 'CONSUL': + sets => { + 'internet' => 'ACCEPT' + }, +} +``` + +##### create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table. + +```puppet +ferm::ipset { 'INPUT': + prepend_to_chain => false, + table => 'filter', + ip_version => 'ip6', + sets => { + 'testset01' => 'ACCEPT', + 'anothertestset' => 'DROP' + }, +} +``` + +#### Parameters + +The following parameters are available in the `ferm::ipset` defined type. + +##### `chain` + +Data type: `String[1]` + +name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this. + +Default value: $name + +##### `table` + +Data type: `Ferm::Tables` + +name of the table where we want to apply this. Defaults to `filter` because that's the most common usecase. + +Default value: 'filter' + +##### `ip_version` + +Data type: `Enum['ip','ip6']` + +sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version. + +Default value: 'ip' + +##### `sets` + +Data type: `Hash[String[1], Ferm::Actions]` + +A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`. + +##### `prepend_to_chain` + +Data type: `Boolean` + + + +Default value: `true` + ### ferm::rule This defined resource manages a single rule in a specific chain |