-rw-r--r--  .sync.yml          |   4
-rw-r--r--  Gemfile            |   1
-rw-r--r--  REFERENCE.md       | 132
-rw-r--r--  manifests/chain.pp |   1
-rw-r--r--  types/port.pp      |   1
5 files changed, 78 insertions, 61 deletions
@@ -10,3 +10,7 @@ - set: ubuntu2004-64 secure: "J7AG0AHVdEVql4c7cwJZCjbXFp5tehPnlS3REkUKu9s3Px+XRb+073W7hM2alfxB5Qo3mqyMdgyjIRMQyXXqfb54QmDG6Y1XfRIcNK/C6TL9JscC7rXN1gXJhrdZiQOtfXa3HFcWJkbsQrjnPbQ5y+ 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" +Gemfile: + optional: + ':test': + - gem: puppet-lint-param-docs @@ -14,6 +14,7 @@ group :test do gem 'voxpupuli-test', '~> 2.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false + gem 'puppet-lint-param-docs', :require => false end group :development do diff --git a/REFERENCE.md b/REFERENCE.md index 821136b..4092bc1 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -1,36 +1,38 @@ # Reference + <!-- DO NOT EDIT: This document was generated by Puppet Strings --> ## Table of Contents -**Classes** +### Classes -_Public Classes_ +#### Public Classes * [`ferm`](#ferm): This class manages ferm installation and rule generation on modern linux systems -_Private Classes_ +#### Private Classes * `ferm::config`: This class handles the configuration file. Avoid modifying private classes. * `ferm::install`: This class handles the configuration file. Avoid modifying private classes. * `ferm::service`: This class handles the configuration file. Avoid modifying private classes. -**Defined types** +### Defined types * [`ferm::chain`](#fermchain): This defined resource manages ferm/iptables chains * [`ferm::ipset`](#fermipset): a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. * [`ferm::rule`](#fermrule): This defined resource manages a single rule in a specific chain -**Data types** +### Data types * [`Ferm::Actions`](#fermactions): a list of allowed actions for a rule * [`Ferm::Policies`](#fermpolicies): a list of allowed policies for a chain +* [`Ferm::Port`](#fermport): ferm port-spec * [`Ferm::Protocols`](#fermprotocols): a list of allowed protocolls to match * [`Ferm::Tables`](#fermtables): a list of available tables ## Classes -### ferm +### `ferm` This class manages ferm installation and rule generation on modern linux systems @@ -82,7 +84,7 @@ Data type: `Boolean` Disable/Enable the management of the ferm daemon -Default value: `false` +Default value: ``false`` ##### `manage_configfile` @@ -90,7 +92,7 @@ Data type: `Boolean` Disable/Enable the management of the ferm default config -Default value: `false` +Default value: ``false`` ##### `manage_initfile` @@ -98,7 +100,7 @@ Data type: `Boolean` Disable/Enable the management of the ferm init script for RedHat-based OS -Default value: `false` +Default value: ``false`` ##### `configfile` 
@@ -118,7 +120,7 @@ Data type: `Boolean` Enable/Disable the generation of conntrack rules for the FORWARD chain -Default value: `true` +Default value: ``true`` ##### `output_disable_conntrack` @@ -126,7 +128,7 @@ Data type: `Boolean` Enable/Disable the generation of conntrack rules for the OUTPUT chain -Default value: `true` +Default value: ``true`` ##### `input_disable_conntrack` @@ -134,7 +136,7 @@ Data type: `Boolean` Enable/Disable the generation of conntrack rules for the INPUT chain -Default value: `false` +Default value: ``false`` ##### `forward_policy` @@ -142,7 +144,7 @@ Data type: `Ferm::Policies` Default policy for the FORWARD chain -Default value: 'DROP' +Default value: `'DROP'` ##### `output_policy` @@ -150,7 +152,7 @@ Data type: `Ferm::Policies` Default policy for the OUTPUT chain -Default value: 'ACCEPT' +Default value: `'ACCEPT'` ##### `input_policy` @@ -158,7 +160,7 @@ Data type: `Ferm::Policies` Default policy for the INPUT chain -Default value: 'DROP' +Default value: `'DROP'` ##### `input_drop_invalid_packets_with_conntrack` @@ -166,7 +168,7 @@ Data type: `Boolean` Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false`. You can set this to false if your policy is DROP. This only effects the INPUT chain. -Default value: `false` +Default value: ``false`` ##### `rules` @@ -174,7 +176,7 @@ Data type: `Hash` A hash that holds all data for ferm::rule -Default value: {} +Default value: `{}` ##### `chains` @@ -182,7 +184,7 @@ Data type: `Hash` A hash that holds all data for ferm::chain -Default value: {} +Default value: `{}` ##### `forward_log_dropped_packets` @@ -190,7 +192,7 @@ Data type: `Boolean` Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched -Default value: `false` +Default value: ``false`` ##### `output_log_dropped_packets` 
@@ -198,7 +200,7 @@ Data type: `Boolean` Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched -Default value: `false` +Default value: ``false`` ##### `input_log_dropped_packets` @@ -206,7 +208,7 @@ Data type: `Boolean` Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched -Default value: `false` +Default value: ``false`` ##### `ip_versions` @@ -214,7 +216,7 @@ Data type: `Array[Enum['ip','ip6']]` Set list of versions of ip we want ot use. -Default value: ['ip','ip6'] +Default value: `['ip','ip6']` ##### `preserve_chains_in_tables` @@ -223,7 +225,7 @@ Data type: `Hash[String[1],Array[String[1]]]` Hash with table:chains[] to use ferm @preserve for (since ferm v2.4) Example: {'nat' => ['PREROUTING', 'POSTROUTING']} -Default value: {} +Default value: `{}` ##### `install_method` @@ -231,7 +233,7 @@ Data type: `Enum['package','vcsrepo']` method used to install ferm -Default value: 'package' +Default value: `'package'` ##### `vcsrepo` @@ -239,7 +241,7 @@ Data type: `Stdlib::HTTPSUrl` git repository where ferm sources are hosted -Default value: 'https://github.com/MaxKellermann/ferm.git' +Default value: `'https://github.com/MaxKellermann/ferm.git'` ##### `vcstag` @@ -247,11 +249,11 @@ Data type: `String[1]` git tag used when install_method is vcsrepo -Default value: 'v2.5.1' +Default value: `'v2.5.1'` ## Defined types -### ferm::chain +### `ferm::chain` This defined resource manages ferm/iptables chains @@ -277,7 +279,7 @@ Data type: `Boolean` Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain -Default value: `true` +Default value: ``true`` ##### `drop_invalid_packets_with_conntrack` 
@@ -285,7 +287,7 @@ Data type: `Boolean` Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP. -Default value: `false` +Default value: ``false`` ##### `log_dropped_packets` @@ -293,7 +295,7 @@ Data type: `Boolean` Enable/Disable logging of packets to the kernel log, if no explicit chain matched -Default value: `false` +Default value: ``false`` ##### `policy` @@ -302,7 +304,7 @@ Data type: `Optional[Ferm::Policies]` Set the default policy for CHAIN (works only for builtin chains) Allowed values: (ACCEPT|DROP) (see Ferm::Policies type) -Default value: `undef` +Default value: ``undef`` ##### `chain` @@ -311,7 +313,7 @@ Data type: `String[1]` Name of the chain that should be managed Allowed values: String[1] -Default value: $name +Default value: `$name` ##### `table` @@ -320,7 +322,7 @@ Data type: `Ferm::Tables` Select the target table (filter/raw/mangle/nat) Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type) -Default value: 'filter' +Default value: `'filter'` ##### `ip_versions` @@ -328,22 +330,22 @@ Data type: `Array[Enum['ip', 'ip6']]` Set list of versions of ip we want ot use. -Default value: $ferm::ip_versions +Default value: `$ferm::ip_versions` ##### `content` Data type: `Optional[String[1]]` +custom string that will be written into th chain file +Default value: ``undef`` -Default value: `undef` - -### ferm::ipset +### `ferm::ipset` a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. * **See also** -http://ferm.foo-projects.org/download/2.1/ferm.html#set + * http://ferm.foo-projects.org/download/2.1/ferm.html#set #### Examples 
@@ -387,7 +389,7 @@ Data type: `String[1]` name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this. -Default value: $name +Default value: `$name` ##### `table` @@ -395,7 +397,7 @@ Data type: `Ferm::Tables` name of the table where we want to apply this. Defaults to `filter` because that's the most common usecase. -Default value: 'filter' +Default value: `'filter'` ##### `ip_version` @@ -403,7 +405,7 @@ Data type: `Enum['ip','ip6']` sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version. -Default value: 'ip' +Default value: `'ip'` ##### `prepend_to_chain` @@ -411,9 +413,9 @@ Data type: `Boolean` By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead. -Default value: `true` +Default value: ``true`` -### ferm::rule +### `ferm::rule` This defined resource manages a single rule in a specific chain @@ -486,7 +488,7 @@ Data type: `String` A comment that will be added to the ferm config and to ip{,6}tables -Default value: $name +Default value: `$name` ##### `action` @@ -496,7 +498,7 @@ Configure what we want to do with the packet (drop/accept/reject, can also be a Default value: undef Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE|REDIRECT|String[1]) -Default value: `undef` +Default value: ``undef`` ##### `policy` 
@@ -506,23 +508,23 @@ Configure what we want to do with the packet (drop/accept/reject, can also be a Default value: undef Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE|REDIRECT|String[1]) -Default value: `undef` +Default value: ``undef`` ##### `dport` -Data type: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]]` +Data type: `Optional[Ferm::Port]` The destination port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher) -Default value: `undef` +Default value: ``undef`` ##### `sport` -Data type: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]]` +Data type: `Optional[Ferm::Port]` The source port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher) -Default value: `undef` +Default value: ``undef`` ##### `saddr` @@ -530,7 +532,7 @@ Data type: `Optional[Variant[Array, String[1]]]` The source address we want to match -Default value: `undef` +Default value: ``undef`` ##### `daddr` @@ -538,7 +540,7 @@ Data type: `Optional[Variant[Array, String[1]]]` The destination address we want to match -Default value: `undef` +Default value: ``undef`` ##### `proto_options` @@ -546,7 +548,7 @@ Data type: `Optional[String[1]]` Optional parameters that will be passed to the protocol (for example to match specific ICMP types) -Default value: `undef` +Default value: ``undef`` ##### `interface` @@ -554,7 +556,7 @@ Data type: `Optional[String[1]]` an Optional interface where this rule should be applied -Default value: `undef` +Default value: ``undef`` ##### `ensure` @@ -562,7 +564,7 @@ Data type: `Enum['absent','present']` Set the rule to present or absent -Default value: 'present' +Default value: `'present'` ##### `table` 
@@ -572,29 +574,39 @@ Select the target table (filter/raw/mangle/nat) Default value: filter Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type) -Default value: 'filter' +Default value: `'filter'` ## Data types -### Ferm::Actions +### `Ferm::Actions` As you can also *jump* to other chains, each chain-name is also a valid action/target Alias of `Variant[Enum['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'], String[1]]` -### Ferm::Policies +### `Ferm::Policies` a list of allowed policies for a chain Alias of `Enum['ACCEPT', 'DROP']` -### Ferm::Protocols +### `Ferm::Port` + +allowed variants: +----------------- ++ single Integer port ++ Array of Integers (creates a multiport matcher) ++ ferm range port-spec (pair of colon-separated integer, assumes 0 if first is omitted) + +Alias of `Variant[Stdlib::Port, Array[Stdlib::Port], Pattern['^\d*:\d+$']]` + +### `Ferm::Protocols` a list of allowed protocolls to match Alias of `Variant[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'], Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']]]` -### Ferm::Tables +### `Ferm::Tables` a list of available tables diff --git a/manifests/chain.pp b/manifests/chain.pp index 91cd930..cfa4f80 100644 --- a/manifests/chain.pp +++ b/manifests/chain.pp @@ -17,6 +17,7 @@ # @param table Select the target table (filter/raw/mangle/nat) # Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type) # @param ip_versions Set list of versions of ip we want ot use. +# @param content custom string that will be written into th chain file # define ferm::chain ( Boolean $log_dropped_packets = false, diff --git a/types/port.pp b/types/port.pp index dc2b7e1..da2ea23 100644 --- a/types/port.pp +++ b/types/port.pp 
@@ -5,7 +5,6 @@ # + single Integer port # + Array of Integers (creates a multiport matcher) # + ferm range port-spec (pair of colon-separated integer, assumes 0 if first is omitted) - type Ferm::Port = Variant[ Stdlib::Port, Array[Stdlib::Port], |
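Review bot: the new `gem 'puppet-lint-param-docs', :require => false` line in the Gemfile `:test` group carries no version constraint, unlike `gem 'voxpupuli-test', '~> 2.0'` two lines above it; an unpinned lint plugin pulls whatever is newest at `bundle install` time and can change or break the test run without any change in this repository. Suggest a pessimistic constraint, and since this Gemfile is rendered from `.sync.yml` by modulesync, check that the matching `- gem: puppet-lint-param-docs` entry in `.sync.yml` can carry the same constraint; otherwise the next modulesync run regenerates the Gemfile without it.

Review bot: the new `@param content` docstring in manifests/chain.pp reads `custom string that will be written into th chain file` (typo `th`), and because REFERENCE.md is generated by Puppet Strings the same typo lands in the `##### content` entry of `ferm::chain`; fix it in chain.pp and regenerate rather than touching REFERENCE.md by hand. While regenerating: `Set list of versions of ip we want ot use.` (`ot`) appears in the `ip_versions` descriptions of both `ferm` and `ferm::chain`, the descriptions of `ferm::install` and `ferm::service` both say `This class handles the configuration file.`, which is the `ferm::config` text copied verbatim, and the `policy` parameter of `ferm::rule` repeats the `action` description word for word, including an embedded `Default value: undef Allowed values: (...)` that duplicates the `Default value:` line Puppet Strings emits itself.

Review bot: the `Pattern['^\d*:\d+$']` branch of `Ferm::Port` validates only the shape of a range, not its values: `70000:80000` or `22:1` satisfy the pattern and are only rejected when ferm hands the rule to iptables at run time, whereas the `Stdlib::Port` and `Array[Stdlib::Port]` branches reject out-of-range integers at catalog compile time. Consider a tighter pattern, or at least say in the type's doc comment that ranges are not range-checked. Related, the `dport` and `sport` descriptions in `ferm::rule` still read `can be a single port number as integer or an Array of integers` although the type is now `Optional[Ferm::Port]`; the colon-separated range form should be documented in manifests/rule.pp so the generated REFERENCE.md matches what the type accepts.

Review bot: the `See also` link under `ferm::ipset` is plain `http://ferm.foo-projects.org/download/2.1/ferm.html#set`, pointing at the 2.1 manual while `vcstag` defaults to `v2.5.1` a few screens above; prefer an https link if the site offers one and the manual for the version the module actually installs, since the page is the reference readers are sent to for the `@set` semantics.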