-rw-r--r--REFERENCE.md24
-rw-r--r--manifests/chain.pp5
-rw-r--r--manifests/config.pp5
-rw-r--r--manifests/init.pp2
-rw-r--r--manifests/install.pp5
-rw-r--r--manifests/ipset.pp10
-rw-r--r--manifests/service.pp5
7 files changed, 29 insertions, 27 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 7e7d518..2de98f6 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -32,7 +32,7 @@ _Private Classes_
### ferm
-Class: ferm
+This class manages ferm installation and rule generation on modern linux systems
#### Examples
@@ -240,7 +240,6 @@ Enable/Disable logging of packets to the kernel log, if no explicit chain matche
Data type: `Optional[Ferm::Policies]`
Set the default policy for CHAIN (works only for builtin chains)
-Default value: undef
Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
Default value: `undef`
@@ -250,7 +249,6 @@ Default value: `undef`
Data type: `String[1]`
Name of the chain that should be managed
-Default value: $name (resource name)
Allowed values: String[1]
Default value: $name
@@ -260,7 +258,6 @@ Default value: $name
Data type: `Ferm::Tables`
Select the target table (filter/raw/mangle/nat)
-Default value: 'filter'
Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
Default value: 'filter'
@@ -270,7 +267,6 @@ Default value: 'filter'
Data type: `Array[Enum['ip','ip6']]`
Set list of versions of ip we want ot use.
-Default value: $ferm::ip_versions
Default value: $ferm::ip_versions
@@ -283,7 +279,7 @@ http://ferm.foo-projects.org/download/2.1/ferm.html#set
#### Examples
-#####
+##### Create an iptables rule that allows traffic that matches the ipset `internet`
```puppet
ferm::ipset { 'CONSUL':
@@ -293,7 +289,7 @@ ferm::ipset { 'CONSUL':
}
```
-##### create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+##### create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
```puppet
ferm::ipset { 'INPUT':
@@ -311,6 +307,12 @@ ferm::ipset { 'INPUT':
The following parameters are available in the `ferm::ipset` defined type.
+##### `sets`
+
+Data type: `Hash[String[1], Ferm::Actions]`
+
+A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+
##### `chain`
Data type: `String[1]`
@@ -335,17 +337,11 @@ sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Bec
Default value: 'ip'
-##### `sets`
-
-Data type: `Hash[String[1], Ferm::Actions]`
-
-A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
-
##### `prepend_to_chain`
Data type: `Boolean`
-
+By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
Default value: `true`
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 1be7e83..b66ef7f 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -10,16 +10,13 @@
# @param disable_conntrack Disable/Enable usage of conntrack
# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
# @param policy Set the default policy for CHAIN (works only for builtin chains)
-# Default value: undef
# Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
# @param chain Name of the chain that should be managed
-# Default value: $name (resource name)
# Allowed values: String[1]
# @param table Select the target table (filter/raw/mangle/nat)
-# Default value: 'filter'
# Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
# @param ip_versions Set list of versions of ip we want ot use.
-# Default value: $ferm::ip_versions
+#
define ferm::chain (
Boolean $disable_conntrack,
Boolean $log_dropped_packets,
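Review bot: The `@param ip_versions` description kept as context in this hunk still reads "we want ot use"; since the doc block is being reworked here anyway, the typo should go with it: `# @param ip_versions Set list of versions of ip we want to use.`. The same misspelling is carried into the REFERENCE.md hunk for `ferm::chain`, which presumably mirrors this comment, so fixing it here and regenerating the reference covers both. The trailing `+#` line added directly before `define ferm::chain (` is a bare comment separator; if it has no purpose it could be dropped rather than left as an empty doc line. The `define ferm::chain (` parameter list continues outside the hunk.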
diff --git a/manifests/config.pp b/manifests/config.pp
index 7dae7a5..acc58d6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,5 +1,8 @@
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::config {
# this is a private class
diff --git a/manifests/init.pp b/manifests/init.pp
index cb3dd1b..ecaa391 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,3 @@
-# Class: ferm
-#
# @summary This class manages ferm installation and rule generation on modern linux systems
#
# @example deploy ferm without any configured rules, but also don't start the service or modify existing config files
diff --git a/manifests/install.pp b/manifests/install.pp
index 548846c..4337a99 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -1,5 +1,8 @@
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::install {
# this is a private class
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
index 1f859b8..23c555a 100644
--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
@@ -3,14 +3,14 @@
#
# @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
#
-# @example
+# @example Create an iptables rule that allows traffic that matches the ipset `internet`
# ferm::ipset { 'CONSUL':
# sets => {
# 'internet' => 'ACCEPT'
# },
# }
#
-# @example create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
# ferm::ipset { 'INPUT':
# prepend_to_chain => false,
# table => 'filter',
@@ -21,6 +21,8 @@
# },
# }
#
+# @param sets
+# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
# @param chain
# name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
#
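Review bot: The added `@param sets` description says "For each hash you can provide an action", but `sets` is a single hash keyed by set name (its declaration is `Hash[String[1], Ferm::Actions] $sets` in the later hunk of this file), so "each hash" is misleading; I would write `# A hash with multiple sets. For each set name (key) you can provide an action such as DROP or ACCEPT as the value.`. The identical sentence appears in the REFERENCE.md hunk for `ferm::ipset`, which presumably mirrors this comment, so regenerating the reference after the fix keeps them in sync. The `@param chain` paragraph that follows continues outside the hunk.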
@@ -30,8 +32,8 @@
# @param ip_version
# sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
#
-# @param sets
-# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+# @param prepend_to_chain
+# By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
#
define ferm::ipset (
Hash[String[1], Ferm::Actions] $sets,
diff --git a/manifests/service.pp b/manifests/service.pp
index ad6fc47..9cc1373 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -1,5 +1,8 @@
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::service {
# this is a private class