-rw-r--r-- | REFERENCE.md | 24 | ||||
-rw-r--r-- | manifests/chain.pp | 5 | ||||
-rw-r--r-- | manifests/config.pp | 5 | ||||
-rw-r--r-- | manifests/init.pp | 2 | ||||
-rw-r--r-- | manifests/install.pp | 5 | ||||
-rw-r--r-- | manifests/ipset.pp | 10 | ||||
-rw-r--r-- | manifests/service.pp | 5 |
7 files changed, 29 insertions, 27 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 7e7d518..2de98f6 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -32,7 +32,7 @@ _Private Classes_
 ### ferm
-Class: ferm
+This class manages ferm installation and rule generation on modern linux systems
 #### Examples
@@ -240,7 +240,6 @@ Enable/Disable logging of packets to the kernel log, if no explicit chain matche
 Data type: `Optional[Ferm::Policies]`
 Set the default policy for CHAIN (works only for builtin chains)
-Default value: undef
 Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
 Default value: `undef`
@@ -250,7 +249,6 @@ Default value: `undef`
 Data type: `String[1]`
 Name of the chain that should be managed
-Default value: $name (resource name)
 Allowed values: String[1]
 Default value: $name
@@ -260,7 +258,6 @@ Default value: $name
 Data type: `Ferm::Tables`
 Select the target table (filter/raw/mangle/nat)
-Default value: 'filter'
 Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
 Default value: 'filter'
@@ -270,7 +267,6 @@ Default value: 'filter'
 Data type: `Array[Enum['ip','ip6']]`
 Set list of versions of ip we want ot use.
-Default value: $ferm::ip_versions
 Default value: $ferm::ip_versions
@@ -283,7 +279,7 @@ http://ferm.foo-projects.org/download/2.1/ferm.html#set
 #### Examples
-##### 
+##### Create an iptables rule that allows traffic that matches the ipset `internet`
 ```puppet
 ferm::ipset { 'CONSUL':
@@ -293,7 +289,7 @@ ferm::ipset { 'CONSUL':
 }
 ```
-##### create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+##### create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
 ```puppet
 ferm::ipset { 'INPUT':
@@ -311,6 +307,12 @@ ferm::ipset { 'INPUT':
 The following parameters are available in the `ferm::ipset` defined type.
+##### `sets`
+
+Data type: `Hash[String[1], Ferm::Actions]`
+
+A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+
 ##### `chain`
 Data type: `String[1]`
@@ -335,17 +337,11 @@ sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Bec
 Default value: 'ip'
-##### `sets`
-
-Data type: `Hash[String[1], Ferm::Actions]`
-
-A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
-
 ##### `prepend_to_chain`
 Data type: `Boolean`
-
+By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
 Default value: `true`
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 1be7e83..b66ef7f 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -10,16 +10,13 @@
 # @param disable_conntrack Disable/Enable usage of conntrack
 # @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
 # @param policy Set the default policy for CHAIN (works only for builtin chains)
-# Default value: undef
 # Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
 # @param chain Name of the chain that should be managed
-# Default value: $name (resource name)
 # Allowed values: String[1]
 # @param table Select the target table (filter/raw/mangle/nat)
-# Default value: 'filter'
 # Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
 # @param ip_versions Set list of versions of ip we want ot use.
-# Default value: $ferm::ip_versions
+#
 define ferm::chain (
 Boolean $disable_conntrack,
 Boolean $log_dropped_packets,
diff --git a/manifests/config.pp b/manifests/config.pp
index 7dae7a5..acc58d6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,5 +1,8 @@
+#
 # @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
 class ferm::config {
 # this is a private class
diff --git a/manifests/init.pp b/manifests/init.pp
index cb3dd1b..ecaa391 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,3 @@
-# Class: ferm
-#
 # @summary This class manages ferm installation and rule generation on modern linux systems
 #
 # @example deploy ferm without any configured rules, but also don't start the service or modify existing config files
diff --git a/manifests/install.pp b/manifests/install.pp
index 548846c..4337a99 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -1,5 +1,8 @@
+#
 # @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
 class ferm::install {
 # this is a private class
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
index 1f859b8..23c555a 100644
--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
@@ -3,14 +3,14 @@
 #
 # @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
 #
-# @example
+# @example Create an iptables rule that allows traffic that matches the ipset `internet`
 # ferm::ipset { 'CONSUL':
 # sets => {
 # 'internet' => 'ACCEPT'
 # },
 # }
 #
-# @example create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
 # ferm::ipset { 'INPUT':
 # prepend_to_chain => false,
 # table => 'filter',
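Review bot: The `@summary` added to manifests/install.pp states that the class "handles the configuration file", but the class on the next line is `ferm::install`; the sentence looks copied from config.pp, and the service.pp hunk repeats the same mismatch for `ferm::service`. Since REFERENCE.md is generated from these tags, both wrong summaries will be published as the public description of those classes. Judging from the class names only (their bodies are outside the hunks), something like `# @summary This class installs ferm. Avoid modifying private classes.` for install.pp and `# @summary This class manages the ferm service. Avoid modifying private classes.` for service.pp would be accurate — please confirm against the class bodies before wording them.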
@@ -21,6 +21,8 @@
 # },
 # }
 #
+# @param sets
+# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
 # @param chain
 # name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
 #
@@ -30,8 +32,8 @@
 # @param ip_version
 # sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
 #
-# @param sets
-# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+# @param prepend_to_chain
+# By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
 #
 define ferm::ipset (
 Hash[String[1], Ferm::Actions] $sets,
diff --git a/manifests/service.pp b/manifests/service.pp
index ad6fc47..9cc1373 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -1,5 +1,8 @@
+#
 # @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
 class ferm::service {
 # this is a private class
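Review bot: The new `@param prepend_to_chain` text in manifests/ipset.pp describes where the rules land but not what that ordering means for the chain's existing policy, which is the part a reader deciding between `true` and `false` needs. Rules at the top of a chain are evaluated before everything already in it, so a set mapped to `ACCEPT` with the default `prepend_to_chain => true` takes effect ahead of any existing restriction in that chain, while appending puts the match after them; a second line such as `#   Rules at the top of the chain are evaluated first, so a prepended ACCEPT match takes effect before any rule already present in the chain.` would make that explicit. The moved `@param sets` description also says "For each hash you can provide an action", where "For each set" is what is meant. The surrounding define's body continues outside the hunk.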