path: root/REFERENCE.md
Diffstat (limited to 'REFERENCE.md')
-rw-r--r-- REFERENCE.md 62
1 files changed, 61 insertions, 1 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 2d0a4e3..eef0dc5 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -220,11 +220,35 @@ Default value: ['ip','ip6']
Data type: `Hash[String[1],Array[String[1]]]`
-Hash with table:chains[] to use ferm @preserve for
+Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
Default value: {}
+##### `install_method`
+
+Data type: `Enum['package','vcsrepo']`
+
+method used to install ferm
+
+Default value: 'package'
+
+##### `vcsrepo`
+
+Data type: `Stdlib::HTTPSUrl`
+
+git repository where ferm sources are hosted
+
+Default value: 'https://github.com/MaxKellermann/ferm.git'
+
+##### `vcstag`
+
+Data type: `String[1]`
+
+git tag used when install_method is vcsrepo
+
+Default value: 'v2.5.1'
+
## Defined types
### ferm::chain
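Review bot: the `vcsrepo` entry does not say that it only takes effect when `install_method` is `vcsrepo`, while the `vcstag` entry does ("git tag used when install_method is vcsrepo"); add the same qualifier to `vcsrepo` so readers do not expect a package install to honour it. The new descriptions also start in lower case ("method used to install ferm", "git repository where ferm sources are hosted") while the existing entries in this file start with a capital ("Hash with table:chains[] ..."); capitalise them for consistency. Since `vcstag` is typed `String[1]`, it would help to state whether only a tag is accepted or any git ref, so that users who want to pin to an exact revision know what the parameter supports.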
@@ -243,6 +267,34 @@ ferm::chain{'check-ssh':
}
```
+##### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+}
+```
+
#### Parameters
The following parameters are available in the `ferm::chain` defined type.
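Review bot: the example chain and rule titles spell "FORWORD" throughout (`OPENVPN_FORWORD_RULES`, "FORWORD all udp traffic"), which looks like a typo for "FORWARD", the builtin chain the rule hooks into; rename to `OPENVPN_FORWARD_RULES` and "FORWARD all udp traffic" before this becomes the name people copy. The heading on the first added line is a full sentence in level-5 heading position ("##### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL."); shorten it and drop the trailing full stop to match the other example headings. The nested ferm DSL inside the heredoc has lost its indentation (`proto udp {`, `interface tun0 {`, `outerface enp4s0 {` all sit at one space), which makes the block hard to read as an example; indent each nested level.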
@@ -306,6 +358,14 @@ Set list of versions of ip we want ot use.
Default value: $ferm::ip_versions
+##### `content`
+
+Data type: `Optional[String]`
+
+Can only be used for custom chains. It allows you to provide your own ferm rules for this chain. Sets the contents of this custom chain to provided value.
+
+Default value: undef
+
### ferm::ipset
a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets.
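Review bot: the `content` description says "Can only be used for custom chains" but not what happens when it is set on a builtin chain (compile failure or silently ignored); document the behaviour. The data type `Optional[String]` accepts an empty string, unlike the other parameters in this file which use `String[1]`; either tighten it or say that an empty string is meaningful. Since the value is written into the chain verbatim as ferm DSL ("Sets the contents of this custom chain to provided value"), it would be worth stating that the module performs no validation of it, so that callers know not to build it from untrusted input.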