Diffstat (limited to 'REFERENCE.md')
-rw-r--r--  REFERENCE.md | 76
1 files changed, 76 insertions, 0 deletions
diff --git a/REFERENCE.md b/REFERENCE.md index 019c5a4..7e7d518 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -18,6 +18,7 @@ _Private Classes_ **Defined types** * [`ferm::chain`](#fermchain): This defined resource manages ferm/iptables chains +* [`ferm::ipset`](#fermipset): a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. * [`ferm::rule`](#fermrule): This defined resource manages a single rule in a specific chain **Data types** 
@@ -273,6 +274,81 @@ Default value: $ferm::ip_versions Default value: $ferm::ip_versions +### ferm::ipset + +a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. + +* **See also** +http://ferm.foo-projects.org/download/2.1/ferm.html#set + +#### Examples + +##### + +```puppet +ferm::ipset { 'CONSUL': + sets => { + 'internet' => 'ACCEPT' + }, +} +``` + +##### create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table. + +```puppet +ferm::ipset { 'INPUT': + prepend_to_chain => false, + table => 'filter', + ip_version => 'ip6', + sets => { + 'testset01' => 'ACCEPT', + 'anothertestset' => 'DROP' + }, +} +``` + +#### Parameters + +The following parameters are available in the `ferm::ipset` defined type. + +##### `chain` + +Data type: `String[1]` + +name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this. + +Default value: $name + +##### `table` + +Data type: `Ferm::Tables` + +name of the table where we want to apply this. Defaults to `filter` because that's the most common usecase. + +Default value: 'filter' + +##### `ip_version` + +Data type: `Enum['ip','ip6']` + +sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version. + +Default value: 'ip' + +##### `sets` + +Data type: `Hash[String[1], Ferm::Actions]` + +A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`. + +##### `prepend_to_chain` + +Data type: `Boolean` + + + +Default value: `true` + ### ferm::rule This defined resource manages a single rule in a specific chain |
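Review bot: in the first hunk (`@@ -18,6 +18,7 @@`), the new `ferm::ipset` list entry starts lowercase and runs three sentences together, while the neighbouring `ferm::chain` and `ferm::rule` entries are single capitalised one-line summaries; it also says the matches go "at the top of a chain", which the second hunk shows is only the default, since `prepend_to_chain => false` places them at the end. Suggest a summary in the same style as the other entries, for example "Manages ipset matches for a single chain, prepended to the chain by default; one resource covers either IPv4 or IPv6 sets, not both."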
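Review bot: in the second hunk (`@@ -273,6 +274,81 @@`), the `prepend_to_chain` parameter has an empty description (nothing between "Data type: `Boolean`" and "Default value: `true`"), yet it is the parameter with a rule-ordering consequence: with the default `true` the set matches are evaluated before every other rule in the chain, so an `ACCEPT` action for a set short-circuits whatever follows, and with `false` they run after the chain's existing rules. Suggest stating that explicitly, e.g. "Whether to place the set matches before the other rules in the chain (default) or after them." Smaller documentation points in the same hunk: the first example under "#### Examples" has an empty "#####" heading and needs a title; the second example heading "create to matches for IPv6" should read "create two matches for IPv6"; and under `sets`, "For each hash you can provide an action" should read "For each set", since the hash keys are set names and the values are the actions.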