From 8bca772e35c437ec1b750d2bc5fb332cc5d09db6 Mon Sep 17 00:00:00 2001
From: Thore Bödecker
Date: Mon, 22 Jun 2020 16:39:50 +0200
Subject: move OpenVPN example to README.md

This was previously manually added to REFERENCE.md and got overwritten by a freshly generation version of that file. The proper place for this is the README.md which is not automatically generated.
---
 README.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/README.md b/README.md
index f095ce7..262fe9d 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,34 @@ The second rule will disable connection tracking for all other traffic coming in
 This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset.
 
+#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+  proto udp {
+    interface tun0 {
+      outerface enp4s0 {
+        mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+      }
+    }
+  }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+  chain => 'OPENVPN_FORWORD_RULES',
+  content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+  chain => 'FORWARD',
+  action => 'OPENVPN_FORWORD_RULES',
+  saddr => '10.8.0.0/24',
+  proto => 'udp',
+}
+```
+
 ## Reference
 
 All parameters are documented within the classes. We generate markdown
-- 
cgit v1.2.3