move OpenVPN example to README.md

This was previously manually added to REFERENCE.md and got overwritten
by a freshly generation version of that file.
The proper place for this is the README.md which is not automatically
generated.

diff --git a/README.md b/README.md
index f095ce768028fb68c1f484895cc0a68c15ee38ca..262fe9da78b689085d057f9cf43cbb1cdf4006bb 100644 (file)
--- a/README.md
+++ b/README.md
@@ -159,6 +159,34 @@ The second rule will disable connection tracking for all other traffic coming in
 
 This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset.
 
+#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+  proto udp {
+    interface tun0 {
+      outerface enp4s0 {
+        mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+      }
+    }
+  }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+  chain   => 'OPENVPN_FORWORD_RULES',
+  content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+  chain     => 'FORWARD',
+  action    => 'OPENVPN_FORWORD_RULES',
+  saddr     => '10.8.0.0/24',
+  proto     => 'udp',
+}
+```
+
 ## Reference
 
 All parameters are documented within the classes. We generate markdown