### ferm
-Class: ferm
+This class manages ferm installation and rule generation on modern linux systems
#### Examples
Data type: `Optional[Ferm::Policies]`
Set the default policy for CHAIN (works only for builtin chains)
-Default value: undef
Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
Default value: `undef`
Data type: `String[1]`
Name of the chain that should be managed
-Default value: $name (resource name)
Allowed values: String[1]
Default value: $name
Data type: `Ferm::Tables`
Select the target table (filter/raw/mangle/nat)
-Default value: 'filter'
Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
Default value: 'filter'
Data type: `Array[Enum['ip','ip6']]`
Set list of versions of ip we want ot use.
-Default value: $ferm::ip_versions
Default value: $ferm::ip_versions
#### Examples
-#####
+##### Create an iptables rule that allows traffic that matches the ipset `internet`
```puppet
ferm::ipset { 'CONSUL':
}
```
-##### create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+##### create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
```puppet
ferm::ipset { 'INPUT':
The following parameters are available in the `ferm::ipset` defined type.
+##### `sets`
+
+Data type: `Hash[String[1], Ferm::Actions]`
+
+A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+
##### `chain`
Data type: `String[1]`
Default value: 'ip'
-##### `sets`
-
-Data type: `Hash[String[1], Ferm::Actions]`
-
-A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
-
##### `prepend_to_chain`
Data type: `Boolean`
-
+By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
Default value: `true`
# @param disable_conntrack Disable/Enable usage of conntrack
# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
# @param policy Set the default policy for CHAIN (works only for builtin chains)
-# Default value: undef
# Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
# @param chain Name of the chain that should be managed
-# Default value: $name (resource name)
# Allowed values: String[1]
# @param table Select the target table (filter/raw/mangle/nat)
-# Default value: 'filter'
# Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
# @param ip_versions Set list of versions of ip we want ot use.
-# Default value: $ferm::ip_versions
+#
define ferm::chain (
Boolean $disable_conntrack,
Boolean $log_dropped_packets,
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::config {
# this is a private class
-# Class: ferm
-#
# @summary This class manages ferm installation and rule generation on modern linux systems
#
# @example deploy ferm without any configured rules, but also don't start the service or modify existing config files
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::install {
# this is a private class
#
# @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
#
-# @example
+# @example Create an iptables rule that allows traffic that matches the ipset `internet`
# ferm::ipset { 'CONSUL':
# sets => {
# 'internet' => 'ACCEPT'
# },
# }
#
-# @example create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
# ferm::ipset { 'INPUT':
# prepend_to_chain => false,
# table => 'filter',
# },
# }
#
+# @param sets
+# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
# @param chain
# name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
#
# @param ip_version
# sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
#
-# @param sets
-# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+# @param prepend_to_chain
+# By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
#
define ferm::ipset (
Hash[String[1], Ferm::Actions] $sets,
+#
# @api private
-# This class handles the configuration file. Avoid modifying private classes.
+#
+# @summary This class handles the configuration file. Avoid modifying private classes.
+#
class ferm::service {
# this is a private class
projects / puppet-ferm.git / commitdiff