From: Thore Bödecker Date: Mon, 22 Jun 2020 14:39:50 +0000 (+0200) Subject: move OpenVPN example to README.md X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=8bca772e35c437ec1b750d2bc5fb332cc5d09db6;p=puppet-ferm.git move OpenVPN example to README.md This was previously manually added to REFERENCE.md and got overwritten by a freshly generation version of that file. The proper place for this is the README.md which is not automatically generated.
---
diff --git a/README.md b/README.md
index f095ce7..262fe9d 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,34 @@ The second rule will disable connection tracking for all other traffic coming in
 This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset.
+#### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+}
+```
+
 ## Reference
 All parameters are documented within the classes. We generate markdown