nft

configure nftables firewalls using puppet

Version information

  • 0.0.11 (latest)
  • 0.0.10
  • 0.0.9
  • 0.0.8
  • 0.0.7
  • 0.0.6
  • 0.0.5
  • 0.0.4
  • 0.0.3
  • 0.0.2
released Jul 9th 2025
This version is compatible with:
  • Puppet Enterprise 2025.4.x, 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 9.0.0
  • Debian, Rocky, RedHat

Start using this module

Add this module to your Puppetfile:

mod 'weasel-nft', '0.0.11'

Add this module to your Bolt project:

bolt module add weasel-nft

Manually install this module globally with Puppet module tool:

puppet module install weasel-nft --version 0.0.11

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

weasel/nft — version 0.0.11 Jul 9th 2025

noreply nftables Puppet module

Overview

This nft module provides building blocks for making an nftables firewall using puppet. It does not come with a policy but it provides the infrastructure for building your own.

Usage

Here's an example:

# local noreply.org nft policies
class my_nft() {
  $log_limit_rate = '5/minute burst 5 packets'
  $reject_rate = '60/minute burst 120 packets'

  class{ 'nft': }

  nft::chain{ 'input': }
  nft::chain{ 'forward': }
  nft::chain{ 'output': }

  nft::chain{ 'services_tcp': }
  nft::chain{ 'services_udp': }

  nft::rule{
    'iif lo counter accept': order => 100;
    'meta l4proto icmp counter accept': order => 101;
    'meta l4proto ipv6-icmp counter accept': order => 101;

    'ct state established,related counter accept': order => 110;

    'meta l4proto tcp counter jump services_tcp': order => 1200;
    'meta l4proto udp counter jump services_udp': order => 1201;
    'goto log_reject_drop': order => 9900;
  }

  nft::chain{ 'log_reject_drop':
    rules => [
      "limit rate ${log_limit_rate} log flags all counter",
      "limit rate ${reject_rate} meta l4proto tcp counter reject with tcp reset",
      "limit rate ${reject_rate} meta l4proto != tcp counter reject with icmpx type admin-prohibited",
      'counter drop',
    ]
  }

  include my_nft::rule::ssh
}

# Allow ssh either from everywhere or from the networks in src
#
# @param src Hosts to allow ssh connections from
class my_nft::rule::ssh(
  Optional[Array[Stdlib::IP::Address]] $src = undef,
) {
  if $src =~ Undef {
    nft::rule{ 'allow-ssh':
      rule  => 'tcp dport ssh counter accept',
      chain => 'services_tcp',
    }
  } else {
    $ip4 = $src.filter |$a| { $a !~ Stdlib::IP::Address::V6 }
    $ip6 = $src.filter |$a| { $a =~ Stdlib::IP::Address::V6 }

    nft::rule{ 'allow-ssh4':
      rule  => "tcp dport ssh ip  saddr { ${ip4.join(', ')} } counter accept",
      chain => 'services_tcp',
    }
    nft::rule{ 'allow-ssh6':
      rule  => "tcp dport ssh ip6 saddr { ${ip6.join(', ')} } counter accept",
      chain => 'services_tcp',
    }
  }
}
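One edge case in the my_nft::rule::ssh class above is worth handling: if $src holds only IPv4 addresses (or is an empty array), $ip6 is empty and the rendered rule becomes "ip6 saddr { } counter accept", and nft rejects an empty anonymous set, so the whole ruleset load fails and the host is left with whatever policy was previously active. The following variant is an added example, not code from the weasel/nft module or its README; it assumes puppetlabs-stdlib for the Stdlib::IP::Address::V4/V6 types and only emits a rule when its address list is non-empty.

```puppet
# Added example (not part of the weasel/nft module): my_nft::rule::ssh
# rewritten so that an address family with no entries produces no rule,
# instead of an invalid empty set that makes nft refuse the ruleset.
#
# @param src Hosts or networks allowed to open ssh connections; undef means everywhere
class my_nft::rule::ssh_safe(
  Optional[Array[Stdlib::IP::Address]] $src = undef,
) {
  if $src =~ Undef {
    # No restriction requested: accept ssh from any source.
    nft::rule{ 'allow-ssh':
      rule  => 'tcp dport ssh counter accept',
      chain => 'services_tcp',
    }
  } else {
    # Split by address family; matching on the V4 type explicitly avoids
    # letting a malformed entry fall through into the IPv4 rule.
    $ip4 = $src.filter |$a| { $a =~ Stdlib::IP::Address::V4 }
    $ip6 = $src.filter |$a| { $a =~ Stdlib::IP::Address::V6 }

    # Only declare the IPv4 rule when there is at least one IPv4 entry,
    # since "ip saddr { }" is a syntax error for nft.
    unless $ip4.empty {
      nft::rule{ 'allow-ssh4':
        rule  => "tcp dport ssh ip saddr { ${ip4.join(', ')} } counter accept",
        chain => 'services_tcp',
      }
    }

    # Same guard for IPv6.
    unless $ip6.empty {
      nft::rule{ 'allow-ssh6':
        rule  => "tcp dport ssh ip6 saddr { ${ip6.join(', ')} } counter accept",
        chain => 'services_tcp',
      }
    }
  }
}

# Constructed usage: IPv4-only sources, so only allow-ssh4 is declared
# and no ssh rule exists for IPv6 traffic (it falls through to log_reject_drop).
class { 'my_nft::rule::ssh_safe':
  src => ['192.0.2.0/24', '198.51.100.7'],
}
```

Note that with an empty array ([]) neither rule is declared, which is a deliberate deny-all for ssh rather than the silent compile-time success and runtime nft failure the unguarded version would give.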

And another one:

class mprofiles::puppetagent (
) {
# [...]
# $addresses = [...]

  # export a firewall rule to the puppet server
  @@nft::simple{ "puppet-${trusted['certname']}":
    tag   => "to-${server_facts['servername']}",
    saddr => $addresses,
    chain => 'puppetserver',
  }
}

class mprofiles::puppetserver (
) {
  nft::chain{ 'puppetserver': }
  nft::rule{ 'tcp dport 8140 counter jump puppetserver': chain => 'services_tcp' }

  # Collect firewall rules exported to us
  Nft::Simple <<| tag == "to-${trusted['certname']}" |>>
}