Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'weasel-nft', '0.0.10'
Learn more about managing modules with a Puppetfile in the Puppet documentation.
noreply nftables Puppet module
Overview
This nft module provides building blocks for making an nftables firewall using Puppet.
It does not come with a policy but it provides the infrastructure for building your own.
Usage
Here's an example:
# local noreply.org nft policies
class my_nft() {
  $log_limit_rate = '5/minute burst 5 packets'
  $reject_rate = '60/minute burst 120 packets'

  class{ 'nft': }

  nft::chain{ 'input': }
  nft::chain{ 'forward': }
  nft::chain{ 'output': }
  nft::chain{ 'services_tcp': }
  nft::chain{ 'services_udp': }

  nft::rule{
    'iif lo counter accept': order => 100;
    'meta l4proto icmp counter accept': order => 101;
    'meta l4proto ipv6-icmp counter accept': order => 101;
    'ct state established,related counter accept': order => 110;
    'meta l4proto tcp counter jump services_tcp': order => 1200;
    'meta l4proto udp counter jump services_udp': order => 1201;
    'goto log_reject_drop': order => 9900;
  }

  nft::chain{ 'log_reject_drop':
    rules => [
      "limit rate ${log_limit_rate} log flags all counter",
      "limit rate ${reject_rate} meta l4proto tcp counter reject with tcp reset",
      "limit rate ${reject_rate} meta l4proto != tcp counter reject with icmpx type admin-prohibited",
      'counter drop',
    ]
  }

  include my_nft::rule::ssh
}

# Allow ssh either from everywhere or from the networks in src
#
# @param src Hosts to allow ssh connections from
class my_nft::rule::ssh(
  Optional[Array[Stdlib::IP::Address]] $src = undef,
) {
  if $src =~ Undef {
    nft::rule{ 'allow-ssh':
      rule  => 'tcp dport ssh counter accept',
      chain => 'services_tcp',
    }
  } else {
    $ip4 = $src.filter |$a| { $a !~ Stdlib::IP::Address::V6 }
    $ip6 = $src.filter |$a| { $a =~ Stdlib::IP::Address::V6 }
    # Only emit a rule for an address family that actually has sources;
    # an empty "{ }" set would not be valid nftables syntax.
    unless $ip4.empty {
      nft::rule{ 'allow-ssh4':
        rule  => "tcp dport ssh ip saddr { ${ip4.join(', ')} } counter accept",
        chain => 'services_tcp',
      }
    }
    unless $ip6.empty {
      nft::rule{ 'allow-ssh6':
        rule  => "tcp dport ssh ip6 saddr { ${ip6.join(', ')} } counter accept",
        chain => 'services_tcp',
      }
    }
  }
}
And another one:
class mprofiles::puppetagent (
) {
  # [...]
  # $addresses = [...]

  # export a firewall rule to the puppet server
  @@nft::simple{ "puppet-${trusted['certname']}":
    tag   => "to-${server_facts['servername']}",
    saddr => $addresses,
    chain => 'puppetserver',
  }
}

class mprofiles::puppetserver (
) {
  nft::chain{ 'puppetserver': }
  nft::rule{ 'tcp dport 8140 counter jump puppetserver': chain => 'services_tcp' }

  # Collect firewall rules exported to us
  Nft::Simple <<| tag == "to-${trusted['certname']}" |>>
}
Reference
Table of Contents
Classes
nft
: Initialize nft, the noreply nftables puppet module. This sets up the staging directory and files, installs nftables and activates the service.
Defined types
nft::chain
: Create a nftables chain in the nftables config file.
nft::file
: Create a chain for nft to stage content in. This is a module internal type, you should never need to use it from outside.
nft::fragment
: Add a fragment to a staging file created by nft::file. This is a module internal type, you should never need to use it from outside.
nft::object
: Create an nftables.conf "define" set. This is static and can then be referenced in other nftables like things.
nft::object_impl
: The backend implementation of the nft::object front. This type knows its address types.
nft::rule
: Create a rule in our nftables config. Rules live in chains that belong to tables.
nft::set
: Create an nftables named set in the nftables config file.
nft::simple
: A simple rule from IP addresses to a TCP or UDP port. This is meant to abstract the most common instances of nftables rules.
Functions
nft::af_filter_address_set_object
: Find the elements of a given address family for an address, set, or object as passed into nft::simple.
Data types
Nft::AddressFamily
: An nftables address family, cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Address_Families
Nft::ChainHook
: The list of chain hooks in nftables, cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Address_Families
Nft::ChainPriority
: The priority strings that are accepted for base chains, cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Chains
Nft::ChainType
: The nftables chain types, cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Chains
Nft::Objectdefine
: Nftables.conf define, during definition (i.e. without the $), cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Nft::Objectreference
: Nftables.conf define when used (i.e. with the $), cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Nft::Objectreference_internal
: Nftables.conf define when used (i.e. with the $), including internal objects, cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Nft::Port
: Nftables.conf port, either a number or a string from /etc/services
Nft::Portrange
: Nftables.conf portrange
Nft::Setflag
: Nftables named set flags, cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Nft::Setname
: Nftables name of a named set, cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Nft::Setreference
: Nftables reference to a set with @, cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Nft::Settype
: Nftables named set types, cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Nft::String
: What defines an nftables string, cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Data_Types
Classes
nft
Initialize nft, the noreply nftables puppet module.
This sets up the staging directory and files and installs nftables and activates the service. No policy is shipped with this module, it needs to be provided by other puppet code using nft.
Parameters
The following parameters are available in the nft class:
dir_test
Data type: Stdlib::AbsolutePath
Staging directory
Default value: '/etc/.nftables-staging'
dir_prod
Data type: Stdlib::AbsolutePath
Production directory for the live, tested rules
Default value: '/etc/nftables'
main_test
Data type: Stdlib::AbsolutePath
Staging config file that sources everything else
Default value: "${dir_test}/main.conf"
main_prod
Data type: Stdlib::AbsolutePath
Production config file that sources everything else
Default value:
$facts['os']['family'] ? {
  'Debian' => '/etc/nftables.conf',
  'RedHat' => '/etc/sysconfig/nftables.conf',
  default  => '/etc/nftables.conf',
}
flush_ruleset
Data type: Variant[Boolean, String]
Whether to flush the ruleset at the start, or which tables to flush. In general, this probably always wants to be true. However, if you manage for instance the inet table with this module and say the ip table by some other means, this can be set to just 'inet'.
Default value: true
service_enable
Data type: Boolean
enable the nftables service
Default value: true
service_ensure
Data type: Enum['running', 'stopped']
whether to have the service running or stopped
Default value: if ($service_enable) { 'running' } else { 'stopped' }
Defined types
nft::chain
Create a nftables chain in the nftables config file
Chains come in two forms: base chains are chains that the kernel hooks into while processing a packet. These chains may then also jump to non-base-chains. See the netfilter documentation for more details.
Examples
nft::chain{ 'input': }
nft::chain{ 'forward': }
nft::chain{ 'output': }
nft::chain{ 'log_reject_drop':
  rules => [
    "limit rate 5/minute burst 5 packets log flags all counter",
    "limit rate 60/minute burst 120 packets meta l4proto tcp counter reject with tcp reset",
    "limit rate 60/minute burst 120 packets meta l4proto != tcp counter reject with icmpx type admin-prohibited",
    'counter drop',
  ]
}
Parameters
The following parameters are available in the nft::chain defined type:
chain
Data type: Nft::String
The name of the chain
Default value: $name
af
Data type: Nft::AddressFamily
Address family (inet, ip, ip6, etc)
Default value: 'inet'
table
Data type: Nft::String
The name of the table
Default value: 'filter'
base_chain
Data type: Boolean
Whether this is a base chain
If so, we add hooks and need to define hook, type, and priority.
Default value: $chain =~ Nft::ChainHook
hook
Data type: Optional[Nft::ChainHook]
If a base chain, the name of the hook
Default value: if $base_chain { $chain } else { undef }
type
Data type: Optional[Nft::ChainType]
If a base chain, the type of this chain (filter, nat, route)
Default value: if $base_chain { $table } else { undef }
priority
Data type: Optional[Nft::ChainPriority]
If a base chain, the priority of this chain.
Default value:
if $base_chain {
  "${table}-${chain}" ? {
    'nat-prerouting'    => 'dstnat',
    'nat-postrouting'   => 'srcnat',
    'filter-prerouting' => 'raw',
    default             => 'filter',
  }
} else { undef }
rules_order
Data type: Integer
If we pass a set of rules to this chain here, at what order number to add it to the concat.
Default value: 0
rules
Data type: Optional[Array[String]]
A list of rules to pass here directly. More can be added later using nft::rule.
Default value: undef
nft::file
Create a chain for nft to stage content in
This is a module internal type, you should never need to use it from outside.
Parameters
The following parameters are available in the nft::file defined type:
filename
Data type: String
Base name of the file (without path or extension)
Default value: regsubst($name, '[^a-zA-Z0-9.,_=-]', '_' ,'G')
extension
Data type: String
String to append to the filename
Default value: '.nft'
nft::fragment
Add a fragment to a staging file created by nft::file
This is a module internal type, you should never need to use it from outside.
Parameters
The following parameters are available in the nft::fragment defined type:
target
Data type: String
Where in our nftables config this should end up. Usually this is a per-chain file.
source
Data type: Optional[String]
Source to pass to concat::fragment
Default value: undef
content
Data type: Optional[String]
Content to pass to concat::fragment
Default value: undef
order
Data type: Optional[Integer]
Order to pass to concat::fragment
Default value: undef
nft::object
Create an nftables.conf "define" set. This is static and can then be referenced in other nftables like things
Implicitly, we also create __4_ and __6_ objects with just the IPv4 and IPv6 elements of the object. If the object is not an address object, these will usually be empty.
Example: nft::object{ 'SIMPLE_SET': elements => [ '192.168.1.1', '192.168.1.2' ], }
Example: nft::object{ 'CDN': elements => [ '$CDN_EDGE', '$CDN_MONITORS' ] }
Parameters
The following parameters are available in the nft::object defined type:
object_name
Data type: Nft::Objectdefine
The name of the object, in capital letters.
Default value: $name
elements
Data type: Array[String]
A list of elements in this set. Currently, no syntax checking is done in the puppet module.
Default value: []
nft::object_impl
The backend implementation of the nft::object front.
This type knows its address types.
An object may not have address elements/objects and non-address elements/objects at the same time.
Example: nft::object_impl{ 'SIMPLE_SET': ipv4_elements => [ '192.168.1.1', '192.168.1.2' ], }
Parameters
The following parameters are available in the nft::object_impl defined type:
object_name
ipv4_elements
ipv6_elements
ipv4_objects
ipv6_objects
non_addr_elements
non_addr_objects
have_ipv4
have_ipv6
object_name
Data type: Nft::Objectdefine
The name of the object, in capital letters.
Default value: $name
ipv4_elements
Data type: Array[Stdlib::IP::Address::V4]
IPv4 Addresses in this object
Default value: []
ipv6_elements
Data type: Array[Stdlib::IP::Address::V6]
IPv6 Addresses in this object
Default value: []
ipv4_objects
Data type: Array[Nft::Objectdefine]
IPv4 Object names referenced by this object
Default value: []
ipv6_objects
Data type: Array[Nft::Objectdefine]
IPv6 Object names referenced by this object
Default value: []
non_addr_elements
Data type: Array[String]
Non-Address elements in this object
Default value: []
non_addr_objects
Data type: Array[Nft::Objectdefine]
Non-Address Object names referenced by this object
Default value: []
have_ipv4
Data type: Boolean
Is an object that includes IPv4 elements directly or via referenced objects. This must be set by the caller, as computing it here is too late: objects get evaluated lazily, and when we access this via e.g. the af_filter_address_set_object function, we need the correct values.
have_ipv6
Data type: Boolean
Is an object that includes IPv6 elements directly or via referenced objects. Just like have_ipv4, this must be set by the caller and for the same reasons.
nft::rule
Create a rule in our nftables config
Rules live in chains that belong to tables. Refer to the nftables documentation for how to write rules. Also see nft::simple for a more abstracted way of adding rules.
Examples
nft::chain{ 'input': }
nft::chain{ 'services_tcp': }
nft::rule{
  'iif lo counter accept': order => 100;
  'meta l4proto icmp counter accept': order => 101;
  'meta l4proto ipv6-icmp counter accept': order => 101;
  'ct state established,related counter accept': order => 110;
  'meta l4proto tcp counter jump services_tcp': order => 20;
  'counter drop': order => 9000;
}
nft::rule{ 'allow-https':
  rule  => 'tcp dport https counter accept',
  chain => 'services_tcp',
}
Parameters
The following parameters are available in the nft::rule defined type:
rule
Data type: Variant[String,Array[String]]
The actual nftables rule.
Default value: $name
chain
Data type: Nft::String
The name of the chain
Default value: 'input'
af
Data type: Nft::AddressFamily
Address family (inet, ip, ip6, etc)
Default value: 'inet'
table
Data type: Nft::String
The name of the table
Default value: 'filter'
description
Data type: Optional[String]
A description or comment for this rule to put into the nftables config
Default value: undef
order
Data type: Integer
Where to put this rule in the concat file
Default value: 200
nft::set
Create an nftables named set in the nftables config file
Example: nft::set{ 'authnft-pape': type => 'ipv4_addr', flags => [ 'timeout' ], }
Parameters
The following parameters are available in the nft::set defined type:
setname
Data type: Nft::Setname
The name of the set
Default value: $name
af
Data type: Nft::AddressFamily
Address family (inet, ip, ip6, etc)
Default value: 'inet'
table
Data type: Nft::String
The name of the table
Default value: 'filter'
type
Data type: Nft::Settype
The type of the objects in this set (cf Nft::Settype)
flags
Data type: Array[Nft::Setflag]
A list of flags for this set (cf Nft::Setflag)
Default value: []
nft::simple
A simple rule from IP addresses to a TCP or UDP port
This is meant to abstract the most common instances of nftables rules. It will never be a way to do them all, nor is that the intention.
Examples
nft::simple { 'allow-web':
  dport => [80, 443],
}

nft::simple { 'allow-ssh':
  dport   => 22,
  iifname => 'mgmt',
}

allow-ssh
nft::simple { 'allow-ssh':
  iifname => 'mgmt',
  dport   => 22,
  saddr   => ['10.0.0.0/8', '172.16.0.0/12'],
}

from networks
nft::simple{ 'allow-mta-submission':
  saddr => $my_networks,
  dport => 587,
}

in a different chain
nft::simple{ "allow-extra-ssh":
  chain => 'ssh-filter',
  saddr => $src_address,
}

allow-dns
nft::simple { 'allow-dns':
  dport => 'domain',
  proto => ['tcp', 'udp'],
}

nft::simple { 'from-guest-wifi':
  iifname => 'wlan0',
  action  => 'jump from-guests',
}

# do not track the incoming traffic
nft::simple { "prerouting-notrack-${title}-${proto}":
  chain   => 'prerouting',
  iifname => $interface,
  proto   => $proto,
  dport   => $incoming_dport,
  sport   => $incoming_sport,
  action  => 'notrack',
}

nat
nft::chain { 'prerouting':
  table => 'nat',
}
nft::simple { 'redirect-incoming-gerrit-ssh':
  chain  => 'prerouting',
  table  => 'nat',
  daddr  => $gerrit_service_ip,
  dport  => 22,
  action => "redirect to :${gerrit_ssh_port}",
}
Parameters
The following parameters are available in the nft::simple defined type:
saddr
daddr
saddr_not
daddr_not
dport
sport
proto
chain
af
table
description
iif
oif
iifname
oifname
order
counter
log_rule
action
snat
saddr
Data type:
Optional[Variant[ Stdlib::IP::Address, Nft::Objectreference, Nft::Setreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]]
A list of source addresses. If not provided, allow from everywhere, but see the explanation at daddr.
Default value: undef
daddr
Data type:
Optional[Variant[ Stdlib::IP::Address, Nft::Objectreference, Nft::Setreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]]
A list of destination addresses. If not provided, allow to everywhere.
Note that the interaction with different address families is tricky.
- If saddr and daddr are empty, then IPv4 and IPv6 are allowed.
- If saddr and/or daddr only have addresses of one address family, then only that address family is allowed.
- If the union of saddr and daddr have both IPv4 and IPv6, then both are processed, with saddr and daddr filtering based on the given lists, with an empty list (after AF filtering) meaning everything is allowed.
Default value: undef
saddr_not
Data type:
Optional[Variant[ Stdlib::IP::Address, Nft::Objectreference, Nft::Setreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]]
A negative list of source addresses
Default value: undef
daddr_not
Data type:
Optional[Variant[ Stdlib::IP::Address, Nft::Objectreference, Nft::Setreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]]
A negative list of destination addresses
Default value: undef
dport
Data type: Optional[Variant[Nft::Port, Nft::Portrange, Array[Variant[Nft::Port, Nft::Portrange], 1]]]
A target port (port number or service name from /etc/services), a range of ports (a string of the form "first-last", cf. Nft::Portrange), or a list of these. If not provided, do not match on ports.
Default value: undef
sport
Data type: Optional[Variant[Nft::Port, Nft::Portrange, Array[Variant[Nft::Port, Nft::Portrange], 1]]]
Source ports in the same way as dport.
Default value: undef
proto
Data type: Optional[Variant[Enum['tcp', 'udp'], Integer, Array[Enum['tcp', 'udp']]]]
Whether this is TCP or UDP or something else (given as a protocol number). Providing sport and dport may or may not make sense for a given protocol. Defaults to 'tcp' if ports are given, none otherwise. Using a set (i.e. a list such as ['tcp', 'udp']) is also possible.
Default value: if ($sport !~ Undef or $dport !~ Undef) { 'tcp' } else { undef }
chain
Data type: Nft::String
The name of the chain
Default value: 'input'
af
Data type: Nft::AddressFamily
Address family (inet, ip, ip6, etc)
Default value: 'inet'
table
Data type: Nft::String
The name of the table
Default value: 'filter'
description
Data type: Optional[String]
A description or comment for this rule to put into the nftables config
Default value: undef
iif
Data type: Optional[Variant[String,Array[String, 1]]]
A list of in-interfaces to match; if not provided, do not match on interfaces.
Default value: undef
oif
Data type: Optional[Variant[String,Array[String, 1]]]
A list of out-interfaces to match; if not provided, do not match on interfaces.
Default value: undef
iifname
Data type: Optional[Variant[String,Array[String, 1]]]
A list of in-interface-names to match; if not provided, do not match on interface names.
Default value: undef
oifname
Data type: Optional[Variant[String,Array[String, 1]]]
A list of out-interface-names to match; if not provided, do not match on interface names.
Default value: undef
order
Data type: Optional[Integer]
Where to put this rule in the concat file
Default value: undef
counter
Data type: Boolean
Whether to add a counter to this rule
Default value: true
log_rule
Data type: Optional[Pattern[/\Alog.*\z/]]
Log rule to add before the final action
Default value: undef
action
Data type: Optional[String]
What to do with matches (accept, drop, ..)
Default value: undef
snat
Data type: Optional[Variant[Stdlib::IP::Address, Nft::Objectreference]]
Address to source nat to (mutually exclusive with other action items)
Default value: undef
Functions
nft::af_filter_address_set_object
Type: Puppet Language
Find the elements of a given address family for an address, set, or object as passed into nft::simple.
For object references, replace by the corresponding __4_ or __6_ object (cf. nft::object).
`nft::af_filter_address_set_object(Optional[Variant[ Stdlib::IP::Address, Nft::Setreference, Nft::Objectreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]] $filter_element, Enum['v4', 'v6'] $test_target)`
Returns: Variant[ Array[Variant[Stdlib::IP::Address::V4, Nft::Objectreference, Nft::Objectreference_internal]], Array[Variant[Stdlib::IP::Address::V6, Nft::Objectreference, Nft::Objectreference_internal]], Array[Nft::Setreference, 1, 1] ]
The addresses and sets in that list of the given address family
filter_element
Data type:
Optional[Variant[ Stdlib::IP::Address, Nft::Setreference, Nft::Objectreference,
Array[Variant[Stdlib::IP::Address, Nft::Objectreference]]]]
The address, set, or list to filter
test_target
Data type: Enum['v4', 'v6']
v4 or v6
Data types
Nft::AddressFamily
An nftables address family cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Address_Families
Alias of Enum['inet', 'ip', 'ip6', 'arp', 'bridge', 'netdev']
Nft::ChainHook
The list of chain hooks in nftables cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Address_Families
Alias of Enum['ingress', 'prerouting', 'input', 'forward', 'output', 'postrouting']
Nft::ChainPriority
The priority strings that are accepted for base chains cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Chains
Alias of Variant[Integer, Enum['raw', 'mangle', 'dstnat', 'filter', 'security', 'srcnat']]
Nft::ChainType
The nftables chain types cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Chains
Alias of Enum['filter', 'nat', 'route']
Nft::Objectdefine
Nftables.conf define, during definition (i.e. without the $) cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Alias of Pattern[/\A[A-Z][A-Z0-9_]*\z/]
Nft::Objectreference
Nftables.conf define when used (i.e. with the $) cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Alias of Pattern[/\A\$[A-Z][A-Z0-9_]*\z/]
Nft::Objectreference_internal
Nftables.conf define when used (i.e. with the $) cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets#nftables.conf_syntax
Including internal objects
Alias of Pattern[/\A\$__[46]_[A-Z][A-Z0-9_]*\z/]
Nft::Port
Nftables.conf port, either a number or a string from /etc/services
Alias of Variant[Stdlib::Port, Pattern[/\A[a-z][a-z0-9-]*\z/]]
Nft::Portrange
Nftables.conf portrange
Alias of Pattern[/\A[0-9]+-[0-9]+\z/]
Nft::Setflag
Nftables named set flags cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Alias of Enum['constant', 'interval', 'timeout']
Nft::Setname
Nftables name of a named set cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Alias of Pattern[/\A[a-z][a-z0-9_-]*\z/]
Nft::Setreference
Nftables reference to a set with @ cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Alias of Pattern[/\A@[a-z][a-z0-9_-]*\z/]
Nft::Settype
Nftables named set types cf. https://wiki.nftables.org/wiki-nftables/index.php/Sets
Alias of Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark', 'ifname']
Nft::String
What defines an nftables string cf. https://www.netfilter.org/projects/nftables/manpage.html or https://www.mankier.com/8/nft#Data_Types
Alias of Pattern[/\A[a-zA-Z_][a-zA-Z0-9\/_.-]*\z/]
Change log
0.0.10 (2024-07-01)
Significant Changes
- nft::simple changes the matching logic for empty saddr/daddr lists: if the list is defined (i.e. not undef) but empty, no rule is generated (the logic is that the empty set is never matched). This is in particular true for mixed v4/v6 lists: if, after filtering, either saddr or daddr is empty for one of the two address families, no rule is generated for that family. For saddr_not and daddr_not, an empty list will still cause a rule to be created (with no filter on saddr/daddr).
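A constructed Python model of the address-family behaviour described for daddr in the nft::simple reference above and in this 0.0.10 change-log entry, added here as an illustration; it is not the weasel-nft module's own code. It assumes the rendered rule text follows the `ip saddr { ... } tcp dport N counter accept` shape of the usage examples, treats set and object references as applying to both families (the real module consults the object's have_ipv4/have_ipv6 flags), and prefixes a `meta nfproto` match of its own when a per-family rule would otherwise carry no address match.

```python
import ipaddress
import re

# Shapes of Nft::Objectreference and Nft::Setreference from the module's data types.
OBJREF = re.compile(r"\A\$[A-Z][A-Z0-9_]*\Z")
SETREF = re.compile(r"\A@[a-z][a-z0-9_-]*\Z")


def af_filter(elements, af):
    """Members of `elements` (str, list or None) that apply to family af ('v4'/'v6'),
    like nft::af_filter_address_set_object: object refs become $__4_/$__6_ objects,
    set refs are kept for both families (assumption), None (undef) means no filter."""
    if elements is None:
        return None
    out = []
    for e in ([elements] if isinstance(elements, str) else elements):
        if SETREF.match(e):
            out.append(e)
        elif OBJREF.match(e):
            out.append(f"$__{af[1]}_{e[1:]}")
        elif ipaddress.ip_network(e, strict=False).version == int(af[1]):
            out.append(e)
    return out


def _families(*lists):
    """Address families present in the given saddr/daddr lists."""
    fams = set()
    for lst in lists:
        for e in ([lst] if isinstance(lst, str) else lst or []):
            is_ref = SETREF.match(e) or OBJREF.match(e)
            fams |= {"v4", "v6"} if is_ref else {f"v{ipaddress.ip_network(e, strict=False).version}"}
    return fams


def _match(keyword, elems):
    """'ip saddr { a, b } ' or 'ip6 daddr != x '; empty string when there is no filter."""
    if not elems:
        return ""
    return f"{keyword} " + (elems[0] if len(elems) == 1 else "{ " + ", ".join(elems) + " }") + " "


def simple_rules(saddr=None, daddr=None, saddr_not=None, daddr_not=None,
                 dport=None, proto=None, action="accept", counter=True):
    """Rule strings one nft::simple declaration contributes to an inet-table chain."""
    proto = "tcp" if proto is None and dport is not None else proto   # documented default
    protos = [proto] if isinstance(proto, (str, int)) else (proto or [])
    ports = [dport] if isinstance(dport, (str, int)) else (dport or [])
    port_expr = "" if not ports else " dport " + (
        str(ports[0]) if len(ports) == 1 else "{ " + ", ".join(map(str, ports)) + " }")
    if len(protos) == 1:
        p = protos[0]
        tail = (f"meta l4proto {p}" if isinstance(p, int) else p) + port_expr + " "
    elif protos:
        tail = f"meta l4proto {{ {', '.join(protos)} }} th{port_expr} "
    else:
        tail = ""
    tail += ("counter " if counter else "") + action

    if saddr is None and daddr is None and not saddr_not and not daddr_not:
        return [tail]                                   # one rule covering both families
    fams = {"v4", "v6"} if saddr is None and daddr is None else _families(saddr, daddr)
    rules = []
    for af in sorted(fams):
        ipkw = "ip" if af == "v4" else "ip6"
        expr, skip = "", False
        for key, lst in (("saddr", saddr), ("daddr", daddr)):
            filtered = af_filter(lst, af)
            skip |= filtered == []          # defined but empty: the empty set never matches
            expr += _match(f"{ipkw} {key}", filtered)
        for key, lst in (("saddr", saddr_not), ("daddr", daddr_not)):
            expr += _match(f"{ipkw} {key} !=", af_filter(lst, af))
        if not expr:                        # model's choice: keep the rule family-specific
            expr = f"meta nfproto {'ipv4' if af == 'v4' else 'ipv6'} "
        if not skip:
            rules.append(expr + tail)
    return rules
```

Note the mixed case: an IPv4-only saddr with an IPv6-only daddr yields no rule at all, because each family ends up with one empty list.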
Dependencies
- puppetlabs/stdlib (>= 4.25.0 < 9.0.0)
- puppetlabs/concat (>= 1.0.0 < 8.0.0)