Mercurial > repos > other > Puppet
annotate modules/firewall/REFERENCE.md @ 447:1a9de0661666
Add missing package/dir for minimal Ubuntu
Minimal is minimal - no locale, no cron, and some dirs do not
exist
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Mon, 08 May 2023 19:24:20 +0100 |
| parents | 66c406eec60d |
| children | adf6fe9bbc17 |
| rev | line source |
|---|---|
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1 # Reference |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
2 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
3 <!-- DO NOT EDIT: This document was generated by Puppet Strings --> |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
4 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
5 ## Table of Contents |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
6 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
7 ### Classes |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
8 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
9 #### Public Classes |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
10 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
11 * [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
12 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
13 #### Private Classes |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 * `firewall::linux`: Main linux class, includes all other classes |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 * `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 * `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 * `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
19 * `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 * `firewall::params`: Provides defaults for the Apt module parameters. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
22 ### Resource types |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 * [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
25 * [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
26 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
27 ## Classes |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
28 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
29 ### <a name="firewall"></a>`firewall` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
30 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
31 Performs the basic setup tasks required for using the firewall resources. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
32 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
33 At the moment this takes care of: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
34 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 iptables-persistent package installation |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
36 Include the firewall class for nodes that need to use the resources in this module: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
37 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
38 #### Examples |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
39 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
40 ##### |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
41 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
42 ```puppet |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
43 class { 'firewall': } |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
44 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
45 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
46 #### Parameters |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
47 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
48 The following parameters are available in the `firewall` class: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
49 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
50 * [`ensure`](#ensure) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
51 * [`ensure_v6`](#ensure_v6) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
52 * [`pkg_ensure`](#pkg_ensure) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
53 * [`service_name`](#service_name) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
54 * [`service_name_v6`](#service_name_v6) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
55 * [`package_name`](#package_name) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
56 * [`ebtables_manage`](#ebtables_manage) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
57 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
58 ##### <a name="ensure"></a>`ensure` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
59 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
60 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
61 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
62 Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
63 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
64 Default value: `running` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
65 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
66 ##### <a name="ensure_v6"></a>`ensure_v6` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
67 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
68 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
69 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
72 Default value: ``undef`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
74 ##### <a name="pkg_ensure"></a>`pkg_ensure` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
77 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
78 Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
79 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
80 Default value: `present` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
81 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
82 ##### <a name="service_name"></a>`service_name` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
84 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
85 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
86 Specify the name of the IPv4 iptables service. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
87 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
88 Default value: `$firewall::params::service_name` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
89 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
90 ##### <a name="service_name_v6"></a>`service_name_v6` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
91 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
92 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
93 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
94 Specify the name of the IPv6 iptables service. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
95 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
96 Default value: `$firewall::params::service_name_v6` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
97 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
98 ##### <a name="package_name"></a>`package_name` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
99 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
100 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
101 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
102 Specify the platform-specific package(s) to install. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
103 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
104 Default value: `$firewall::params::package_name` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
105 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
106 ##### <a name="ebtables_manage"></a>`ebtables_manage` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
107 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
108 Data type: `Any` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
109 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
110 Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
111 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
112 Default value: ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
113 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
114 ## Resource types |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
115 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
116 ### <a name="firewall"></a>`firewall` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
117 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
118 **Autorequires:** |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
119 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
120 If Puppet is managing the iptables or ip6tables chains specified in the |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
121 `chain` or `jump` parameters, the firewall resource will autorequire |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
122 those firewallchain resources. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
123 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
124 If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
125 and the provider is iptables or ip6tables, the firewall resource will |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
126 autorequire those packages to ensure that any required binaries are |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
127 installed. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
128 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
129 #### Providers |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
130 Note: Not all features are available with all providers. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
131 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
132 * ip6tables: Ip6tables type provider |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
133 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
134 * Required binaries: ip6tables-save, ip6tables. |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
135 * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
136 interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
137 ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
138 log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
139 owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
140 snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
141 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
142 * iptables: Iptables type provider |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
143 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
144 * Required binaries: iptables-save, iptables. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
145 * Default for kernel == linux. |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
146 * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
147 interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
148 log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
149 mark, mask, mss, netmap, nflog_group, nflog_prefix, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
150 nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
151 recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
152 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
153 #### Features |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
154 * address_type: The ability to match on source or destination address type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
155 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
156 * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
157 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
158 * condition: Match if a specific condition variable is (un)set (requires xtables-addons) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
159 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
160 * connection_limiting: Connection limiting features. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
161 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
162 * conntrack: Connection tracking features. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
163 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
164 * dnat: Destination NATing. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
165 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
166 * hop_limiting: Hop limiting features. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
167 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
168 * icmp_match: The ability to match ICMP types. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
169 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
170 * interface_match: Interface matching. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
171 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
172 * iprange: The ability to match on source or destination IP range. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
173 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
174 * ipsec_dir: The ability to match IPsec policy direction. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
175 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
176 * ipsec_policy: The ability to match IPsec policy. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
177 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
178 * iptables: The provider provides iptables features. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
179 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
180 * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
181 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
182 * isfragment: The ability to match fragments. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
183 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
184 * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
185 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
186 * islastfrag: The ability to match the last fragment of an ipv6 packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
187 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
188 * length: The ability to match the length of the layer-3 payload. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
189 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
190 * log_level: The ability to control the log level. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
191 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
192 * log_prefix: The ability to add prefixes to log messages. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
193 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
194 * log_uid: The ability to log the userid of the process which generated the packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
195 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
196 * log_tcp_sequence: The ability to log TCP sequence numbers. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
197 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
198 * log_tcp_options: The ability to log TCP packet header. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
199 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
200 * log_ip_options: The ability to log IP/IPv6 packet header. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
201 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
202 * mark: The ability to match or set the netfilter mark value associated with the packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
203 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
204 * mask: The ability to match recent rules based on the ipv4 mask. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
205 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
206 * nflog_group: The ability to set the group number for NFLOG. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
207 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
208 * nflog_prefix: The ability to set a prefix for nflog messages. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
209 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
210 * nflog_range: The ability to set nflog_range. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
211 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
212 * nflog_threshold: The ability to set nflog_threshold. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
213 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
214 * owner: The ability to match owners. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
215 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
216 * pkttype: The ability to match a packet type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
217 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
218 * rate_limiting: Rate limiting features. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
219 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
220 * recent_limiting: The netfilter recent module. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
221 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
222 * reject_type: The ability to control reject messages. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
223 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
224 * set_mss: Set the TCP MSS of a packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
225 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
226 * snat: Source NATing. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
227 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
228 * socket: The ability to match open sockets. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
229 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
230 * state_match: The ability to match stateful firewall states. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
231 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
232 * string_matching: The ability to match a given string by using some pattern matching strategy. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
233 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
234 * tcp_flags: The ability to match on particular TCP flag settings. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
235 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
236 * netmap: The ability to map entire subnets via source or destination nat rules. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
237 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
238 * hashlimit: The ability to use the hashlimit-module. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
239 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
240 * bpf: The ability to use Berkeley Paket Filter rules. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
241 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
242 * ipvs: The ability to match IP Virtual Server packets. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
243 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
244 * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
245 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
246 * random_fully: The ability to use --random-fully flag. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
247 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
248 #### Properties |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
249 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
250 The following properties are available in the `firewall` type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
251 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
252 ##### `action` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
253 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
254 Valid values: `accept`, `reject`, `drop` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
255 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
256 This is the action to perform on a match. Can be one of: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
257 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
258 * accept - the packet is accepted |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
259 * reject - the packet is rejected with a suitable ICMP response |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
260 * drop - the packet is dropped |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
261 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
262 If you specify no value it will simply match the rule but perform no |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
263 action unless you provide a provider specific parameter (such as *jump*). |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
264 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
265 ##### `burst` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
266 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
267 Valid values: `%r{^\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
268 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
269 Rate limiting burst value (per second) before limit checks apply. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
270 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
271 ##### `bytecode` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
272 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
273 Match using Linux Socket Filter. Expects a BPF program in decimal format. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
274 This is the format generated by the nfbpf_compile utility. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
275 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
276 ##### `cgroup` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
277 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
278 Matches against the net_cls cgroup ID of the packet. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
279 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
280 ##### `chain` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
281 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
282 Valid values: `%r{^[a-zA-Z0-9\-_]+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
283 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
284 Name of the chain to use. Can be one of the built-ins: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
285 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
286 * INPUT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
287 * FORWARD |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
288 * OUTPUT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
289 * PREROUTING |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
290 * POSTROUTING |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
291 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
292 Or you can provide a user-based chain. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
293 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
294 Default value: `INPUT` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
295 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
296 ##### `checksum_fill` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
297 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
298 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
299 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
300 Compute and fill missing packet checksums. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
301 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
302 ##### `clamp_mss_to_pmtu` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
303 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
304 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
305 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
306 Sets the clamp mss to pmtu flag. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
307 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
308 ##### `clusterip_clustermac` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
309 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
310 Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
311 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
312 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
313 Specify the ClusterIP MAC address. Has to be a link-layer multicast address. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
314 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
315 ##### `clusterip_hash_init` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
316 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
317 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
318 Specify the random seed used for hash initialization. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
319 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
320 ##### `clusterip_hashmode` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
321 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
322 Valid values: `sourceip`, `sourceip-sourceport`, `sourceip-sourceport-destport` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
323 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
324 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
325 Specify the hashing mode. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
326 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
327 ##### `clusterip_local_node` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
328 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
329 Valid values: `%r{\d+}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
330 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
331 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
332 Specify the random seed used for hash initialization. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
333 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
334 ##### `clusterip_new` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
335 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
336 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
337 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
338 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
339 Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
340 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
341 ##### `clusterip_total_nodes` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
342 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
343 Valid values: `%r{\d+}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
344 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
345 Used with the CLUSTERIP jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
346 Number of total nodes within this cluster. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
347 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
348 ##### `condition` |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
349 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
350 Match on boolean value (0/1) stored in /proc/net/nf_condition/name. |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
351 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
352 ##### `connlimit_above` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
353 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
354 Valid values: `%r{^\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
355 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
356 Connection limiting value for matched connections above n. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
357 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
358 ##### `connlimit_mask` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
359 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
360 Valid values: `%r{^\d+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
361 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
362 Connection limiting by subnet mask for matched connections. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
363 IPv4: 0-32 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
364 IPv6: 0-128 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
365 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
366 ##### `connmark` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
367 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
368 Match the Netfilter mark value associated with the packet. Accepts either of: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
369 mark/mask or mark. These will be converted to hex if they are not already. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
370 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
371 ##### `ctdir` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
372 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
373 Valid values: `REPLY`, `ORIGINAL` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
374 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
375 Matches a packet that is flowing in the specified direction using the |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
376 conntrack module. If this flag is not specified at all, matches packets |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
377 in both directions. Values can be: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
378 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
379 * REPLY |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
380 * ORIGINAL |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
381 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
382 ##### `ctexpire` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
383 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
384 Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
385 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
386 Matches a packet based on lifetime remaining in seconds or range of values |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
387 using the conntrack module. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
388 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
389 ctexpire => '100:150' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
390 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
391 ##### `ctorigdst` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
392 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
393 The original destination address using the conntrack module. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
394 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
395 ctorigdst => '192.168.2.0/24' |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
396 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
397 You can also negate a mask by putting ! in front. For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
398 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
399 ctorigdst => '! 192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
400 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
401 The ctorigdst can also be an IPv6 address if your provider supports it. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
402 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
403 ##### `ctorigdstport` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
404 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
405 Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
406 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
407 The original destination port to match for this filter using the conntrack module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
408 For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
409 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
410 ctorigdstport => '80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
411 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
412 You can also specify a port range: For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
413 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
414 ctorigdstport => '80:81' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
415 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
416 You can also negate a port by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
417 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
418 ctorigdstport => '! 80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
419 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
420 ##### `ctorigsrc` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
421 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
422 The original source address using the conntrack module. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
423 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
424 ctorigsrc => '192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
425 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
426 You can also negate a mask by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
427 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
428 ctorigsrc => '! 192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
429 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
430 The ctorigsrc can also be an IPv6 address if your provider supports it. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
431 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
432 ##### `ctorigsrcport` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
433 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
434 Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
435 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
436 The original source port to match for this filter using the conntrack module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
437 For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
438 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
439 ctorigsrcport => '80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
440 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
441 You can also specify a port range: For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
442 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
443 ctorigsrcport => '80:81' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
444 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
445 You can also negate a port by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
446 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
447 ctorigsrcport => '! 80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
448 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
449 ##### `ctproto` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
450 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
451 Valid values: `%r{^!?\s?\d+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
452 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
453 The specific layer-4 protocol number to match for this rule using the |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
454 conntrack module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
455 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
456 ##### `ctrepldst` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
457 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
458 The reply destination address using the conntrack module. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
459 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
460 ctrepldst => '192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
461 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
462 You can also negate a mask by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
463 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
464 ctrepldst => '! 192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
465 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
466 The ctrepldst can also be an IPv6 address if your provider supports it. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
467 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
468 ##### `ctrepldstport` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
469 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
470 Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
471 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
472 The reply destination port to match for this filter using the conntrack module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
473 For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
474 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
475 ctrepldstport => '80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
476 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
477 You can also specify a port range: For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
478 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
479 ctrepldstport => '80:81' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
480 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
481 You can also negate a port by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
482 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
483 ctrepldstport => '! 80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
484 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
485 ##### `ctreplsrc` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
486 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
487 The reply source address using the conntrack module. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
488 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
489 ctreplsrc => '192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
490 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
491 You can also negate a mask by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
492 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
493 ctreplsrc => '! 192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
494 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
495 The ctreplsrc can also be an IPv6 address if your provider supports it. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
496 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
497 ##### `ctreplsrcport` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
498 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
499 Valid values: `%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
500 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
501 The reply source port to match for this filter using the conntrack module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
502 For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
503 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
504 ctreplsrcport => '80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
505 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
506 You can also specify a port range: For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
507 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
508 ctreplsrcport => '80:81' |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
509 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
510 You can also negate a port by putting ! in front. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
511 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
512 ctreplsrcport => '! 80' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
513 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
514 ##### `ctstate` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
515 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
516 Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED`, `SNAT`, `DNAT` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
517 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
518 Matches a packet based on its state in the firewall stateful inspection |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
519 table, using the conntrack module. Values can be: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
520 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
521 * INVALID |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
522 * ESTABLISHED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
523 * NEW |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
524 * RELATED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
525 * UNTRACKED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
526 * SNAT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
527 * DNAT |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
528 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
529 ##### `ctstatus` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
530 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
531 Valid values: `NONE`, `EXPECTED`, `SEEN_REPLY`, `ASSURED`, `CONFIRMED` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
532 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
533 Matches a packet based on its status using the conntrack module. Values can be: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
534 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
535 * EXPECTED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
536 * SEEN_REPLY |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
537 * ASSURED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
538 * CONFIRMED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
539 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
540 ##### `date_start` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
541 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
542 Only match during the given time, which must be in ISO 8601 "T" notation. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
543 The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
544 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
545 ##### `date_stop` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
546 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
547 Only match during the given time, which must be in ISO 8601 "T" notation. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
548 The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
549 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
550 ##### `destination` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
551 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
552 The destination address to match. For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
553 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
554 destination => '192.168.1.0/24' |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
555 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
556 You can also negate a mask by putting ! in front. For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
557 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
558 destination => '! 192.168.2.0/24' |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
559 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
560 The destination can also be an IPv6 address if your provider supports it. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
561 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
562 ##### `dport` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
563 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
564 The destination port to match for this filter (if the protocol supports |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
565 ports). Will accept a single element or an array. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
566 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
567 For some firewall providers you can pass a range of ports in the format: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
568 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
569 <start_number>-<ending_number> |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
570 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
571 For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
572 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
573 1-1024 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
574 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
575 This would cover ports 1 to 1024. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
576 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
577 ##### `dst_cc` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
578 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
579 Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
580 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
581 dst attribute for the module geoip |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
582 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
583 ##### `dst_range` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
584 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
585 The destination IP range. For example: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
586 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
587 dst_range => '192.168.1.1-192.168.1.10' |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
588 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
589 The destination IP range must be in 'IP1-IP2' format. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
590 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
591 ##### `dst_type` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
592 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
593 Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
594 :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
595 [ |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
596 address_type, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
597 "! #{address_type}".to_sym, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
598 "#{address_type} --limit-iface-in".to_sym, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
599 "#{address_type} --limit-iface-out".to_sym, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
600 "! #{address_type} --limit-iface-in".to_sym, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
601 "! #{address_type} --limit-iface-out".to_sym, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
602 ] |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
603 }.flatten` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
604 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
605 The destination address type. For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
606 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
607 dst_type => ['LOCAL'] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
608 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
609 Can be one of: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
610 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
611 * UNSPEC - an unspecified address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
612 * UNICAST - a unicast address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
613 * LOCAL - a local address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
614 * BROADCAST - a broadcast address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
615 * ANYCAST - an anycast packet |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
616 * MULTICAST - a multicast address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
617 * BLACKHOLE - a blackhole address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
618 * UNREACHABLE - an unreachable address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
619 * PROHIBIT - a prohibited address |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
620 * THROW - undocumented |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
621 * NAT - undocumented |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
622 * XRESOLVE - undocumented |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
623 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
624 In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
625 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
626 dst_type => ['LOCAL --limit-iface-in'] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
627 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
628 It can also be negated using '!': |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
629 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
630 dst_type => ['! LOCAL'] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
631 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
632 Will accept a single element or an array. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
633 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
634 ##### `ensure` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
635 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
636 Valid values: `present`, `absent` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
637 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
638 Manage the state of this rule. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
639 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
640 Default value: `present` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
641 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
642 ##### `gateway` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
643 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
644 The TEE target will clone a packet and redirect this clone to another |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
645 machine on the local network segment. gateway is the target host's IP. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
646 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
647 ##### `gid` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
648 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
649 GID or Group owner matching rule. Accepts a string argument |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
650 only, as iptables does not accept multiple gid in a single |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
651 statement. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
652 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
653 ##### `goto` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
654 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
655 The value for the iptables --goto parameter. Normal values are: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
656 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
657 * QUEUE |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
658 * RETURN |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
659 * DNAT |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
660 * SNAT |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
661 * LOG |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
662 * MASQUERADE |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
663 * REDIRECT |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
664 * MARK |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
665 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
666 But any valid chain name is allowed. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
667 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
668 ##### `hashlimit_above` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
669 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
670 Match if the rate is above amount/quantum. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
671 This parameter or hashlimit_upto is required. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
672 Allowed forms are '40','40/second','40/minute','40/hour','40/day'. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
673 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
674 ##### `hashlimit_burst` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
675 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
676 Valid values: `%r{^\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
677 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
678 Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
679 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
680 ##### `hashlimit_dstmask` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
681 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
682 Like --hashlimit-srcmask, but for destination addresses. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
683 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
684 ##### `hashlimit_htable_expire` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
685 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
686 After how many milliseconds do hash entries expire. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
687 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
688 ##### `hashlimit_htable_gcinterval` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
689 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
690 How many milliseconds between garbage collection intervals. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
691 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
692 ##### `hashlimit_htable_max` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
693 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
694 Maximum entries in the hash. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
695 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
696 ##### `hashlimit_htable_size` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
697 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
698 The number of buckets of the hash table |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
699 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
700 ##### `hashlimit_mode` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
701 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
702 A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
703 Allowed values are: srcip, srcport, dstip, dstport |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
704 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
705 ##### `hashlimit_name` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
706 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
707 The name for the /proc/net/ipt_hashlimit/foo entry. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
708 This parameter is required. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
709 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
710 ##### `hashlimit_srcmask` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
711 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
712 When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
713 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
714 ##### `hashlimit_upto` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
715 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
716 Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
717 This parameter or hashlimit_above is required. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
718 Allowed forms are '40','40/second','40/minute','40/hour','40/day'. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
719 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
720 ##### `helper` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
721 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
722 Invoke the nf_conntrack_xxx helper module for this packet. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
723 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
724 ##### `hop_limit` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
725 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
726 Valid values: `%r{^\d+$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
727 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
728 Hop limiting value for matched packets. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
729 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
730 ##### `icmp` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
731 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
732 When matching ICMP packets, this is the type of ICMP packet to match. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
733 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
734 A value of "any" is not supported. To achieve this behaviour the |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
735 parameter should simply be omitted or undefined. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
736 An array of values is also not supported. To match against multiple ICMP |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
737 types, please use separate rules for each ICMP type. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
738 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
739 ##### `iniface` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
740 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
741 Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
742 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
743 Input interface to filter on. Supports interface alias like eth0:0. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
744 To negate the match try this: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
745 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
746 iniface => '! lo', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
747 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
748 ##### `ipsec_dir` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
749 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
750 Valid values: `in`, `out` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
751 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
752 Sets the ipsec policy direction |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
753 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
754 ##### `ipsec_policy` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
755 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
756 Valid values: `none`, `ipsec` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
757 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
758 Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
759 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
760 ##### `ipset` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
761 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
762 Matches against the specified ipset list. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
763 Requires ipset kernel module. Will accept a single element or an array. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
764 The value is the name of the blacklist, followed by a space, and then |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
765 'src' and/or 'dst' separated by a comma. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
766 For example: 'blacklist src,dst' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
767 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
768 ##### `ipvs` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
769 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
770 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
771 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
772 Indicates that the current packet belongs to an IPVS connection. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
773 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
774 ##### `isfirstfrag` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
775 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
776 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
777 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
778 If true, matches if the packet is the first fragment. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
779 Sadly cannot be negated. ipv6. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
780 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
781 ##### `isfragment` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
782 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
783 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
784 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
785 Set to true to match tcp fragments (requires type to be set to tcp) |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
786 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
787 ##### `ishasmorefrags` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
788 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
789 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
790 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
791 If true, matches if the packet has it's 'more fragments' bit set. ipv6. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
792 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
793 ##### `islastfrag` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
794 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
795 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
796 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
797 If true, matches if the packet is the last fragment. ipv6. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
798 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
799 ##### `jump` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
800 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
801 The value for the iptables --jump parameter. Normal values are: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
802 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
803 * QUEUE |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
804 * RETURN |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
805 * DNAT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
806 * SNAT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
807 * LOG |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
808 * NFLOG |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
809 * MASQUERADE |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
810 * REDIRECT |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
811 * MARK |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
812 * CT |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
813 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
814 But any valid chain name is allowed. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
815 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
816 For the values ACCEPT, DROP, and REJECT, you must use the generic |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
817 'action' parameter. This is to enfore the use of generic parameters where |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
818 possible for maximum cross-platform modelling. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
819 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
820 If you set both 'accept' and 'jump' parameters, you will get an error as |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
821 only one of the options should be set. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
822 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
823 ##### `kernel_timezone` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
824 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
825 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
826 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
827 Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
828 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
829 ##### `length` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
830 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
831 Sets the length of layer-3 payload to match. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
832 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
833 ##### `limit` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
834 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
835 Rate limiting value for matched packets. The format is: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
836 rate/[/second/|/minute|/hour|/day]. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
837 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
838 Example values are: '50/sec', '40/min', '30/hour', '10/day'." |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
839 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
840 ##### `log_ip_options` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
841 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
842 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
843 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
844 When combined with jump => "LOG" logging of the TCP IP/IPv6 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
845 packet header. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
846 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
847 ##### `log_level` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
848 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
849 When combined with jump => "LOG" specifies the system log level to log |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
850 to. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
851 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
852 ##### `log_prefix` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
853 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
854 When combined with jump => "LOG" specifies the log prefix to use when |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
855 logging. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
856 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
857 ##### `log_tcp_options` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
858 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
859 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
860 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
861 When combined with jump => "LOG" logging of the TCP packet |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
862 header. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
863 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
864 ##### `log_tcp_sequence` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
865 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
866 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
867 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
868 When combined with jump => "LOG" enables logging of the TCP sequence |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
869 numbers. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
870 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
871 ##### `log_uid` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
872 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
873 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
874 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
875 When combined with jump => "LOG" specifies the uid of the process making |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
876 the connection. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
877 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
878 ##### `mac_source` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
879 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
880 Valid values: `%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
881 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
882 MAC Source |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
883 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
884 ##### `mask` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
885 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
886 Sets the mask to use when `recent` is enabled. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
887 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
888 ##### `match_mark` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
889 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
890 Match the Netfilter mark value associated with the packet. Accepts either of: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
891 mark/mask or mark. These will be converted to hex if they are not already. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
892 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
893 ##### `month_days` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
894 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
895 Only match on the given days of the month. Possible values are 1 to 31. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
896 Note that specifying 31 will of course not match on months which do not have a 31st day; |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
897 the same goes for 28- or 29-day February. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
898 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
899 ##### `mss` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
900 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
901 Match a given TCP MSS value or range. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
902 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
903 ##### `nflog_group` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
904 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
905 Used with the jump target NFLOG. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
906 The netlink group (0 - 2^16-1) to which packets are (only applicable |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
907 for nfnetlink_log). Defaults to 0. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
908 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
909 ##### `nflog_prefix` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
910 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
911 Used with the jump target NFLOG. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
912 A prefix string to include in the log message, up to 64 characters long, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
913 useful for distinguishing messages in the logs. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
914 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
915 ##### `nflog_range` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
916 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
917 Used with the jump target NFLOG. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
918 The number of bytes to be copied to userspace (only applicable for nfnetlink_log). |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
919 nfnetlink_log instances may specify their own range, this option overrides it. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
920 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
921 ##### `nflog_threshold` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
922 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
923 Used with the jump target NFLOG. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
924 Number of packets to queue inside the kernel before sending them to userspace |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
925 (only applicable for nfnetlink_log). Higher values result in less overhead |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
926 per packet, but increase delay until the packets reach userspace. Defaults to 1. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
927 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
928 ##### `notrack` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
929 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
930 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
931 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
932 Invoke the disable connection tracking for this packet. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
933 This parameter can be used with iptables version >= 1.8.3 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
934 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
935 ##### `outiface` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
936 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
937 Valid values: `%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
938 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
939 Output interface to filter on. Supports interface alias like eth0:0. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
940 To negate the match try this: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
941 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
942 outiface => '! lo', |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
943 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
944 ##### `physdev_in` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
945 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
946 Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
947 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
948 Match if the packet is entering a bridge from the given interface. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
949 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
950 ##### `physdev_is_bridged` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
951 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
952 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
953 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
954 Match if the packet is transversing a bridge. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
955 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
956 ##### `physdev_is_in` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
957 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
958 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
959 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
960 Matches if the packet has entered through a bridge interface. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
961 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
962 ##### `physdev_is_out` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
963 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
964 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
965 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
966 Matches if the packet will leave through a bridge interface. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
967 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
968 ##### `physdev_out` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
969 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
970 Valid values: `%r{^[a-zA-Z0-9\-\._\+]+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
971 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
972 Match if the packet is leaving a bridge via the given interface. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
973 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
974 ##### `pkttype` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
975 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
976 Valid values: `unicast`, `broadcast`, `multicast` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
977 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
978 Sets the packet type to match. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
979 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
980 ##### `port` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
981 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
982 *note* This property has been DEPRECATED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
983 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
984 The destination or source port to match for this filter (if the protocol |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
985 supports ports). Will accept a single element or an array. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
986 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
987 For some firewall providers you can pass a range of ports in the format: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
988 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
989 <start_number>-<ending_number> |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
990 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
991 For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
992 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
993 1-1024 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
994 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
995 This would cover ports 1 to 1024. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
996 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
997 ##### `proto` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
998 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
999 Valid values: `[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1000 [proto, "! #{proto}".to_sym] |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1001 }.flatten` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1002 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1003 The specific protocol to match for this rule. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1004 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1005 Default value: `tcp` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1006 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1007 ##### `queue_bypass` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1008 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1009 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1010 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1011 Used with NFQUEUE jump target |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1012 Allow packets to bypass :queue_num if userspace process is not listening |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1013 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1014 ##### `queue_num` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1015 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1016 Used with NFQUEUE jump target. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1017 What queue number to send packets to |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1018 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1019 ##### `random` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1020 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1021 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1022 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1023 When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1024 this boolean will enable randomized port mapping. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1025 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1026 ##### `random_fully` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1027 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1028 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1029 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1030 When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1031 this boolean will enable fully randomized port mapping. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1032 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1033 **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1034 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1035 ##### `rdest` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1036 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1037 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1038 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1039 Recent module; add the destination IP address to the list. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1040 Must be boolean true. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1041 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1042 ##### `reap` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1043 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1044 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1045 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1046 Recent module; can only be used in conjunction with the `rseconds` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1047 attribute. When used, this will cause entries older than 'seconds' to be |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1048 purged. Must be boolean true. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1049 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1050 ##### `recent` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1051 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1052 Valid values: `set`, `update`, `rcheck`, `remove` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1053 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1054 Enable the recent module. Takes as an argument one of set, update, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1055 rcheck or remove. For example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1056 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1057 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1058 # If anyone's appeared on the 'badguy' blacklist within |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1059 # the last 60 seconds, drop their traffic, and update the timestamp. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1060 firewall { '100 Drop badguy traffic': |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1061 recent => 'update', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1062 rseconds => 60, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1063 rsource => true, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1064 rname => 'badguy', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1065 action => 'DROP', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1066 chain => 'FORWARD', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1067 } |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1068 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1069 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1070 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1071 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1072 # No-one should be sending us traffic on eth0 from the |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1073 # localhost, Blacklist them |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1074 firewall { '101 blacklist strange traffic': |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1075 recent => 'set', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1076 rsource => true, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1077 rname => 'badguy', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1078 destination => '127.0.0.0/8', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1079 iniface => 'eth0', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1080 action => 'DROP', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1081 chain => 'FORWARD', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1082 } |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1083 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1084 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1085 ##### `reject` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1086 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1087 When combined with action => "REJECT" you can specify a different icmp |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1088 response to be sent back to the packet sender. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1089 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1090 ##### `rhitcount` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1091 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1092 Recent module; used in conjunction with `recent => 'update'` or `recent |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1093 => 'rcheck'. When used, this will narrow the match to only happen when |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1094 the address is in the list and packets had been received greater than or |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1095 equal to the given value. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1096 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1097 ##### `rname` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1098 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1099 Recent module; The name of the list. Takes a string argument. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1100 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1101 ##### `rpfilter` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1102 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1103 Valid values: `loose`, `validmark`, `accept-local`, `invert` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1104 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1105 Enable the rpfilter module. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1106 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1107 ##### `rseconds` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1108 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1109 Recent module; used in conjunction with one of `recent => 'rcheck'` or |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1110 `recent => 'update'`. When used, this will narrow the match to only |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1111 happen when the address is in the list and was seen within the last given |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1112 number of seconds. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1113 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1114 ##### `rsource` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1115 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1116 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1117 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1118 Recent module; add the source IP address to the list. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1119 Must be boolean true. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1120 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1121 ##### `rttl` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1122 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1123 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1124 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1125 Recent module; may only be used in conjunction with one of `recent => |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1126 'rcheck'` or `recent => 'update'`. When used, this will narrow the match |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1127 to only happen when the address is in the list and the TTL of the current |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1128 packet matches that of the packet which hit the `recent => 'set'` rule. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1129 This may be useful if you have problems with people faking their source |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1130 address in order to DoS you via this module by disallowing others access |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1131 to your site by sending bogus packets to you. Must be boolean true. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1132 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1133 ##### `set_dscp` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1134 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1135 Set DSCP Markings. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1136 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1137 ##### `set_dscp_class` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1138 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1139 This sets the DSCP field according to a predefined DiffServ class. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1140 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1141 ##### `set_mark` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1142 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1143 Set the Netfilter mark value associated with the packet. Accepts either of: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1144 mark/mask or mark. These will be converted to hex if they are not already. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1145 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1146 ##### `set_mss` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1147 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1148 Sets the TCP MSS value for packets. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1149 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1150 ##### `socket` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1151 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1152 Valid values: ``true``, ``false`` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1153 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1154 If true, matches if an open socket can be found by doing a coket lookup |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1155 on the packet. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1156 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1157 ##### `source` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1158 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1159 The source address. For example: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1160 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1161 source => '192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1162 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1163 You can also negate a mask by putting ! in front. For example: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1164 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1165 source => '! 192.168.2.0/24' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1166 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1167 The source can also be an IPv6 address if your provider supports it. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1168 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1169 ##### `sport` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1170 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1171 The source port to match for this filter (if the protocol supports |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1172 ports). Will accept a single element or an array. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1173 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1174 For some firewall providers you can pass a range of ports in the format: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1175 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1176 <start_number>-<ending_number> |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1177 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1178 For example: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1179 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1180 1-1024 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1181 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1182 This would cover ports 1 to 1024. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1183 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1184 ##### `src_cc` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1185 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1186 Valid values: `%r{^[A-Z]{2}(,[A-Z]{2})*$}` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1187 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1188 src attribute for the module geoip |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1189 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1190 ##### `src_range` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1191 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1192 The source IP range. For example: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1193 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1194 src_range => '192.168.1.1-192.168.1.10' |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1195 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1196 The source IP range must be in 'IP1-IP2' format. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1197 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1198 ##### `src_type` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1199 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1200 Valid values: `[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1201 :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1202 [ |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1203 address_type, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1204 "! #{address_type}".to_sym, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1205 "#{address_type} --limit-iface-in".to_sym, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1206 "#{address_type} --limit-iface-out".to_sym, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1207 "! #{address_type} --limit-iface-in".to_sym, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1208 "! #{address_type} --limit-iface-out".to_sym, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1209 ] |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1210 }.flatten` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1211 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1212 The source address type. For example: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1213 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1214 src_type => ['LOCAL'] |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1215 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1216 Can be one of: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1217 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1218 * UNSPEC - an unspecified address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1219 * UNICAST - a unicast address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1220 * LOCAL - a local address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1221 * BROADCAST - a broadcast address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1222 * ANYCAST - an anycast packet |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1223 * MULTICAST - a multicast address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1224 * BLACKHOLE - a blackhole address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1225 * UNREACHABLE - an unreachable address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1226 * PROHIBIT - a prohibited address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1227 * THROW - undocumented |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1228 * NAT - undocumented |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1229 * XRESOLVE - undocumented |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1230 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1231 In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1232 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1233 src_type => ['LOCAL --limit-iface-in'] |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1234 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1235 It can also be negated using '!': |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1236 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1237 src_type => ['! LOCAL'] |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1238 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1239 Will accept a single element or an array. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1240 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1241 ##### `stat_every` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1242 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1243 Match one packet every nth packet. Requires `stat_mode => 'nth'` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1244 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1245 ##### `stat_mode` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1246 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1247 Valid values: `nth`, `random` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1248 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1249 Set the matching mode for statistic matching. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1250 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1251 ##### `stat_packet` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1252 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1253 Valid values: `%r{^\d+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1254 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1255 Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1256 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1257 ##### `stat_probability` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1258 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1259 Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1260 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1261 ##### `state` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1262 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1263 Valid values: `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`, `UNTRACKED` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1264 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1265 Matches a packet based on its state in the firewall stateful inspection |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1266 table. Values can be: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1267 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1268 * INVALID |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1269 * ESTABLISHED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1270 * NEW |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1271 * RELATED |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1272 * UNTRACKED |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1273 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1274 ##### `string` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1275 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1276 String matching feature. Matches the packet against the pattern |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1277 given as an argument. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1278 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1279 ##### `string_algo` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1280 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1281 Valid values: `bm`, `kmp` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1282 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1283 String matching feature, pattern matching strategy. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1284 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1285 ##### `string_from` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1286 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1287 String matching feature, offset from which we start looking for any matching. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1288 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1289 ##### `string_hex` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1290 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1291 String matching feature. Matches the package against the hex pattern |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1292 given as an argument. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1293 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1294 ##### `string_to` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1295 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1296 String matching feature, offset up to which we should scan. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1297 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1298 ##### `table` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1299 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1300 Valid values: `nat`, `mangle`, `filter`, `raw`, `rawpost` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1301 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1302 Table to use. Can be one of: |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1303 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1304 * nat |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1305 * mangle |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1306 * filter |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1307 * raw |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1308 * rawpost |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1309 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1310 Default value: `filter` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1311 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1312 ##### `tcp_flags` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1313 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1314 Match when the TCP flags are as specified. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1315 Is a string with a list of comma-separated flag names for the mask, |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1316 then a space, then a comma-separated list of flags that should be set. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1317 The flags are: SYN ACK FIN RST URG PSH ALL NONE |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1318 Note that you specify them in the order that iptables --list-rules |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1319 would list them to avoid having puppet think you changed the flags. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1320 Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1321 ACK,RST and FIN bits cleared. Such packets are used to request |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1322 TCP connection initiation. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1323 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1324 ##### `time_contiguous` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1325 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1326 Valid values: ``true``, ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1327 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1328 When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1329 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1330 ##### `time_start` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1331 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1332 Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1333 Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1334 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1335 ##### `time_stop` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1336 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1337 Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1338 Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1339 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1340 ##### `to` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1341 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1342 For NETMAP this will replace the destination IP |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1343 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1344 ##### `todest` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1345 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1346 When using jump => "DNAT" you can specify the new destination address |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1347 using this paramter. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1348 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1349 ##### `toports` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1350 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1351 For DNAT this is the port that will replace the destination port. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1352 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1353 ##### `tosource` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1354 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1355 When using jump => "SNAT" you can specify the new source address using |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1356 this parameter. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1357 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1358 ##### `uid` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1359 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1360 UID or Username owner matching rule. Accepts a string argument |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1361 only, as iptables does not accept multiple uid in a single |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1362 statement. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1363 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1364 ##### `week_days` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1365 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1366 Valid values: `Mon`, `Tue`, `Wed`, `Thu`, `Fri`, `Sat`, `Sun` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1367 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1368 Only match on the given weekdays. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1369 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1370 ##### `zone` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1371 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1372 Assign this packet to zone id and only have lookups done in that zone. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1373 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1374 #### Parameters |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1375 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1376 The following parameters are available in the `firewall` type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1377 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1378 * [`line`](#line) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1379 * [`name`](#name) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1380 * [`provider`](#provider) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1381 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1382 ##### <a name="line"></a>`line` |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1383 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1384 Read-only property for caching the rule line. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1385 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1386 ##### <a name="name"></a>`name` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1387 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1388 Valid values: `%r{^\d+[[:graph:][:space:]]+$}` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1389 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1390 namevar |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1391 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1392 The canonical name of the rule. This name is also used for ordering |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1393 so make sure you prefix the rule with a number: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1394 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1395 000 this runs first |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1396 999 this runs last |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1397 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1398 Depending on the provider, the name of the rule can be stored using |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1399 the comment feature of the underlying firewall subsystem. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1400 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1401 ##### <a name="provider"></a>`provider` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1402 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1403 The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1404 discover the appropriate provider for your platform. |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1405 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1406 ### <a name="firewallchain"></a>`firewallchain` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1407 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1408 Currently this supports only iptables, ip6tables and ebtables on Linux. And |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1409 provides support for setting the default policy on chains and tables that |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1410 allow it. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1411 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1412 **Autorequires:** |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1413 If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1414 and the provider is iptables_chain, the firewall resource will autorequire |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1415 those packages to ensure that any required binaries are installed. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1416 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1417 #### Providers |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1418 * iptables_chain is the only provider that supports firewallchain. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1419 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1420 #### Features |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1421 * iptables_chain: The provider provides iptables chain features. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1422 * policy: Default policy (inbuilt chains only). |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1423 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1424 #### Properties |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1425 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1426 The following properties are available in the `firewallchain` type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1427 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1428 ##### `ensure` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1429 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1430 Valid values: `present`, `absent` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1431 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1432 The basic property that the resource should be in. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1433 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1434 Default value: `present` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1435 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1436 ##### `policy` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1437 |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1438 Valid values: `accept`, `drop`, `queue`, `return` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1439 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1440 This is the action to when the end of the chain is reached. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1441 It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1442 PREROUTING, POSTROUTING) and can be one of: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1443 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1444 * accept - the packet is accepted |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1445 * drop - the packet is dropped |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1446 * queue - the packet is passed userspace |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1447 * return - the packet is returned to calling (jump) queue |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1448 or the default of inbuilt chains |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1449 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1450 #### Parameters |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1451 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1452 The following parameters are available in the `firewallchain` type. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1453 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1454 * [`ignore`](#ignore) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1455 * [`ignore_foreign`](#ignore_foreign) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1456 * [`name`](#name) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1457 * [`provider`](#provider) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1458 * [`purge`](#purge) |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1459 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1460 ##### <a name="ignore"></a>`ignore` |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1461 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1462 Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1463 This is matched against the output of `iptables-save`. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1464 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1465 This can be a single regex, or an array of them. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1466 To support flags, use the ruby inline flag mechanism. |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1467 Meaning a regex such as |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1468 /foo/i |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1469 can be written as |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1470 '(?i)foo' or '(?i:foo)' |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1471 |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1472 Full example: |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1473 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1474 firewallchain { 'INPUT:filter:IPv4': |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1475 purge => true, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1476 ignore => [ |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1477 '-j fail2ban-ssh', # ignore the fail2ban jump rule |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1478 '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1479 ], |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1480 } |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1481 ``` |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1482 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1483 ##### <a name="ignore_foreign"></a>`ignore_foreign` |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1484 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1485 Valid values: ``false``, ``true`` |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1486 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1487 Ignore rules that do not match the puppet title pattern "^\d+[[:graph:][:space:]]" when purging unmanaged firewall rules |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1488 in this chain. |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1489 This can be used to ignore rules that were not put in by puppet. Beware that nothing keeps other systems from |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1490 configuring firewall rules with a comment that starts with digits, and is indistinguishable from puppet-configured |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1491 rules. |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1492 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1493 Default value: ``false`` |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1494 |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1495 ##### <a name="name"></a>`name` |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1496 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1497 namevar |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1498 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1499 The canonical name of the chain. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1500 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1501 For iptables the format must be {chain}:{table}:{protocol}. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1502 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1503 ##### <a name="provider"></a>`provider` |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1504 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1505 The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1506 usually discover the appropriate provider for your platform. |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1507 |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
348
diff
changeset
|
1508 ##### <a name="purge"></a>`purge` |
|
348
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1509 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1510 Valid values: ``false``, ``true`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1511 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1512 Purge unmanaged firewall rules in this chain |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1513 |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1514 Default value: ``false`` |
|
11d940c9014e
Update Firewall module to try and fix quoting string issue
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1515 |