other/Puppet: modules/firewall/REFERENCE.md annotate

annotate modules/firewall/REFERENCE.md @ 320:99e3ca448d55

Fix Remi PHP on CentOS 8 It uses the new "modules" approach, so we need to use a new package provider They also use different signing keys

author	IBBoard <dev@ibboard.co.uk>
date	Sun, 01 Mar 2020 10:58:00 +0000
parents	d9352a684e62
children	11d940c9014e

rev	line source
275 d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1 # Reference
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	2 <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	3
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	4 ## Table of Contents
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	5
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	6 Classes
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	7
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	8 _Public Classes_
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	9
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	10 * [`firewall`](#firewall): Performs the basic setup tasks required for using the firewall resources. At the moment this takes care of: iptables-persistent package ins
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	11
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	12 _Private Classes_
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	13
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	14 * `firewall::linux`: Main linux class, includes all other classes
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	15 * `firewall::linux::archlinux`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	16 * `firewall::linux::debian`: Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	17 * `firewall::linux::gentoo`: Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	18 * `firewall::linux::redhat`: Manages the `iptables` service on RedHat-alike systems.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	19 * `firewall::params`: Provides defaults for the Apt module parameters.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	20
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	21 Resource types
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	22
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	23 * [`firewall`](#firewall): This type provides the capability to manage firewall rules within puppet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	24 * [`firewallchain`](#firewallchain): This type provides the capability to manage rule chains for firewalls.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	25
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	26 ## Classes
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	27
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	28 ### firewall
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	29
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	30 Performs the basic setup tasks required for using the firewall resources.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	31
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	32 At the moment this takes care of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	33
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	34 iptables-persistent package installation
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	35 Include the firewall class for nodes that need to use the resources in this module:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	36
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	37 #### Examples
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	38
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	39 #####
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	40
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	41 ```puppet
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	42 class { 'firewall': }
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	43 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	44
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	45 #### Parameters
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	46
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	47 The following parameters are available in the `firewall` class.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	48
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	49 ##### `ensure`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	50
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	51 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	52
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	53 Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	54
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	55 Default value: running
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	56
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	57 ##### `ensure_v6`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	58
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	59 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	60
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	61 Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	62
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	63 Default value: `undef`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	64
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	65 ##### `pkg_ensure`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	66
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	67 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	68
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	69 Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	70
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	71 Default value: present
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	72
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	73 ##### `service_name`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	74
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	75 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	76
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	77 Specify the name of the IPv4 iptables service.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	78
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	79 Default value: $::firewall::params::service_name
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	80
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	81 ##### `service_name_v6`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	82
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	83 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	84
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	85 Specify the name of the IPv6 iptables service.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	86
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	87 Default value: $::firewall::params::service_name_v6
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	88
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	89 ##### `package_name`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	90
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	91 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	92
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	93 Specify the platform-specific package(s) to install.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	94
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	95 Default value: $::firewall::params::package_name
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	96
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	97 ##### `ebtables_manage`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	98
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	99 Data type: `Any`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	100
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	101 Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	102
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	103 Default value: `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	104
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	105 ## Resource types
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	106
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	107 ### firewall
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	108
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	109 Autorequires:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	110
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	111 If Puppet is managing the iptables or ip6tables chains specified in the
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	112 `chain` or `jump` parameters, the firewall resource will autorequire
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	113 those firewallchain resources.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	114
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	115 If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	116 and the provider is iptables or ip6tables, the firewall resource will
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	117 autorequire those packages to ensure that any required binaries are
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	118 installed.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	119
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	120 #### Providers
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	121 Note: Not all features are available with all providers.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	122
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	123 * ip6tables: Ip6tables type provider
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	124
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	125 * Required binaries: ip6tables-save, ip6tables.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	126 * Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	127 interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	128 ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	129 owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	130 snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	131
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	132 * iptables: Iptables type provider
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	133
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	134 * Required binaries: iptables-save, iptables.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	135 * Default for kernel == linux.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	136 * Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	137 interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	138 log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	139 nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	140 recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	141
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	142 #### Features
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	143 * address_type: The ability to match on source or destination address type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	144
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	145 * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	146
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	147 * connection_limiting: Connection limiting features.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	148
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	149 * dnat: Destination NATing.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	150
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	151 * hop_limiting: Hop limiting features.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	152
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	153 * icmp_match: The ability to match ICMP types.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	154
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	155 * interface_match: Interface matching.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	156
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	157 * iprange: The ability to match on source or destination IP range.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	158
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	159 * ipsec_dir: The ability to match IPsec policy direction.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	160
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	161 * ipsec_policy: The ability to match IPsec policy.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	162
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	163 * iptables: The provider provides iptables features.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	164
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	165 * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	166
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	167 * isfragment: The ability to match fragments.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	168
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	169 * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	170
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	171 * islastfrag: The ability to match the last fragment of an ipv6 packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	172
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	173 * length: The ability to match the length of the layer-3 payload.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	174
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	175 * log_level: The ability to control the log level.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	176
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	177 * log_prefix: The ability to add prefixes to log messages.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	178
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	179 * log_uid: The ability to log the userid of the process which generated the packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	180
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	181 * mark: The ability to match or set the netfilter mark value associated with the packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	182
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	183 * mask: The ability to match recent rules based on the ipv4 mask.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	184
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	185 * nflog_group: The ability to set the group number for NFLOG.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	186
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	187 * nflog_prefix: The ability to set a prefix for nflog messages.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	188
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	189 * nflog_range: The ability to set nflog_range.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	190
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	191 * nflog_threshold: The ability to set nflog_threshold.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	192
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	193 * owner: The ability to match owners.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	194
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	195 * pkttype: The ability to match a packet type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	196
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	197 * rate_limiting: Rate limiting features.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	198
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	199 * recent_limiting: The netfilter recent module.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	200
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	201 * reject_type: The ability to control reject messages.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	202
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	203 * set_mss: Set the TCP MSS of a packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	204
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	205 * snat: Source NATing.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	206
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	207 * socket: The ability to match open sockets.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	208
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	209 * state_match: The ability to match stateful firewall states.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	210
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	211 * string_matching: The ability to match a given string by using some pattern matching strategy.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	212
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	213 * tcp_flags: The ability to match on particular TCP flag settings.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	214
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	215 * netmap: The ability to map entire subnets via source or destination nat rules.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	216
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	217 * hashlimit: The ability to use the hashlimit-module.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	218
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	219 * bpf: The ability to use Berkeley Paket Filter rules.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	220
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	221 * ipvs: The ability to match IP Virtual Server packets.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	222
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	223 * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	224
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	225 #### Properties
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	226
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	227 The following properties are available in the `firewall` type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	228
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	229 ##### `ensure`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	230
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	231 Valid values: present, absent
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	232
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	233 Manage the state of this rule.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	234
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	235 Default value: present
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	236
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	237 ##### `action`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	238
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	239 Valid values: accept, reject, drop
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	240
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	241 This is the action to perform on a match. Can be one of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	242
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	243 * accept - the packet is accepted
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	244 * reject - the packet is rejected with a suitable ICMP response
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	245 * drop - the packet is dropped
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	246
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	247 If you specify no value it will simply match the rule but perform no
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	248 action unless you provide a provider specific parameter (such as jump).
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	249
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	250 ##### `source`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	251
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	252 The source address. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	253
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	254 source => '192.168.2.0/24'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	255
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	256 You can also negate a mask by putting ! in front. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	257
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	258 source => '! 192.168.2.0/24'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	259
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	260 The source can also be an IPv6 address if your provider supports it.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	261
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	262 ##### `src_range`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	263
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	264 The source IP range. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	265
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	266 src_range => '192.168.1.1-192.168.1.10'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	267
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	268 The source IP range must be in 'IP1-IP2' format.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	269
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	270 ##### `destination`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	271
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	272 The destination address to match. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	273
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	274 destination => '192.168.1.0/24'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	275
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	276 You can also negate a mask by putting ! in front. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	277
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	278 destination => '! 192.168.2.0/24'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	279
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	280 The destination can also be an IPv6 address if your provider supports it.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	281
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	282 ##### `dst_range`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	283
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	284 The destination IP range. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	285
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	286 dst_range => '192.168.1.1-192.168.1.10'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	287
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	288 The destination IP range must be in 'IP1-IP2' format.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	289
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	290 ##### `sport`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	291
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	292 The source port to match for this filter (if the protocol supports
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	293 ports). Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	294
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	295 For some firewall providers you can pass a range of ports in the format:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	296
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	297 <start_number>-<ending_number>
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	298
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	299 For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	300
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	301 1-1024
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	302
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	303 This would cover ports 1 to 1024.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	304
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	305 ##### `dport`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	306
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	307 The destination port to match for this filter (if the protocol supports
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	308 ports). Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	309
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	310 For some firewall providers you can pass a range of ports in the format:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	311
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	312 <start_number>-<ending_number>
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	313
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	314 For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	315
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	316 1-1024
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	317
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	318 This would cover ports 1 to 1024.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	319
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	320 ##### `port`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	321
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	322 note This property has been DEPRECATED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	323
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	324 The destination or source port to match for this filter (if the protocol
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	325 supports ports). Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	326
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	327 For some firewall providers you can pass a range of ports in the format:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	328
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	329 <start_number>-<ending_number>
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	330
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	331 For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	332
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	333 1-1024
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	334
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	335 This would cover ports 1 to 1024.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	336
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	337 ##### `dst_type`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	338
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	339 Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	340 :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { \|address_type\|
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	341 [
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	342 address_type,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	343 "! #{address_type}".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	344 "#{address_type} --limit-iface-in".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	345 "#{address_type} --limit-iface-out".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	346 "! #{address_type} --limit-iface-in".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	347 "! #{address_type} --limit-iface-out".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	348 ]
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	349 }.flatten
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	350
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	351 The destination address type. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	352
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	353 dst_type => ['LOCAL']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	354
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	355 Can be one of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	356
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	357 * UNSPEC - an unspecified address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	358 * UNICAST - a unicast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	359 * LOCAL - a local address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	360 * BROADCAST - a broadcast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	361 * ANYCAST - an anycast packet
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	362 * MULTICAST - a multicast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	363 * BLACKHOLE - a blackhole address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	364 * UNREACHABLE - an unreachable address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	365 * PROHIBIT - a prohibited address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	366 * THROW - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	367 * NAT - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	368 * XRESOLVE - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	369
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	370 In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	371
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	372 dst_type => ['LOCAL --limit-iface-in']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	373
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	374 It can also be negated using '!':
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	375
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	376 dst_type => ['! LOCAL']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	377
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	378 Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	379
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	380 ##### `src_type`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	381
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	382 Valid values: [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	383 :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { \|address_type\|
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	384 [
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	385 address_type,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	386 "! #{address_type}".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	387 "#{address_type} --limit-iface-in".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	388 "#{address_type} --limit-iface-out".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	389 "! #{address_type} --limit-iface-in".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	390 "! #{address_type} --limit-iface-out".to_sym,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	391 ]
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	392 }.flatten
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	393
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	394 The source address type. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	395
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	396 src_type => ['LOCAL']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	397
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	398 Can be one of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	399
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	400 * UNSPEC - an unspecified address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	401 * UNICAST - a unicast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	402 * LOCAL - a local address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	403 * BROADCAST - a broadcast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	404 * ANYCAST - an anycast packet
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	405 * MULTICAST - a multicast address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	406 * BLACKHOLE - a blackhole address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	407 * UNREACHABLE - an unreachable address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	408 * PROHIBIT - a prohibited address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	409 * THROW - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	410 * NAT - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	411 * XRESOLVE - undocumented
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	412
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	413 In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	414
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	415 src_type => ['LOCAL --limit-iface-in']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	416
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	417 It can also be negated using '!':
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	418
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	419 src_type => ['! LOCAL']
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	420
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	421 Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	422
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	423 ##### `proto`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	424
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	425 Valid values: [:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { \|proto\|
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	426 [proto, "! #{proto}".to_sym]
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	427 }.flatten
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	428
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	429 The specific protocol to match for this rule.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	430
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	431 Default value: tcp
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	432
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	433 ##### `mss`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	434
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	435 Match a given TCP MSS value or range.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	436
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	437 ##### `tcp_flags`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	438
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	439 Match when the TCP flags are as specified.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	440 Is a string with a list of comma-separated flag names for the mask,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	441 then a space, then a comma-separated list of flags that should be set.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	442 The flags are: SYN ACK FIN RST URG PSH ALL NONE
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	443 Note that you specify them in the order that iptables --list-rules
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	444 would list them to avoid having puppet think you changed the flags.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	445 Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	446 ACK,RST and FIN bits cleared. Such packets are used to request
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	447 TCP connection initiation.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	448
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	449 ##### `chain`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	450
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	451 Valid values: %r{^[a-zA-Z0-9\-_]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	452
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	453 Name of the chain to use. Can be one of the built-ins:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	454
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	455 * INPUT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	456 * FORWARD
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	457 * OUTPUT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	458 * PREROUTING
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	459 * POSTROUTING
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	460
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	461 Or you can provide a user-based chain.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	462
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	463 Default value: INPUT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	464
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	465 ##### `table`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	466
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	467 Valid values: nat, mangle, filter, raw, rawpost
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	468
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	469 Table to use. Can be one of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	470
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	471 * nat
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	472 * mangle
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	473 * filter
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	474 * raw
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	475 * rawpost
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	476
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	477 Default value: filter
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	478
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	479 ##### `jump`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	480
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	481 The value for the iptables --jump parameter. Normal values are:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	482
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	483 * QUEUE
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	484 * RETURN
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	485 * DNAT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	486 * SNAT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	487 * LOG
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	488 * NFLOG
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	489 * MASQUERADE
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	490 * REDIRECT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	491 * MARK
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	492
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	493 But any valid chain name is allowed.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	494
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	495 For the values ACCEPT, DROP, and REJECT, you must use the generic
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	496 'action' parameter. This is to enfore the use of generic parameters where
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	497 possible for maximum cross-platform modelling.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	498
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	499 If you set both 'accept' and 'jump' parameters, you will get an error as
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	500 only one of the options should be set.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	501
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	502 ##### `goto`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	503
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	504 The value for the iptables --goto parameter. Normal values are:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	505
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	506 * QUEUE
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	507 * RETURN
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	508 * DNAT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	509 * SNAT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	510 * LOG
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	511 * MASQUERADE
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	512 * REDIRECT
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	513 * MARK
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	514
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	515 But any valid chain name is allowed.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	516
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	517 ##### `iniface`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	518
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	519 Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	520
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	521 Input interface to filter on. Supports interface alias like eth0:0.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	522 To negate the match try this:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	523
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	524 iniface => '! lo',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	525
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	526 ##### `outiface`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	527
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	528 Valid values: %r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	529
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	530 Output interface to filter on. Supports interface alias like eth0:0.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	531 To negate the match try this:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	532
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	533 outiface => '! lo',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	534
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	535 ##### `tosource`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	536
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	537 When using jump => "SNAT" you can specify the new source address using
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	538 this parameter.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	539
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	540 ##### `todest`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	541
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	542 When using jump => "DNAT" you can specify the new destination address
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	543 using this paramter.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	544
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	545 ##### `toports`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	546
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	547 For DNAT this is the port that will replace the destination port.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	548
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	549 ##### `to`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	550
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	551 For NETMAP this will replace the destination IP
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	552
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	553 ##### `random`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	554
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	555 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	556
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	557 When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	558 this boolean will enable randomized port mapping.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	559
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	560 ##### `reject`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	561
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	562 When combined with action => "REJECT" you can specify a different icmp
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	563 response to be sent back to the packet sender.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	564
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	565 ##### `log_level`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	566
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	567 When combined with jump => "LOG" specifies the system log level to log
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	568 to.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	569
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	570 ##### `log_prefix`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	571
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	572 When combined with jump => "LOG" specifies the log prefix to use when
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	573 logging.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	574
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	575 ##### `log_uid`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	576
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	577 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	578
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	579 When combined with jump => "LOG" specifies the uid of the process making
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	580 the connection.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	581
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	582 ##### `nflog_group`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	583
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	584 Used with the jump target NFLOG.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	585 The netlink group (0 - 2^16-1) to which packets are (only applicable
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	586 for nfnetlink_log). Defaults to 0.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	587
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	588 ##### `nflog_prefix`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	589
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	590 Used with the jump target NFLOG.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	591 A prefix string to include in the log message, up to 64 characters long,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	592 useful for distinguishing messages in the logs.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	593
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	594 ##### `nflog_range`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	595
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	596 Used with the jump target NFLOG.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	597 The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	598 nfnetlink_log instances may specify their own range, this option overrides it.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	599
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	600 ##### `nflog_threshold`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	601
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	602 Used with the jump target NFLOG.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	603 Number of packets to queue inside the kernel before sending them to userspace
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	604 (only applicable for nfnetlink_log). Higher values result in less overhead
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	605 per packet, but increase delay until the packets reach userspace. Defaults to 1.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	606
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	607 ##### `icmp`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	608
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	609 When matching ICMP packets, this is the type of ICMP packet to match.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	610
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	611 A value of "any" is not supported. To achieve this behaviour the
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	612 parameter should simply be omitted or undefined.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	613 An array of values is also not supported. To match against multiple ICMP
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	614 types, please use separate rules for each ICMP type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	615
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	616 ##### `state`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	617
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	618 Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	619
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	620 Matches a packet based on its state in the firewall stateful inspection
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	621 table. Values can be:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	622
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	623 * INVALID
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	624 * ESTABLISHED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	625 * NEW
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	626 * RELATED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	627 * UNTRACKED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	628
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	629 ##### `ctstate`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	630
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	631 Valid values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	632
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	633 Matches a packet based on its state in the firewall stateful inspection
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	634 table, using the conntrack module. Values can be:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	635
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	636 * INVALID
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	637 * ESTABLISHED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	638 * NEW
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	639 * RELATED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	640 * UNTRACKED
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	641
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	642 ##### `connmark`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	643
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	644 Match the Netfilter mark value associated with the packet. Accepts either of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	645 mark/mask or mark. These will be converted to hex if they are not already.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	646
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	647 ##### `connlimit_above`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	648
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	649 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	650
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	651 Connection limiting value for matched connections above n.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	652
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	653 ##### `connlimit_mask`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	654
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	655 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	656
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	657 Connection limiting by subnet mask for matched connections.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	658 IPv4: 0-32
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	659 IPv6: 0-128
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	660
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	661 ##### `hop_limit`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	662
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	663 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	664
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	665 Hop limiting value for matched packets.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	666
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	667 ##### `limit`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	668
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	669 Rate limiting value for matched packets. The format is:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	670 rate/[/second/\|/minute\|/hour\|/day].
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	671
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	672 Example values are: '50/sec', '40/min', '30/hour', '10/day'."
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	673
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	674 ##### `burst`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	675
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	676 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	677
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	678 Rate limiting burst value (per second) before limit checks apply.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	679
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	680 ##### `uid`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	681
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	682 UID or Username owner matching rule. Accepts a string argument
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	683 only, as iptables does not accept multiple uid in a single
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	684 statement.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	685
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	686 ##### `gid`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	687
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	688 GID or Group owner matching rule. Accepts a string argument
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	689 only, as iptables does not accept multiple gid in a single
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	690 statement.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	691
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	692 ##### `match_mark`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	693
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	694 Match the Netfilter mark value associated with the packet. Accepts either of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	695 mark/mask or mark. These will be converted to hex if they are not already.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	696
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	697 ##### `set_mark`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	698
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	699 Set the Netfilter mark value associated with the packet. Accepts either of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	700 mark/mask or mark. These will be converted to hex if they are not already.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	701
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	702 ##### `clamp_mss_to_pmtu`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	703
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	704 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	705
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	706 Sets the clamp mss to pmtu flag.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	707
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	708 ##### `set_dscp`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	709
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	710 Set DSCP Markings.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	711
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	712 ##### `set_dscp_class`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	713
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	714 This sets the DSCP field according to a predefined DiffServ class.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	715
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	716 ##### `set_mss`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	717
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	718 Sets the TCP MSS value for packets.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	719
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	720 ##### `pkttype`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	721
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	722 Valid values: unicast, broadcast, multicast
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	723
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	724 Sets the packet type to match.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	725
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	726 ##### `isfragment`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	727
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	728 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	729
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	730 Set to true to match tcp fragments (requires type to be set to tcp)
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	731
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	732 ##### `recent`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	733
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	734 Valid values: set, update, rcheck, remove
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	735
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	736 Enable the recent module. Takes as an argument one of set, update,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	737 rcheck or remove. For example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	738
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	739 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	740 # If anyone's appeared on the 'badguy' blacklist within
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	741 # the last 60 seconds, drop their traffic, and update the timestamp.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	742 firewall { '100 Drop badguy traffic':
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	743 recent => 'update',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	744 rseconds => 60,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	745 rsource => true,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	746 rname => 'badguy',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	747 action => 'DROP',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	748 chain => 'FORWARD',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	749 }
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	750 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	751
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	752
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	753 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	754 # No-one should be sending us traffic on eth0 from the
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	755 # localhost, Blacklist them
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	756 firewall { '101 blacklist strange traffic':
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	757 recent => 'set',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	758 rsource => true,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	759 rname => 'badguy',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	760 destination => '127.0.0.0/8',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	761 iniface => 'eth0',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	762 action => 'DROP',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	763 chain => 'FORWARD',
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	764 }
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	765 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	766
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	767 ##### `rdest`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	768
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	769 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	770
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	771 Recent module; add the destination IP address to the list.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	772 Must be boolean true.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	773
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	774 ##### `rsource`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	775
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	776 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	777
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	778 Recent module; add the source IP address to the list.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	779 Must be boolean true.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	780
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	781 ##### `rname`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	782
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	783 Recent module; The name of the list. Takes a string argument.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	784
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	785 ##### `rseconds`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	786
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	787 Recent module; used in conjunction with one of `recent => 'rcheck'` or
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	788 `recent => 'update'`. When used, this will narrow the match to only
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	789 happen when the address is in the list and was seen within the last given
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	790 number of seconds.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	791
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	792 ##### `reap`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	793
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	794 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	795
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	796 Recent module; can only be used in conjunction with the `rseconds`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	797 attribute. When used, this will cause entries older than 'seconds' to be
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	798 purged. Must be boolean true.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	799
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	800 ##### `rhitcount`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	801
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	802 Recent module; used in conjunction with `recent => 'update'` or `recent
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	803 => 'rcheck'. When used, this will narrow the match to only happen when
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	804 the address is in the list and packets had been received greater than or
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	805 equal to the given value.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	806
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	807 ##### `rttl`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	808
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	809 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	810
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	811 Recent module; may only be used in conjunction with one of `recent =>
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	812 'rcheck'` or `recent => 'update'`. When used, this will narrow the match
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	813 to only happen when the address is in the list and the TTL of the current
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	814 packet matches that of the packet which hit the `recent => 'set'` rule.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	815 This may be useful if you have problems with people faking their source
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	816 address in order to DoS you via this module by disallowing others access
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	817 to your site by sending bogus packets to you. Must be boolean true.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	818
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	819 ##### `socket`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	820
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	821 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	822
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	823 If true, matches if an open socket can be found by doing a coket lookup
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	824 on the packet.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	825
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	826 ##### `ishasmorefrags`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	827
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	828 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	829
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	830 If true, matches if the packet has it's 'more fragments' bit set. ipv6.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	831
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	832 ##### `islastfrag`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	833
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	834 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	835
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	836 If true, matches if the packet is the last fragment. ipv6.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	837
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	838 ##### `isfirstfrag`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	839
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	840 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	841
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	842 If true, matches if the packet is the first fragment.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	843 Sadly cannot be negated. ipv6.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	844
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	845 ##### `ipsec_policy`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	846
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	847 Valid values: none, ipsec
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	848
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	849 Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	850
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	851 ##### `ipsec_dir`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	852
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	853 Valid values: in, out
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	854
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	855 Sets the ipsec policy direction
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	856
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	857 ##### `stat_mode`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	858
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	859 Valid values: nth, random
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	860
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	861 Set the matching mode for statistic matching.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	862
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	863 ##### `stat_every`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	864
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	865 Match one packet every nth packet. Requires `stat_mode => 'nth'`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	866
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	867 ##### `stat_packet`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	868
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	869 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	870
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	871 Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	872
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	873 ##### `stat_probability`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	874
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	875 Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	876
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	877 ##### `mask`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	878
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	879 Sets the mask to use when `recent` is enabled.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	880
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	881 ##### `gateway`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	882
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	883 The TEE target will clone a packet and redirect this clone to another
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	884 machine on the local network segment. gateway is the target host's IP.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	885
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	886 ##### `ipset`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	887
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	888 Matches against the specified ipset list.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	889 Requires ipset kernel module. Will accept a single element or an array.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	890 The value is the name of the blacklist, followed by a space, and then
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	891 'src' and/or 'dst' separated by a comma.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	892 For example: 'blacklist src,dst'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	893
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	894 ##### `checksum_fill`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	895
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	896 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	897
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	898 Compute and fill missing packet checksums.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	899
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	900 ##### `mac_source`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	901
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	902 Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	903
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	904 MAC Source
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	905
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	906 ##### `physdev_in`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	907
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	908 Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	909
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	910 Match if the packet is entering a bridge from the given interface.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	911
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	912 ##### `physdev_out`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	913
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	914 Valid values: %r{^[a-zA-Z0-9\-\._\+]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	915
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	916 Match if the packet is leaving a bridge via the given interface.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	917
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	918 ##### `physdev_is_bridged`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	919
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	920 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	921
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	922 Match if the packet is transversing a bridge.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	923
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	924 ##### `physdev_is_in`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	925
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	926 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	927
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	928 Matches if the packet has entered through a bridge interface.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	929
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	930 ##### `physdev_is_out`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	931
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	932 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	933
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	934 Matches if the packet will leave through a bridge interface.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	935
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	936 ##### `date_start`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	937
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	938 Only match during the given time, which must be in ISO 8601 "T" notation.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	939 The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	940
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	941 ##### `date_stop`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	942
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	943 Only match during the given time, which must be in ISO 8601 "T" notation.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	944 The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	945
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	946 ##### `time_start`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	947
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	948 Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	949 Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	950
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	951 ##### `time_stop`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	952
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	953 Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	954 Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	955
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	956 ##### `month_days`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	957
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	958 Only match on the given days of the month. Possible values are 1 to 31.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	959 Note that specifying 31 will of course not match on months which do not have a 31st day;
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	960 the same goes for 28- or 29-day February.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	961
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	962 ##### `week_days`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	963
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	964 Valid values: Mon, Tue, Wed, Thu, Fri, Sat, Sun
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	965
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	966 Only match on the given weekdays.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	967
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	968 ##### `time_contiguous`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	969
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	970 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	971
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	972 When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	973
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	974 ##### `kernel_timezone`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	975
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	976 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	977
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	978 Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	979
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	980 ##### `clusterip_new`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	981
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	982 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	983
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	984 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	985 Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	986
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	987 ##### `clusterip_hashmode`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	988
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	989 Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	990
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	991 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	992 Specify the hashing mode.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	993
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	994 ##### `clusterip_clustermac`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	995
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	996 Valid values: %r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	997
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	998 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	999 Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1000
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1001 ##### `clusterip_total_nodes`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1002
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1003 Valid values: %r{\d+}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1004
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1005 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1006 Number of total nodes within this cluster.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1007
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1008 ##### `clusterip_local_node`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1009
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1010 Valid values: %r{\d+}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1011
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1012 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1013 Specify the random seed used for hash initialization.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1014
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1015 ##### `clusterip_hash_init`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1016
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1017 Used with the CLUSTERIP jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1018 Specify the random seed used for hash initialization.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1019
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1020 ##### `length`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1021
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1022 Sets the length of layer-3 payload to match.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1023
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1024 ##### `string`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1025
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1026 String matching feature. Matches the packet against the pattern
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1027 given as an argument.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1028
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1029 ##### `string_algo`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1030
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1031 Valid values: bm, kmp
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1032
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1033 String matching feature, pattern matching strategy.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1034
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1035 ##### `string_from`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1036
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1037 String matching feature, offset from which we start looking for any matching.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1038
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1039 ##### `string_to`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1040
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1041 String matching feature, offset up to which we should scan.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1042
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1043 ##### `queue_num`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1044
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1045 Used with NFQUEUE jump target.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1046 What queue number to send packets to
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1047
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1048 ##### `queue_bypass`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1049
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1050 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1051
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1052 Used with NFQUEUE jump target
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1053 Allow packets to bypass :queue_num if userspace process is not listening
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1054
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1055 ##### `src_cc`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1056
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1057 Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1058
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1059 src attribute for the module geoip
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1060
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1061 ##### `dst_cc`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1062
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1063 Valid values: %r{^[A-Z]{2}(,[A-Z]{2})*$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1064
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1065 dst attribute for the module geoip
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1066
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1067 ##### `hashlimit_name`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1068
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1069 The name for the /proc/net/ipt_hashlimit/foo entry.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1070 This parameter is required.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1071
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1072 ##### `hashlimit_upto`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1073
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1074 Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1075 This parameter or hashlimit_above is required.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1076 Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1077
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1078 ##### `hashlimit_above`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1079
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1080 Match if the rate is above amount/quantum.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1081 This parameter or hashlimit_upto is required.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1082 Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1083
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1084 ##### `hashlimit_burst`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1085
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1086 Valid values: %r{^\d+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1087
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1088 Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1089
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1090 ##### `hashlimit_mode`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1091
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1092 A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1093 Allowed values are: srcip, srcport, dstip, dstport
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1094
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1095 ##### `hashlimit_srcmask`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1096
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1097 When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1098
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1099 ##### `hashlimit_dstmask`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1100
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1101 Like --hashlimit-srcmask, but for destination addresses.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1102
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1103 ##### `hashlimit_htable_size`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1104
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1105 The number of buckets of the hash table
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1106
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1107 ##### `hashlimit_htable_max`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1108
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1109 Maximum entries in the hash.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1110
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1111 ##### `hashlimit_htable_expire`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1112
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1113 After how many milliseconds do hash entries expire.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1114
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1115 ##### `hashlimit_htable_gcinterval`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1116
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1117 How many milliseconds between garbage collection intervals.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1118
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1119 ##### `bytecode`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1120
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1121 Match using Linux Socket Filter. Expects a BPF program in decimal format.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1122 This is the format generated by the nfbpf_compile utility.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1123
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1124 ##### `ipvs`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1125
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1126 Valid values: `true`, `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1127
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1128 Indicates that the current packet belongs to an IPVS connection.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1129
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1130 ##### `zone`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1131
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1132 Assign this packet to zone id and only have lookups done in that zone.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1133
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1134 #### Parameters
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1135
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1136 The following parameters are available in the `firewall` type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1137
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1138 ##### `name`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1139
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1140 Valid values: %r{^\d+[[:graph:][:space:]]+$}
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1141
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1142 namevar
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1143
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1144 The canonical name of the rule. This name is also used for ordering
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1145 so make sure you prefix the rule with a number:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1146
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1147 000 this runs first
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1148 999 this runs last
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1149
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1150 Depending on the provider, the name of the rule can be stored using
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1151 the comment feature of the underlying firewall subsystem.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1152
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1153 ##### `line`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1154
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1155 Read-only property for caching the rule line.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1156
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1157 ### firewallchain
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1158
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1159 Currently this supports only iptables, ip6tables and ebtables on Linux. And
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1160 provides support for setting the default policy on chains and tables that
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1161 allow it.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1162
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1163 Autorequires:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1164 If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1165 and the provider is iptables_chain, the firewall resource will autorequire
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1166 those packages to ensure that any required binaries are installed.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1167
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1168 #### Providers
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1169 * iptables_chain is the only provider that supports firewallchain.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1170
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1171 #### Features
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1172 * iptables_chain: The provider provides iptables chain features.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1173 * policy: Default policy (inbuilt chains only).
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1174
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1175 #### Properties
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1176
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1177 The following properties are available in the `firewallchain` type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1178
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1179 ##### `ensure`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1180
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1181 Valid values: present, absent
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1182
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1183 The basic property that the resource should be in.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1184
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1185 Default value: present
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1186
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1187 ##### `policy`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1188
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1189 Valid values: accept, drop, queue, return
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1190
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1191 This is the action to when the end of the chain is reached.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1192 It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1193 PREROUTING, POSTROUTING) and can be one of:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1194
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1195 * accept - the packet is accepted
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1196 * drop - the packet is dropped
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1197 * queue - the packet is passed userspace
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1198 * return - the packet is returned to calling (jump) queue
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1199 or the default of inbuilt chains
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1200
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1201 #### Parameters
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1202
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1203 The following parameters are available in the `firewallchain` type.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1204
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1205 ##### `name`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1206
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1207 namevar
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1208
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1209 The canonical name of the chain.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1210
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1211 For iptables the format must be {chain}:{table}:{protocol}.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1212
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1213 ##### `purge`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1214
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1215 Valid values: `false`, `true`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1216
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1217 Purge unmanaged firewall rules in this chain
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1218
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1219 Default value: `false`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1220
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1221 ##### `ignore`
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1222
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1223 Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1224 This is matched against the output of `iptables-save`.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1225
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1226 This can be a single regex, or an array of them.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1227 To support flags, use the ruby inline flag mechanism.
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1228 Meaning a regex such as
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1229 /foo/i
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1230 can be written as
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1231 '(?i)foo' or '(?i:foo)'
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1232
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1233 Full example:
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1234 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1235 firewallchain { 'INPUT:filter:IPv4':
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1236 purge => true,
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1237 ignore => [
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1238 '-j fail2ban-ssh', # ignore the fail2ban jump rule
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1239 '--comment "[^"](?i:ignore)[^"]"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1240 ],
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1241 }
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1242 ```
d9352a684e62 Mass update of modules to remove deprecation warnings IBBoard <dev@ibboard.co.uk> parents: diff changeset	1243

Mercurial > repos > other > Puppet

annotate modules/firewall/REFERENCE.md @ 320:99e3ca448d55