-# a plain, simple ferm rule
+# A simple ferm rule.
+#
+# This rule will send IPv4 and/or IPv6 traffic using either TCP and/or UDP
+# optionally going to a port, optionally from/to addresses/networks from
+# one table (INPUT by default) to some target (ACCEPT by default).
+#
+# Sample uses:
+#
+# ferm::rule::simple { '01-dsa-bind':
+# description => 'Allow nameserver access',
+# proto => ['udp', 'tcp'],
+# port => 'domain',
+# }
+#
+# or:
+#
+# ferm::rule::simple { 'dsa-smtp':
+# description => 'Allow smtp access from the world',
+# port => '25',
+# }
+#
+# or:
+#
+# @@ferm::rule::simple { "submission-from-${::fqdn}":
+# tag => 'smtp::server::submission::to::mail-relay',
+# chain => 'submission',
+# saddr => $base::public_addresses,
+# }
+# combined with:
+# ferm::rule::simple { 'submission-from-satellites':
+# target => 'submission',
+# port => 'submission',
+# }
+# Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>>
+#
#
# @param proto tcp or udp or both.
# @param port one or more ports or port ranges.
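Review bot: The exported-resource sample (`@@ferm::rule::simple` collected with `Ferm::Rule::Simple <<| tag == ... |>>`) should carry one sentence on trust. The collector realizes every rule exported under that tag, so the `saddr` values that end up allowed are whatever the exporting nodes put into PuppetDB. A line such as `# Note: collected rules are only as trustworthy as the nodes allowed to export them.` after the collector would make that explicit. The examples also use `description`, `chain`, `target` and `saddr`, while only `proto` and `port` have `@param` lines in view; the others may be documented below this hunk.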
domain (<%= @real_domain.join(' ') %>) {
table <%= @table %> {
<%-
+ # netfilter chain names are limited to 28 characters, so if name is too long, we'll have to do something about that
name = @name
+ if name.size > 20 then
+ require 'digest'
+ name = 'dgst-' + Digest::SHA256.hexdigest(name)[0,15]
+ end
tail = "jump #{@target}"
-%>
<%=
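Review bot: The comment added above `name = @name` cites a 28-character limit, but the check is `name.size > 20` and the replacement is exactly 20 characters (`dgst-` plus 15 hex digits). The comment should say what the other 8 characters are reserved for, presumably a prefix or suffix added where `name` is used further down, outside this hunk. Something like `# chain names max out at 28 chars; keep name <= 20 so the generated chain name still fits` would do, with the real reason filled in. Once a name is hashed, the chain in the loaded ruleset can no longer be matched to its Puppet resource by eye, so the original `@name` is worth emitting in a ferm comment next to the rule if the template does not already do so. The 60 bits kept from SHA-256 are enough to make accidental collisions between rule names unlikely.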