Révision 1ef7d5c4
rules::llmnr: Allow interface filtering
| REFERENCE.md | ||
|---|---|---|
| 752 | 752 |
|
| 753 | 753 |
* [`ipv4`](#-nftables--rules--llmnr--ipv4) |
| 754 | 754 |
* [`ipv6`](#-nftables--rules--llmnr--ipv6) |
| 755 |
* [`iifname`](#-nftables--rules--llmnr--iifname) |
|
| 755 | 756 |
|
| 756 | 757 |
##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4` |
| 757 | 758 |
|
| ... | ... | |
| 769 | 770 |
|
| 770 | 771 |
Default value: `true` |
| 771 | 772 |
|
| 773 |
##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname` |
|
| 774 |
|
|
| 775 |
Data type: `Array[String[1]]` |
|
| 776 |
|
|
| 777 |
optional list of incoming interfaces to filter on |
|
| 778 |
|
|
| 779 |
Default value: `[]` |
|
| 780 |
|
|
| 772 | 781 |
### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns` |
| 773 | 782 |
|
| 774 | 783 |
allow incoming multicast DNS |
| manifests/rules/llmnr.pp | ||
|---|---|---|
| 3 | 3 |
# |
| 4 | 4 |
# @param ipv4 Allow LLMNR over IPv4 |
| 5 | 5 |
# @param ipv6 Allow LLMNR over IPv6 |
| 6 |
# @param iifname optional list of incoming interfaces to filter on |
|
| 7 |
# |
|
| 8 |
# @author Tim Meusel <tim@bastelfreak.de> |
|
| 6 | 9 |
# |
| 7 | 10 |
# @see https://datatracker.ietf.org/doc/html/rfc4795 |
| 8 | 11 |
# |
| 9 | 12 |
class nftables::rules::llmnr ( |
| 10 | 13 |
Boolean $ipv4 = true, |
| 11 | 14 |
Boolean $ipv6 = true, |
| 15 |
Array[String[1]] $iifname = [], |
|
| 12 | 16 |
) {
|
| 17 |
if empty($iifname) {
|
|
| 18 |
$_iifname = '' |
|
| 19 |
} else {
|
|
| 20 |
$iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
|
|
| 21 |
$_iifname = "iifname { ${iifdata} } "
|
|
| 22 |
} |
|
| 13 | 23 |
if $ipv4 {
|
| 14 | 24 |
nftables::rule { 'default_in-llmnr_v4':
|
| 15 |
content => 'ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"',
|
|
| 25 |
content => "${_iifname}ip daddr 224.0.0.252 udp dport 5355 accept comment \"allow LLMNR\"",
|
|
| 16 | 26 |
} |
| 17 | 27 |
} |
| 18 | 28 |
if $ipv6 {
|
| 19 | 29 |
nftables::rule { 'default_in-llmnr_v6':
|
| 20 |
content => 'ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"',
|
|
| 30 |
content => "${_iifname}ip6 daddr ff02::1:3 udp dport 5355 accept comment \"allow LLMNR\"",
|
|
| 21 | 31 |
} |
| 22 | 32 |
} |
| 23 | 33 |
} |
| spec/classes/rules/llmnr_spec.rb | ||
|---|---|---|
| 1 |
# frozen_string_literal: true |
|
| 2 |
|
|
| 3 |
require 'spec_helper' |
|
| 4 |
|
|
| 5 |
describe 'nftables::rules::llmnr' do |
|
| 6 |
on_supported_os.each do |os, os_facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let :facts do |
|
| 9 |
os_facts |
|
| 10 |
end |
|
| 11 |
|
|
| 12 |
context 'default options' do |
|
| 13 |
it { is_expected.to compile.with_all_deps }
|
|
| 14 |
it { is_expected.to contain_nftables__rule('default_in-llmnr_v4').with_content('ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"') }
|
|
| 15 |
it { is_expected.to contain_nftables__rule('default_in-llmnr_v6').with_content('ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"') }
|
|
| 16 |
end |
|
| 17 |
|
|
| 18 |
context 'with input interfaces set' do |
|
| 19 |
let :params do |
|
| 20 |
{
|
|
| 21 |
iifname: %w[docker0 eth0], |
|
| 22 |
} |
|
| 23 |
end |
|
| 24 |
|
|
| 25 |
it { is_expected.to compile }
|
|
| 26 |
it { is_expected.to contain_nftables__rule('default_in-llmnr_v4').with_content('iifname { "docker0", "eth0" } ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"') }
|
|
| 27 |
it { is_expected.to contain_nftables__rule('default_in-llmnr_v6').with_content('iifname { "docker0", "eth0" } ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"') }
|
|
| 28 |
end |
|
| 29 |
end |
|
| 30 |
end |
|
| 31 |
end |
|
Formats disponibles : Unified diff