Revision 50a5be8b

ID 50a5be8b049446b849e36eff8ff93b5da815d566
Parent 91c5635b
Child a5d1955b

Added by Tim Meusel over a year ago

Add rule for incoming SSDP

View differences:

REFERENCE.md
69 69
* [`nftables::rules::out::pxp_agent`](#nftables--rules--out--pxp_agent): manage outgoing pxp-agent
70 70
* [`nftables::rules::out::smtp`](#nftables--rules--out--smtp): allow outgoing smtp
71 71
* [`nftables::rules::out::smtp_client`](#nftables--rules--out--smtp_client): allow outgoing smtp client
72
* [`nftables::rules::out::ssdp`](#nftables--rules--out--ssdp): allow outgoing SSDP
72 73
* [`nftables::rules::out::ssh`](#nftables--rules--out--ssh): manage out ssh
73 74
* [`nftables::rules::out::ssh::remove`](#nftables--rules--out--ssh--remove): disable outgoing ssh
74 75
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
......
82 83
* [`nftables::rules::smtp_submission`](#nftables--rules--smtp_submission): manage in smtp submission
83 84
* [`nftables::rules::smtps`](#nftables--rules--smtps): manage in smtps
84 85
* [`nftables::rules::spotify`](#nftables--rules--spotify): allow incoming spotify
86
* [`nftables::rules::ssdp`](#nftables--rules--ssdp): allow incoming SSDP
85 87
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
86 88
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
87 89
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
......
1085 1087

  
1086 1088
allow outgoing smtp client
1087 1089

  
1090
### <a name="nftables--rules--out--ssdp"></a>`nftables::rules::out::ssdp`
1091

  
1092
allow outgoing SSDP
1093

  
1094
* **See also**
1095
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1096

  
1097
#### Parameters
1098

  
1099
The following parameters are available in the `nftables::rules::out::ssdp` class:
1100

  
1101
* [`ipv4`](#-nftables--rules--out--ssdp--ipv4)
1102
* [`ipv6`](#-nftables--rules--out--ssdp--ipv6)
1103

  
1104
##### <a name="-nftables--rules--out--ssdp--ipv4"></a>`ipv4`
1105

  
1106
Data type: `Boolean`
1107

  
1108
Allow SSDP over IPv4
1109

  
1110
Default value: `true`
1111

  
1112
##### <a name="-nftables--rules--out--ssdp--ipv6"></a>`ipv6`
1113

  
1114
Data type: `Boolean`
1115

  
1116
Allow SSDP over IPv6
1117

  
1118
Default value: `true`
1119

  
1088 1120
### <a name="nftables--rules--out--ssh"></a>`nftables::rules::out::ssh`
1089 1121

  
1090 1122
manage out ssh
......
1277 1309

  
1278 1310
allow incoming spotify
1279 1311

  
1312
### <a name="nftables--rules--ssdp"></a>`nftables::rules::ssdp`
1313

  
1314
allow incoming SSDP
1315

  
1316
* **See also**
1317
  * https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
1318

  
1319
#### Parameters
1320

  
1321
The following parameters are available in the `nftables::rules::ssdp` class:
1322

  
1323
* [`ipv4`](#-nftables--rules--ssdp--ipv4)
1324
* [`ipv6`](#-nftables--rules--ssdp--ipv6)
1325

  
1326
##### <a name="-nftables--rules--ssdp--ipv4"></a>`ipv4`
1327

  
1328
Data type: `Boolean`
1329

  
1330
Allow SSDP over IPv4
1331

  
1332
Default value: `true`
1333

  
1334
##### <a name="-nftables--rules--ssdp--ipv6"></a>`ipv6`
1335

  
1336
Data type: `Boolean`
1337

  
1338
Allow SSDP over IPv6
1339

  
1340
Default value: `true`
1341

  
1280 1342
### <a name="nftables--rules--ssh"></a>`nftables::rules::ssh`
1281 1343

  
1282 1344
manage in ssh
manifests/rules/out/ssdp.pp
1
#
2
# @summary allow outgoing SSDP
3
#
4
# @param ipv4 Allow SSDP over IPv4
5
# @param ipv6 Allow SSDP over IPv6
6
#
7
# @see https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
8
#
9
class nftables::rules::out::ssdp (
10
  Boolean $ipv4 = true,
11
  Boolean $ipv6 = true,
12
) {
13
  if $ipv4 {
14
    nftables::rule { 'default_out-ssdp_v4':
15
      content => 'ip daddr 239.255.255.250 udp dport 1900 accept comment "allow outgoing SSDP"',
16
    }
17
  }
18
  if $ipv6 {
19
    nftables::rule { 'default_out-ssdp_v6':
20
      content => 'ip6 daddr {ff02::c, ff05::c} udp dport 1900 accept comment "allow outgoing SSDP"',
21
    }
22
  }
23
}
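Review bot: The rules on lines 15 and 20 match only the multicast destinations (239.255.255.250, ff02::c, ff05::c), so unicast M-SEARCH responses sent by a service on this host, which go to the searcher's own address and source port, are not matched by this class. Say in the @summary that it covers multicast M-SEARCH and NOTIFY traffic only, or document which additional rule a responder is expected to add.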
manifests/rules/ssdp.pp
1
#
2
# @summary allow incoming SSDP
3
#
4
# @param ipv4 Allow SSDP over IPv4
5
# @param ipv6 Allow SSDP over IPv6
6
#
7
# @see https://datatracker.ietf.org/doc/html/draft-cai-ssdp-v1-03
8
#
9
class nftables::rules::ssdp (
10
  Boolean $ipv4 = true,
11
  Boolean $ipv6 = true,
12
) {
13
  if $ipv4 {
14
    nftables::rule { 'default_in-ssdp_v4':
15
      content => 'ip daddr 239.255.255.250 udp dport 1900 accept comment "accept SSDP"',
16
    }
17
  }
18
  if $ipv6 {
19
    nftables::rule { 'default_in-ssdp_v6':
20
      content => 'ip6 daddr {ff02::c, ff05::c} udp dport 1900 accept comment "accept SSDP"',
21
    }
22
  }
23
}
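Review bot: The accept statements on lines 15 and 20 carry no source or input-interface restriction, and the IPv6 set includes the site-local group ff05::c, so udp/1900 multicast is accepted from any sender that can reach the host. Consider optional parameters for a source prefix or interface, or state in the @summary that the class is meant for trusted segments. Because only multicast destinations are matched, unicast replies to this host's own M-SEARCH requests are also not covered here, which deserves a sentence in the parameter docs.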
spec/acceptance/all_rules_spec.rb
87 87
      include nftables::rules::multicast
88 88
      include nftables::rules::spotify
89 89
      include nftables::rules::llmnr
90
      include nftables::rules::ssdp
90 91
      include nftables::rules::mdns
91 92
      include nftables::rules::igmp
92 93
      include nftables::rules::out::igmp
93 94
      include nftables::rules::out::mldv2
94 95
      include nftables::rules::out::mdns
96
      include nftables::rules::out::ssdp
95 97
      include nftables::services::dhcpv6_client
96 98
      include nftables::services::openafs_client
97 99
      nftables::set{'my_test_set':
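Review bot: The two added includes (nftables::rules::ssdp and nftables::rules::out::ssdp) exercise only the defaults, with ipv4 and ipv6 both true; nothing in this change covers the ipv4 => false or ipv6 => false branches. A class spec asserting that the matching nftables::rule resource (for example 'default_in-ssdp_v6') is absent when its flag is false would cover both paths of each manifest.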
