puppet nftables

#### Parameters

The following parameters are available in the `nftables::rules::out::chrony` class:

* [`servers`](#servers)

##### <a name="servers"></a>`servers`

Data type: `Array[Stdlib::IP::Address]`

single IP-Address or array of IP-addresses from NTP servers

Default value: `[]`

# @summary manage out chrony

# @param servers single IP-Address or array of IP-addresses from NTP servers

class nftables::rules::out::chrony (

  Array[Stdlib::IP::Address] $servers = [],

) {

  if empty($servers) {

    nftables::rule {

      'default_out-chrony':

        content => 'udp dport 123 accept',

    }

  } else {

    $ipv6_servers = $servers.filter |$ip| { $ip =~ Stdlib::IP::Address::V6 }

    $ipv4_servers = $servers.filter |$ip| { $ip =~ Stdlib::IP::Address::V4 }

    unless empty($ipv6_servers) {

      nftables::rule { 'default_out-chrony_v6':

        content => "ip6 daddr {${join($ipv6_servers, ',')}} udp dport 123 accept",

      }

    }

    unless empty($ipv4_servers) {

      nftables::rule { 'default_out-chrony_v4':

        content => "ip daddr {${join($ipv4_servers, ',')}} udp dport 123 accept",

      }

    }

# frozen_string_literal: true

require 'spec_helper'

describe 'nftables::rules::out::chrony' do

  on_supported_os.each do |os, os_facts|

    context "on #{os}" do

      let(:facts) { os_facts }

      context 'default options' do

        it { is_expected.to compile.with_all_deps }

        it { is_expected.to contain_nftables__rule('default_out-chrony').with_content('udp dport 123 accept') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_header') }

      end

      context 'with two IPv4 addresses as array' do

        let(:params) do

          { servers: ['1.2.3.4', '5.6.7.8'] }

        end

        it { is_expected.to compile.with_all_deps }

        it { is_expected.to contain_nftables__rule('default_out-chrony_v4').with_content('ip daddr {1.2.3.4,5.6.7.8} udp dport 123 accept') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v4') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v4_header') }

      end

      context 'with ipv6 & ipv4 address as array' do

        let(:params) do

          { servers: ['fe80::1', '1.2.3.4'] }

        end

        it { is_expected.to compile.with_all_deps }

        it { is_expected.to contain_nftables__rule('default_out-chrony_v4').with_content('ip daddr {1.2.3.4} udp dport 123 accept') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v4') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v4_header') }

        it { is_expected.to contain_nftables__rule('default_out-chrony_v6').with_content('ip6 daddr {fe80::1} udp dport 123 accept') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v6') }

        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony_v6_header') }

      end

    end

  end

end