Révision 8cdd24a5
rules::icmp: Allow ICMP packets with extensions
REFERENCE.md | ||
24 | 24 |
* [`nftables::rules::http`](#nftables--rules--http): manage in http |
25 | 25 |
* [`nftables::rules::https`](#nftables--rules--https): manage in https |
26 | 26 |
* [`nftables::rules::icinga2`](#nftables--rules--icinga2): manage in icinga2 |
27 |
* [`nftables::rules::icmp`](#nftables--rules--icmp) |
|
27 |
* [`nftables::rules::icmp`](#nftables--rules--icmp): allows incoming ICMP
|
|
28 | 28 |
* [`nftables::rules::igmp`](#nftables--rules--igmp): allow incoming IGMP messages |
29 | 29 |
* [`nftables::rules::ldap`](#nftables--rules--ldap): manage in ldap |
30 | 30 |
* [`nftables::rules::llmnr`](#nftables--rules--llmnr): allow incoming Link-Local Multicast Name Resolution |
... | ... | |
683 | 683 |
|
684 | 684 |
### <a name="nftables--rules--icmp"></a>`nftables::rules::icmp` |
685 | 685 |
|
686 |
The nftables::rules::icmp class.
|
|
686 |
allows incoming ICMP
|
|
687 | 687 |
|
688 | 688 |
#### Parameters |
689 | 689 |
|
... | ... | |
697 | 697 |
|
698 | 698 |
Data type: `Optional[Array[String]]` |
699 | 699 |
|
700 |
|
|
700 |
ICMP v4 types that should be allowed |
|
701 | 701 |
|
702 | 702 |
Default value: `undef` |
703 | 703 |
|
... | ... | |
705 | 705 |
|
706 | 706 |
Data type: `Optional[Array[String]]` |
707 | 707 |
|
708 |
|
|
708 |
ICMP v6 types that should be allowed |
|
709 | 709 |
|
710 | 710 |
Default value: `undef` |
711 | 711 |
|
... | ... | |
713 | 713 |
|
714 | 714 |
Data type: `String` |
715 | 715 |
|
716 |
|
|
716 |
the ordering of the rules |
|
717 | 717 |
|
718 | 718 |
Default value: `'10'` |
719 | 719 |
|
manifests/rules/icmp.pp | ||
1 |
# |
|
2 |
# @summary allows incoming ICMP |
|
3 |
# |
|
4 |
# @param v4_types ICMP v4 types that should be allowed |
|
5 |
# @param v6_types ICMP v6 types that should be allowed |
|
6 |
# @param order the ordering of the rules |
|
7 |
# |
|
1 | 8 |
class nftables::rules::icmp ( |
2 |
# lint:ignore:parameter_documentation |
|
3 | 9 |
Optional[Array[String]] $v4_types = undef, |
4 | 10 |
Optional[Array[String]] $v6_types = undef, |
5 | 11 |
String $order = '10', |
6 |
# lint:endignore |
|
7 | 12 |
) { |
8 | 13 |
if $v4_types { |
9 | 14 |
$v4_types.each | String $icmp_type | { |
10 |
nftables::rule { |
|
11 |
"default_in-accept_icmpv4_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}": |
|
12 |
content => "ip protocol icmp icmp type ${icmp_type} accept", |
|
13 |
order => $order, |
|
15 |
nftables::rule { "default_in-accept_icmpv4_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}": |
|
16 |
content => "ip protocol icmp icmp type ${icmp_type} accept", |
|
17 |
order => $order, |
|
14 | 18 |
} |
15 | 19 |
} |
16 |
} else { |
|
17 |
nftables::rule { |
|
18 |
'default_in-accept_icmpv4': |
|
19 |
content => 'ip protocol icmp accept', |
|
20 |
order => $order, |
|
20 |
} elsif $v6_types { |
|
21 |
nftables::rule { 'default_in-accept_icmpv4': |
|
22 |
content => 'ip protocol icmp accept', |
|
23 |
order => $order, |
|
21 | 24 |
} |
22 | 25 |
} |
23 | 26 |
|
24 | 27 |
if $v6_types { |
25 | 28 |
$v6_types.each | String $icmp_type | { |
26 |
nftables::rule { |
|
27 |
"default_in-accept_icmpv6_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}": |
|
28 |
content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept", |
|
29 |
order => $order, |
|
29 |
nftables::rule { "default_in-accept_icmpv6_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}": |
|
30 |
content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept", |
|
31 |
order => $order, |
|
30 | 32 |
} |
31 | 33 |
} |
32 |
} else { |
|
33 |
nftables::rule { |
|
34 |
'default_in-accept_icmpv6': |
|
35 |
content => 'ip6 nexthdr ipv6-icmp accept', |
|
36 |
order => $order, |
|
34 |
} elsif $v4_types { |
|
35 |
nftables::rule { 'default_in-accept_icmpv6': |
|
36 |
content => 'meta l4proto icmpv6 accept', |
|
37 |
order => $order, |
|
38 |
} |
|
39 |
} |
|
40 |
if $v6_types == undef and $v4_types == undef { |
|
41 |
nftables::rule { 'default_in-accept_icmp': |
|
42 |
content => 'meta l4proto { icmp, icmpv6} accept', |
|
43 |
order => $order, |
|
37 | 44 |
} |
38 | 45 |
} |
39 | 46 |
} |
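Review bot: The per-type ICMPv6 rule at new line 30 still uses `ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept`, so when `$v6_types` is set, ICMPv6 that sits behind an IPv6 extension header is still not matched, while the family-wide fallbacks this commit introduces switch to `meta l4proto icmpv6`; unless the stricter next-header match is deliberate for explicit type lists, `content => "meta l4proto icmpv6 icmpv6 type ${icmp_type} accept"` keeps both paths consistent (as far as I can tell nft adds an implicit l4proto dependency for `icmpv6 type` anyway, so the prefix is only restrictive, never required). The parameter docs added at new lines 4–5 should say what leaving a list unset means, since an operator who restricts one family may not expect the other to stay fully open: `# @param v4_types ICMP v4 types that should be allowed; when unset, all ICMPv4 is accepted` and the same wording for `v6_types`. The final guard `if $v6_types == undef and $v4_types == undef` at new line 40 mixes an explicit undef comparison with the truthiness checks the two preceding branches use; `unless $v4_types or $v6_types` reads consistently and behaves the same for the declared `Optional[Array[String]]` types.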
spec/classes/rules/icmp_spec.rb | ||
8 | 8 |
let(:facts) { os_facts } |
9 | 9 |
|
10 | 10 |
context 'default options' do |
11 |
it { is_expected.to compile } |
|
12 |
|
|
13 |
it { |
|
14 |
expect(subject).to contain_nftables__rule('default_in-accept_icmpv4').with( |
|
15 |
content: 'ip protocol icmp accept', |
|
16 |
order: '10' |
|
17 |
) |
|
18 |
} |
|
11 |
it { is_expected.to compile.with_all_deps } |
|
19 | 12 |
|
20 |
it { |
|
21 |
expect(subject).to contain_nftables__rule('default_in-accept_icmpv6').with( |
|
22 |
content: 'ip6 nexthdr ipv6-icmp accept', |
|
23 |
order: '10' |
|
24 |
) |
|
25 |
} |
|
13 |
it { is_expected.to contain_nftables__rule('default_in-accept_icmp').with_content('meta l4proto { icmp, icmpv6} accept').with_order('10') } |
|
14 |
it { is_expected.not_to contain_nftables__rule('default_in-accept_icmpv4') } |
|
15 |
it { is_expected.not_to contain_nftables__rule('default_in-accept_icmpv6') } |
|
26 | 16 |
end |
27 | 17 |
|
28 | 18 |
context 'with custom ICMP types (v4 only)' do |
... | ... | |
50 | 40 |
|
51 | 41 |
it { |
52 | 42 |
expect(subject).to contain_nftables__rule('default_in-accept_icmpv6').with( |
53 |
content: 'ip6 nexthdr ipv6-icmp accept',
|
|
43 |
content: 'meta l4proto icmpv6 accept',
|
|
54 | 44 |
order: '10' |
55 | 45 |
) |
56 | 46 |
} |
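Review bot: The new default-options example at new line 13 packs the whole expectation into one very long line with chained `.with_content(...).with_order(...)`, whereas the neighbouring examples (new lines 41–46) spell the matcher out as `expect(subject).to contain_nftables__rule(...).with(content: ..., order: ...)` over several lines; using the same `.with(` form there keeps the file uniform and makes the expected rule content easier to diff when it changes next. The v4-only context now asserts the `meta l4proto icmpv6 accept` fallback, but nothing visible in this hunk checks the combination where both `v4_types` and `v6_types` are given, i.e. that neither `default_in-accept_icmp` nor the two family fallbacks are declared; spec lines 18–40 are outside the hunk, so that case may already be covered there. The enclosing `describe` block starts before this hunk and the v4-only context continues past its end.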