Revision ad3dbd7d

ID ad3dbd7d39f3215344267ef22a5803ba225bae33
Parent 4e9b7fa3
Child 330e6171

Added by Ewoud Kohl van Wijngaarden almost 2 years ago

Rewrite mdns rules to limit to multicast and allow IPv6

This limits the mdns listener to only listen on multicast addresses with
port 5353. One rule for IPv4 and one for IPv6, each controllable with a
parameter.

The generic 5353 to 5353 rule is dropped since it's redundant when I
read [RFC6762].

[RFC6762]: https://www.rfc-editor.org/rfc/rfc6762

View differences:

REFERENCE.md
657 657

  
658 658
allow incoming multicast DNS
659 659

  
660
#### Parameters
661

  
662
The following parameters are available in the `nftables::rules::mdns` class:
663

  
664
* [`ipv4`](#-nftables--rules--mdns--ipv4)
665
* [`ipv6`](#-nftables--rules--mdns--ipv6)
666

  
667
##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
668

  
669
Data type: `Boolean`
670

  
671
Allow mdns over IPv4
672

  
673
Default value: `true`
674

  
675
##### <a name="-nftables--rules--mdns--ipv6"></a>`ipv6`
676

  
677
Data type: `Boolean`
678

  
679
Allow mdns over IPv6
680

  
681
Default value: `true`
682

  
660 683
### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
661 684

  
662 685
allow incoming multicast traffic
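Review bot: the new parameter descriptions (`Allow mdns over IPv4`, `Allow mdns over IPv6`) say what the toggle switches but not what the rule permits, and the class summary still reads only `allow incoming multicast DNS`, so a reader of REFERENCE.md cannot tell that each rule now accepts solely UDP traffic to port 5353 addressed to the mDNS multicast group (224.0.0.251 or ff02::fb) and that the former generic port-5353-to-5353 rule is gone. Suggest stating the matched destination and port in each description, e.g. `Allow mDNS over IPv4 (UDP 5353 to 224.0.0.251)`, and spelling mDNS consistently across the class docs.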
manifests/rules/mdns.pp
1 1
#
2 2
# @summary allow incoming multicast DNS
3 3
#
4
class nftables::rules::mdns {
5
  nftables::rule { 'default_in-mdns1':
6
    content => 'ip daddr 224.0.0.251 accept',
4
# @param ipv4
5
#   Allow mdns over IPv4
6
# @param ipv6
7
#   Allow mdns over IPv6
8
class nftables::rules::mdns (
9
  Boolean $ipv4 = true,
10
  Boolean $ipv6 = true,
11
) {
12
  if $ipv4 {
13
    nftables::rule { 'default_in-mdns_v4':
14
      content => 'ip daddr 224.0.0.251 udp dport 5353 accept',
15
    }
7 16
  }
8
  nftables::rule { 'default_in-mdns2':
9
    content => 'udp sport 5353 udp dport 5353 accept',
17
  if $ipv6 {
18
    nftables::rule { 'default_in-mdns_v6':
19
      content => 'ip6 daddr ff02::fb udp dport 5353 accept',
20
    }
10 21
  }
11 22
}
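Review bot: removing `udp sport 5353 udp dport 5353 accept` drops more than a redundant rule, because the two replacement rules match only on the multicast destination (`ip daddr 224.0.0.251`, `ip6 daddr ff02::fb`). RFC 6762 §5.4 allows a querier to set the unicast-response (QU) bit, and the responder then sends its reply to the querier's unicast address, still from and to port 5353; such replies to this host's own queries matched the old rule but match nothing here and now fall through to the chain's default policy. If accepting only multicast-addressed mDNS inbound is the intent, please state that in the commit message and the `@param` descriptions so module users expect it; otherwise keep a unicast variant of the rule alongside the two multicast ones. A second point: the rule names change from `default_in-mdns1`/`default_in-mdns2` to `default_in-mdns_v4`/`default_in-mdns_v6`, so hosts that previously applied this class keep the old, broader rules unless the module purges rules it no longer manages; worth a line in the changelog.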