Révision ad3dbd7d
Rewrite mdns rules to limit to multicast and allow IPv6
This limits the mdns listener to only listen on multicast addresses with
port 5353. One rule for IPv4 and one for IPv6, each controllable with a
parameter.
The generic 5353 to 5353 rule is dropped since it's redundant when I
read [RFC6762].
[RFC6762]: https://www.rfc-editor.org/rfc/rfc6762
| manifests/rules/mdns.pp | ||
|---|---|---|
| 1 | 1 |
# |
| 2 | 2 |
# @summary allow incoming multicast DNS |
| 3 | 3 |
# |
| 4 |
class nftables::rules::mdns {
|
|
| 5 |
nftables::rule { 'default_in-mdns1':
|
|
| 6 |
content => 'ip daddr 224.0.0.251 accept', |
|
| 4 |
# @param ipv4 |
|
| 5 |
# Allow mdns over IPv4 |
|
| 6 |
# @param ipv6 |
|
| 7 |
# Allow mdns over IPv6 |
|
| 8 |
class nftables::rules::mdns ( |
|
| 9 |
Boolean $ipv4 = true, |
|
| 10 |
Boolean $ipv6 = true, |
|
| 11 |
) {
|
|
| 12 |
if $ipv4 {
|
|
| 13 |
nftables::rule { 'default_in-mdns_v4':
|
|
| 14 |
content => 'ip daddr 224.0.0.251 udp dport 5353 accept', |
|
| 15 |
} |
|
| 7 | 16 |
} |
| 8 |
nftables::rule { 'default_in-mdns2':
|
|
| 9 |
content => 'udp sport 5353 udp dport 5353 accept', |
|
| 17 |
if $ipv6 {
|
|
| 18 |
nftables::rule { 'default_in-mdns_v6':
|
|
| 19 |
content => 'ip6 daddr ff02::fb udp dport 5353 accept', |
|
| 20 |
} |
|
| 10 | 21 |
} |
| 11 | 22 |
} |
Formats disponibles : Unified diff