root / manifests / rules / out / icmp.pp @ d1864b10
Historique | Voir | Annoter | Télécharger (1,51 ko)
| 1 | 09cba182 | Steve Traylen | # @summary control outbound icmp packages |
|---|---|---|---|
| 2 | 5d554e75 | Tim Meusel | # |
| 3 | # @param v4_types ICMP v4 types that should be allowed |
||
| 4 | # @param v6_types ICMP v6 types that should be allowed |
||
| 5 | # @param order the ordering of the rules |
||
| 6 | # |
||
| 7 | 79e9a23f | Nacho Barrientos | class nftables::rules::out::icmp ( |
| 8 | Optional[Array[String]] $v4_types = undef, |
||
| 9 | Optional[Array[String]] $v6_types = undef, |
||
| 10 | 31b17627 | Steve Traylen | String $order = '10', |
| 11 | 79e9a23f | Nacho Barrientos | ) {
|
| 12 | if $v4_types {
|
||
| 13 | $v4_types.each | String $icmp_type | {
|
||
| 14 | f9de4dee | Tim Meusel | nftables::rule { 'default_out-accept_icmpv4':
|
| 15 | content => "ip protocol icmp icmp type ${icmp_type} accept",
|
||
| 16 | order => $order, |
||
| 17 | 79e9a23f | Nacho Barrientos | } |
| 18 | } |
||
| 19 | d1864b10 | Tim Meusel | } elsif $v6_types {
|
| 20 | f9de4dee | Tim Meusel | nftables::rule { 'default_out-accept_icmpv4':
|
| 21 | content => 'ip protocol icmp accept', |
||
| 22 | order => $order, |
||
| 23 | 11bf7237 | Steve Traylen | } |
| 24 | 79e9a23f | Nacho Barrientos | } |
| 25 | |||
| 26 | if $v6_types {
|
||
| 27 | $v6_types.each | String $icmp_type | {
|
||
| 28 | f9de4dee | Tim Meusel | nftables::rule { 'default_out-accept_icmpv6':
|
| 29 | content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",
|
||
| 30 | order => $order, |
||
| 31 | 79e9a23f | Nacho Barrientos | } |
| 32 | } |
||
| 33 | d1864b10 | Tim Meusel | } elsif $v4_types {
|
| 34 | # `ip6 nexthdr ipv6-icmp accept` doesn't match for IPv6 ICMP with extensions |
||
| 35 | # context: https://www.rfc-editor.org/rfc/rfc3810#section-5 |
||
| 36 | # https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers |
||
| 37 | f9de4dee | Tim Meusel | nftables::rule { 'default_out-accept_icmpv6':
|
| 38 | d1864b10 | Tim Meusel | content => 'meta l4proto icmpv6 accept', |
| 39 | order => $order, |
||
| 40 | } |
||
| 41 | } |
||
| 42 | |||
| 43 | if $v6_types == undef and $v4_types == undef {
|
||
| 44 | nftables::rule { 'default_out-accept_icmp':
|
||
| 45 | content => 'meta l4proto { icmp, icmpv6} accept',
|
||
| 46 | f9de4dee | Tim Meusel | order => $order, |
| 47 | 11bf7237 | Steve Traylen | } |
| 48 | 79e9a23f | Nacho Barrientos | } |
| 49 | } |