From 1b1b1a35a19c67d3a9d3a189931bf6f14565b6aa Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sun, 31 Dec 2023 01:30:00 +0100
Subject: [PATCH] rules::ospf3: Allow filtering on incoming interfaces

---
REFERENCE.md | 14 ++++++++++++++
manifests/rules/ospf3.pp | 21 ++++++++++++++++-----
spec/classes/rules/ospf3_spec.rb | 30 ++++++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 5 deletions(-)
create mode 100644 spec/classes/rules/ospf3_spec.rb

diff --git a/REFERENCE.md b/REFERENCE.md
index d36f1662..5e484a23 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -852,6 +852,20 @@ manage in ospf

 manage in ospf3

+#### Parameters
+
+The following parameters are available in the `nftables::rules::ospf3` class:
+
+* [`iifname`](#-nftables--rules--ospf3--iifname)
+
+##### `iifname`
+
+Data type: `Array[String[1]]`
+
+optional list of incoming interfaces to allow traffic
+
+Default value: `[]`
+
 ### `nftables::rules::out::active_directory`

 manage outgoing active diectory
diff --git a/manifests/rules/ospf3.pp b/manifests/rules/ospf3.pp
index c4abd9da..bc87a2b2 100644
--- a/manifests/rules/ospf3.pp
+++ b/manifests/rules/ospf3.pp
@@ -1,7 +1,18 @@
-# manage in ospf3
-class nftables::rules::ospf3 {
- nftables::rule {
- 'default_in-ospf3':
- content => 'ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept',
+#
+# @summary manage in ospf3
+#
+# @param iifname optional list of incoming interfaces to allow traffic
+#
+class nftables::rules::ospf3 (
+ Array[String[1]] $iifname = [],
+) {
+ if empty($iifname) {
+ $_iifname = ''
+ } else {
+ $iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
+ $_iifname = "iifname { ${iifdata} } "
+ }
+ nftables::rule { 'default_in-ospf3':
+ content => "${_iifname}ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept",
 }
 }
diff --git a/spec/classes/rules/ospf3_spec.rb b/spec/classes/rules/ospf3_spec.rb
new file mode 100644
index 00000000..a7a62f05
--- /dev/null
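Review bot: The `$iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')` line quotes each element and splices it verbatim into the nft rule text, so an element containing `"`, `}` or whitespace would be emitted into the ruleset and only fail later when nft parses it, whereas `Array[String[1]]` rejects nothing but the empty string. Tightening the parameter type to something like `Array[Pattern[/\A[^\s"{}\/]+\z/]]` (constructed example; kernel interface names are at most 15 characters and cannot contain whitespace or `/`) would make a malformed Hiera value fail at catalog compile time with a message naming the parameter. The intermediate `$iifdata` is also the only local that does not follow the `$_`-prefixed convention used by `$_iifname` on the adjacent lines; `$_iifdata` keeps the two consistent. Whether nft tolerates duplicate elements in the anonymous set is not something this hunk shows, so if duplicates are a concern `$iifname.unique.map ...` is a cheap guard.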
+++ b/spec/classes/rules/ospf3_spec.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::ospf3' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let :facts do
+ os_facts
+ end
+
+ context 'default options' do
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_nftables__rule('default_in-ospf3').with_content('ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept') }
+ end
+
+ context 'with input interfaces set' do
+ let :params do
+ {
+ iifname: %w[docker0 eth0],
+ }
+ end
+
+ it { is_expected.to compile }
+ str = 'iifname { "docker0", "eth0" } ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept'
+ it { is_expected.to contain_nftables__rule('default_in-ospf3').with_content(str) }
+ end
+ end
+ end
+end
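Review bot: The `with input interfaces set` context asserts only `it { is_expected.to compile }` while the default context uses `compile.with_all_deps`, so the interface-filtering path is never checked for unresolved dependencies; `it { is_expected.to compile.with_all_deps }` keeps both contexts on the same footing. The expected rule is held in a bare local `str` inside the context block rather than a fixture; `let(:content) { 'iifname { "docker0", "eth0" } ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept' }` next to `let :params` is the idiomatic rspec-puppet form and reads as test data rather than a stray assignment. There is also no negative case pinning the `Array[String[1]]` contract that the manifest introduces — a context with `iifname: ['']` and something like `it { is_expected.to compile.and_raise_error(/iifname/) }` would document that an empty interface name is rejected at catalog time.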