rules::llmnr: Allow interface filtering

voxpupuli · Dec 31, 2023 · 1ef7d5c · 1ef7d5c
1 parent 9685362
commit 1ef7d5c
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -752,6 +752,7 @@ The following parameters are available in the `nftables::rules::llmnr` class:
 
 * [`ipv4`](#-nftables--rules--llmnr--ipv4)
 * [`ipv6`](#-nftables--rules--llmnr--ipv6)
+* [`iifname`](#-nftables--rules--llmnr--iifname)
 
 ##### <a name="-nftables--rules--llmnr--ipv4"></a>`ipv4`
 
@@ -769,6 +770,14 @@ Allow LLMNR over IPv6
 
 Default value: `true`
 
+##### <a name="-nftables--rules--llmnr--iifname"></a>`iifname`
+
+Data type: `Array[String[1]]`
+
+optional list of incoming interfaces to filter on
+
+Default value: `[]`
+
 ### <a name="nftables--rules--mdns"></a>`nftables::rules::mdns`
 
 allow incoming multicast DNS

diff --git a/manifests/rules/llmnr.pp b/manifests/rules/llmnr.pp
@@ -3,21 +3,31 @@
 #
 # @param ipv4 Allow LLMNR over IPv4
 # @param ipv6 Allow LLMNR over IPv6
+# @param iifname optional list of incoming interfaces to filter on
+#
+# @author Tim Meusel <[email protected]>
 #
 # @see https://datatracker.ietf.org/doc/html/rfc4795
 #
 class nftables::rules::llmnr (
   Boolean $ipv4 = true,
   Boolean $ipv6 = true,
+  Array[String[1]] $iifname = [],
 ) {
+  if empty($iifname) {
+    $_iifname = ''
+  } else {
+    $iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
+    $_iifname = "iifname { ${iifdata} } "
+  }
   if $ipv4 {
     nftables::rule { 'default_in-llmnr_v4':
-      content => 'ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"',
+      content => "${_iifname}ip daddr 224.0.0.252 udp dport 5355 accept comment \"allow LLMNR\"",
     }
   }
   if $ipv6 {
     nftables::rule { 'default_in-llmnr_v6':
-      content => 'ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"',
+      content => "${_iifname}ip6 daddr ff02::1:3 udp dport 5355 accept comment \"allow LLMNR\"",
     }
   }
 }
diff --git a/spec/classes/rules/llmnr_spec.rb b/spec/classes/rules/llmnr_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::llmnr' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let :facts do
+        os_facts
+      end
+
+      context 'default options' do
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_nftables__rule('default_in-llmnr_v4').with_content('ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"') }
+        it { is_expected.to contain_nftables__rule('default_in-llmnr_v6').with_content('ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"') }
+      end
+
+      context 'with input interfaces set' do
+        let :params do
+          {
+            iifname: %w[docker0 eth0],
+          }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_in-llmnr_v4').with_content('iifname { "docker0", "eth0" } ip daddr 224.0.0.252 udp dport 5355 accept comment "allow LLMNR"') }
+        it { is_expected.to contain_nftables__rule('default_in-llmnr_v6').with_content('iifname { "docker0", "eth0" } ip6 daddr ff02::1:3 udp dport 5355 accept comment "allow LLMNR"') }
+      end
+    end
+  end
+end