Add rule for filtering outgoing DNS server traffic

voxpupuli · Dec 2, 2023 · 899de90 · 899de90
1 parent c23d8bf
commit 899de90
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -45,6 +45,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
 * [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
 * [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
+* [`nftables::rules::out::dnsserver`](#nftables--rules--out--dnsserver): manage outgoing DNS responses from a DNS server
 * [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
 * [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
 * [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
@@ -919,6 +920,24 @@ specify dns_server name
 
 Default value: `undef`
 
+### <a name="nftables--rules--out--dnsserver"></a>`nftables::rules::out::dnsserver`
+
+manage outgoing DNS responses from a DNS server
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::dnsserver` class:
+
+* [`dns_servers`](#-nftables--rules--out--dnsserver--dns_servers)
+
+##### <a name="-nftables--rules--out--dnsserver--dns_servers"></a>`dns_servers`
+
+Data type: `Array[Stdlib::IP::Address]`
+
+optional list of local ip addresses from the DNS server
+
+Default value: `[]`
+
 ### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
 
 allow outgoing hkp connections to gpg keyservers

diff --git a/manifests/rules/out/dnsserver.pp b/manifests/rules/out/dnsserver.pp
@@ -0,0 +1,45 @@
+#
+# @summary manage outgoing DNS responses from a DNS server
+#
+# @param dns_servers optional list of local ip addresses from the DNS server
+#
+class nftables::rules::out::dnsserver (
+  Array[Stdlib::IP::Address] $dns_servers = [],
+) {
+  unless empty($dns_servers) {
+    $dns_servers.each |$index,$dns| {
+      nftables::rule {
+        "default_out-dnsserverudp-${index}":
+      }
+      if $dns =~ /:/ {
+        Nftables::Rule["default_out-dnsudp-${index}"] {
+          content => "ip6 daddr ${dns} udp sport 53 accept",
+        }
+      } else {
+        Nftables::Rule["default_out-dnsudp-${index}"] {
+          content => "ip daddr ${dns} udp sport 53 accept",
+        }
+      }
+
+      nftables::rule {
+        "default_out-dnsservertcp-${index}":
+      }
+      if $dns =~ /:/ {
+        Nftables::Rule["default_out-dnstcp-${index}"] {
+          content => "ip6 daddr ${dns} tcp sport 53 accept",
+        }
+      } else {
+        Nftables::Rule["default_out-dnstcp-${index}"] {
+          content => "ip daddr ${dns} tcp sport 53 accept",
+        }
+      }
+    }
+  } else {
+    nftables::rule {
+      'default_out-dnsudp':
+        content => 'udp sport 53 accept';
+      'default_out-dnstcp':
+        content => 'tcp sport 53 accept';
+    }
+  }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
@@ -48,6 +48,7 @@ class { 'nftables':
       include nftables::rules::out::postgres
       include nftables::rules::out::icmp
       include nftables::rules::out::dns
+      include nftables::rules::out::dnsserver
       include nftables::rules::out::nfs3
       include nftables::rules::out::ssh
       include nftables::rules::out::kerberos