From c1dbaaa5623d2f7ea3d2fde387b69719ba9bba03 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 30 Dec 2023 13:28:27 +0100
Subject: [PATCH] rules::mdns: Allow interface filtering

---
 REFERENCE.md            |  9 +++++++++
 manifests/rules/mdns.pp | 13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index 85809da7..ca0ceb58 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -779,6 +779,7 @@ The following parameters are available in the `nftables::rules::mdns` class:
 
 * [`ipv4`](#-nftables--rules--mdns--ipv4)
 * [`ipv6`](#-nftables--rules--mdns--ipv6)
+* [`iifname`](#-nftables--rules--mdns--iifname)
 
 ##### `ipv4`
 
@@ -796,6 +797,14 @@ Allow mdns over IPv6
 
 Default value: `true`
 
+##### `iifname`
+
+Data type: `Array[String[1]]`
+
+name for incoming interfaces to filter
+
+Default value: `[]`
+
 ### `nftables::rules::multicast`
 
 allow incoming multicast traffic
diff --git a/manifests/rules/mdns.pp b/manifests/rules/mdns.pp
index 204e2845..7f977092 100644
--- a/manifests/rules/mdns.pp
+++ b/manifests/rules/mdns.pp
@@ -5,18 +5,27 @@
 # Allow mdns over IPv4
 # @param ipv6
 # Allow mdns over IPv6
+# @param iifname name for incoming interfaces to filter
+#
 class nftables::rules::mdns (
   Boolean $ipv4 = true,
   Boolean $ipv6 = true,
+  Array[String[1]] $iifname = [],
 ) {
+  if empty($iifname) {
+    $_iifname = ''
+  } else {
+    $iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
+    $_iifname = "iifname { ${iifdata} } "
+  }
   if $ipv4 {
     nftables::rule { 'default_in-mdns_v4':
-      content => 'ip daddr 224.0.0.251 udp dport 5353 accept',
+      content => "${_iifname}ip daddr 224.0.0.251 udp dport 5353 accept",
     }
   }
   if $ipv6 {
     nftables::rule { 'default_in-mdns_v6':
-      content => 'ip6 daddr ff02::fb udp dport 5353 accept',
+      content => "${_iifname}ip6 daddr ff02::fb udp dport 5353 accept",
     }
   }
 }
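Review bot: Each element of `$iifname` is wrapped in double quotes and interpolated verbatim into the nftables rule text (`"\"${interface}\""` joined into `iifname { ... } `), but the parameter type `Array[String[1]]` accepts values containing `"`, `}`, whitespace or a newline, so a malformed or hostile entry can close the anonymous set early and append arbitrary rule text (e.g. an unconditional `accept`) to `default_in-mdns_v4`/`_v6`. Linux interface names cannot contain whitespace or `/` and are at most 15 characters, so a tighter type at the parameter line would reject such values at compile time without excluding legitimate names: `Array[Pattern[/\A[^\s"\/{}]{1,15}\z/]] $iifname = [],` (the map lambda's `String[1]` annotation would then be redundant but still valid). If nftables wildcard names such as `eth*` are meant to be supported this pattern still allows them; confirm that is the intended scope. The `@param iifname` doc line could also be made clearer, e.g. `# @param iifname Restrict the mDNS accept rules to these incoming interface names; empty means all interfaces`.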