simplerule: Add support for outgoing interface filtering

REFERENCE.md

@@ -2265,6 +2265,7 @@ The following parameters are available in the `nftables::simplerule` defined typ
 * [`saddr`](#-nftables--simplerule--saddr)
 * [`counter`](#-nftables--simplerule--counter)
 * [`iifname`](#-nftables--simplerule--iifname)
+* [`oifname`](#-nftables--simplerule--oifname)
 
 ##### <a name="-nftables--simplerule--ensure"></a>`ensure`
 
@@ -2387,6 +2388,14 @@ Optional filter for the incoming interface
 
 Default value: `undef`
 
+##### <a name="-nftables--simplerule--oifname"></a>`oifname`
+
+Data type: `Optional[String[1]]`
+
+Optional filter for the outgoing interface
+
+Default value: `undef`
+
 ## Data types
 
 ### <a name="Nftables--Addr"></a>`Nftables::Addr`

manifests/simplerule.pp

@@ -55,6 +55,8 @@
 #
 # @param iifname
 #   Optional filter for the incoming interface
+# @param oifname
+#   Optional filter for the outgoing interface
 define nftables::simplerule (
   Enum['present','absent'] $ensure = 'present',
   Nftables::SimpleRuleName $rulename = $title,
@@ -71,6 +73,7 @@
   Optional[Nftables::Addr] $saddr = undef,
   Boolean $counter = false,
   Optional[String[1]] $iifname = undef,
+  Optional[String[1]] $oifname = undef,
 ) {
   if $dport and !$proto {
     fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
@@ -94,6 +97,7 @@
           'set_type' => $set_type,
           'sport'    => $sport,
           'iifname'  => $iifname,
+          'oifname'  => $oifname,
         }
       ),
       order   => $order,

spec/acceptance/simple_rule_iifname_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper_acceptance'
 
 describe 'nftables class' do
-  context 'configure a simple rule with input interface' do
+  context 'configure a simple rule with interface' do
     it_behaves_like 'an idempotent resource' do
       let(:manifest) do
         <<-EOS
@@ -19,12 +19,30 @@ class { 'nftables':
           in_ssh           => false,
           in_icmp          => false,
         }
+        # just incoming interface
         nftables::simplerule { 'dummyrule_in':
           action  => 'accept',
           iifname => $facts['networking']['primary'],
           comment => 'allow some multicast stuff',
           daddr   => 'ff02::fb',
         }
+        # just outgoing interface
+        nftables::simplerule { 'dummyrule_out':
+          action  => 'accept',
+          oifname => $facts['networking']['primary'],
+          comment => 'allow some multicast stuff',
+          chain   => 'default_out',
+          daddr   => 'ff02::fb',
+        }
+        # outgoing + incoming interface
+        nftables::simplerule { 'dummyrule_fwd':
+          action  => 'accept',
+          iifname => $facts['networking']['primary'],
+          oifname => 'lo',
+          comment => 'allow some multicast stuff',
+          chain   => 'default_fwd',
+          daddr   => 'ff02::fb',
+        }
         include nftables::rules::ssh
         include nftables::rules::out::dns
         include nftables::rules::out::ssh

templates/simplerule.epp

@@ -8,6 +8,7 @@
       String                   $set_type,
       Optional[Nftables::Port] $sport,
       Optional[String[1]]      $iifname,
+      Optional[String[1]]      $oifname,
 | -%>
 <%- if $proto {
   $_proto = $proto ? {
@@ -75,4 +76,9 @@
 } else {
   $_iifname = undef
 } -%>
-<%= regsubst(strip([$_ip_version_filter, $_iifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
+<%- if $oifname {
+  $_oifname = "oifname \"${oifname}\""
+} else {
+  $_oifname = undef
+} -%>
+<%= regsubst(strip([$_ip_version_filter, $_iifname, $_oifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>