rules::ospf3: Allow filtering on incoming interfaces

voxpupuli · Dec 31, 2023 · 1b1b1a3 · 1b1b1a3
1 parent 98bdad7
commit 1b1b1a3
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 5 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -852,6 +852,20 @@ manage in ospf
 
 manage in ospf3
 
+#### Parameters
+
+The following parameters are available in the `nftables::rules::ospf3` class:
+
+* [`iifname`](#-nftables--rules--ospf3--iifname)
+
+##### <a name="-nftables--rules--ospf3--iifname"></a>`iifname`
+
+Data type: `Array[String[1]]`
+
+optional list of incoming interfaces to allow traffic
+
+Default value: `[]`
+
 ### <a name="nftables--rules--out--active_directory"></a>`nftables::rules::out::active_directory`
 
 manage outgoing active diectory

diff --git a/manifests/rules/ospf3.pp b/manifests/rules/ospf3.pp
@@ -1,7 +1,18 @@
-# manage in ospf3
-class nftables::rules::ospf3 {
-  nftables::rule {
-    'default_in-ospf3':
-      content => 'ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept',
+#
+# @summary manage in ospf3
+#
+# @param iifname optional list of incoming interfaces to allow traffic
+#
+class nftables::rules::ospf3 (
+  Array[String[1]] $iifname = [],
+) {
+  if empty($iifname) {
+    $_iifname = ''
+  } else {
+    $iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
+    $_iifname = "iifname { ${iifdata} } "
+  }
+  nftables::rule { 'default_in-ospf3':
+    content => "${_iifname}ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept",
   }
 }
diff --git a/spec/classes/rules/ospf3_spec.rb b/spec/classes/rules/ospf3_spec.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::ospf3' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let :facts do
+        os_facts
+      end
+
+      context 'default options' do
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_nftables__rule('default_in-ospf3').with_content('ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept') }
+      end
+
+      context 'with input interfaces set' do
+        let :params do
+          {
+            iifname: %w[docker0 eth0],
+          }
+        end
+
+        it { is_expected.to compile }
+        str = 'iifname { "docker0", "eth0" } ip6 saddr fe80::/64 ip6 daddr { ff02::5, ff02::6 } meta l4proto 89 accept'
+        it { is_expected.to contain_nftables__rule('default_in-ospf3').with_content(str) }
+      end
+    end
+  end
+end