rules::mdns: Allow interface filtering

voxpupuli · Dec 30, 2023 · c1dbaaa · c1dbaaa
1 parent 5a649e8
commit c1dbaaa
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -779,6 +779,7 @@ The following parameters are available in the `nftables::rules::mdns` class:
 
 * [`ipv4`](#-nftables--rules--mdns--ipv4)
 * [`ipv6`](#-nftables--rules--mdns--ipv6)
+* [`iifname`](#-nftables--rules--mdns--iifname)
 
 ##### <a name="-nftables--rules--mdns--ipv4"></a>`ipv4`
 
@@ -796,6 +797,14 @@ Allow mdns over IPv6
 
 Default value: `true`
 
+##### <a name="-nftables--rules--mdns--iifname"></a>`iifname`
+
+Data type: `Array[String[1]]`
+
+name for incoming interfaces to filter
+
+Default value: `[]`
+
 ### <a name="nftables--rules--multicast"></a>`nftables::rules::multicast`
 
 allow incoming multicast traffic

diff --git a/manifests/rules/mdns.pp b/manifests/rules/mdns.pp
@@ -5,18 +5,27 @@
 #   Allow mdns over IPv4
 # @param ipv6
 #   Allow mdns over IPv6
+# @param iifname name for incoming interfaces to filter
+#
 class nftables::rules::mdns (
   Boolean $ipv4 = true,
   Boolean $ipv6 = true,
+  Array[String[1]] $iifname = [],
 ) {
+  if empty($iifname) {
+    $_iifname = ''
+  } else {
+    $iifdata = $iifname.map |String[1] $interface| { "\"${interface}\"" }.join(', ')
+    $_iifname = "iifname { ${iifdata} } "
+  }
   if $ipv4 {
     nftables::rule { 'default_in-mdns_v4':
-      content => 'ip daddr 224.0.0.251 udp dport 5353 accept',
+      content => "${_iifname}ip daddr 224.0.0.251 udp dport 5353 accept",
     }
   }
   if $ipv6 {
     nftables::rule { 'default_in-mdns_v6':
-      content => 'ip6 daddr ff02::fb udp dport 5353 accept',
+      content => "${_iifname}ip6 daddr ff02::fb udp dport 5353 accept",
     }
   }
 }