From 059d8247005846ffccbb7d6d81cdd1825fdab1e7 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Mon, 2 Aug 2021 10:05:25 +0200
Subject: [PATCH] Make filtering on dest addr optional

Previously `$destination_addresses` was an array with the public ipv6/ipv4 addresses. Those were used as destination address in the firewall rules. People might have dynamic local ips so this won't work/creates a lot of noise due to constant firewall rule updates.

As a fix, it was already possible to set `$destination_addresses` to an empty Array (`[]`). But passing this to the `daddr` parameter in ferm::rule created a broken firewall rule.

This patch sets the `daddr` parameter to `undef` if `$destination_addresses` is an empty array.
---
 manifests/interface.pp         | 6 +++++-
 spec/defines/interface_spec.rb | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/manifests/interface.pp b/manifests/interface.pp
index fd5367e..e7e667e 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -55,6 +55,10 @@
   require wireguard
 
   if $manage_firewall {
+    $daddr = empty($destination_addresses) ? {
+      true => undef,
+      default => $destination_addresses,
+    }
     ferm::rule { "allow_wg_${interface}":
       action => 'ACCEPT',
       chain => 'INPUT',
@@ -62,7 +66,7 @@
       dport => $dport,
       interface => $input_interface,
       saddr => $source_addresses,
-      daddr => $destination_addresses,
+      daddr => $daddr,
       notify => Service['systemd-networkd'],
     }
   }
diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
index 3c7a0b4..a64d36f 100644
--- a/spec/defines/interface_spec.rb
+++ b/spec/defines/interface_spec.rb
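Review bot: With `daddr` left undef, the ACCEPT rule on `$input_interface` for `$dport` now matches traffic to any local address instead of only the listed public ones, which is a deliberately wider rule, yet the `$destination_addresses` parameter documentation (outside this hunk, in the define header) still only describes it as the list of public addresses; it should state that an empty array disables destination filtering. A comment above the selector would make the intent clear to the next maintainer: `# empty array => no destination filter; ferm::rule emits a broken rule for daddr => []`. The same concern presumably applies to `saddr => $source_addresses` in the second hunk, which still receives the raw array and would produce the same broken rule if `$source_addresses` were empty — worth either the same selector or a type that forbids an empty list, since an unfiltered source widens exposure of the port more than an unfiltered destination does. The enclosing define begins and ends outside these hunks.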
@@ -96,6 +96,18 @@ class {"systemd":
       it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
       it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
     end
+    context 'with empty destintion_addresses' do
+      let :params do
+        {
+          public_key: 'blabla==',
+          endpoint: 'wireguard.example.com:1234',
+          manage_firewall: true,
+          destination_addresses: [],
+        }
+      end
+      it { is_expected.to compile.with_all_deps }
+      it { is_expected.to contain_ferm__rule("allow_wg_#{title}").without_daddr }
+    end
   end
 end
 end
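Review bot: The new example only asserts that the resource exists and lacks `daddr`, so the attributes that must survive the empty-array case (the rule still being an INPUT ACCEPT on the port) are left unchecked; pinning them keeps the test meaningful: `it { is_expected.to contain_ferm__rule("allow_wg_#{title}").with(action: 'ACCEPT', chain: 'INPUT').without_daddr }` (values taken from the manifest hunk). The context description on the first added line also has a typo, `'with empty destintion_addresses'` should read `'with empty destination_addresses'`. The enclosing describe blocks start outside the hunk.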