Make filtering on dest addr optional
Previously `$destination_addresses` was an array with the public
IPv6/IPv4 addresses. Those were used as destination addresses in the
firewall rules. People might have dynamic local IPs, so this won't
work / creates a lot of noise due to constant firewall rule updates. As a
fix, it was already possible to set `$destination_addresses` to an empty
array (`[]`). But passing this to the `daddr` parameter in ferm::rule
created a broken firewall rule. This patch sets the `daddr` parameter to
`undef` if `$destination_addresses` is an empty array.
bastelfreak committed Aug 2, 2021
1 parent da0fb8a commit 61c7377
Showing 2 changed files with 27 additions and 1 deletion.
6 changes: 5 additions & 1 deletion manifests/interface.pp
@@ -55,14 +55,18 @@
require wireguard
if $manage_firewall {
$daddr = empty($destination_addresses) ? {
true => undef,
default => $destination_addresses,
}
ferm::rule { "allow_wg_${interface}":
action => 'ACCEPT',
chain => 'INPUT',
proto => 'udp',
dport => $dport,
interface => $input_interface,
saddr => $source_addresses,
daddr => $destination_addresses,
daddr => $daddr,
notify => Service['systemd-networkd'],
}
}
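Review bot: `saddr => $source_addresses` a few lines above still passes the raw array, so an empty `$source_addresses` will hit the same broken-rule problem that this hunk fixes for `daddr`; either apply the same `empty(...) ? { true => undef, default => ... }` selector to a `$saddr` variable, or state that only the destination list may be `[]`. Since `[]` now means the rule accepts UDP on `$dport` regardless of destination address, the `$destination_addresses` parameter documentation should say so explicitly; this commit changes only the manifest body and the spec, so that doc update is missing.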
22 changes: 22 additions & 0 deletions spec/defines/interface_spec.rb
@@ -96,6 +96,28 @@ class {"systemd":
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
end
context 'with empty destintion_addresses' do
let :pre_condition do
'class{"ferm":
configfile => "/etc/ferm.conf",
configdirectory => "/etc/ferm.d/"
}
class {"systemd":
manage_networkd => true
}'
end
let :params do
{
public_key: 'blabla==',
endpoint: 'wireguard.example.com:1234',
manage_firewall: true,
destination_addresses: [],
}
end

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_ferm__rule("allow_wg_#{title}").without_daddr }
end
end
end
end
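Review bot: the new context description has a typo, `'with empty destintion_addresses'`, which should read `'with empty destination_addresses'` so the example name matches the parameter under test. The `.without_daddr` expectation only proves the destination filter was dropped; adding `with_` expectations for the parameters that must survive (for example `.with_saddr(...)`, `.with_dport(...)` and `.with_proto('udp')`) would catch a future change to the selector that drops more than `daddr`.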
