Merge pull request #16 from bastelfreak/ferm

Make filtering on dest addr optional
voxpupuli · Aug 2, 2021 · ece1c28 · ece1c28
2 parents da0fb8a + 61c7377
commit ece1c28
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/manifests/interface.pp b/manifests/interface.pp
@@ -55,14 +55,18 @@
   require wireguard
 
   if $manage_firewall {
+    $daddr = empty($destination_addresses) ? {
+      true    => undef,
+      default => $destination_addresses,
+    }
     ferm::rule { "allow_wg_${interface}":
       action    => 'ACCEPT',
       chain     => 'INPUT',
       proto     => 'udp',
       dport     => $dport,
       interface => $input_interface,
       saddr     => $source_addresses,
-      daddr     => $destination_addresses,
+      daddr     => $daddr,
       notify    => Service['systemd-networkd'],
     }
   }

diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
@@ -96,6 +96,28 @@ class {"systemd":
         it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
         it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
       end
+      context 'with empty destintion_addresses' do
+        let :pre_condition do
+          'class{"ferm":
+          configfile => "/etc/ferm.conf",
+          configdirectory => "/etc/ferm.d/"
+          }
+          class {"systemd":
+            manage_networkd => true
+          }'
+        end
+        let :params do
+          {
+            public_key: 'blabla==',
+            endpoint: 'wireguard.example.com:1234',
+            manage_firewall: true,
+            destination_addresses: [],
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_ferm__rule("allow_wg_#{title}").without_daddr }
+      end
     end
   end
 end