Merge branch 'drybjed-accept-mdns-when-avahi-present'

CHANGELOG.rst

@@ -69,6 +69,15 @@ LDAP
   able to access SSH service from any host. Existing installations might need
   to be updated manually to fix UID/GID or LDAP DN conflicts.
 
+:ref:`debops.ferm` role
+'''''''''''''''''''''''
+
+- If Avahi/mDNS support is present on a host, the :ref:`debops.ferm` role will
+  allow access through the ``mdns`` UDP port by default. This will most likely
+  happen on workstations and laptops with full desktop environments installed,
+  but not on servers with minimal install. To configure Avahi service or enable
+  it on servers, you can use the :ref:`debops.avahi` Ansible role.
+
 :ref:`debops.lxc` role
 ''''''''''''''''''''''
 

ansible/roles/debops.ferm/defaults/main.yml

@@ -507,6 +507,24 @@ ferm__default_rules:
     dport: [ 'dhcpv6-client' ]
     rule_state: '{{ "present" if ("ip6" in ferm__domains) else "absent" }}'
 
+    # Avahi is usually installed by default on workstations and laptops where
+    # it is useful. To manage Avahi on servers, you should enable the
+    # 'debops.avahi' Ansible role which will set up the same firewall rule.
+  - name: 'avahi'
+    type: 'accept'
+    dport: 'mdns'
+    saddr: '{{ avahi__allow | d([]) }}'
+    protocol: 'udp'
+    accept_any: True
+    rule_state: '{{ "present"
+                    if ((ansible_local|d() and ansible_local.nsswitch|d() and
+                         ansible_local.nsswitch.conf|d() and
+                         "mdns4_minimal" in q("flattened",
+                                              ansible_local.nsswitch.conf.hosts|d([]))) and
+                        (ansible_local|d(True) and ansible_local.avahi|d(True) and
+                         (ansible_local.avahi.enabled|d(True))|bool))
+                    else "absent" }}'
+
   - name: 'jump_to_legacy_input_rules'
     type: 'accept'
     weight: '-10'