Add nftables rules for ws-discovery

voxpupuli · Aug 26, 2023 · ffc8b86 · ffc8b86
1 parent a5d1955
commit ffc8b86
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 0 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -87,6 +87,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
 * [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
 * [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
+* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
 * [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
 * [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client
 
@@ -1393,6 +1394,36 @@ wiregueard port
 
 Default value: `[51820]`
 
+### <a name="nftables--rules--wsd"></a>`nftables::rules::wsd`
+
+allow incoming webservice discovery
+
+* **See also**
+  * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::wsd` class:
+
+* [`ipv4`](#-nftables--rules--wsd--ipv4)
+* [`ipv6`](#-nftables--rules--wsd--ipv6)
+
+##### <a name="-nftables--rules--wsd--ipv4"></a>`ipv4`
+
+Data type: `Boolean`
+
+Allow ws-discovery over IPv4
+
+Default value: `true`
+
+##### <a name="-nftables--rules--wsd--ipv6"></a>`ipv6`
+
+Data type: `Boolean`
+
+Allow ws-discovery over IPv6
+
+Default value: `true`
+
 ### <a name="nftables--services--dhcpv6_client"></a>`nftables::services::dhcpv6_client`
 
 Allow in and outbound traffic for DHCPv6 server

diff --git a/manifests/rules/wsd.pp b/manifests/rules/wsd.pp
@@ -0,0 +1,23 @@
+#
+# @summary allow incoming webservice discovery
+#
+# @param ipv4 Allow ws-discovery over IPv4
+# @param ipv6 Allow ws-discovery over IPv6
+#
+# @see https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
+#
+class nftables::rules::wsd (
+  Boolean $ipv4 = true,
+  Boolean $ipv6 = true,
+) {
+  if $ipv4 {
+    nftables::rule { 'default_in-wsd_v4':
+      content => 'ip daddr 239.255.255.250 udp dport 3702 accept comment "accept ws-discovery"',
+    }
+  }
+  if $ipv6 {
+    nftables::rule { 'default_in-wsd_v6':
+      content => 'ip6 daddr ff02::c udp dport 3702 accept comment "accept ws-discovery"',
+    }
+  }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
@@ -90,6 +90,7 @@ class { 'nftables':
       include nftables::rules::ssdp
       include nftables::rules::mdns
       include nftables::rules::igmp
+      include nftables::rules::wsd
       include nftables::rules::out::igmp
       include nftables::rules::out::mldv2
       include nftables::rules::out::mdns