out::icmp: simplify filtering/fix ICMP bug #230

Merged
3 commits, merged Dec 29, 2023
6 changes: 3 additions & 3 deletions REFERENCE.md
Expand Up @@ -965,23 +965,23 @@ The following parameters are available in the `nftables::rules::out::icmp` class

Data type: `Optional[Array[String]]`


ICMP v4 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--v6_types"></a>`v6_types`

Data type: `Optional[Array[String]]`


ICMP v6 types that should be allowed

Default value: `undef`

##### <a name="-nftables--rules--out--icmp--order"></a>`order`

Data type: `String`


the ordering of the rules

Default value: `'10'`

49 changes: 29 additions & 20 deletions manifests/rules/out/icmp.pp
@@ -1,40 +1,49 @@
# @summary control outbound icmp packages
#
# @param v4_types ICMP v4 types that should be allowed
# @param v6_types ICMP v6 types that should be allowed
# @param order the ordering of the rules
#
class nftables::rules::out::icmp (
# lint:ignore:parameter_documentation
Optional[Array[String]] $v4_types = undef,
Optional[Array[String]] $v6_types = undef,
String $order = '10',
# lint:endignore
) {
if $v4_types {
$v4_types.each | String $icmp_type | {
nftables::rule {
'default_out-accept_icmpv4':
content => "ip protocol icmp icmp type ${icmp_type} accept",
order => $order,
nftables::rule { 'default_out-accept_icmpv4':
content => "ip protocol icmp icmp type ${icmp_type} accept",
order => $order,
}
}
} else {
nftables::rule {
'default_out-accept_icmpv4':
content => 'ip protocol icmp accept',
order => $order,
} elsif $v6_types {
nftables::rule { 'default_out-accept_icmpv4':
content => 'ip protocol icmp accept',
order => $order,
}
}

if $v6_types {
$v6_types.each | String $icmp_type | {
nftables::rule {
'default_out-accept_icmpv6':
content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",
order => $order,
nftables::rule { 'default_out-accept_icmpv6':
content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",
order => $order,
}
}
} else {
nftables::rule {
'default_out-accept_icmpv6':
content => 'ip6 nexthdr ipv6-icmp accept',
order => $order,
} elsif $v4_types {
# `ip6 nexthdr ipv6-icmp accept` doesn't match for IPv6 ICMP with extensions
# context: https://www.rfc-editor.org/rfc/rfc3810#section-5
# https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_headers#Matching_IPv6_headers
nftables::rule { 'default_out-accept_icmpv6':
content => 'meta l4proto icmpv6 accept',
order => $order,
}
}

if $v6_types == undef and $v4_types == undef {
nftables::rule { 'default_out-accept_icmp':
content => 'meta l4proto { icmp, icmpv6} accept',
order => $order,
}
}
}
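Review bot: in both `.each` loops the resource title is a fixed string (`nftables::rule { 'default_out-accept_icmpv4':` and `nftables::rule { 'default_out-accept_icmpv6':`), so a list with more than one type, say `['echo-request', 'destination-unreachable']`, declares the same resource twice and catalog compilation fails with a duplicate declaration; this predates the PR, but the PR keeps it. Build the title from the type, e.g. `"default_out-accept_icmpv4_${icmp_type}"`, or emit one rule per family with an anonymous set, `"ip protocol icmp icmp type { ${join($v4_types, ', ')} } accept"`. Two smaller points: the v6 fallback correctly moves to `meta l4proto icmpv6 accept`, since `ip6 nexthdr` only reads the Next Header field of the fixed header and so misses MLD packets that carry a hop-by-hop extension header (the RFC 3810 section 5 case the comment cites), but the v4 fallback still uses `ip protocol icmp accept`; `meta l4proto icmp accept` there keeps the two branches symmetric and consistent with the combined rule below. And `'meta l4proto { icmp, icmpv6} accept'` is missing the space before the closing brace; nft accepts it, but `{ icmp, icmpv6 }` is the conventional spelling.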