simplerule: Add support for incoming interface filtering

voxpupuli · Dec 19, 2023 · 4514009 · 4514009
1 parent 0ec7c23
commit 4514009
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -2264,6 +2264,7 @@ The following parameters are available in the `nftables::simplerule` defined typ
 * [`sport`](#-nftables--simplerule--sport)
 * [`saddr`](#-nftables--simplerule--saddr)
 * [`counter`](#-nftables--simplerule--counter)
+* [`iifname`](#-nftables--simplerule--iifname)
 
 ##### <a name="-nftables--simplerule--ensure"></a>`ensure`
 
@@ -2378,6 +2379,14 @@ Enable traffic counters for the matched traffic.
 
 Default value: `false`
 
+##### <a name="-nftables--simplerule--iifname"></a>`iifname`
+
+Data type: `Optional[String[1]]`
+
+Optional filter for the incoming interface
+
+Default value: `undef`
+
 ## Data types
 
 ### <a name="Nftables--Addr"></a>`Nftables::Addr`

diff --git a/manifests/simplerule.pp b/manifests/simplerule.pp
@@ -52,6 +52,9 @@
 #
 # @param counter
 #   Enable traffic counters for the matched traffic.
+#
+# @param iifname
+#   Optional filter for the incoming interface
 define nftables::simplerule (
   Enum['present','absent'] $ensure = 'present',
   Nftables::SimpleRuleName $rulename = $title,
@@ -67,6 +70,7 @@
   Optional[Nftables::Port] $sport = undef,
   Optional[Nftables::Addr] $saddr = undef,
   Boolean $counter = false,
+  Optional[String[1]] $iifname = undef,
 ) {
   if $dport and !$proto {
     fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
@@ -89,6 +93,7 @@
           'saddr'    => $saddr,
           'set_type' => $set_type,
           'sport'    => $sport,
+          'iifname'  => $iifname,
         }
       ),
       order   => $order,

diff --git a/templates/simplerule.epp b/templates/simplerule.epp
@@ -7,6 +7,7 @@
       Optional[Nftables::Addr] $saddr,
       String                   $set_type,
       Optional[Nftables::Port] $sport,
+      Optional[String[1]]      $iifname,
 | -%>
 <%- if $proto {
   $_proto = $proto ? {
@@ -69,4 +70,9 @@
 } else {
   $_counter = undef
 } -%>
-<%= regsubst(strip([$_ip_version_filter, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
+<%- if $iifname {
+  $_iifname = "iifname \"${iifname}\""
+} else {
+  $_iifname = undef
+} -%>
+<%= regsubst(strip([$_ip_version_filter, $_iifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>