Add rule for filtering outgoing DNS server traffic

voxpupuli · Dec 20, 2023 · 73e5679 · 73e5679
1 parent ee2d38a
commit 73e5679
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 28 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -45,6 +45,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::dhcp`](#nftables--rules--out--dhcp): manage out dhcp
 * [`nftables::rules::out::dhcpv6_client`](#nftables--rules--out--dhcpv6_client): Allow DHCPv6 requests out of a host
 * [`nftables::rules::out::dns`](#nftables--rules--out--dns): manage out dns
+* [`nftables::rules::out::dnsserver`](#nftables--rules--out--dnsserver): manage outgoing DNS responses from a DNS server
 * [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
 * [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
 * [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
@@ -910,14 +911,37 @@ manage out dns
 The following parameters are available in the `nftables::rules::out::dns` class:
 
 * [`dns_server`](#-nftables--rules--out--dns--dns_server)
+* [`dns_servers`](#-nftables--rules--out--dns--dns_servers)
 
 ##### <a name="-nftables--rules--out--dns--dns_server"></a>`dns_server`
 
-Data type: `Optional[Variant[String,Array[String,1]]]`
-
 specify dns_server name
 
-Default value: `undef`
+##### <a name="-nftables--rules--out--dns--dns_servers"></a>`dns_servers`
+
+Data type: `Array[Stdlib::IP::Address]`
+
+
+
+Default value: `[]`
+
+### <a name="nftables--rules--out--dnsserver"></a>`nftables::rules::out::dnsserver`
+
+manage outgoing DNS responses from a DNS server
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::dnsserver` class:
+
+* [`dns_servers`](#-nftables--rules--out--dnsserver--dns_servers)
+
+##### <a name="-nftables--rules--out--dnsserver--dns_servers"></a>`dns_servers`
+
+Data type: `Array[Stdlib::IP::Address]`
+
+optional list of local ip addresses from the DNS server
+
+Default value: `[]`
 
 ### <a name="nftables--rules--out--hkp"></a>`nftables::rules::out::hkp`
 

diff --git a/manifests/rules/out/dns.pp b/manifests/rules/out/dns.pp
@@ -1,34 +1,19 @@
 # @summary manage out dns
 # @param dns_server specify dns_server name
 class nftables::rules::out::dns (
-  Optional[Variant[String,Array[String,1]]] $dns_server = undef,
+  Array[Stdlib::IP::Address] $dns_servers = [],
 ) {
-  if $dns_server {
-    any2array($dns_server).each |$index,$dns| {
-      nftables::rule {
-        "default_out-dnsudp-${index}":
+  unless empty($dns_servers) {
+    $dns_servers.each |$index,$dns| {
+      $content = $dns ? {
+        Stdlib::IP::Address::V6 => "ip6 daddr ${dns}",
+        Stdlib::IP::Address::V4 => "ip daddr ${dns}",
       }
-      if $dns =~ /:/ {
-        Nftables::Rule["default_out-dnsudp-${index}"] {
-          content => "ip6 daddr ${dns} udp dport 53 accept",
-        }
-      } else {
-        Nftables::Rule["default_out-dnsudp-${index}"] {
-          content => "ip daddr ${dns} udp dport 53 accept",
-        }
+      nftables::rule { "default_out-dnstcp-${index}":
+        content => "${content} tcp dport 53 accept",
       }
-
-      nftables::rule {
-        "default_out-dnstcp-${index}":
-      }
-      if $dns =~ /:/ {
-        Nftables::Rule["default_out-dnstcp-${index}"] {
-          content => "ip6 daddr ${dns} tcp dport 53 accept",
-        }
-      } else {
-        Nftables::Rule["default_out-dnstcp-${index}"] {
-          content => "ip daddr ${dns} tcp dport 53 accept",
-        }
+      nftables::rule { "default_out-dnsudp-${index}":
+        content => "${content} udp dport 53 accept",
       }
     }
   } else {

diff --git a/manifests/rules/out/dnsserver.pp b/manifests/rules/out/dnsserver.pp
@@ -0,0 +1,30 @@
+#
+# @summary manage outgoing DNS responses from a DNS server
+#
+# @param dns_servers optional list of local ip addresses from the DNS server
+#
+class nftables::rules::out::dnsserver (
+  Array[Stdlib::IP::Address] $dns_servers = [],
+) {
+  unless empty($dns_servers) {
+    $dns_servers.each |$index,$dns| {
+      $content = $dns ? {
+        Stdlib::IP::Address::V6 => "ip6 saddr ${dns}",
+        Stdlib::IP::Address::V4 => "ip saddr ${dns}",
+      }
+      nftables::rule { "default_out-dnsservertcp-${index}":
+        content => "${content} tcp sport 53 accept",
+      }
+      nftables::rule { "default_out-dnsserverudp-${index}":
+        content => "${content} udp sport 53 accept",
+      }
+    }
+  } else {
+    nftables::rule {
+      'default_out-dnsserverudp':
+        content => 'udp sport 53 accept';
+      'default_out-dnsservertcp':
+        content => 'tcp sport 53 accept';
+    }
+  }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
@@ -48,6 +48,7 @@ class { 'nftables':
       include nftables::rules::out::postgres
       include nftables::rules::out::icmp
       include nftables::rules::out::dns
+      include nftables::rules::out::dnsserver
       include nftables::rules::out::nfs3
       include nftables::rules::out::ssh
       include nftables::rules::out::kerberos

diff --git a/spec/classes/rules_out_dns_spec.rb → spec/classes/rules/out/dns_spec.rb b/spec/classes/rules_out_dns_spec.rb → spec/classes/rules/out/dns_spec.rb