diff --git a/REFERENCE.md b/REFERENCE.md
index ed0e4814..ed9c572a 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2265,6 +2265,7 @@ The following parameters are available in the `nftables::simplerule` defined typ
* [`saddr`](#-nftables--simplerule--saddr)
* [`counter`](#-nftables--simplerule--counter)
* [`iifname`](#-nftables--simplerule--iifname)
+* [`oifname`](#-nftables--simplerule--oifname)
##### `ensure`
@@ -2387,6 +2388,14 @@ Optional filter for the incoming interface
Default value: `undef`
+##### `oifname`
+
+Data type: `Optional[String[1]]`
+
+Optional filter for the outgoing interface
+
+Default value: `undef`
+
## Data types
### `Nftables::Addr`
diff --git a/manifests/simplerule.pp b/manifests/simplerule.pp
index 6b1405ac..b19c8b8f 100644
--- a/manifests/simplerule.pp
+++ b/manifests/simplerule.pp
@@ -55,6 +55,8 @@
#
# @param iifname
# Optional filter for the incoming interface
+# @param oifname
+# Optional filter for the outgoing interface
define nftables::simplerule (
Enum['present','absent'] $ensure = 'present',
Nftables::SimpleRuleName $rulename = $title,
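Review bot: The new `@param oifname` doc at the top of the hunk says only "Optional filter for the outgoing interface", mirroring `iifname`, but an output-interface match is only useful in a chain whose hook sees an egress interface; the acceptance spec in this commit has to set `chain => 'default_out'` / `'default_fwd'` for every oifname case, which suggests the define's default chain is an input one. I would extend the doc to `# Optional filter for the outgoing interface. Only useful in chains hooked on output or forward; in an input chain there is no outgoing interface to match, so the rule never hits.` — the exact nft behaviour for an input-hook chain is worth confirming before wording it that strongly. The define's body continues outside the hunk.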
@@ -71,6 +73,7 @@
Optional[Nftables::Addr] $saddr = undef,
Boolean $counter = false,
Optional[String[1]] $iifname = undef,
+ Optional[String[1]] $oifname = undef,
) {
if $dport and !$proto {
fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
@@ -94,6 +97,7 @@
'set_type' => $set_type,
'sport' => $sport,
'iifname' => $iifname,
+ 'oifname' => $oifname,
}
),
order => $order,
diff --git a/spec/acceptance/simple_rule_iifname_spec.rb b/spec/acceptance/simple_rule_iifname_spec.rb
index eb43122a..1369527f 100644
--- a/spec/acceptance/simple_rule_iifname_spec.rb
+++ b/spec/acceptance/simple_rule_iifname_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper_acceptance'
describe 'nftables class' do
- context 'configure a simple rule with input interface' do
+ context 'configure a simple rule with interface' do
it_behaves_like 'an idempotent resource' do
let(:manifest) do
<<-EOS
@@ -19,12 +19,30 @@ class { 'nftables':
in_ssh => false,
in_icmp => false,
}
+ # just incoming interface
nftables::simplerule { 'dummyrule_in':
action => 'accept',
iifname => $facts['networking']['primary'],
comment => 'allow some multicast stuff',
daddr => 'ff02::fb',
}
+ # just outgoing interface
+ nftables::simplerule { 'dummyrule_out':
+ action => 'accept',
+ oifname => $facts['networking']['primary'],
+ comment => 'allow some multicast stuff',
+ chain => 'default_out',
+ daddr => 'ff02::fb',
+ }
+ # outgoing + incoming interface
+ nftables::simplerule { 'dummyrule_fwd':
+ action => 'accept',
+ iifname => $facts['networking']['primary'],
+ oifname => 'lo',
+ comment => 'allow some multicast stuff',
+ chain => 'default_fwd',
+ daddr => 'ff02::fb',
+ }
include nftables::rules::ssh
include nftables::rules::out::dns
include nftables::rules::out::ssh
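Review bot: The three new `nftables::simplerule` resources (`dummyrule_in`, `dummyrule_out`, `dummyrule_fwd`) only exercise catalog application and idempotence; nothing in this hunk asserts that `oifname` actually reaches the rendered ruleset, so a template regression that dropped `$_oifname` from the join would still pass. If the rest of the spec (outside this hunk) does not already inspect the applied ruleset and the spec helper brings in serverspec, add an expectation such as `describe command('nft list ruleset') do its(:stdout) { is_expected.to match(%r{oifname "lo"}) } end`, and the equivalent for the `dummyrule_out` interface. Giving the three rules distinct `comment` values instead of the shared `'allow some multicast stuff'` would also make such matches unambiguous.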
diff --git a/templates/simplerule.epp b/templates/simplerule.epp
index 9388d5f0..446fb987 100644
--- a/templates/simplerule.epp
+++ b/templates/simplerule.epp
@@ -8,6 +8,7 @@
String $set_type,
Optional[Nftables::Port] $sport,
Optional[String[1]] $iifname,
+ Optional[String[1]] $oifname,
| -%>
<%- if $proto {
$_proto = $proto ? {
@@ -75,4 +76,9 @@
} else {
$_iifname = undef
} -%>
-<%= regsubst(strip([$_ip_version_filter, $_iifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
+<%- if $oifname {
+ $_oifname = "oifname \"${oifname}\""
+} else {
+ $_oifname = undef
+} -%>
+<%= regsubst(strip([$_ip_version_filter, $_iifname, $_oifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
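Review bot: `$_oifname = "oifname \"${oifname}\""` places the interface name inside the nft rule's double quotes with no escaping, the same way the `$_iifname` branch above it does; the parameter type `Optional[String[1]]` (in `manifests/simplerule.pp` and in this file's header hunk) admits a value containing `"` or whitespace, which would either break the rendered rule or split it into extra tokens that nft parses as part of the rule. Interface names are rarely user-supplied, but the manifest already fails early on inconsistent parameters (`$dport` without `$proto`), so tightening both interface types to a pattern that excludes quotes and whitespace, e.g. `Optional[Pattern[/\A[^\s"\\]+\z/]]`, would reject such values at compile time instead. Separately, the new four-line if/else could be collapsed to `$_oifname = if $oifname { "oifname \"${oifname}\"" }`, since a Puppet `if` without an else yields undef.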