diff --git a/REFERENCE.md b/REFERENCE.md
index 3cfe756..97f54be 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -401,6 +401,18 @@ ferm::ipset { 'CONSUL':
}
```
+##### Create an iptables rule that allows outbound traffic that matches the ipset `internet`
+
+```puppet
+ferm::ipset { 'allow_outbound_ipsets':
+ table => 'OUTPUT',
+ match => 'dst',
+ sets => {
+ 'internet' => 'ACCEPT'
+ },
+}
+```
+
##### create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
```puppet
@@ -424,6 +436,7 @@ The following parameters are available in the `ferm::ipset` defined type:
* [`table`](#-ferm--ipset--table)
* [`ip_version`](#-ferm--ipset--ip_version)
* [`prepend_to_chain`](#-ferm--ipset--prepend_to_chain)
+* [`match`](#-ferm--ipset--match)
##### `sets`
@@ -463,6 +476,14 @@ By default, ipset rules are added to the top of the chain. Set this to false to
Default value: `true`
+##### `match`
+
+Data type: `Enum['dst', 'src']`
+
+Define if 'sets' should match for 'src' or 'dst'. Default: 'src'
+
+Default value: `'src'`
+
### `ferm::rule`
This defined resource manages a single rule in a specific chain
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
index 7262cc3..534f41a 100644
--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
@@ -10,6 +10,15 @@
# },
# }
#
+# @example Create an iptables rule that allows outbound traffic that matches the ipset `internet`
+# ferm::ipset { 'allow_outbound_ipsets':
+# table => 'OUTPUT',
+# match => 'dst',
+# sets => {
+# 'internet' => 'ACCEPT'
+# },
+# }
+#
# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
# ferm::ipset { 'INPUT':
# prepend_to_chain => false,
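Review bot: The new `@example` passes `table => 'OUTPUT'`, but `OUTPUT` is a chain, not an iptables table; with `$table` typed `Ferm::Tables` in the define below (presumably the filter/nat/mangle/raw enum, given the `'filter'` default), the catalog would fail to compile, and even if it passed, `chain` would fall back to the resource title `allow_outbound_ipsets`, which is not the chain the example intends. The example should read `chain => 'OUTPUT',` in place of the `table` line, leaving `table` at its `filter` default. Since REFERENCE.md is generated from these puppet-strings comments, fixing it here corrects the duplicated example there too. This hunk only touches the comment block; the define itself starts further down.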
@@ -35,12 +44,16 @@
# @param prepend_to_chain
# By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
#
+# @param match
+# Define if 'sets' should match for 'src' or 'dst'. Default: 'src'
+#
define ferm::ipset (
Hash[String[1], Ferm::Actions] $sets,
String[1] $chain = $name,
Ferm::Tables $table = 'filter',
Enum['ip','ip6'] $ip_version = 'ip',
Boolean $prepend_to_chain = true,
+ Enum['dst', 'src'] $match = 'src',
) {
$suffix = $prepend_to_chain ? {
true => 'aaa',
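Review bot: The `@param match` text, `Define if 'sets' should match for 'src' or 'dst'`, never says what `src` and `dst` refer to, which is the one thing a reader choosing between them needs. I would write it as `# Whether each set is matched against the packet's source ('src') or destination ('dst') address. 'dst' is the usual choice for egress chains such as OUTPUT, 'src' for ingress chains such as INPUT.` The trailing `Default: 'src'` sentence duplicates the default puppet-strings already renders from the signature, and the neighbouring `prepend_to_chain` doc does not state its default, so dropping it keeps the style consistent. The `$suffix` selector at the bottom of the hunk continues outside it.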
@@ -56,6 +69,7 @@
'table' => $table,
'chain' => $chain,
'sets' => $sets,
+ 'match' => $match,
}
),
order => "${table}-${chain}-${suffix}",
diff --git a/spec/defines/ipset_spec.rb b/spec/defines/ipset_spec.rb
index 88ef5c3..07841dc 100644
--- a/spec/defines/ipset_spec.rb
+++ b/spec/defines/ipset_spec.rb
@@ -17,6 +17,7 @@
context 'default params creates INPUT2 chain' do
let :params do
{
+ match: 'src',
sets: {
office: 'ACCEPT',
internet: 'DROP'
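Review bot: The only spec change pins `match: 'src'` in the default-params context, so the new `dst` path, the part of this commit that actually changes the rendered ferm config, has no test. Add a context that sets `match: 'dst'` (and, to mirror the new example, `chain: 'OUTPUT'`) and asserts the rendered fragment contains `mod set set internet dst ACCEPT;`, so a regression in the template interpolation is caught; the exact matcher should follow however the existing contexts assert on the concat fragment, which is outside this hunk. The enclosing `context` block continues past the hunk.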
diff --git a/templates/ferm-chain-ipset.epp b/templates/ferm-chain-ipset.epp
index 79aeb5c..73b4fe5 100644
--- a/templates/ferm-chain-ipset.epp
+++ b/templates/ferm-chain-ipset.epp
@@ -2,12 +2,13 @@
Ferm::Tables $table,
String[1] $chain,
Hash[String[1], Ferm::Actions] $sets,
+Enum['dst', 'src'] $match,
| -%>
domain (<%= $ip %>) table <%= $table %> {
chain <%= $chain %> {
<%- $sets.each |$ipset, $action| { -%>
- mod set set <%= $ipset %> src <%= $action %>;
+ mod set set <%= $ipset %> <%= $match %> <%= $action %>;
<%- } -%>
}
}