-rw-r--r--README.md16
-rw-r--r--manifests/rule.pp26
-rw-r--r--spec/defines/rule_spec.rb22
3 files changed, 55 insertions, 9 deletions
diff --git a/README.md b/README.md
index 2f8fcf8..2668e95 100644
--- a/README.md
+++ b/README.md
@@ -63,17 +63,29 @@ You can collect them like this:
Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
```
-You can also define rules in hiera:
+You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return a string.
```yaml
---
+subnet01: '123.123.123.0/24'
+subnet02: '123.123.124.0/24'
+subnet03:
+ - '123.123.125.0/24'
+ - '123.123.126.0/24'
+
+subnets:
+ - "%{alias('subnet01')}"
+ - "%{alias('subnet02')}"
+ - "%{alias('subnet03')}"
+ - 123.123.127.0/24
+
ferm::rules:
'allow_http_https':
chain: 'INPUT'
policy: 'ACCEPT'
proto: 'tcp'
dport: '(80 443)'
- saddr: "%{hiera('some_other_hiera_key')}"
+ saddr: "%{alias('subnets')}"
```
ferm::rules is a hash. configured for deep merge. Hiera will collect all
diff --git a/manifests/rule.pp b/manifests/rule.pp
index b8ae29a..bd17245 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -17,8 +17,8 @@ define ferm::rule (
String $comment = $name,
Optional[Variant[Stdlib::Port,String[1]]] $dport = undef,
Optional[Variant[Stdlib::Port,String[1]]] $sport = undef,
- Optional[String[1]] $saddr = undef,
- Optional[String[1]] $daddr = undef,
+ Optional[Variant[Array, String[1]]] $saddr = undef,
+ Optional[Variant[Array, String[1]]] $daddr = undef,
Optional[String[1]] $proto_options = undef,
Optional[String[1]] $interface = undef,
Enum['absent','present'] $ensure = 'present',
@@ -33,13 +33,29 @@ define ferm::rule (
undef => '',
default => "sport ${sport}",
}
+ if $saddr =~ Array {
+ assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
+ fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." )
+ ''
+ }
+ }
$saddr_real = $saddr ? {
undef => '',
- default => "saddr @ipfilter(${saddr})",
+ Array => "saddr @ipfilter((${join(flatten($saddr).unique, ' ')}))",
+ String => "saddr @ipfilter((${saddr}))",
+ default => '',
+ }
+ if $daddr =~ Array {
+ assert_type(Array[Stdlib::IP::Address], flatten($daddr)) |$expected, $actual| {
+ fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($daddr)}." )
+ ''
+ }
}
$daddr_real = $daddr ? {
- undef => '',
- default => "daddr @ipfilter(${daddr})"
+ undef => '',
+ Array => "daddr @ipfilter((${join(flatten($daddr).unique, ' ')}))",
+ String => "daddr @ipfilter((${daddr}))",
+ default => '',
}
$proto_options_real = $proto_options ? {
undef => '',
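Review bot: The `Array[Stdlib::IP::Address]` assertions on the saddr and daddr branches accept an empty array, so `saddr => []` passes validation and renders `saddr @ipfilter(())`; if I recall ferm's list handling correctly, a rule whose list is empty is silently skipped rather than rejected, which would drop a firewall rule without any catalog error. Requiring at least one element, `assert_type(Array[Stdlib::IP::Address, 1], flatten($saddr))` (and the same for `$daddr`), turns that into a compile failure. The String branch gets no check at all: whatever string Hiera supplies is interpolated verbatim into `saddr @ipfilter((${saddr}))`, so the two input forms are validated inconsistently, and a parenthesised list that callers passed against the old `@ipfilter(${saddr})` form now renders with an extra pair of brackets — worth documenting the expected string format or validating it the same way. The define's body begins and ends outside the hunk.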
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index bd4ed73..3ee5576 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -20,7 +20,7 @@ describe 'ferm::rule', type: :define do
end
it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
end
context 'with a specific interface' do
let(:title) { 'filter-ssh' }
@@ -36,7 +36,25 @@ describe 'ferm::rule', type: :define do
end
it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
+ end
+ context 'with a specific interface using array for daddr' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ policy: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ daddr: ['127.0.0.1', '123.123.123.123', ['10.0.0.1', '10.0.0.2']],
+ interface: 'eth0'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 daddr @ipfilter((127.0.0.1 123.123.123.123 10.0.0.1 10.0.0.2)) ACCEPT;\n") }
it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
end
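Review bot: The new `daddr` context covers only the accepting path, so the validation added in `manifests/rule.pp` (the `assert_type(Array[Stdlib::IP::Address], ...)` with its `fail` message) has no test and a regression there would go unnoticed; a matching saddr-array case is missing as well. A negative example is a one-liner, e.g. a context with `daddr: ['127.0.0.1', 'not-an-ip']` and `it { is_expected.to compile.and_raise_error(/The data type should be/) }`. An empty-array case (`daddr: []`) would also pin down what the module intends for that input, since the current type accepts it. The enclosing `describe` block ends outside the hunk.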