authorK Jonathan Harker <k.jonathan.harker@hpe.com>2016-08-29 16:28:54 -0700
committerK Jonathan Harker <k.jonathan.harker@hpe.com>2016-08-29 16:28:54 -0700
commitd921031e8a13adecfe1743c1d58bd1b402086bea (patch)
treed4222b9cec9a5ac6a472cd097539ddf758b0063a
parent5b178cefd3960d1f0c78d4f465933a58cde60887 (diff)
Parameterize SNMP source hosts
Downstream consumers of this module likely don't need or want to open SNMP access from cacti.openstack.org. Parameterize the hosts that SNMP is allowed from, so that downstreams don't have to fork the module in order to remove that access. Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
Notes
Notes (review): Code-Review+1: Ramy Asselin <ramy.asselin@hpe.com> Code-Review+2: Ricardo Carrillo Cruz <ricardo.carrillo.cruz@gmail.com> Code-Review+2: yolanda.robla <yroblamo@redhat.com> Code-Review+2: Elizabeth K. Joseph <lyz@princessleia.com> Workflow+1: Ricardo Carrillo Cruz <ricardo.carrillo.cruz@gmail.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Tue, 04 Oct 2016 20:21:13 +0000 Reviewed-on: https://review.openstack.org/362490 Project: openstack-infra/puppet-iptables Branch: refs/heads/master
-rw-r--r--manifests/init.pp4
-rw-r--r--templates/rules.erb6
-rw-r--r--templates/rules.v6.erb6
3 files changed, 11 insertions, 5 deletions
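--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -13,7 +13,9 @@ class iptables(
   $rules4 = [],
   $rules6 = [],
   $public_tcp_ports = [],
-  $public_udp_ports = []
+  $public_udp_ports = [],
+  $snmp_v4hosts = ['104.239.135.208'],
+  $snmp_v6hosts = ['2001:4800:7819:104:be76:4eff:fe05:1d6a'],
 ) {
 
   include ::iptables::params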
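Review bot: The two parameters added at new lines 17–18 carry no documentation, and their defaults still open udp/161 to an upstream-owned public address — the very access the commit message says downstreams do not want — so an operator reading the class is never told that `[]` is the way to emit no SNMP rule at all. I would add, in the class header comment (which starts before this hunk), `# [*snmp_v4hosts*] / [*snmp_v6hosts*]: IPv4 / IPv6 sources (addresses or CIDRs) allowed to reach SNMP on udp/161. Defaults to cacti.openstack.org; set to [] to emit no SNMP rule.` The values are interpolated unchecked into the rules templates, so if the module already depends on puppetlabs-stdlib, a `validate_array($snmp_v4hosts)` and `validate_array($snmp_v6hosts)` in the body would turn a mistyped scalar into a clear catalog error instead of a NoMethodError raised from inside the ERB. The class body continues past new line 21, outside the hunk.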
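--- a/templates/rules.erb
+++ b/templates/rules.erb
@@ -10,8 +10,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 104.239.135.208 -j ACCEPT
+# SNMP
+<% @snmp_v4hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT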
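Review bot: Each entry of `@snmp_v4hosts` is written verbatim into `-s` at new line 15, so nothing here stops a downstream from listing an IPv6 literal, a malformed value, or a wide range such as `0.0.0.0/0`; the first two would presumably make the rules file fail to load as a whole, while the last silently exposes SNMP — whose v1/v2c community strings travel in cleartext — to every source. The hunk replaced the old, specific comment with a bare `# SNMP`, which no longer says where the allowed sources come from; I would make it `# SNMP (udp/161) from the IPv4 addresses/CIDRs in $snmp_v4hosts; an empty list emits no rule`. Validation of the entries belongs in the manifest rather than here, since the only signal an ERB failure gives is a failed catalog compile.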
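--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
@@ -9,8 +9,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:7819:104:be76:4eff:fe05:1d6a -j ACCEPT
+# SNMP
+<% @snmp_v6hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT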
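Review bot: The loop at new lines 13–15 mirrors the IPv4 template but nothing ties the two lists together, so a poller reachable over both families has to be listed twice and an IPv4 literal placed in `@snmp_v6hosts` would presumably be rejected by ip6tables at load time rather than at catalog compile; the bare `# SNMP` at new line 12 should say so, e.g. `# SNMP (udp/161) from the IPv6 addresses/CIDRs in $snmp_v6hosts (IPv4 sources go in $snmp_v4hosts)`. Worth noting for downstreams as well: this rule filters on source address only, and UDP sources are trivially spoofable, so the allowlist limits who receives answers rather than who can deliver a request, and it is not a substitute for SNMPv3 authentication or at least a non-default community.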