Parameterize SNMP source hosts

Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the hosts to allow
snmp from so that downstreams don't have to fork the module in order to
remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7

manifests/init.pp

@@ -13,7 +13,9 @@ class iptables(
   $rules4           = [],
   $rules6           = [],
   $public_tcp_ports = [],
-  $public_udp_ports = []
+  $public_udp_ports = [],
+  $snmp_v4hosts     = ['104.239.135.208'],
+  $snmp_v6hosts     = ['2001:4800:7819:104:be76:4eff:fe05:1d6a'],
 ) {
 
   include ::iptables::params

templates/rules.erb

@@ -10,8 +10,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 104.239.135.208 -j ACCEPT
+# SNMP
+<% @snmp_v4hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT

templates/rules.v6.erb

@@ -9,8 +9,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:7819:104:be76:4eff:fe05:1d6a -j ACCEPT
+# SNMP
+<% @snmp_v6hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT