From d921031e8a13adecfe1743c1d58bd1b402086bea Mon Sep 17 00:00:00 2001
From: K Jonathan Harker
Date: Mon, 29 Aug 2016 16:28:54 -0700
Subject: [PATCH] Parameterize SNMP source hosts

Downstream consumers of this module likely don't need or want to open snmp access from cacti.openstack.org. Parameterize the hosts to allow snmp from so that downstreams don't have to fork the module in order to remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
---
 manifests/init.pp | 4 +++-
 templates/rules.erb | 6 ++++--
 templates/rules.v6.erb | 6 ++++--
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 10e44f7..6ffb172 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -13,7 +13,9 @@ class iptables(
 $rules4 = [],
 $rules6 = [],
 $public_tcp_ports = [],
- $public_udp_ports = []
+ $public_udp_ports = [],
+ $snmp_v4hosts = ['104.239.135.208'],
+ $snmp_v6hosts = ['2001:4800:7819:104:be76:4eff:fe05:1d6a'],
 ) {
 
 include ::iptables::params
diff --git a/templates/rules.erb b/templates/rules.erb
index bc5bce1..e427df9 100644
--- a/templates/rules.erb
+++ b/templates/rules.erb
@@ -10,8 +10,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 104.239.135.208 -j ACCEPT
+# SNMP
+<% @snmp_v4hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
diff --git a/templates/rules.v6.erb b/templates/rules.v6.erb
index a3e6a5b..d54a1f3 100644
--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
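Review bot: The new `$snmp_v4hosts` and `$snmp_v6hosts` parameters flow verbatim into the `-s` argument of a rule in the templates, but nothing in this hunk checks that each value is an array, so a downstream passing a bare string would render one rule per character and the generated rules file would be rejected when it is loaded, with the rest of the ruleset left in whatever state the loader leaves it in. If the module already depends on puppetlabs-stdlib, `validate_array($snmp_v4hosts)` and `validate_array($snmp_v6hosts)` at the start of the body would fail the catalog at compile time instead. The parameters also have no entry in the class documentation header, which sits above this hunk so I may be missing one; suggested wording: `# [*snmp_v4hosts*] Array of IPv4 addresses or CIDRs allowed to reach UDP/161; defaults to the OpenStack Infra cacti poller, set to [] to open nothing.` with a matching entry for the v6 list. The class body continues past the end of the hunk.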
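Review bot: Replacing `# SNMP from openstack cacti` with the bare `# SNMP` drops the only statement of why these sources are trusted, and the loop gives no hint that `host` must be an IPv4 literal or CIDR in this file while IPv6 entries belong in `@snmp_v6hosts`, rendered by the identical loop in rules.v6.erb (next hunk); a wrong-family entry makes the whole rules file unloadable. A rendered comment would carry that forward: `# SNMP polling from the hosts in $snmp_v4hosts (IPv4 only; v6 pollers go in rules.v6.erb)`. Since `-s <%= host %>` accepts any string, a hostname would be resolved by the firewall tooling when the rules are loaded rather than at catalog compile; documenting the parameter as address literals keeps rule loading independent of DNS.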
@@ -9,8 +9,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:7819:104:be76:4eff:fe05:1d6a -j ACCEPT
+# SNMP
+<% @snmp_v6hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT