From a67b208476a023fefacff78ddfb1688de8f9cc20 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Wed, 14 Feb 2018 08:35:10 -0800
Subject: [PATCH] Restrict SNMP to internal network

Add a parameter, SnmpdIpSubnet, which can be an IP/MASK that will be used to secure with IPtables the source network authorized to reach SNMP service on the host. If SnmpdIpSubnet is left empty (default) the parameter will be set to SnmpdNetwork. Also change the IPtables id, 127 was used by Horizon, so let's switch SNMP to 124. No impact on users.

Change-Id: I46fce28926cb5a881f7384948480266712ae75e3
Depends-On: Ib203161b9676dcfaaf46eec2bddf767ec49282f7
Closes-Bug: #1749324
(cherry picked from commit 43155ed1462a8e27c9efdbb345bfc5832c50bd2f)
---
 network/service_net_map.j2.yaml | 1 +
 puppet/services/snmp.yaml | 19 ++++++++++++++++++-
 .../notes/snmp_firewall-ab17f60ba1ec71d2.yaml | 7 +++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml

diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 60d84a6134..ad5b328519 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -69,6 +69,7 @@ parameters:
 RabbitmqNetwork: internal_api
 RedisNetwork: internal_api
 MysqlNetwork: internal_api
+ SnmpdNetwork: internal_api
 CephClusterNetwork: storage_mgmt
 CephMonNetwork: storage
 CephRgwNetwork: storage
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 072ccc1a17..7617c05f49 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -32,6 +32,13 @@ parameters:
 description: An array of bind host addresses on which SNMP daemon will listen.
 type: comma_delimited_list
 default: ['udp:161','udp6:[::1]:161']
+ SnmpdIpSubnet:
+ default: ''
+ description: IP address/subnet on the snmpd network. If empty (default), SnmpdNetwork
+ will be taken.
+ type: string
+conditions:
+ snmpd_network_unset: {equals : [{get_param: SnmpdIpSubnet}, '']}
 outputs:
 role_data:
@@ -42,10 +49,20 @@ outputs:
 tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
 tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
 snmp::agentaddress: {get_param: SnmpdBindHost}
+ snmpd_network:
+ str_replace:
+ template: "NETWORK_subnet"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
 tripleo.snmp.firewall_rules:
- '127 snmp':
+ '124 snmp':
 dport: 161
 proto: 'udp'
+ source:
+ if:
+ - snmpd_network_unset
+ - "%{hiera('snmpd_network')}"
+ - {get_param: SnmpdIpSubnet}
 step_config: |
 include ::tripleo::profile::base::snmp
 upgrade_tasks:
diff --git a/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml b/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
new file mode 100644
index 0000000000..b8e299322f
--- /dev/null
+++ b/releasenotes/notes/snmp_firewall-ab17f60ba1ec71d2.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Change the IPtables rule for SNMP service and open 161 udp port on
+ SnmpdIpSubnet parameter instead of 0.0.0.0/0.
+ If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.
+
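Review bot: `SnmpdIpSubnet` is declared as a bare `type: string` with no `constraints`, yet its value is copied verbatim into the `source` of the `'124 snmp'` iptables rule in the next hunk, so a malformed value (a hostname, a missing mask, a stray space) is only caught when puppetlabs-firewall tries to apply the rule, well into the deploy rather than at stack validation. The description also does not say what form is accepted, which matters for an operator deciding whether to pass a single host or a range. I would tighten the description to something like `description: IP address or subnet in CIDR notation (e.g. 192.0.2.0/24 or 2001:db8::/64) allowed to reach snmpd on UDP/161. If empty (default), the subnet of the network selected by SnmpdNetwork is used.` and consider an `allowed_pattern` constraint so bad input fails fast; an IPv4-only pattern would be wrong here since the rule must also cover the `udp6` agentaddress. The `parameters` section starts before this hunk.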
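Review bot: The default branch of `source` on the `'124 snmp'` rule, `"%{hiera('snmpd_network')}"`, interpolates the value of the `snmpd_network` hiera key, and that key is set a few lines earlier to the literal string built from `NETWORK_subnet` (e.g. `internal_api_subnet`), not to the CIDR that key name stands for; as far as I can tell hiera does not re-resolve a plain string value as a second lookup, so unless the puppet-tripleo change listed in Depends-On performs that lookup, the firewall rule is presumably rendered with `source => 'internal_api_subnet'` and rejected at apply time. The established pattern in these templates is to put the network name into the hiera interpolation itself so hiera returns the subnet directly, which also makes the extra `snmpd_network` hiera key unnecessary. A sketch of the `source` branch follows; `dport` and `proto` are unchanged and the enclosing `role_data` output starts before this hunk.
```yaml
            '124 snmp':
              # … unchanged: dport and proto …
              source:
                if:
                - snmpd_network_unset
                - str_replace:
                    template: "%{hiera('NETWORK_subnet')}"
                    params:
                      NETWORK: {get_param: [ServiceNetMap, SnmpdNetwork]}
                - {get_param: SnmpdIpSubnet}
```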