
Parameterize SNMP source hosts

Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the list of hosts that
snmp is allowed from, so that downstreams don't have to fork the module
in order to remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
K Jonathan Harker 2 years ago
parent
commit
d921031e8a
3 changed files with 11 additions and 5 deletions
  1. 3
    1
      manifests/init.pp
  2. 4
    2
      templates/rules.erb
  3. 4
    2
      templates/rules.v6.erb

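--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -13,7 +13,9 @@ class iptables(
   $rules4           = [],
   $rules6           = [],
   $public_tcp_ports = [],
-  $public_udp_ports = []
+  $public_udp_ports = [],
+  $snmp_v4hosts     = ['104.239.135.208'],
+  $snmp_v6hosts     = ['2001:4800:7819:104:be76:4eff:fe05:1d6a'],
 ) {
 
   include ::iptables::params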
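Review bot: The defaults for `$snmp_v4hosts` and `$snmp_v6hosts` still open UDP/161 to the cacti.openstack.org addresses, so a downstream that does not override them keeps exactly the access the commit message says they likely don't want; keeping the old values as defaults preserves upstream behaviour, but that trade-off should be stated, and the parameters are neither documented nor type-checked. Each entry is interpolated straight into an iptables rule by the templates, so a non-address string only fails (or produces an unintended rule) when iptables-restore loads the file; depending on the Puppet/stdlib version the module targets (not visible here), either `Array[String] $snmp_v4hosts = ['104.239.135.208'],` or a `validate_array($snmp_v4hosts)` in the body would catch that early. I would also document both parameters in the class header, which is outside this hunk, e.g. `# [*snmp_v4hosts*] IPv4 addresses or CIDR ranges allowed to reach UDP/161 (SNMP); defaults to the openstack cacti host, pass [] to close it` with the matching line for the IPv6 list. The `class iptables(` signature begins before the hunk.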

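--- a/templates/rules.erb
+++ b/templates/rules.erb
@@ -10,8 +10,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 104.239.135.208 -j ACCEPT
+# SNMP
+<% @snmp_v4hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT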
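Review bot: The `<%= host %>` interpolation in the new SNMP loop trusts every entry of `$snmp_v4hosts` completely: a value containing whitespace or extra options is emitted into the rule unchanged and is only rejected (or, worse, accepted with a different meaning) when iptables-restore parses the file, and an entry such as `0.0.0.0/0` silently reopens SNMP to the world. Validating the list belongs in the class, but the template should at least state the contract it relies on, so I would replace the bare `# SNMP` with `# SNMP (UDP/161) only from the addresses/CIDR ranges in $snmp_v4hosts; an empty list emits no rule`. Readers of the generated rules file otherwise lose the "from openstack cacti" provenance the removed comment carried.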

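--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
@@ -9,8 +9,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:7819:104:be76:4eff:fe05:1d6a -j ACCEPT
+# SNMP
+<% @snmp_v6hosts.each do |host| -%>
+-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
+<% end -%>
 # Public TCP ports
 <% @public_tcp_ports.each do |port| -%>
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT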
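Review bot: Same trust model as the IPv4 template: each `$snmp_v6hosts` entry lands verbatim in an ip6tables rule with no form check in the template, so a prefix like `::/0` quietly exposes SNMP to every IPv6 source and a malformed entry fails only at ip6tables-restore time. The template can't validate this itself, but the comment should make the expectation visible: `# SNMP (UDP/161) only from the IPv6 addresses/prefixes in $snmp_v6hosts`. If the class gains a type or validate check for the list, both templates can then rely on it without further change.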
