From 994365d1bfe2bddb15fd8384d56656493c12ca06 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Thu, 14 Dec 2017 11:14:14 -0800
Subject: [PATCH] Use iptables allowed_hosts
This allows us to more safely specify hosts by name in iptable rules, as they will be resolved by puppet before being written to disk.
Change-Id: Ie133ad8246d5907723a6d7cbf14644e0a10cc4e7
Depends-On: I7a0dfbab67bdba72c0a56acc611503795d2bc350
---
 manifests/site.pp | 61 +++++++++----------
 modules/openstack_project/manifests/server.pp | 2 +
 2 files changed, 30 insertions(+), 33 deletions(-)
diff --git a/manifests/site.pp b/manifests/site.pp
index 4e91d21659..029f26a38a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -197,41 +197,36 @@ node 'puppetmaster.openstack.org' {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^graphite\d*\.openstack\.org$/ {
- $statsd_hosts = ['git.openstack.org',
- 'firehose01.openstack.org',
- 'logstash.openstack.org',
- 'nodepool.openstack.org',
- 'nl01.openstack.org',
- 'nl02.openstack.org',
- 'zuul.openstack.org',
- 'zuulv3.openstack.org',
- 'zm01.openstack.org',
- 'zm02.openstack.org',
- 'zm03.openstack.org',
- 'zm04.openstack.org',
- 'zm05.openstack.org',
- 'zm06.openstack.org',
- 'zm07.openstack.org',
- 'zm08.openstack.org',
- 'ze01.openstack.org',
- 'ze02.openstack.org',
- 'ze03.openstack.org',
- 'ze04.openstack.org',
- 'ze05.openstack.org',
- 'ze06.openstack.org',
- 'ze07.openstack.org',
- 'ze08.openstack.org',
- 'ze09.openstack.org',
- 'ze10.openstack.org',
- ]
-
- # Turn a list of hostnames into a list of iptables rules
- $rules = regsubst ($statsd_hosts, '^(.*)$', '-m udp -p udp -s \1 --dport 8125 -j ACCEPT')
-
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443],
- iptables_rules6 => $rules,
- iptables_rules4 => $rules,
+ iptables_allowed_hosts => [
+ {protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zuul.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zuulv3.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
+ {protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
+ ],
 sysadmins => hiera('sysadmins', [])
 }
diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp
index 535f699c11..f3e7030d90 100644
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@@ -6,6 +6,7 @@ class openstack_project::server (
 $iptables_public_udp_ports = [],
 $iptables_rules4 = [],
 $iptables_rules6 = [],
+ $iptables_allowed_hosts = [],
 $sysadmins = [],
 $pin_puppet = '3.',
 $ca_server = undef,
@@ -222,6 +223,7 @@ class openstack_project::server (
 rules6 => $iptables_rules6,
 snmp_v4hosts => $snmp_v4hosts,
 snmp_v6hosts => $snmp_v6hosts,
+ allowed_hosts => $iptables_allowed_hosts,
 }
 # We don't like byobu
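Review bot: The removed rules were installed in both tables (`iptables_rules4 => $rules` and `iptables_rules6 => $rules`), while the replacement `iptables_allowed_hosts` entries carry no address-family information, so whether IPv6 statsd traffic from these hosts is still accepted depends entirely on how the depended-on iptables change expands `allowed_hosts`; that is worth confirming before merge, because a dropped family would surface only as missing metrics rather than as an error. Resolution now happens when puppet compiles the catalog rather than when iptables loads the rules, so a host whose address changes keeps its stale address in the ruleset until the next run, and a name that fails to resolve during compilation should fail the catalog rather than silently omit the rule; both behaviours live in the iptables module and are not visible in this hunk. As a point of style, the 26 entries differ only in `hostname`, and since server.pp appears to pin the Puppet 3 parser (`$pin_puppet = '3.'`) there is no `map` to generate them, so a short comment above the array such as `# statsd senders: every entry is udp/8125, only the hostname varies` would make the repetition read as intentional.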
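Review bot: `$iptables_allowed_hosts = [],` joins the parameter list with no documentation of what its elements look like; the only shape in this change is the site.pp usage, an array of hashes with `protocol`, `port` and `hostname` keys, and a caller reading server.pp alone cannot learn that. A trailing comment on the new line, `$iptables_allowed_hosts = [],  # [{protocol, port, hostname}, ...]; names are resolved at catalog compile time`, is enough, and it should also state what happens to an entry whose hostname does not resolve, which is decided by the `allowed_hosts` parameter this value is forwarded to in the following hunk. The enclosing class parameter list starts before this hunk.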