add icinga2 rule for outgoing traffic
SimonHoenscheid committed Sep 16, 2024
1 parent e338551 commit 1433165
Showing 4 changed files with 57 additions and 0 deletions.
19 changes: 19 additions & 0 deletions REFERENCE.md
@@ -48,6 +48,7 @@ and Manager Daemons (MGR).
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
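Review bot: the index summary "allow outgoing icinga2" is thinner than its neighbours ("allow outgoing hkp connections to gpg keyservers") and names neither the service nor the port. Since this text matches the `@summary` tag in manifests/rules/out/icinga2.pp, the fix belongs in that tag so both the index and the class header pick it up, e.g. `# @summary allow outgoing Icinga 2 API/cluster connections (TCP 5665 by default)`.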
@@ -1013,6 +1014,24 @@ manage out http

manage out https

### <a name="nftables--rules--out--icinga2"></a>`nftables::rules::out::icinga2`

allow outgoing icinga2

#### Parameters

The following parameters are available in the `nftables::rules::out::icinga2` class:

* [`ports`](#-nftables--rules--out--icinga2--ports)

##### <a name="-nftables--rules--out--icinga2--ports"></a>`ports`

Data type: `Array[Stdlib::Port,1]`

icinga2 ports

Default value: `[5665]`

### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`

control outbound icmp packages
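Review bot: the parameter description "icinga2 ports" (mirrored from the `@param ports` tag) does not say these are TCP destination ports or what they are for; suggest "TCP destination ports of the Icinga 2 API/cluster endpoints (default 5665)". Worth stating because the generated rule only matches `tcp dport`, so a UDP port listed here would silently have no effect, and because the `Array[Stdlib::Port,1]` type rejects an empty list at catalog compile time, which operators should know before overriding the default.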
10 changes: 10 additions & 0 deletions manifests/rules/out/icinga2.pp
@@ -0,0 +1,10 @@
# @summary allow outgoing icinga2
# @param ports icinga2 ports
class nftables::rules::out::icinga2 (
Array[Stdlib::Port,1] $ports = [5665],
) {
nftables::rule {
'default_out-icinga2':
content => "tcp dport {${join($ports,', ')}} accept",
}
}
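Review bot: the rule `tcp dport {${join($ports,', ')}} accept` allows outbound TCP to the listed ports on every destination, which is broader than an Icinga 2 agent or satellite normally needs, since it only talks to a known master or parent zone. Consider an optional destination parameter (for example `Optional[Array[Stdlib::IP::Address]] $destinations = undef`, rendered as an `ip daddr { ... }` / `ip6 daddr { ... }` match in front of `tcp dport`) so operators can pin the rule to their Icinga 2 endpoints; keeping it `undef` by default preserves the current behaviour. The `Array[Stdlib::Port,1]` constraint and the comma-joined set syntax look correct for nftables.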
1 change: 1 addition & 0 deletions spec/acceptance/all_rules_spec.rb
@@ -107,6 +107,7 @@ class { 'nftables':
include nftables::rules::out::mldv2
include nftables::rules::out::mdns
include nftables::rules::out::ssdp
include nftables::rules::out::icinga2
include nftables::services::dhcpv6_client
include nftables::services::openafs_client
$config_path = $facts['os']['family'] ? {
27 changes: 27 additions & 0 deletions spec/classes/rules/out/icinga2_spec.rb
@@ -0,0 +1,27 @@
# frozen_string_literal: true

require 'spec_helper'

describe 'nftables::rules::out::icinga2' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }

context 'default options' do
it { is_expected.to compile }
it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {5665} accept') }
end

context 'with ports set' do
let(:params) do
{
ports: [55, 60],
}
end

it { is_expected.to compile }
it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {55, 60} accept') }
end
end
end
end
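Review bot: the spec covers the default and a two-port override but not the boundary the parameter type enforces. `Array[Stdlib::Port,1]` rejects an empty array and `Stdlib::Port` rejects values outside 0-65535, yet nothing asserts that. Suggest a third context, e.g. `let(:params) { { ports: [] } }` with `it { is_expected.to compile.and_raise_error(/ports/) }`, so a later loosening of the type to `Array[Stdlib::Port]` (which would render the invalid `tcp dport {} accept`) is caught by the tests.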
