From 14331657911fc06e14a014a74fe916d4342fc7d6 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Sun, 15 Sep 2024 21:13:35 +0200
Subject: [PATCH] add icinga2 rule for outgoing traffic
---
REFERENCE.md | 19 ++++++++++++++++++
manifests/rules/out/icinga2.pp | 10 ++++++++++
spec/acceptance/all_rules_spec.rb | 1 +
spec/classes/rules/out/icinga2_spec.rb | 27 ++++++++++++++++++++++++++
4 files changed, 57 insertions(+)
create mode 100644 manifests/rules/out/icinga2.pp
create mode 100644 spec/classes/rules/out/icinga2_spec.rb
diff --git a/REFERENCE.md b/REFERENCE.md
index 1a8f89f6..0caf1de0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -48,6 +48,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
 * [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
 * [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
+* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
 * [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
 * [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
 * [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
@@ -1013,6 +1014,24 @@ manage out http
 
 manage out https
 
+### `nftables::rules::out::icinga2`
+
+allow outgoing icinga2
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::icinga2` class:
+
+* [`ports`](#-nftables--rules--out--icinga2--ports)
+
+##### `ports`
+
+Data type: `Array[Stdlib::Port,1]`
+
+icinga2 ports
+
+Default value: `[5665]`
+
 ### `nftables::rules::out::icmp`
 
 control outbound icmp packages
diff --git a/manifests/rules/out/icinga2.pp b/manifests/rules/out/icinga2.pp
new file mode 100644
index 00000000..bf638ea7
--- /dev/null
+++ b/manifests/rules/out/icinga2.pp
@@ -0,0 +1,10 @@
+# @summary allow outgoing icinga2
+# @param ports icinga2 ports
+class nftables::rules::out::icinga2 (
+ Array[Stdlib::Port,1] $ports = [5665],
+) {
+ nftables::rule {
+ 'default_out-icinga2':
+ content => "tcp dport {${join($ports,', ')}} accept",
+ }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
index 7b7b8f92..0c30931b 100644
--- a/spec/acceptance/all_rules_spec.rb
+++ b/spec/acceptance/all_rules_spec.rb
@@ -107,6 +107,7 @@ class { 'nftables':
 include nftables::rules::out::mldv2
 include nftables::rules::out::mdns
 include nftables::rules::out::ssdp
+ include nftables::rules::out::icinga2
 include nftables::services::dhcpv6_client
 include nftables::services::openafs_client
 $config_path = $facts['os']['family'] ? {
diff --git a/spec/classes/rules/out/icinga2_spec.rb b/spec/classes/rules/out/icinga2_spec.rb
new file mode 100644
index 00000000..37abfe34
--- /dev/null
+++ b/spec/classes/rules/out/icinga2_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::out::icinga2' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ context 'default options' do
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {5665} accept') }
+ end
+
+ context 'with ports set' do
+ let(:params) do
+ {
+ ports: [55, 60],
+ }
+ end
+
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {55, 60} accept') }
+ end
+ end
+ end
+end
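Review bot: The `default_out-icinga2` rule accepts TCP to every port in `ports` toward any destination address, so the class gives an operator no way to confine egress to the Icinga 2 master or satellite hosts the node actually reports to. If the module's other `out` rules already take a destination-address parameter, the same pattern would fit here; if not, the summary should at least make the scope explicit, e.g. `# @summary allow outgoing connections to the Icinga 2 API port (TCP 5665 by default), to any destination`. The `@param ports` line would be clearer as `# @param ports TCP ports of the Icinga 2 API the node connects to (default 5665)`.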
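Review bot: The new spec exercises the default and a two-port override but not the `Array[Stdlib::Port,1]` constraint that keeps an empty `{}` set out of the rendered `tcp dport {...} accept` rule, so a later loosening of that type would pass unnoticed. A third context with `let(:params) { { ports: [] } }` and `it { is_expected.to compile.and_raise_error(/ports/) }` would pin that guard. This is coverage only; the two existing expectations match the manifest added in this patch.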