Trying to automate setup of nft rules for relp traffic.

global/overlay/etc/puppet/modules/soc/manifests/rsyslog/server.pp

@@ -8,9 +8,10 @@ class soc::rsyslog::server(
   $udp_client = lookup('udp_client', undef, undef, 'any'),
   $tcp_port = lookup(tcp_port, undef, undef, undef),
   $tcp_client = lookup('tcp_client', undef, undef, 'any'),
-  $relp_port = lookup(relp_port, undef, undef, undef),
+  $relp_port = lookup(relp_port, undef, undef, '2514'),
   $relp_client = lookup('relp_client', undef, undef, 'any'),
   $traditional_file_format = false,
+  $hostgroups = $facts['configured_hosts_in_cosmos'],
 ) {
   # Install rsyslog packages
   [ 'rsyslog', 'rsyslog-relp', 'rsyslog-openssl' ].each |String $package| {
@@ -53,7 +54,7 @@ class soc::rsyslog::server(
     subscribe => File['/etc/rsyslog.d/60-remote.conf'],
   }
 
-  if ($tcp_port or $udp_port or $relp_port) {
+  if ($tcp_port or $udp_port) {
     if ($udp_port) {
         sunet::nftables::allow { "allow-syslog-udp-${udp_port}":
           from  => $udp_client,
@@ -70,14 +71,7 @@ class soc::rsyslog::server(
           port  => $tcp_port
         }
     }
-    if ($relp_port) {
-        sunet::nftables::allow { "allow-syslog-relp-${relp_port}":
-          from  => $relp_client,
-          to    => 'any',
-          proto => 'tcp',
-          port  => $relp_port
-        }
-    }
+  }
 
     file { '/etc/rsyslog.d/50-local.conf':
       ensure  => file,
@@ -96,4 +90,16 @@ class soc::rsyslog::server(
       content => template('soc/rsyslog/rsyslog.logrotate.erb'),
     }
   }
+
+  if 'all' in $hostgroups {
+    $hostgroups['all'].each |String $hostname| {
+      $ip_list = dnsLookup($hostname)
+      $ip_list.each |String $ip| {
+        sunet::nftables::allow { "allow-rsyslog-relp-${relp_port}":
+          from => $ip,
+          port => $relp_port,
+        }
+      }
+    }
+  }
 }