Trying to automate setup of nft rules for relp traffic.
This commit is contained in:
parent
fa0ca96e3f
commit
1572ff2bc3
1 changed files with 16 additions and 10 deletions
|
@ -8,9 +8,10 @@ class soc::rsyslog::server(
|
||||||
$udp_client = lookup('udp_client', undef, undef, 'any'),
|
$udp_client = lookup('udp_client', undef, undef, 'any'),
|
||||||
$tcp_port = lookup(tcp_port, undef, undef, undef),
|
$tcp_port = lookup(tcp_port, undef, undef, undef),
|
||||||
$tcp_client = lookup('tcp_client', undef, undef, 'any'),
|
$tcp_client = lookup('tcp_client', undef, undef, 'any'),
|
||||||
$relp_port = lookup(relp_port, undef, undef, undef),
|
$relp_port = lookup(relp_port, undef, undef, '2514'),
|
||||||
$relp_client = lookup('relp_client', undef, undef, 'any'),
|
$relp_client = lookup('relp_client', undef, undef, 'any'),
|
||||||
$traditional_file_format = false,
|
$traditional_file_format = false,
|
||||||
|
$hostgroups = $facts['configured_hosts_in_cosmos'],
|
||||||
) {
|
) {
|
||||||
# Install rsyslog packages
|
# Install rsyslog packages
|
||||||
[ 'rsyslog', 'rsyslog-relp', 'rsyslog-openssl' ].each |String $package| {
|
[ 'rsyslog', 'rsyslog-relp', 'rsyslog-openssl' ].each |String $package| {
|
||||||
|
@ -53,7 +54,7 @@ class soc::rsyslog::server(
|
||||||
subscribe => File['/etc/rsyslog.d/60-remote.conf'],
|
subscribe => File['/etc/rsyslog.d/60-remote.conf'],
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($tcp_port or $udp_port or $relp_port) {
|
if ($tcp_port or $udp_port) {
|
||||||
if ($udp_port) {
|
if ($udp_port) {
|
||||||
sunet::nftables::allow { "allow-syslog-udp-${udp_port}":
|
sunet::nftables::allow { "allow-syslog-udp-${udp_port}":
|
||||||
from => $udp_client,
|
from => $udp_client,
|
||||||
|
@ -70,14 +71,7 @@ class soc::rsyslog::server(
|
||||||
port => $tcp_port
|
port => $tcp_port
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ($relp_port) {
|
}
|
||||||
sunet::nftables::allow { "allow-syslog-relp-${relp_port}":
|
|
||||||
from => $relp_client,
|
|
||||||
to => 'any',
|
|
||||||
proto => 'tcp',
|
|
||||||
port => $relp_port
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
file { '/etc/rsyslog.d/50-local.conf':
|
file { '/etc/rsyslog.d/50-local.conf':
|
||||||
ensure => file,
|
ensure => file,
|
||||||
|
@ -96,4 +90,16 @@ class soc::rsyslog::server(
|
||||||
content => template('soc/rsyslog/rsyslog.logrotate.erb'),
|
content => template('soc/rsyslog/rsyslog.logrotate.erb'),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if 'all' in $hostgroups {
|
||||||
|
$hostgroups['all'].each |String $hostname| {
|
||||||
|
$ip_list = dnsLookup($hostname)
|
||||||
|
$ip_list.each |String $ip| {
|
||||||
|
sunet::nftables::allow { "allow-rsyslog-relp-${relp_port}":
|
||||||
|
from => $ip,
|
||||||
|
port => $relp_port,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
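Review bot: The `sunet::nftables::allow` resource added in the last hunk is titled `"allow-rsyslog-relp-${relp_port}"`, which does not vary with either loop variable, so as soon as `$hostgroups['all']` yields more than one address (two hosts, or one host resolving to several IPs) catalog compilation fails on a duplicate declaration; include the address in the title, e.g. `sunet::nftables::allow { "allow-rsyslog-relp-${relp_port}-${ip}":`. With `$relp_port` now defaulting to `'2514'` in the first hunk and the old `if ($relp_port)` guard dropped in the third, these allow rules are created for every inventory host whenever the `all` group exists, even when RELP is not otherwise configured; if that is intended, a comment on the `if 'all' in $hostgroups {` line saying so would save the next reader the question. The new resource also omits the `to => 'any'` and `proto => 'tcp'` arguments the removed block passed, so it relies on the defaults of `sunet::nftables::allow`, which are not visible here and should be confirmed to match. After this change `$relp_client` in the parameter list has no remaining reader and is presumably dead.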
|
||||||
|
|