@@ -2,17 +2,15 @@
#
# /etc/nftables.conf - FFHO packet filter configuration
#
-{%- set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
+{%- set nodes = salt['pillar.get']('nodes', {}) %}
+{%- set node_config = nodes.get (grains['id'], {}) %}
{%- set roles = node_config.get ('roles', []) %}
{%- set fw_config = salt['pillar.get']('firewall', {}) %}
{%- set admin_access = fw_config.get ('admin_access') %}
{%- set ssh = fw_config.get ('ssh') %}
-
-{%- set prometheus_hosts = salt['pillar.get']('firewall:acls:prometheus') %}
-{%- set icinga2_queriers = salt['pillar.get']('monitoring:icinga2:queriers', []) %}
-{%- set nms_list = salt['pillar.get']('globals:snmp:nms_list', []) %}
-
+{%- set monitoring_cfg = salt['pillar.get']('monitoring') %}
+{%- set monitoring_rules = salt['ffho_netfilter.generate_monitoring_rules'](nodes, monitoring_cfg) %}
{%- set services = salt['ffho_netfilter.generate_service_rules'](fw_config, node_config) %}
{%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_config, node_config) %}
{%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](node_config) %}
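Review bot: The new `monitoring_cfg` lookup is the only pillar read in this block without a default, so a minion whose pillar lacks a `monitoring` key hands `None` to `ffho_netfilter.generate_monitoring_rules`, whereas `nodes` and `fw_config` on the neighbouring lines fall back to `{}`; whether the module tolerates `None` cannot be seen from here, so the consistent form is `{%- set monitoring_cfg = salt['pillar.get']('monitoring', {}) %}`. A second behavioural change worth a comment: `nodes.get (grains['id'], {})` now renders a node that is missing from pillar with an empty config instead of failing the render as the old `'nodes:' ~ grains['id']` lookup would have, which means the firewall is generated from no role and no service data rather than left untouched. If that fail-open rendering is intended, say so above the line, e.g. `{#- Unknown minions get an empty node config and thus only the default policies below. #}`; if not, this is the place to assert that `grains['id']` is present in `nodes`.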
@@ -111,12 +109,8 @@ table ip filter {
{%- endif %}
chain monitoring {
- ip saddr { {{ prometheus_hosts[4]|join(", ") }} } tcp dport 9100 counter accept comment "prometheus"
-{%- for ip in icinga2_queriers if not ":" in ip %}
- ip saddr {{ ip }} counter accept comment "Icinga2"
-{%- endfor %}
-{%- for ip in nms_list if not ":" in ip %}
- ip saddr {{ ip }} udp dport 161 counter accept comment "NMS"
+{%- for rule in monitoring_rules[4] %}
+ {{ rule }}
{%- endfor %}
}
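Review bot: After this change the `monitoring` chain body is just `{{ rule }}` per entry of `monitoring_rules[4]`, so the template no longer shows a reviewer which source addresses and ports (formerly prometheus 9100/tcp, Icinga2, NMS 161/udp) are accepted, and it silently relies on the module always returning both the `4` and `6` keys; the same applies to the ip6 chain in the third hunk. A short comment above the loop would preserve that review context, e.g. `{#- Accept rules for monitoring sources are generated by ffho_netfilter.generate_monitoring_rules() from the 'monitoring' pillar; keys 4 and 6 select the address family. #}`. The enclosing `table ip filter { … }` starts outside the hunk.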
@@ -240,12 +234,8 @@ table ip6 filter {
{%- endif %}
chain monitoring {
- ip6 saddr { {{ prometheus_hosts[6]|join(", ") }} } tcp dport 9100 counter accept comment "prometheus"
-{%- for ip in icinga2_queriers if ":" in ip %}
- ip6 saddr {{ ip }} counter accept comment "Icinga2"
-{%- endfor %}
-{%- for ip in nms_list if ":" in ip %}
- ip6 saddr {{ ip }} udp dport 161 counter accept comment "NMS"
+{%- for rule in monitoring_rules[6] %}
+ {{ rule }}
{%- endfor %}
}