firewalling for pg basebackup
[mirror/dsa-puppet.git] / modules / postgres / manifests / backup_cluster.pp
index 102f264..bd6ef09 100644 (file)
@@ -43,10 +43,17 @@ define postgres::backup_cluster(
       }
     }
   }
+
+  # Send connections to the port to the pg-backup chain
+  # there, the register_backup_clienthost class will have
+  # realized the exported allows from the backup servers.
+  #
+  # Any non-matching traffic will fall through and it can
+  # be allowed elsewhere
   ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
-    description => 'Allow postgress access from backup host',
+    description => 'Check for postgres access from backup host',
     port        => $pg_port,
-    saddr       => $backup_servers_addrs,
+    target      => 'pg-backup',
   }
 
   postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
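Review bot: The new `target => 'pg-backup'` rule jumps to a chain that nothing in this hunk guarantees exists on the node. The added comment says the register_backup_clienthost class fills that chain, but no include or `require` of it is visible here; the define's body starts outside the hunk, so it may be declared above. If the chain is missing when the ruleset is generated, the jump would presumably fail to load, so the dependency is worth making explicit with a `require =>` on the resource that declares the chain, or at least by naming in the comment where the chain is created. With `saddr` removed, the source restriction for this port now lives entirely in the exported rules collected into that chain, and an empty chain means backup traffic falls through to whatever later rules or default policy apply. `$backup_servers_addrs` also looks unused after this change and could be dropped if nothing else in the define reads it.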