From 9494eea3b67c902f3fa0eedc3e77ae79e755174e Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Sun, 6 Aug 2017 15:45:09 -0400
Subject: [PATCH] ferm: accept syslog from fastly IPs
---
 modules/ferm/manifests/per_host.pp | 4 ++++
 modules/ferm/templates/defs.conf.erb | 8 ++++++++
 2 files changed, 12 insertions(+)
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index c68e4b6bb..7dca2520f 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -44,6 +44,10 @@ class ferm::per_host {
 description => 'Allow syslog access',
 rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
 }
+ @ferm::rule { 'fastly-syslog':
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, $HOST_FASTLY)'
+ }
 }
 kaufmann: {
 @ferm::rule { 'dsa-hkp':
diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 7c53bb90f..25468cfab 100644
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -73,6 +73,14 @@
 @def $HOST_RCODE0_V6 = (2A02:850:8::/47);
 @def $HOST_NETNOD_V4 = (192.71.80.0/24 192.36.144.222 192.36.144.218);
+<%=
+def getfastlyranges()
+ data = YAML.safe_load(File.open("/srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml").read)
+ return data.addresses
+end
+%>
+@def $HOST_FASTLY = (<%= getfastlyranges().join(' ') %>);
+
 @def $HOST_DEBIAN_V4 = (<%= scope.function_filter_ipv4([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN_V6 = (<%= scope.function_filter_ipv6([dbs]).uniq.join(' ') %>);
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
--
2.20.1
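Review bot: Source-IP matching is the only control visible on the new `fastly-syslog` rule, and `$HOST_FASTLY` is shared CDN address space rather than hosts the project operates, so a match on it does not by itself identify who is sending to TCP 5140. Whether the listener behind that port requires TLS or a per-sender credential is not visible in this hunk; if it does not, that belongs on the receiver, and a short comment beside the rule saying what authenticates the sender would help the next reader. The description is also copied verbatim from the rule above; `description => 'Allow syslog access from Fastly ranges',` would tell the two apart. The enclosing case branch begins outside the hunk.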
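Review bot: The added ERB block is unlikely to render as intended. `<%= def … end %>` is an output tag, so the value of the `def` expression (the method name as a symbol on Ruby 2.1 and later) is printed into defs.conf. `data.addresses` also calls a method on the result of `YAML.safe_load`, which is a Hash for a YAML mapping and has no such method; `data['addresses']` is presumably what was meant. The list then flows unchecked into `$HOST_FASTLY` and on into the port 5140 accept rule: nothing verifies that the file exists, that the list is non-empty, or that each entry contains only address or CIDR characters, so a truncated or altered fastly_ranges.yaml could fail template rendering or widen the firewall. `File.read` would also avoid leaving the handle from `File.open(...).read` to the garbage collector. A possible shape follows; the `addresses` key and the string-key assumption are taken from the hunk and need confirming against the file actually produced.

```erb
<%
# Non-output tag: nothing from this block should be printed into defs.conf.
fastly_file = '/srv/puppet.debian.org/puppet-facts/fastly_ranges.yaml'
fastly_data = YAML.safe_load(File.read(fastly_file))
fastly_ranges = fastly_data.is_a?(Hash) ? Array(fastly_data['addresses']) : []
raise Puppet::ParseError, "#{fastly_file}: no addresses found" if fastly_ranges.empty?
# Only address/CIDR characters may reach the ferm definition.
unexpected = fastly_ranges.reject { |r| r.to_s =~ %r{\A[0-9A-Fa-f:.]+(/\d{1,3})?\z} }
raise Puppet::ParseError, "#{fastly_file}: unexpected entries #{unexpected.inspect}" unless unexpected.empty?
%>
@def $HOST_FASTLY = (<%= fastly_ranges.join(' ') %>);
```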