add icinga2 rule for outgoing traffic

REFERENCE.md

@@ -48,6 +48,7 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
 * [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
 * [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
+* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
 * [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
 * [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
 * [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
@@ -1013,6 +1014,24 @@ manage out http
 
 manage out https
 
+### <a name="nftables--rules--out--icinga2"></a>`nftables::rules::out::icinga2`
+
+allow outgoing icinga2
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::icinga2` class:
+
+* [`ports`](#-nftables--rules--out--icinga2--ports)
+
+##### <a name="-nftables--rules--out--icinga2--ports"></a>`ports`
+
+Data type: `Array[Stdlib::Port,1]`
+
+icinga2 ports
+
+Default value: `[5665]`
+
 ### <a name="nftables--rules--out--icmp"></a>`nftables::rules::out::icmp`
 
 control outbound icmp packages

manifests/rules/out/icinga2.pp

@@ -0,0 +1,10 @@
+# @summary allow outgoing icinga2
+# @param ports icinga2 ports
+class nftables::rules::out::icinga2 (
+  Array[Stdlib::Port,1] $ports = [5665],
+) {
+  nftables::rule {
+    'default_out-icinga2':
+      content => "tcp dport {${join($ports,', ')}} accept",
+  }
+}

spec/acceptance/all_rules_spec.rb

@@ -4,7 +4,7 @@
 
 describe 'nftables class' do
   context 'configure all nftables rules' do
     it 'works idempotently with no errors' do
       pp = <<-EOS
       # Default ArchLinux rules contain "destroy" that requires kernel >= 6.3
       # https://gitlab.archlinux.org/archlinux/packaging/packages/nftables/-/commit/f26a7145b2885d298925819782a5302905332dbe
@@ -107,6 +107,7 @@
       include nftables::rules::out::mldv2
       include nftables::rules::out::mdns
       include nftables::rules::out::ssdp
+      include nftables::rules::out::icinga2
       include nftables::services::dhcpv6_client
       include nftables::services::openafs_client
       $config_path = $facts['os']['family'] ? {
@@ -143,16 +144,16 @@
     end
 
     describe service('nftables') do
       it { is_expected.to be_running }
       it { is_expected.to be_enabled }
     end
 
     describe file('/etc/nftables/puppet.nft', '/etc/systemd/system/nftables.service.d/puppet_nft.conf') do
       it { is_expected.to be_file }
     end
 
     describe file('/etc/nftables/puppet') do
       it { is_expected.to be_directory }
     end
   end
 end

spec/classes/rules/out/icinga2_spec.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::out::icinga2' do
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts) { os_facts }
+
+      context 'default options' do
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {5665} accept') }
+      end
+
+      context 'with ports set' do
+        let(:params) do
+          {
+            ports: [55, 60],
+          }
+        end
+
+        it { is_expected.to compile }
+        it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {55, 60} accept') }
+      end
+    end
+  end
+end