Make iptables additional rules a list.
A list of iptables rule fragments, each appended verbatim after the "-A openstack-INPUT" prefix (chain names are case-sensitive). Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3 Reviewed-on: https://review.openstack.org/17172 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
This commit is contained in:
parent
2dab877fb5
commit
52269a0fe2
modules
iptables
openstack_project/manifests
@ -2,8 +2,16 @@
|
|||||||
#
|
#
|
||||||
# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
|
# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
|
||||||
#
|
#
|
||||||
|
# params:
|
||||||
|
# rules4: A list of additional iptables v4 rules
|
||||||
|
# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
|
||||||
|
# rules6: A list of additional iptables v6 rules
|
||||||
|
# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
|
||||||
|
# public_tcp_ports: List of integer TCP ports on which to allow all traffic
|
||||||
|
# public_udp_ports: List of integer UDP ports on which to allow all traffic
|
||||||
class iptables(
|
class iptables(
|
||||||
$rules = '',
|
$rules4 = [],
|
||||||
|
$rules6 = [],
|
||||||
$public_tcp_ports = [],
|
$public_tcp_ports = [],
|
||||||
$public_udp_ports = []
|
$public_udp_ports = []
|
||||||
) {
|
) {
|
||||||
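Review bot: The new `rules4`/`rules6` parameters are documented as lists, but nothing in the class checks that a caller actually passes an array; the templates call `.each` on the value, so a caller still passing a single string (the old `$rules` form) will either be iterated line-by-line or fail at catalog compile time depending on the Ruby version, with the error surfacing in the template rather than here. If the module already depends on puppetlabs-stdlib, `validate_array($rules4)` and `validate_array($rules6)` at the top of the class body would make the contract explicit; I cannot see that dependency from this hunk. Independently of that, the parameter comments should state the trust the templates place in each element: extend them with `#   Each element is appended verbatim after '-A openstack-INPUT', before the final REJECT,` and `#   so it must be a complete match+target fragment; a bare '-j ACCEPT' opens the host to all traffic.` The body of `class iptables` continues beyond the end of this hunk.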
|
@ -23,6 +23,8 @@
|
|||||||
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
|
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
|
||||||
<% end -%>
|
<% end -%>
|
||||||
# Per-host rules
|
# Per-host rules
|
||||||
<%= rules %>
|
<% rules4.each do |rule| -%>
|
||||||
|
-A openstack-INPUT <%= rule %>
|
||||||
|
<% end -%>
|
||||||
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
|
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||||
COMMIT
|
COMMIT
|
||||||
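Review bot: `<%= rule %>` is written into the rules file verbatim, so every element of rules4 is trusted to be one well-formed match+target fragment; an element containing a newline, or a stray `COMMIT`, would end the chain early and the trailing `-A openstack-INPUT -j REJECT` that follows the loop would never be applied, or iptables-restore would reject the whole file. The values come from Puppet manifests rather than end users, so this is configuration hygiene rather than an injection vector, but the failure should be loud and attributable rather than a confusing restore error. A one-line guard inside the loop does that: `<% raise "iptables rules4 entry must be a single line: #{rule.inspect}" if rule.to_s.include?("\n") -%>`. The template's header and the per-port loop preceding this hunk are outside my view.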
|
@ -21,6 +21,8 @@
|
|||||||
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
|
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
|
||||||
<% end -%>
|
<% end -%>
|
||||||
# Per-host rules
|
# Per-host rules
|
||||||
<%= rules %>
|
<% rules6.each do |rule| -%>
|
||||||
|
-A openstack-INPUT <%= rule %>
|
||||||
|
<% end -%>
|
||||||
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
COMMIT
|
COMMIT
|
||||||
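Review bot: The IPv6 template accepts the same free-form fragments as the IPv4 one, but an IPv4 literal (e.g. `-s 127.0.0.1`) in a rules6 entry makes ip6tables-restore reject the entire file, and what state the host is left in then depends on how this file is loaded, which is outside the hunk. Because rules4 and rules6 are independent lists, an operator who adds a rules4 entry and forgets rules6 leaves the IPv6 side at the trailing `icmp6-adm-prohibited` REJECT, which fails closed and is the right default, but it is easy to miss. I would make both facts visible where the rules are emitted by changing the section comment to `# Per-host rules (rules6 only: IPv6 addresses/matches here, or ip6tables-restore rejects the whole file)`. The same newline guard suggested for the IPv4 template applies here, with "rules6" in the message.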
|
@ -3,11 +3,15 @@
|
|||||||
# A server that we expect to run for some time
|
# A server that we expect to run for some time
|
||||||
class openstack_project::server (
|
class openstack_project::server (
|
||||||
$iptables_public_tcp_ports = [],
|
$iptables_public_tcp_ports = [],
|
||||||
|
$iptables_rules4 = [],
|
||||||
|
$iptables_rules6 = [],
|
||||||
$sysadmins = [],
|
$sysadmins = [],
|
||||||
$certname = $::fqdn
|
$certname = $::fqdn
|
||||||
) {
|
) {
|
||||||
class { 'openstack_project::template':
|
class { 'openstack_project::template':
|
||||||
iptables_public_tcp_ports => $iptables_public_tcp_ports,
|
iptables_public_tcp_ports => $iptables_public_tcp_ports,
|
||||||
|
iptables_rules4 => $iptables_rules4,
|
||||||
|
iptables_rules6 => $iptables_rules6,
|
||||||
certname => $certname,
|
certname => $certname,
|
||||||
}
|
}
|
||||||
class { 'exim':
|
class { 'exim':
|
||||||
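Review bot: `$iptables_rules4` and `$iptables_rules6` are added to `openstack_project::server` with no parameter documentation; the class header only says "A server that we expect to run for some time", so a node author cannot tell from this file what shape the values take or where they end up. Two comment lines above the parameter list would close that gap: `# iptables_rules4: extra IPv4 rule fragments appended to the openstack-INPUT chain (see iptables::rules4 for the format)` and the matching `# iptables_rules6: ...` line for IPv6. The class body continues past the end of this hunk.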
|
@ -4,6 +4,8 @@
|
|||||||
#
|
#
|
||||||
class openstack_project::template (
|
class openstack_project::template (
|
||||||
$iptables_public_tcp_ports = [],
|
$iptables_public_tcp_ports = [],
|
||||||
|
$iptables_rules4 = [],
|
||||||
|
$iptables_rules6 = [],
|
||||||
$install_users = true,
|
$install_users = true,
|
||||||
$certname = $::fqdn
|
$certname = $::fqdn
|
||||||
) {
|
) {
|
||||||
@ -13,6 +15,8 @@ class openstack_project::template (
|
|||||||
|
|
||||||
class { 'iptables':
|
class { 'iptables':
|
||||||
public_tcp_ports => $iptables_public_tcp_ports,
|
public_tcp_ports => $iptables_public_tcp_ports,
|
||||||
|
rules4 => $iptables_rules4,
|
||||||
|
rules6 => $iptables_rules6,
|
||||||
}
|
}
|
||||||
|
|
||||||
class { 'ntp::server': }
|
class { 'ntp::server': }
|
||||||
|