Make iptables additional rules a list.

A list of iptables commands that come after the "-A OPENSTACK-INPUT" bit. Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3 Reviewed-on: https://review.openstack.org/17172 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Approved: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2012-11-29 15:58:31 -08:00 · 2012-11-29 15:58:31 -08:00 · 52269a0fe2
commit 52269a0fe2
parent 2dab877fb5
5 changed files with 23 additions and 3 deletions
--- a/modules/iptables/manifests/init.pp
+++ b/modules/iptables/manifests/init.pp
@ -2,8 +2,16 @@
 #
 # http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
 #
+# params:
+#   rules4: A list of additional iptables v4 rules
+#          eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
+#   rules6: A list of additional iptables v6 rules
+#          eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
+#   public_tcp_ports: List of integer TCP ports on which to allow all traffic
+#   public_udp_ports: List of integer UDP ports on which to allow all traffic
 class iptables(
-  $rules = '',
+  $rules4 = [],
+  $rules6 = [],
  $public_tcp_ports = [],
  $public_udp_ports = []
 ) {
--- a/modules/iptables/templates/rules.erb
+++ b/modules/iptables/templates/rules.erb
@ -23,6 +23,8 @@
 -A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
 <% end -%>
 # Per-host rules
-<%= rules %>
+<% rules4.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
--- a/modules/iptables/templates/rules.v6.erb
+++ b/modules/iptables/templates/rules.v6.erb
@ -21,6 +21,8 @@
 -A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
 <% end -%>
 # Per-host rules
-<%= rules %>
+<% rules6.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@ -3,11 +3,15 @@
 # A server that we expect to run for some time
 class openstack_project::server (
  $iptables_public_tcp_ports = [],
+  $iptables_rules4           = [],
+  $iptables_rules6           = [],
  $sysadmins                 = [],
  $certname                  = $::fqdn
 ) {
  class { 'openstack_project::template':
    iptables_public_tcp_ports => $iptables_public_tcp_ports,
+    iptables_rules4           => $iptables_rules4,
+    iptables_rules6           => $iptables_rules6,
    certname                  => $certname,
  }
  class { 'exim':
--- a/modules/openstack_project/manifests/template.pp
+++ b/modules/openstack_project/manifests/template.pp
@ -4,6 +4,8 @@
 #
 class openstack_project::template (
  $iptables_public_tcp_ports = [],
+  $iptables_rules4           = [],
+  $iptables_rules6           = [],
  $install_users = true,
  $certname = $::fqdn
 ) {
@ -13,6 +15,8 @@ class openstack_project::template (

  class { 'iptables':
    public_tcp_ports => $iptables_public_tcp_ports,
+    rules4           => $iptables_rules4,
+    rules6           => $iptables_rules6,
  }

  class { 'ntp::server': }