Use iptables for openSUSE

In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.

openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
co-opted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat`, which makes
conditionally composing the file more natural.

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
Colleen Murphy 2019-09-19 14:04:44 -07:00
parent 7a6101a60c
commit 587b85ba36
4 changed files with 15 additions and 15 deletions


@ -49,7 +49,7 @@
"python-dev": "python-devel",
"python3-dev": "python3-devel",
"python3": "python3",
"iptables": "iptables SuSEfirewall2",
"iptables": "iptables",
"uuid-runtime": "uuidd"
}
},


@ -124,7 +124,7 @@ else
# [1] https://bugzilla.redhat.com/show_bug.cgi?id=1386052
if [[ ! -e /etc/rc.local ]] && [[ ! -e /etc/debian_version ]]; then
if [[ ! -d /etc/rc.d ]]; then
echo "No rc.local and no rc.d directory! See comments in 89-unbound"
echo "No rc.local and no rc.d directory! See comments in 89-boot-settings"
exit 1
fi
touch /etc/rc.d/rc.local
@ -137,7 +137,7 @@ fi
# Overwrite /etc/resolv.conf at boot (let's hope nothing else is using
# rc.local...)
dd of=$rclocal <<EOF
cat >$rclocal <<EOF
#!/bin/bash
set -o xtrace
@ -150,6 +150,16 @@ set -e
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
EOF
# openSUSE doesn't have an iptables service, so apply the iptables rules at boot
if [[ "${DISTRO_NAME}" =~ (opensuse) ]] ; then
cat >>$rclocal <<EOF
iptables-restore /etc/sysconfig/iptables
ip6tables-restore /etc/sysconfig/ip6tables
EOF
fi
cat >>$rclocal <<EOF
exit 0
EOF
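Review bot: The two restore lines appended to boot.local, `iptables-restore /etc/sysconfig/iptables` and `ip6tables-restore /etc/sysconfig/ip6tables`, use bare command names, whereas the SuSEfirewall2 hook this commit deletes called `/usr/sbin/iptables-restore` and `/usr/sbin/ip6tables-restore`; boot.local may run with a minimal PATH early in boot, so I would keep the absolute paths: `/usr/sbin/iptables-restore /etc/sysconfig/iptables` and `/usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables`. The generated script runs under `set -e` (visible in the hunk header), so if `iptables-restore` fails — a missing or malformed /etc/sysconfig/iptables, say — the script aborts before `ip6tables-restore` and the host comes up with neither rule set loaded, which is the fail-open direction; at minimum each line should log its failure, e.g. `|| echo "boot.local: iptables rules not restored" >&2`, rather than silently skipping the rest. The rule-file paths are also hard-coded here while the deleted hook used `$ipv4_rules`/`$ipv6_rules`; if those variables can resolve to something other than /etc/sysconfig/iptables and /etc/sysconfig/ip6tables on openSUSE the two files would disagree, which is worth confirming. The `cat >$rclocal` heredoc that this hunk's first two lines close is opened in the previous hunk.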


@ -90,14 +90,3 @@ cat > $ipv6_rules << EOF
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
fw_custom_after_finished() {
/usr/sbin/iptables-restore $ipv4_rules
/usr/sbin/ip6tables-restore $ipv6_rules
}
EOF
fi


@ -29,7 +29,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
elif [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
service_name=iptables
elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
service_name=SuSEfirewall2
# handle iptables through init.d instead of a service
exit 0
elif [[ "$DISTRO_NAME" == 'gentoo' ]] ; then
# for use in loops in both openrc and systemd
service_name='iptables ip6tables'
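Review bot: The added comment `# handle iptables through init.d instead of a service` tells a reader of this script neither where that init hook is written nor which files it restores; I would spell it out, e.g. `# openSUSE ships no iptables service; the rules are restored from /etc/init.d/boot.local, which the 89-* boot-settings script writes`. The `exit 0` that follows also means everything after this elif chain in the file never runs for openSUSE — fine if the remainder only enables and starts `$service_name`, but worth confirming nothing else needed on openSUSE sits below it. The `if` chain this branch belongs to starts outside the hunk.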