Add firewall support for opensuse

openSUSE Leap uses its own firewall manager called SuSEfirewall2, which
is capable of loading custom iptables rules. This patch adds the
necessary configuration to tell SuSEfirewall2 where to look for custom
firewall rules so that we can manage openSUSE firewall rules in the same
way we manage firewall rules for other images.

Change-Id: Ifaebda6c7775244668710340831e12aabf9e86bc
Colleen Murphy 2017-04-22 13:04:31 +02:00
parent 97e65e6924
commit ffafa8f773
3 changed files with 19 additions and 1 deletions


@ -36,7 +36,7 @@
"puppet": "ruby2.1-rubygem-puppet", "puppet": "ruby2.1-rubygem-puppet",
"python-dev": "python-devel", "python-dev": "python-devel",
"python3-dev": "python3-devel", "python3-dev": "python3-devel",
"iptables": "iptables", "iptables": "iptables SuSEfirewall2",
"uuid-runtime": "uuidd" "uuid-runtime": "uuidd"
} }
}, },


@ -28,6 +28,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
rules_dir=/etc/sysconfig rules_dir=/etc/sysconfig
ipv4_rules=${rules_dir}/iptables ipv4_rules=${rules_dir}/iptables
ipv6_rules=${rules_dir}/ip6tables ipv6_rules=${rules_dir}/ip6tables
elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
rules_dir=/etc/sysconfig
ipv4_rules=${rules_dir}/iptables
ipv6_rules=${rules_dir}/ip6tables
else else
echo "Unsupported operating system $DISTRO_NAME" echo "Unsupported operating system $DISTRO_NAME"
exit 1 exit 1
@ -82,3 +86,15 @@ cat > $ipv6_rules << EOF
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT COMMIT
EOF EOF
if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
fw_custom_after_finished() {
/usr/sbin/iptables-restore $ipv4_rules
/usr/sbin/ip6tables-restore $ipv6_rules
}
EOF
fi
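Review bot: The `sed` on `/etc/sysconfig/SuSEfirewall2` in the second hunk changes nothing and still exits 0 when the file has no line starting with `FW_CUSTOMRULES=`, so the build can succeed without the hook ever being registered and the openstack-INPUT rules never being loaded. A check right after it, such as `grep -q '^FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"' /etc/sysconfig/SuSEfirewall2 || exit 1`, would turn that into a build failure. The generated `fw_custom_after_finished` also runs `ip6tables-restore` regardless of whether `iptables-restore` failed, so chaining the two with `&&` or returning on error would keep a half-applied ruleset from passing silently. A comment in the hook should note that `iptables-restore` without `--noflush` flushes the existing contents of each table it loads, so the rules SuSEfirewall2 has just generated for those tables are replaced; that looks intended but is not stated.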


@ -28,6 +28,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
fi fi
elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
service_name=iptables service_name=iptables
elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
service_name=SuSEfirewall2
else else
echo "Unsupported operating system $DISTRO_NAME" echo "Unsupported operating system $DISTRO_NAME"
exit 1 exit 1
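Review bot: The new branch tests `"$DISTRO_NAME" == 'opensuse'`, while the rules script changed earlier in this commit uses `=~ 'opensuse'`, which with a quoted right-hand side is a substring match. For a DISTRO_NAME that only contains `opensuse`, the rules would be written and the SuSEfirewall2 hook installed, but this script would fall through to "Unsupported operating system" and exit 1 without enabling the service. Using the exact test in both places, `elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then`, keeps the two scripts in step. The if/elif chain starts above the hunk, so only the branches shown here were compared.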