Add firewall support for opensuse

openSUSE Leap uses its own firewall manager called SuSEfirewall2, which
is capable of loading custom iptables rules. This patch adds the
necessary configuration to tell SuSEfirewall2 where to look for custom
firewall rules so that we can manage openSUSE firewall rules in the same
way we manage firewall rules for other images.

Change-Id: Ifaebda6c7775244668710340831e12aabf9e86bc

nodepool/elements/infra-package-needs/pkg-map

@@ -36,7 +36,7 @@
       "puppet": "ruby2.1-rubygem-puppet",
       "python-dev": "python-devel",
       "python3-dev": "python3-devel",
-      "iptables": "iptables",
+      "iptables": "iptables SuSEfirewall2",
       "uuid-runtime": "uuidd"
     }
   },

nodepool/elements/nodepool-base/install.d/20-iptables

@@ -28,6 +28,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     rules_dir=/etc/sysconfig
     ipv4_rules=${rules_dir}/iptables
     ipv6_rules=${rules_dir}/ip6tables
+elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    rules_dir=/etc/sysconfig
+    ipv4_rules=${rules_dir}/iptables
+    ipv6_rules=${rules_dir}/ip6tables
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1
@@ -82,3 +86,15 @@ cat > $ipv6_rules << EOF
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
 EOF
+
+if [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
+    sed -i -e 's,^FW_CUSTOMRULES=.*$,FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom",' /etc/sysconfig/SuSEfirewall2
+
+    cat > /etc/sysconfig/scripts/SuSEfirewall2-custom <<EOF
+fw_custom_after_finished() {
+    /usr/sbin/iptables-restore $ipv4_rules
+    /usr/sbin/ip6tables-restore $ipv6_rules
+}
+EOF
+
+fi

nodepool/elements/nodepool-base/post-install.d/20-iptables

@@ -28,6 +28,8 @@ if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
     fi
 elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     service_name=iptables
+elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
+    service_name=SuSEfirewall2
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1