From 94ca328e5d309a5617043b2944e65df79271e0cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?=
Date: Sat, 21 Apr 2018 13:26:44 +0200
Subject: [PATCH] Firewall: NOT persist ephemetal ironic-inspector rules

When Ironic Inspector is configured to use the iptables pxe_filter driver it uses ephemeral firewall rules. This change ensures that these rules are not persisted. Ironic Inspector iptables filter driver does not set comments on it's rules. This patch use the string: '-m comment --comment' to ensure rules created by puppet-tripleo firewall is not accidentally removed from the persisted firewall rules.

Change-Id: Ic90804db8dd74fce78169d9857a150d5ebf40cbb
Related-Bug: #1765700
---
 manifests/firewall.pp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 39de22886..160df54a5 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -150,7 +150,29 @@ class tripleo::firewall(
       command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
       onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
     }
+
+    # Do not persist ephemeral firewall rules mananged by ironic-inspector
+    # pxe_filter 'iptables' driver.
+    # https://bugs.launchpad.net/tripleo/+bug/1765700
+    # https://storyboard.openstack.org/#!/story/2001890
+    exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
+      command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables',
+      onlyif => [
+        '/bin/test -f /etc/sysconfig/iptables',
+        '/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
+      ]
+    }
+    exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
+      command => '/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
+      onlyif => [
+        '/bin/test -f /etc/sysconfig/ip6tables',
+        '/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
+      ]
+    }
+
     Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
     Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
+    Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
+    Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
   }
 }
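Review bot: The `p` command in both new sed scripts duplicates every persisted rule that carries `-m comment --comment` but does not mention `ironic-inspector`: sed is run without `-n`, so each line is auto-printed at the end of its cycle and `/-m comment --comment/p` emits the matching line a second time, while only lines that also match `/ironic-inspector/d` are suppressed. Each time the exec fires (its onlyif is true whenever an uncommented ironic-inspector line is present in the file), another copy of every commented puppet-managed rule is appended to /etc/sysconfig/iptables, and likewise ip6tables, and iptables-restore will load all the copies at boot. Branching past the delete for commented lines keeps them exactly once without the extra print: `command => '/bin/sed -i "/-m comment --comment/b;/ironic-inspector/d" /etc/sysconfig/iptables',` in the v4 exec and the same script with ip6tables in the v6 exec. The comment on the first added line also reads `mananged`; it should be `managed`. The enclosing class tripleo::firewall begins outside the hunk.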