Import default rules and sort rules
This change imports some embedded rules which were missed when the role was created. Additionally, the logic that sorted the rules by their comment strings was missing. To ensure rules are created consistently and in the expected order, a new fact has been added that sorts all rules before they are written. This fact is now consumed by a single loop, which guarantees every rule is written in its expected position. Change-Id: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
parent
b9b51cd4c6
commit
1449edf270
|
@ -30,3 +30,29 @@
|
|||
# extras:
|
||||
# ensure: 'absent'
|
||||
tripleo_firewall_rules: {}
|
||||
|
||||
tripleo_firewall_default_rules:
|
||||
'000 accept related established rules':
|
||||
proto: all
|
||||
state:
|
||||
- RELATED
|
||||
- ESTABLISHED
|
||||
'001 accept all icmp':
|
||||
proto: icmp
|
||||
'002 accept all to lo interface':
|
||||
proto: all
|
||||
interface: lo
|
||||
'004 accept ipv6 dhcpv6':
|
||||
dport: 546
|
||||
proto: udp
|
||||
state:
|
||||
- NEW
|
||||
destination: 'fe80::/64'
|
||||
'998 log all':
|
||||
proto: all
|
||||
jump: LOG
|
||||
limit: 20/min
|
||||
limit_burst: 15
|
||||
'999 drop all':
|
||||
proto: all
|
||||
action: drop
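Review bot: `'999 drop all'` declares `action: drop`, but nothing on this page consumes an `action` key from a rule: the add tasks in tripleo_firewall_add.yml set the target from `item['rule']['jump'] | default('ACCEPT')`, so unless something outside the visible hunks (the first 42 lines of that file, or tripleo_firewall_state.yml) rewrites `action` into `jump`, this default renders as `-p all ... -j ACCEPT` and the terminal drop rule becomes an accept-all. The neighbouring `'998 log all'` already uses `jump: LOG`, so the defaults are inconsistent with themselves. Either change this entry to `jump: DROP`, or add a mapping on the add tasks so that puppet-style `action: drop`/`action: accept` keys from existing tripleo_firewall_rules are honoured, e.g. `jump: "{{ item['rule']['jump'] | default(item['rule']['action'] | default('accept') | upper) }}"`; either way the rendered `iptables -S INPUT` should be checked after deploy.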
|
||||
|
|
|
@ -28,6 +28,17 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Set rule fact
|
||||
set_fact:
|
||||
firewall_rules_sorted: "{{
|
||||
tripleo_firewall_default_rules |
|
||||
combine(tripleo_firewall_rules) |
|
||||
dict2items(key_name='rule_name', value_name='rule') |
|
||||
sort(attribute='rule_name') |
|
||||
reverse |
|
||||
list
|
||||
}}"
|
||||
|
||||
- name: Check rule set
|
||||
fail:
|
||||
msg: >-
|
||||
|
@ -38,7 +49,7 @@
|
|||
(item['rule']['dport'] is undefined) and
|
||||
((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
|
||||
((item['rule']['table'] | default('filter')) != 'nat')
|
||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
||||
loop: "{{ firewall_rules_sorted }}"
|
||||
|
||||
- name: Firewall add block
|
||||
become: true
|
||||
|
@ -56,13 +67,4 @@
|
|||
|
||||
- name: Enable filewall port config
|
||||
include_tasks: tripleo_firewall_add.yml
|
||||
when:
|
||||
- item['rule']['dport'] is defined
|
||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
||||
|
||||
- name: Enable filewall protocol config
|
||||
include_tasks: tripleo_firewall_protocol_rules.yml
|
||||
when:
|
||||
- item['rule']['proto'] is defined
|
||||
- item['rule']['dport'] is undefined
|
||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
||||
loop: "{{ firewall_rules_sorted }}"
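Review bot: The reverse sort in `Set rule fact` only produces the intended chain order on a chain that does not already contain these rules: the add tasks use `action: insert`, which places each rule at position 1, and as far as I know the ansible iptables module checks for an existing identical rule before inserting, so a rule added to `tripleo_firewall_rules` on a later run lands above `'000 accept related established rules'` rather than at its sorted position. With `'999 drop all'` in the defaults a later-added allow still takes effect, but the relative order of any two rules added on different runs (a deny meant to precede an allow) is not guaranteed. That is worth a comment on the fact, e.g. `# NOTE: reverse-sorted because the add tasks insert at position 1; the resulting order is only guaranteed for rules created in the same run`. The `Check rule set` condition begins before the `@ -38,7` hunk, so whether the new default rules (which carry no dport) satisfy it cannot be confirmed from this page.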
|
||||
|
|
|
@ -43,48 +43,114 @@
|
|||
|
||||
- include_tasks: tripleo_firewall_state.yml
|
||||
|
||||
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
|
||||
# the multiport key word. While multiport is perfectly functional
|
||||
# using raw iptables rules, it is not supported in the ansible
|
||||
# module. The use of the loop will be revised just as soon as the
|
||||
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
|
||||
# is merged.
|
||||
- name: Firewall port rule (ipv4)
|
||||
iptables:
|
||||
action: insert
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
destination: "{{ item['rule']['destination'] | default(omit) }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||
ip_version: ipv4
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- item['rule']['dport'] is defined
|
||||
- (item['rule']['proto'] | default('tcp')) != 'ipv6'
|
||||
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
||||
- item['rule']['destination'] | default('127.0.0.1') | ipv4
|
||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
|
||||
|
||||
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
|
||||
# the multiport key word. While multiport is perfectly functional
|
||||
# using raw iptables rules, it is not supported in the ansible
|
||||
# module. The use of the loop will be revised just as soon as the
|
||||
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
|
||||
# is merged.
|
||||
- name: Firewall port rule (ipv6)
|
||||
iptables:
|
||||
action: insert
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||
destination_port: "{{ port | replace('-', ':') }}"
|
||||
destination: "{{ item['rule']['destination'] | default(omit) }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv6"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||
ip_version: ipv6
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- item['rule']['dport'] is defined
|
||||
- (item['rule']['proto'] | default('tcp')) != 'ipv4'
|
||||
- item['rule']['source'] | default('::') | ipv6
|
||||
- item['rule']['destination'] | default('::') | ipv6
|
||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||
loop_control:
|
||||
loop_var: port
|
||||
notify:
|
||||
- Save firewall rules
|
||||
|
||||
- name: Firewall protocol rule (ipv4)
|
||||
iptables:
|
||||
action: insert
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||
ip_version: ipv4
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- (item['rule']['proto'] | default('all')) != 'ipv6'
|
||||
- item['rule']['proto'] is defined
|
||||
- item['rule']['dport'] is undefined
|
||||
|
||||
- name: Firewall protocol rule (ipv6)
|
||||
iptables:
|
||||
action: insert
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||
ip_version: ipv6
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- (item['rule']['proto'] | default('all')) != 'ipv4'
|
||||
- item['rule']['proto'] is defined
|
||||
- item['rule']['dport'] is undefined
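Review bot: The `Firewall protocol rule (ipv6)` task labels its rule `ipv4`: its `comment:` line should read `comment: "{{ item['rule_name'] }} ipv6"`, matching the port-rule tasks above it (the same slip existed in the deleted tripleo_firewall_protocol_rules.yml and was carried over). It does not cause duplicate rules, since the comment is part of what the iptables module compares, but it makes `ip6tables -S` output misleading when auditing the host. Separately, `protocol:` is passed through unchanged on the `ip_version: ipv6` tasks, so the default `'001 accept all icmp'` renders as `ip6tables -p icmp`; as far as I know ip6tables does not treat that as ICMPv6 (`ipv6-icmp`, protocol 58), in which case neighbour discovery and router advertisements fall through to `'999 drop all'` on hosts using IPv6 — worth verifying and, if confirmed, mapping it on the ipv6 tasks, e.g. `protocol: "{{ (item['rule']['proto'] == 'icmp') | ternary('ipv6-icmp', item['rule']['proto']) }}"`. The first 42 lines of this file are outside the hunk.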
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- include_tasks: tripleo_firewall_state.yml
|
||||
|
||||
- name: Firewall protocol rule (ipv4)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
ip_version: ipv4
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- item['rule']['proto'] != 'ipv6'
|
||||
|
||||
- name: Firewall protocol rule (ipv6)
|
||||
iptables:
|
||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||
protocol: "{{ item['rule']['proto'] }}"
|
||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||
comment: "{{ item['rule_name'] }} ipv4"
|
||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||
ctstate: "{{ tripleo_ctstate }}"
|
||||
ip_version: ipv6
|
||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||
when:
|
||||
- item['rule']['proto'] != 'ipv4'
|