From 1449edf2703f9c9a92a34884bf752ad6bff6c239 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Thu, 5 Sep 2019 13:11:55 -0500
Subject: [PATCH] Import default rules and sort rules

This change imports some embedded rules which were missed when the role was created. Additionally there was some logic missing that sorted the rules by comment strings. To ensure we're creating rules in the same way with the same expected ordering a new fact has been created to ensure rules are all sorted prior to being written. This fact will now be used in a single loop which will ensure all rules are written in their expected orders.

Change-Id: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Signed-off-by: Kevin Carter
---
 .../roles/tripleo-firewall/defaults/main.yml  | 26 ++++++++
 .../roles/tripleo-firewall/tasks/main.yml     | 24 +++----
 .../tasks/tripleo_firewall_add.yml            | 66 +++++++++++++++++++
 .../tasks/tripleo_firewall_protocol_rules.yml | 50 --------------
 4 files changed, 105 insertions(+), 61 deletions(-)
 delete mode 100644 tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_protocol_rules.yml

diff --git a/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml b/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
index 03474a46e..97ea0d791 100644
--- a/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
@@ -30,3 +30,29 @@
 #   extras:
 #     ensure: 'absent'
 tripleo_firewall_rules: {}
+
+tripleo_firewall_default_rules:
+  '000 accept related established rules':
+    proto: all
+    state:
+      - RELATED
+      - ESTABLISHED
+  '001 accept all icmp':
+    proto: icmp
+  '002 accept all to lo interface':
+    proto: all
+    interface: lo
+  '004 accept ipv6 dhcpv6':
+    dport: 546
+    proto: udp
+    state:
+      - NEW
+    destination: 'fe80::/64'
+  '998 log all':
+    proto: all
+    jump: LOG
+    limit: 20/min
+    limit_burst: 15
+  '999 drop all':
+    proto: all
+    action: drop
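Review bot: `'999 drop all'` is expressed as `action: drop`, but the tasks in tripleo_firewall_add.yml only read `item['rule']['jump']` (defaulting to `ACCEPT`) and nothing in this change consumes an `action` key, so unless tripleo_firewall_state.yml maps it, the default catch-all rule would be written as `proto all -j ACCEPT` at the bottom of INPUT, the opposite of what the rule name promises. Either write the default as `jump: DROP` here, or make the add tasks derive the jump target from `action`, e.g. `jump: "{{ item['rule']['jump'] | default(item['rule']['action'] | default('accept') | upper) }}"`. The `state` lists on `'000 …'` and `'004 …'` are presumably consumed by tripleo_firewall_state.yml, which is not part of this diff, so that path cannot be confirmed here.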
diff --git a/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml b/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
index b73d161d7..42ad60610 100644
--- a/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
@@ -28,6 +28,17 @@
   tags:
     - always
 
+- name: Set rule fact
+  set_fact:
+    firewall_rules_sorted: "{{
+      tripleo_firewall_default_rules |
+      combine(tripleo_firewall_rules) |
+      dict2items(key_name='rule_name', value_name='rule') |
+      sort(attribute='rule_name') |
+      reverse |
+      list
+    }}"
+
 - name: Check rule set
   fail:
     msg: >-
@@ -38,7 +49,7 @@
       (item['rule']['dport'] is undefined) and
       ((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
       ((item['rule']['table'] | default('filter')) != 'nat')
-  loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
+  loop: "{{ firewall_rules_sorted }}"
 
 - name: Firewall add block
   become: true
@@ -56,13 +67,4 @@
 
   - name: Enable filewall port config
     include_tasks: tripleo_firewall_add.yml
-    when:
-      - item['rule']['dport'] is defined
-    loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
-
-  - name: Enable filewall protocol config
-    include_tasks: tripleo_firewall_protocol_rules.yml
-    when:
-      - item['rule']['proto'] is defined
-      - item['rule']['dport'] is undefined
-    loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
+    loop: "{{ firewall_rules_sorted }}"
diff --git a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml b/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml
index 31e6b305e..22a282480 100644
--- a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml
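Review bot: The `reverse` in the `Set rule fact` filter chain is load-bearing and undocumented: it only yields an ascending chain because tripleo_firewall_add.yml now uses `action: insert`, which prepends each rule, so removing either half silently inverts the firewall order. Add above the task `# NOTE: sorted descending on purpose: tripleo_firewall_add.yml inserts each rule at the top of the chain, so writing them last-to-first leaves the chain in ascending rule-name order.` The fact is also named `firewall_rules_sorted` while every other variable of this role carries the `tripleo_firewall_` prefix; `tripleo_firewall_rules_sorted` keeps it greppable and avoids clashing with facts set by other roles. In the last hunk the per-rule `when` guards were dropped from the include, so a rule with neither `dport` nor `proto` now passes through tripleo_firewall_add.yml without matching any task; whether `Check rule set` rejects such a rule depends on the first lines of its condition, which lie outside the hunk.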
@@ -43,48 +43,114 @@
 
 - include_tasks: tripleo_firewall_state.yml
 
+# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
+#                  the multiport key word. While multiport is perfectly functional
+#                  using raw iptables rules, it is not supported in the ansible
+#                  module. The use of the loop will be revised just as soon as the
+#                  pull request [ https://github.com/ansible/ansible/pull/21071 ]
+#                  is merged.
 - name: Firewall port rule (ipv4)
   iptables:
+    action: insert
     table: "{{ item['rule']['table'] | default(omit) }}"
     chain: "{{ item['rule']['chain'] | default('INPUT') }}"
     in_interface: "{{ item['rule']['interface'] | default(omit) }}"
     protocol: "{{ item['rule']['proto'] | default('tcp') }}"
     destination_port: "{{ port | replace('-', ':') }}"
+    destination: "{{ item['rule']['destination'] | default(omit) }}"
     source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
     source: "{{ item['rule']['source'] | default(omit) }}"
     comment: "{{ item['rule_name'] }} ipv4"
     jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
     ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
     ip_version: ipv4
     state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
   when:
+    - item['rule']['dport'] is defined
     - (item['rule']['proto'] | default('tcp')) != 'ipv6'
     - item['rule']['source'] | default('127.0.0.1') | ipv4
+    - item['rule']['destination'] | default('127.0.0.1') | ipv4
   loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
   loop_control:
     loop_var: port
   notify:
     - Save firewall rules
 
+# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
+#                  the multiport key word. While multiport is perfectly functional
+#                  using raw iptables rules, it is not supported in the ansible
+#                  module. The use of the loop will be revised just as soon as the
+#                  pull request [ https://github.com/ansible/ansible/pull/21071 ]
+#                  is merged.
 - name: Firewall port rule (ipv6)
   iptables:
+    action: insert
     table: "{{ item['rule']['table'] | default(omit) }}"
     chain: "{{ item['rule']['chain'] | default('INPUT') }}"
     in_interface: "{{ item['rule']['interface'] | default(omit) }}"
     protocol: "{{ item['rule']['proto'] | default('tcp') }}"
     destination_port: "{{ port | replace('-', ':') }}"
+    destination: "{{ item['rule']['destination'] | default(omit) }}"
     source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
     source: "{{ item['rule']['source'] | default(omit) }}"
     comment: "{{ item['rule_name'] }} ipv6"
     jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
     ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
     ip_version: ipv6
     state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
   when:
+    - item['rule']['dport'] is defined
     - (item['rule']['proto'] | default('tcp')) != 'ipv4'
     - item['rule']['source'] | default('::') | ipv6
+    - item['rule']['destination'] | default('::') | ipv6
   loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
   loop_control:
     loop_var: port
   notify:
     - Save firewall rules
+
+- name: Firewall protocol rule (ipv4)
+  iptables:
+    action: insert
+    table: "{{ item['rule']['table'] | default(omit) }}"
+    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
+    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
+    protocol: "{{ item['rule']['proto'] | default(omit) }}"
+    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
+    source: "{{ item['rule']['source'] | default(omit) }}"
+    comment: "{{ item['rule_name'] }} ipv4"
+    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
+    ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
+    ip_version: ipv4
+    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
+  when:
+    - (item['rule']['proto'] | default('all')) != 'ipv6'
+    - item['rule']['proto'] is defined
+    - item['rule']['dport'] is undefined
+
+- name: Firewall protocol rule (ipv6)
+  iptables:
+    action: insert
+    table: "{{ item['rule']['table'] | default(omit) }}"
+    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
+    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
+    protocol: "{{ item['rule']['proto'] | default(omit) }}"
+    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
+    source: "{{ item['rule']['source'] | default(omit) }}"
+    comment: "{{ item['rule_name'] }} ipv4"
+    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
+    ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
+    ip_version: ipv6
+    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
+  when:
+    - (item['rule']['proto'] | default('all')) != 'ipv4'
+    - item['rule']['proto'] is defined
+    - item['rule']['dport'] is undefined
diff --git a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_protocol_rules.yml b/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_protocol_rules.yml
deleted file mode 100644
index e4af4d001..000000000
--- a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_protocol_rules.yml
+++ /dev/null
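Review bot: `Firewall protocol rule (ipv6)` sets `comment: "{{ item['rule_name'] }} ipv4"`, a copy-paste carried over from the deleted file, so every ipv6 protocol rule is labelled as ipv4 and the comment that this change relies on for ordering no longer identifies the rule; it should be `comment: "{{ item['rule_name'] }} ipv6"`. Both new protocol tasks also differ from the port tasks above them in ways that look unintended: they carry no `notify: - Save firewall rules`, so a change to a protocol-only rule (including the default log/drop rules) is not persisted by the handler unless some port rule changed in the same run; they do not pass `destination` through although the defaults now set it; and they have no `| ipv4` / `| ipv6` guards on `source`/`destination`, so a protocol rule with an IPv4-only source is attempted on the ipv6 table as well and fails there. The excerpt below shows the adjusted ipv6 task; the ipv4 one mirrors it with `default('127.0.0.1') | ipv4`. The NOTE(Cloudnull) block is duplicated verbatim; writing it once and having the second task refer to it would keep the two from drifting.
```yaml
- name: Firewall protocol rule (ipv6)
  iptables:
    action: insert
    # … unchanged: table, chain, in_interface, protocol, source_port, source …
    destination: "{{ item['rule']['destination'] | default(omit) }}"
    comment: "{{ item['rule_name'] }} ipv6"
    # … unchanged: jump, ctstate, limit, limit_burst, ip_version, state …
  when:
    - (item['rule']['proto'] | default('all')) != 'ipv4'
    - item['rule']['proto'] is defined
    - item['rule']['dport'] is undefined
    - item['rule']['source'] | default('::') | ipv6
    - item['rule']['destination'] | default('::') | ipv6
  notify:
    - Save firewall rules
```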
@@ -1,50 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- include_tasks: tripleo_firewall_state.yml
-
-- name: Firewall protocol rule (ipv4)
-  iptables:
-    table: "{{ item['rule']['table'] | default(omit) }}"
-    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
-    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
-    protocol: "{{ item['rule']['proto'] }}"
-    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
-    source: "{{ item['rule']['source'] | default(omit) }}"
-    comment: "{{ item['rule_name'] }} ipv4"
-    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
-    ctstate: "{{ tripleo_ctstate }}"
-    ip_version: ipv4
-    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
-  when:
-    - item['rule']['proto'] != 'ipv6'
-
-- name: Firewall protocol rule (ipv6)
-  iptables:
-    table: "{{ item['rule']['table'] | default(omit) }}"
-    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
-    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
-    protocol: "{{ item['rule']['proto'] }}"
-    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
-    source: "{{ item['rule']['source'] | default(omit) }}"
-    comment: "{{ item['rule_name'] }} ipv4"
-    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
-    ctstate: "{{ tripleo_ctstate }}"
-    ip_version: ipv6
-    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
-  when:
-    - item['rule']['proto'] != 'ipv4'