
Merge "Import default rules and sort rules"

tags/0.3.0
Zuul 1 week ago
parent
commit
4344c5a7ac

+ 26
- 0
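--- a/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
@@ -30,3 +30,29 @@
 #   extras:
 #     ensure: 'absent'
 tripleo_firewall_rules: {}
+
+tripleo_firewall_default_rules:
+  '000 accept related established rules':
+    proto: all
+    state:
+      - RELATED
+      - ESTABLISHED
+  '001 accept all icmp':
+    proto: icmp
+  '002 accept all to lo interface':
+    proto: all
+    interface: lo
+  '004 accept ipv6 dhcpv6':
+    dport: 546
+    proto: udp
+    state:
+      - NEW
+    destination: 'fe80::/64'
+  '998 log all':
+    proto: all
+    jump: LOG
+    limit: 20/min
+    limit_burst: 15
+  '999 drop all':
+    proto: all
+    action: drop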
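Review bot: The `'999 drop all'` rule carries `action: drop`, but the tasks this commit adds in tripleo_firewall_add.yml only read `item['rule']['jump']` and default it to `'ACCEPT'` (their iptables `action` parameter is hard-coded to `insert`), so unless tripleo_firewall_state.yml, which is not in this diff, translates `action`, the catch-all rule is installed as an ACCEPT and the chain ends up fail-open. The sibling `'998 log all'` already uses the key the tasks consume; for consistency write `jump: DROP` here, or make the add tasks honour `action`. The ordering itself looks right: the add tasks insert at the head of the chain and main.yml feeds them the reverse-sorted list, so the chain comes out ascending by rule name.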

+ 13
- 11
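--- a/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/tasks/main.yml
@@ -28,6 +28,17 @@
   tags:
     - always
 
+- name: Set rule fact
+  set_fact:
+    firewall_rules_sorted: "{{
+      tripleo_firewall_default_rules |
+      combine(tripleo_firewall_rules) |
+      dict2items(key_name='rule_name', value_name='rule') |
+      sort(attribute='rule_name') |
+      reverse |
+      list
+    }}"
+
 - name: Check rule set
   fail:
     msg: >-
@@ -38,7 +49,7 @@
       (item['rule']['dport'] is undefined) and
       ((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
       ((item['rule']['table'] | default('filter')) != 'nat')
-  loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
+  loop: "{{ firewall_rules_sorted }}"
 
 - name: Firewall add block
   become: true
@@ -56,13 +67,4 @@
 
     - name: Enable filewall port config
       include_tasks: tripleo_firewall_add.yml
-      when:
-        - item['rule']['dport'] is defined
-      loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
-
-    - name: Enable filewall protocol config
-      include_tasks: tripleo_firewall_protocol_rules.yml
-      when:
-        - item['rule']['proto'] is defined
-        - item['rule']['dport'] is undefined
-      loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
+      loop: "{{ firewall_rules_sorted }}"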
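Review bot: The new `Set rule fact` task has no `tags`, while the task directly above it is tagged `always`; if the role is ever run with a tag filter, as that tag suggests, `firewall_rules_sorted` is never set and the two loops that now reference it fail on an undefined variable. Add `tags:` / `  - always` to the task so the fact exists whenever the loops run. The purpose of `reverse` is also not visible from this file: the add tasks use `action: insert`, which prepends each rule, so feeding them in descending order yields an ascending chain; a comment such as `# reversed because tripleo_firewall_add.yml inserts each rule at the head of the chain` would spare the next reader that trip.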

+ 66
- 0
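--- a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_add.yml
@@ -43,48 +43,114 @@
 
 - include_tasks: tripleo_firewall_state.yml
 
+# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
+#                  the multiport key word. While multiport is perfectly functional
+#                  using raw iptables rules, it is not supported in the ansible
+#                  module. The use of the loop will be revised just as soon as the
+#                  pull request [ https://github.com/ansible/ansible/pull/21071 ]
+#                  is merged.
 - name: Firewall port rule (ipv4)
   iptables:
+    action: insert
     table: "{{ item['rule']['table'] | default(omit) }}"
     chain: "{{ item['rule']['chain'] | default('INPUT') }}"
     in_interface: "{{ item['rule']['interface'] | default(omit) }}"
     protocol: "{{ item['rule']['proto'] | default('tcp') }}"
     destination_port: "{{ port | replace('-', ':') }}"
+    destination: "{{ item['rule']['destination'] | default(omit) }}"
     source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
     source: "{{ item['rule']['source'] | default(omit) }}"
     comment: "{{ item['rule_name'] }} ipv4"
     jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
     ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
     ip_version: ipv4
     state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
   when:
+    - item['rule']['dport'] is defined
     - (item['rule']['proto'] | default('tcp')) != 'ipv6'
     - item['rule']['source'] | default('127.0.0.1') | ipv4
+    - item['rule']['destination'] | default('127.0.0.1') | ipv4
   loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
   loop_control:
     loop_var: port
   notify:
     - Save firewall rules
 
+# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
+#                  the multiport key word. While multiport is perfectly functional
+#                  using raw iptables rules, it is not supported in the ansible
+#                  module. The use of the loop will be revised just as soon as the
+#                  pull request [ https://github.com/ansible/ansible/pull/21071 ]
+#                  is merged.
 - name: Firewall port rule (ipv6)
   iptables:
+    action: insert
     table: "{{ item['rule']['table'] | default(omit) }}"
     chain: "{{ item['rule']['chain'] | default('INPUT') }}"
     in_interface: "{{ item['rule']['interface'] | default(omit) }}"
     protocol: "{{ item['rule']['proto'] | default('tcp') }}"
     destination_port: "{{ port | replace('-', ':') }}"
+    destination: "{{ item['rule']['destination'] | default(omit) }}"
     source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
     source: "{{ item['rule']['source'] | default(omit) }}"
     comment: "{{ item['rule_name'] }} ipv6"
     jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
     ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
     ip_version: ipv6
     state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
   when:
+    - item['rule']['dport'] is defined
     - (item['rule']['proto'] | default('tcp')) != 'ipv4'
     - item['rule']['source'] | default('::') | ipv6
+    - item['rule']['destination'] | default('::') | ipv6
   loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
   loop_control:
     loop_var: port
   notify:
     - Save firewall rules
+
+- name: Firewall protocol rule (ipv4)
+  iptables:
+    action: insert
+    table: "{{ item['rule']['table'] | default(omit) }}"
+    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
+    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
+    protocol: "{{ item['rule']['proto'] | default(omit) }}"
+    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
+    source: "{{ item['rule']['source'] | default(omit) }}"
+    comment: "{{ item['rule_name'] }} ipv4"
+    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
+    ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
+    ip_version: ipv4
+    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
+  when:
+    - (item['rule']['proto'] | default('all')) != 'ipv6'
+    - item['rule']['proto'] is defined
+    - item['rule']['dport'] is undefined
+
+- name: Firewall protocol rule (ipv6)
+  iptables:
+    action: insert
+    table: "{{ item['rule']['table'] | default(omit) }}"
+    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
+    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
+    protocol: "{{ item['rule']['proto'] | default(omit) }}"
+    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
+    source: "{{ item['rule']['source'] | default(omit) }}"
+    comment: "{{ item['rule_name'] }} ipv4"
+    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
+    ctstate: "{{ tripleo_ctstate }}"
+    limit: "{{ item['rule']['limit'] | default(omit) }}"
+    limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
+    ip_version: ipv6
+    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
+  when:
+    - (item['rule']['proto'] | default('all')) != 'ipv4'
+    - item['rule']['proto'] is defined
+    - item['rule']['dport'] is undefined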
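Review bot: The `Firewall protocol rule (ipv6)` task labels its rule `comment: "{{ item['rule_name'] }} ipv4"`, a copy-paste carried over from the deleted file; the ip6tables entry is then mislabelled when someone audits the ruleset or traces a LOG line, so it should read `comment: "{{ item['rule_name'] }} ipv6"`. Neither new protocol task has `notify:` / `  - Save firewall rules`, unlike the two port tasks above, so a run that only changes protocol rules — which is what every imported default is — leaves the change unpersisted unless the handler is triggered elsewhere. The protocol tasks also skip the `source | ipv4` / `source | ipv6` family guards the port tasks apply, so a rule with only an IPv6 `source` and no `dport` is still fed to the ipv4 task; mirroring those two `when` conditions keeps the two pairs of tasks consistent.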

+ 0
- 50
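--- a/tripleo_ansible/roles/tripleo-firewall/tasks/tripleo_firewall_protocol_rules.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-- include_tasks: tripleo_firewall_state.yml
-
-- name: Firewall protocol rule (ipv4)
-  iptables:
-    table: "{{ item['rule']['table'] | default(omit) }}"
-    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
-    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
-    protocol: "{{ item['rule']['proto'] }}"
-    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
-    source: "{{ item['rule']['source'] | default(omit) }}"
-    comment: "{{ item['rule_name'] }} ipv4"
-    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
-    ctstate: "{{ tripleo_ctstate }}"
-    ip_version: ipv4
-    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
-  when:
-    - item['rule']['proto'] != 'ipv6'
-
-- name: Firewall protocol rule (ipv6)
-  iptables:
-    table: "{{ item['rule']['table'] | default(omit) }}"
-    chain: "{{ item['rule']['chain'] | default('INPUT') }}"
-    in_interface: "{{ item['rule']['interface'] | default(omit) }}"
-    protocol: "{{ item['rule']['proto'] }}"
-    source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
-    source: "{{ item['rule']['source'] | default(omit) }}"
-    comment: "{{ item['rule_name'] }} ipv4"
-    jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
-    ctstate: "{{ tripleo_ctstate }}"
-    ip_version: ipv6
-    state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
-  when:
-    - item['rule']['proto'] != 'ipv4'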
