Merge "Import default rules and sort rules"
This commit is contained in:
commit
4344c5a7ac
|
@ -30,3 +30,29 @@
|
||||||
# extras:
|
# extras:
|
||||||
# ensure: 'absent'
|
# ensure: 'absent'
|
||||||
tripleo_firewall_rules: {}
|
tripleo_firewall_rules: {}
|
||||||
|
|
||||||
|
tripleo_firewall_default_rules:
|
||||||
|
'000 accept related established rules':
|
||||||
|
proto: all
|
||||||
|
state:
|
||||||
|
- RELATED
|
||||||
|
- ESTABLISHED
|
||||||
|
'001 accept all icmp':
|
||||||
|
proto: icmp
|
||||||
|
'002 accept all to lo interface':
|
||||||
|
proto: all
|
||||||
|
interface: lo
|
||||||
|
'004 accept ipv6 dhcpv6':
|
||||||
|
dport: 546
|
||||||
|
proto: udp
|
||||||
|
state:
|
||||||
|
- NEW
|
||||||
|
destination: 'fe80::/64'
|
||||||
|
'998 log all':
|
||||||
|
proto: all
|
||||||
|
jump: LOG
|
||||||
|
limit: 20/min
|
||||||
|
limit_burst: 15
|
||||||
|
'999 drop all':
|
||||||
|
proto: all
|
||||||
|
action: drop
|
||||||
|
|
|
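Review bot: `'999 drop all'` is declared with `action: drop`, but the tasks that apply rules (the tripleo_firewall_add hunk further down) only read `item['rule']['jump'] | default('ACCEPT')` and never look at `action`, so unless that key is translated to `jump` somewhere outside this diff (tripleo_firewall_state.yml is included but not shown) the catch-all rule is installed as `-j ACCEPT` at the bottom of the chain instead of dropping what reached it. Either declare the default as `jump: DROP` to match how `'998 log all'` uses `jump: LOG`, or make the tasks honour the key, e.g. `jump: "{{ item['rule']['jump'] | default(item['rule']['action'] | default('accept') | upper) }}"`. The same silent fallback to ACCEPT applies to any user-supplied entry in `tripleo_firewall_rules` that uses `action`, so a one-line comment above `tripleo_firewall_default_rules:` stating which keys the role actually consumes (`proto`, `dport`, `sport`, `source`, `destination`, `interface`, `state`, `jump`, `limit`, `limit_burst`, `table`, `chain`, `extras`) would prevent the mistake recurring.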
@ -28,6 +28,17 @@
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- name: Set rule fact
|
||||||
|
set_fact:
|
||||||
|
firewall_rules_sorted: "{{
|
||||||
|
tripleo_firewall_default_rules |
|
||||||
|
combine(tripleo_firewall_rules) |
|
||||||
|
dict2items(key_name='rule_name', value_name='rule') |
|
||||||
|
sort(attribute='rule_name') |
|
||||||
|
reverse |
|
||||||
|
list
|
||||||
|
}}"
|
||||||
|
|
||||||
- name: Check rule set
|
- name: Check rule set
|
||||||
fail:
|
fail:
|
||||||
msg: >-
|
msg: >-
|
||||||
|
@ -38,7 +49,7 @@
|
||||||
(item['rule']['dport'] is undefined) and
|
(item['rule']['dport'] is undefined) and
|
||||||
((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
|
((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
|
||||||
((item['rule']['table'] | default('filter')) != 'nat')
|
((item['rule']['table'] | default('filter')) != 'nat')
|
||||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
loop: "{{ firewall_rules_sorted }}"
|
||||||
|
|
||||||
- name: Firewall add block
|
- name: Firewall add block
|
||||||
become: true
|
become: true
|
||||||
|
@ -56,13 +67,4 @@
|
||||||
|
|
||||||
- name: Enable filewall port config
|
- name: Enable filewall port config
|
||||||
include_tasks: tripleo_firewall_add.yml
|
include_tasks: tripleo_firewall_add.yml
|
||||||
when:
|
loop: "{{ firewall_rules_sorted }}"
|
||||||
- item['rule']['dport'] is defined
|
|
||||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
|
||||||
|
|
||||||
- name: Enable filewall protocol config
|
|
||||||
include_tasks: tripleo_firewall_protocol_rules.yml
|
|
||||||
when:
|
|
||||||
- item['rule']['proto'] is defined
|
|
||||||
- item['rule']['dport'] is undefined
|
|
||||||
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
|
|
||||||
|
|
|
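Review bot: The new `Set rule fact` task in the first hunk carries no `tags`, while the task directly above it is tagged `always`; if the role is run with a tag filter that skips it, every later `loop: "{{ firewall_rules_sorted }}"` in the Check rule set, port and protocol tasks fails on an undefined variable. Add `tags:` / `  - always` to the set_fact task, matching the preceding task. The reverse-sort is also worth a why-comment, since on its own it reads as a bug: `# reversed on purpose: the add tasks insert at the top of the chain, so the last rule inserted (lowest number) ends up first` (hedged: this relies on `action: insert` in tripleo_firewall_add.yml, which the next hunk does show).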
@ -43,48 +43,114 @@
|
||||||
|
|
||||||
- include_tasks: tripleo_firewall_state.yml
|
- include_tasks: tripleo_firewall_state.yml
|
||||||
|
|
||||||
|
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
|
||||||
|
# the multiport key word. While multiport is perfectly functional
|
||||||
|
# using raw iptables rules, it is not supported in the ansible
|
||||||
|
# module. The use of the loop will be revised just as soon as the
|
||||||
|
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
|
||||||
|
# is merged.
|
||||||
- name: Firewall port rule (ipv4)
|
- name: Firewall port rule (ipv4)
|
||||||
iptables:
|
iptables:
|
||||||
|
action: insert
|
||||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||||
destination_port: "{{ port | replace('-', ':') }}"
|
destination_port: "{{ port | replace('-', ':') }}"
|
||||||
|
destination: "{{ item['rule']['destination'] | default(omit) }}"
|
||||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||||
comment: "{{ item['rule_name'] }} ipv4"
|
comment: "{{ item['rule_name'] }} ipv4"
|
||||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||||
ctstate: "{{ tripleo_ctstate }}"
|
ctstate: "{{ tripleo_ctstate }}"
|
||||||
|
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||||
|
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||||
ip_version: ipv4
|
ip_version: ipv4
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
|
- item['rule']['dport'] is defined
|
||||||
- (item['rule']['proto'] | default('tcp')) != 'ipv6'
|
- (item['rule']['proto'] | default('tcp')) != 'ipv6'
|
||||||
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
||||||
|
- item['rule']['destination'] | default('127.0.0.1') | ipv4
|
||||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: port
|
loop_var: port
|
||||||
notify:
|
notify:
|
||||||
- Save firewall rules
|
- Save firewall rules
|
||||||
|
|
||||||
|
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
|
||||||
|
# the multiport key word. While multiport is perfectly functional
|
||||||
|
# using raw iptables rules, it is not supported in the ansible
|
||||||
|
# module. The use of the loop will be revised just as soon as the
|
||||||
|
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
|
||||||
|
# is merged.
|
||||||
- name: Firewall port rule (ipv6)
|
- name: Firewall port rule (ipv6)
|
||||||
iptables:
|
iptables:
|
||||||
|
action: insert
|
||||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||||
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
protocol: "{{ item['rule']['proto'] | default('tcp') }}"
|
||||||
destination_port: "{{ port | replace('-', ':') }}"
|
destination_port: "{{ port | replace('-', ':') }}"
|
||||||
|
destination: "{{ item['rule']['destination'] | default(omit) }}"
|
||||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||||
comment: "{{ item['rule_name'] }} ipv6"
|
comment: "{{ item['rule_name'] }} ipv6"
|
||||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||||
ctstate: "{{ tripleo_ctstate }}"
|
ctstate: "{{ tripleo_ctstate }}"
|
||||||
|
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||||
|
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||||
ip_version: ipv6
|
ip_version: ipv6
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
|
- item['rule']['dport'] is defined
|
||||||
- (item['rule']['proto'] | default('tcp')) != 'ipv4'
|
- (item['rule']['proto'] | default('tcp')) != 'ipv4'
|
||||||
- item['rule']['source'] | default('::') | ipv6
|
- item['rule']['source'] | default('::') | ipv6
|
||||||
|
- item['rule']['destination'] | default('::') | ipv6
|
||||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: port
|
loop_var: port
|
||||||
notify:
|
notify:
|
||||||
- Save firewall rules
|
- Save firewall rules
|
||||||
|
|
||||||
|
- name: Firewall protocol rule (ipv4)
|
||||||
|
iptables:
|
||||||
|
action: insert
|
||||||
|
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||||
|
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||||
|
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||||
|
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
||||||
|
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||||
|
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||||
|
comment: "{{ item['rule_name'] }} ipv4"
|
||||||
|
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||||
|
ctstate: "{{ tripleo_ctstate }}"
|
||||||
|
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||||
|
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||||
|
ip_version: ipv4
|
||||||
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
|
when:
|
||||||
|
- (item['rule']['proto'] | default('all')) != 'ipv6'
|
||||||
|
- item['rule']['proto'] is defined
|
||||||
|
- item['rule']['dport'] is undefined
|
||||||
|
|
||||||
|
- name: Firewall protocol rule (ipv6)
|
||||||
|
iptables:
|
||||||
|
action: insert
|
||||||
|
table: "{{ item['rule']['table'] | default(omit) }}"
|
||||||
|
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
||||||
|
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
||||||
|
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
||||||
|
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||||
|
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||||
|
comment: "{{ item['rule_name'] }} ipv4"
|
||||||
|
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||||
|
ctstate: "{{ tripleo_ctstate }}"
|
||||||
|
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||||
|
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
|
||||||
|
ip_version: ipv6
|
||||||
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
|
when:
|
||||||
|
- (item['rule']['proto'] | default('all')) != 'ipv4'
|
||||||
|
- item['rule']['proto'] is defined
|
||||||
|
- item['rule']['dport'] is undefined
|
||||||
|
|
|
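Review bot: The two new `Firewall protocol rule` tasks are not gated on address family the way the port-rule tasks above them are (`source | default('127.0.0.1') | ipv4` / `source | default('::') | ipv6`), so a rule with no `dport` and an IPv4-only `source` is also handed to the ipv6 task and the ip6tables call fails, and a `destination` on such a rule is ignored entirely because the tasks never pass it. They also lack the `notify: - Save firewall rules` handler the port tasks carry, so the log-all and drop-all defaults introduced in this commit appear not to be persisted (hedged: the handler is outside this diff). Separately, the ipv6 protocol task's comment is copied from the ipv4 one, `comment: "{{ item['rule_name'] }} ipv4"`, and should read `comment: "{{ item['rule_name'] }} ipv6"`. The ipv4 task with the missing pieces is sketched below; the ipv6 task mirrors it with `default('::') | ipv6`.
```yaml
- name: Firewall protocol rule (ipv4)
  iptables:
    # … unchanged: action, table, chain, in_interface, protocol …
    destination: "{{ item['rule']['destination'] | default(omit) }}"
    # … unchanged: source_port, source, comment, jump, ctstate, limit, limit_burst, ip_version, state …
  when:
    # … unchanged: proto / dport conditions …
    - item['rule']['source'] | default('127.0.0.1') | ipv4
    - item['rule']['destination'] | default('127.0.0.1') | ipv4
  notify:
    - Save firewall rules
```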
@ -1,50 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2019 Red Hat, Inc.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
|
|
||||||
- include_tasks: tripleo_firewall_state.yml
|
|
||||||
|
|
||||||
- name: Firewall protocol rule (ipv4)
|
|
||||||
iptables:
|
|
||||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
|
||||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
|
||||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
|
||||||
protocol: "{{ item['rule']['proto'] }}"
|
|
||||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
|
||||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
|
||||||
comment: "{{ item['rule_name'] }} ipv4"
|
|
||||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
|
||||||
ctstate: "{{ tripleo_ctstate }}"
|
|
||||||
ip_version: ipv4
|
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
|
||||||
when:
|
|
||||||
- item['rule']['proto'] != 'ipv6'
|
|
||||||
|
|
||||||
- name: Firewall protocol rule (ipv6)
|
|
||||||
iptables:
|
|
||||||
table: "{{ item['rule']['table'] | default(omit) }}"
|
|
||||||
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
|
|
||||||
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
|
|
||||||
protocol: "{{ item['rule']['proto'] }}"
|
|
||||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
|
||||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
|
||||||
comment: "{{ item['rule_name'] }} ipv4"
|
|
||||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
|
||||||
ctstate: "{{ tripleo_ctstate }}"
|
|
||||||
ip_version: ipv6
|
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
|
||||||
when:
|
|
||||||
- item['rule']['proto'] != 'ipv4'
|
|