Merge "Import default rules and sort rules"

Zuul 2019-09-10 19:23:29 +00:00 committed by Gerrit Code Review
commit 4344c5a7ac
4 changed files with 105 additions and 61 deletions


@ -30,3 +30,29 @@
# extras: # extras:
# ensure: 'absent' # ensure: 'absent'
tripleo_firewall_rules: {} tripleo_firewall_rules: {}
tripleo_firewall_default_rules:
'000 accept related established rules':
proto: all
state:
- RELATED
- ESTABLISHED
'001 accept all icmp':
proto: icmp
'002 accept all to lo interface':
proto: all
interface: lo
'004 accept ipv6 dhcpv6':
dport: 546
proto: udp
state:
- NEW
destination: 'fe80::/64'
'998 log all':
proto: all
jump: LOG
limit: 20/min
limit_burst: 15
'999 drop all':
proto: all
action: drop
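Review bot: The default `'999 drop all'` rule is written with `action: drop`, but the iptables tasks in tripleo_firewall_add.yml take the target from `item['rule']['jump'] | default('ACCEPT')` and never read an `action` key, so unless `action` is translated somewhere not shown on this page, this rule is rendered as an accept-all for `proto: all` — the opposite of its name. Either express the default as `jump: DROP` here, or make the tasks fall back to the legacy key, e.g. `jump: "{{ item['rule']['jump'] | default(item['rule']['action'] | default('accept') | upper) }}"`. A comment above `tripleo_firewall_default_rules` listing the keys the role consumes (`table`, `chain`, `interface`, `proto`, `dport`, `sport`, `source`, `destination`, `jump`, `limit`, `limit_burst`, `extras`) would make such dead keys visible to anyone overriding the defaults.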


@ -28,6 +28,17 @@
tags: tags:
- always - always
- name: Set rule fact
set_fact:
firewall_rules_sorted: "{{
tripleo_firewall_default_rules |
combine(tripleo_firewall_rules) |
dict2items(key_name='rule_name', value_name='rule') |
sort(attribute='rule_name') |
reverse |
list
}}"
- name: Check rule set - name: Check rule set
fail: fail:
msg: >- msg: >-
@ -38,7 +49,7 @@
(item['rule']['dport'] is undefined) and (item['rule']['dport'] is undefined) and
((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and ((item['rule']['chain'] | default('INPUT')) != 'FORWARD') and
((item['rule']['table'] | default('filter')) != 'nat') ((item['rule']['table'] | default('filter')) != 'nat')
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}" loop: "{{ firewall_rules_sorted }}"
- name: Firewall add block - name: Firewall add block
become: true become: true
@ -56,13 +67,4 @@
- name: Enable filewall port config - name: Enable filewall port config
include_tasks: tripleo_firewall_add.yml include_tasks: tripleo_firewall_add.yml
when: loop: "{{ firewall_rules_sorted }}"
- item['rule']['dport'] is defined
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
- name: Enable filewall protocol config
include_tasks: tripleo_firewall_protocol_rules.yml
when:
- item['rule']['proto'] is defined
- item['rule']['dport'] is undefined
loop: "{{ tripleo_firewall_rules | dict2items(key_name='rule_name', value_name='rule') }}"
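Review bot: `sort(attribute='rule_name') | reverse` in `Set rule fact` is a plain string sort, and because the add tasks use `action: insert`, whatever sorts last is inserted first and ends up at the bottom of the chain, below the default `'999 drop all'`; a user rule whose name sorts after `999` (no numeric prefix, or a letter first) can therefore never match. That contract should be stated on the task, e.g. `# Rules are inserted in reverse name order; a name must start with a numeric prefix below 999 to land above the default drop rule.` The `Check rule set` task is the natural place for an assertion on `item['rule_name']`, but its condition begins before this hunk so I cannot see the full expression.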


@ -43,48 +43,114 @@
- include_tasks: tripleo_firewall_state.yml - include_tasks: tripleo_firewall_state.yml
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
# the multiport key word. While multiport is perfectly functional
# using raw iptables rules, it is not supported in the ansible
# module. The use of the loop will be revised just as soon as the
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
# is merged.
- name: Firewall port rule (ipv4) - name: Firewall port rule (ipv4)
iptables: iptables:
action: insert
table: "{{ item['rule']['table'] | default(omit) }}" table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}" chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}" in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] | default('tcp') }}" protocol: "{{ item['rule']['proto'] | default('tcp') }}"
destination_port: "{{ port | replace('-', ':') }}" destination_port: "{{ port | replace('-', ':') }}"
destination: "{{ item['rule']['destination'] | default(omit) }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}" source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}" source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4" comment: "{{ item['rule_name'] }} ipv4"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}" jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}" ctstate: "{{ tripleo_ctstate }}"
limit: "{{ item['rule']['limit'] | default(omit) }}"
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
ip_version: ipv4 ip_version: ipv4
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}" state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when: when:
- item['rule']['dport'] is defined
- (item['rule']['proto'] | default('tcp')) != 'ipv6' - (item['rule']['proto'] | default('tcp')) != 'ipv6'
- item['rule']['source'] | default('127.0.0.1') | ipv4 - item['rule']['source'] | default('127.0.0.1') | ipv4
- item['rule']['destination'] | default('127.0.0.1') | ipv4
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}" loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
loop_control: loop_control:
loop_var: port loop_var: port
notify: notify:
- Save firewall rules - Save firewall rules
# NOTE(Cloudnull): This task adds multiport rules using a loop instead of using
# the multiport key word. While multiport is perfectly functional
# using raw iptables rules, it is not supported in the ansible
# module. The use of the loop will be revised just as soon as the
# pull request [ https://github.com/ansible/ansible/pull/21071 ]
# is merged.
- name: Firewall port rule (ipv6) - name: Firewall port rule (ipv6)
iptables: iptables:
action: insert
table: "{{ item['rule']['table'] | default(omit) }}" table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}" chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}" in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] | default('tcp') }}" protocol: "{{ item['rule']['proto'] | default('tcp') }}"
destination_port: "{{ port | replace('-', ':') }}" destination_port: "{{ port | replace('-', ':') }}"
destination: "{{ item['rule']['destination'] | default(omit) }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}" source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}" source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv6" comment: "{{ item['rule_name'] }} ipv6"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}" jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}" ctstate: "{{ tripleo_ctstate }}"
limit: "{{ item['rule']['limit'] | default(omit) }}"
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
ip_version: ipv6 ip_version: ipv6
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}" state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when: when:
- item['rule']['dport'] is defined
- (item['rule']['proto'] | default('tcp')) != 'ipv4' - (item['rule']['proto'] | default('tcp')) != 'ipv4'
- item['rule']['source'] | default('::') | ipv6 - item['rule']['source'] | default('::') | ipv6
- item['rule']['destination'] | default('::') | ipv6
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}" loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
loop_control: loop_control:
loop_var: port loop_var: port
notify: notify:
- Save firewall rules - Save firewall rules
- name: Firewall protocol rule (ipv4)
iptables:
action: insert
table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] | default(omit) }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}"
limit: "{{ item['rule']['limit'] | default(omit) }}"
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
ip_version: ipv4
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- (item['rule']['proto'] | default('all')) != 'ipv6'
- item['rule']['proto'] is defined
- item['rule']['dport'] is undefined
- name: Firewall protocol rule (ipv6)
iptables:
action: insert
table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] | default(omit) }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}"
limit: "{{ item['rule']['limit'] | default(omit) }}"
limit_burst: "{{ item['rule']['limit_burst'] | default(omit) }}"
ip_version: ipv6
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- (item['rule']['proto'] | default('all')) != 'ipv4'
- item['rule']['proto'] is defined
- item['rule']['dport'] is undefined
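Review bot: The new `Firewall protocol rule (ipv6)` task labels its rule `comment: "{{ item['rule_name'] }} ipv4"` while setting `ip_version: ipv6`, a copy-paste slip carried over from the deleted protocol-rules file; it should be `comment: "{{ item['rule_name'] }} ipv6"` so the saved ip6tables rule is not mislabelled. Both protocol-rule tasks also lack the address-family guards the port tasks carry (`source | ipv4` / `destination | ipv4` and the ipv6 counterparts) and do not pass `destination` at all, so a protocol rule with an IPv4 `source` is attempted against ip6tables, and any `destination` on a dport-less rule is silently ignored. Mirroring the port tasks' `destination:` line and `when` conditions in both protocol tasks closes that gap. The `proto | default('all')` comparison next to `proto is defined` is dead default logic; harmless, but the `default` could be dropped.

```yaml
- name: Firewall protocol rule (ipv6)
  iptables:
    # … unchanged: action, table, chain, in_interface, protocol …
    destination: "{{ item['rule']['destination'] | default(omit) }}"
    # … unchanged: source_port, source …
    comment: "{{ item['rule_name'] }} ipv6"
    # … unchanged: jump, ctstate, limit, limit_burst, ip_version, state …
  when:
    # … unchanged: proto != 'ipv4', proto is defined, dport is undefined …
    - item['rule']['source'] | default('::') | ipv6
    - item['rule']['destination'] | default('::') | ipv6
```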


@ -1,50 +0,0 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- include_tasks: tripleo_firewall_state.yml
- name: Firewall protocol rule (ipv4)
iptables:
table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}"
ip_version: ipv4
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- item['rule']['proto'] != 'ipv6'
- name: Firewall protocol rule (ipv6)
iptables:
table: "{{ item['rule']['table'] | default(omit) }}"
chain: "{{ item['rule']['chain'] | default('INPUT') }}"
in_interface: "{{ item['rule']['interface'] | default(omit) }}"
protocol: "{{ item['rule']['proto'] }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}"
ip_version: ipv6
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- item['rule']['proto'] != 'ipv4'