Merge "Add a new task file for masquerade" into stable/wallaby
commit
47d0ab588f
|
@ -0,0 +1,26 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
vars:
|
||||
tripleo_masquerade_networks:
|
||||
'10.10.0.0/24':
|
||||
- '10.10.0.0/24'
|
||||
- '10.10.1.0/24'
|
||||
roles:
|
||||
- role: "tripleo_firewall"
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
driver:
|
||||
name: delegated
|
||||
options:
|
||||
managed: false
|
||||
login_cmd_template: >-
|
||||
ssh
|
||||
-o UserKnownHostsFile=/dev/null
|
||||
-o StrictHostKeyChecking=no
|
||||
-o Compression=no
|
||||
-o TCPKeepAlive=yes
|
||||
-o VerifyHostKeyDNS=no
|
||||
-o ForwardX11=no
|
||||
-o ForwardAgent=no
|
||||
{instance}
|
||||
ansible_connection_options:
|
||||
ansible_connection: ssh
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: instance
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
fact_caching: jsonfile
|
||||
fact_caching_connection: /tmp/molecule/facts
|
||||
inventory:
|
||||
hosts:
|
||||
all:
|
||||
hosts:
|
||||
instance:
|
||||
ansible_host: localhost
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
|
||||
|
||||
scenario:
|
||||
name: firewall-masquerade
|
||||
test_sequence:
|
||||
- prepare
|
||||
- converge
|
||||
- check
|
||||
|
||||
verifier:
|
||||
name: testinfra
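Review bot: The `test_sequence` stops at `check`, so the `testinfra` verifier configured at the end of this file is never invoked and nothing asserts that the role rendered the 137–140 NAT and FORWARD rules. For a firewall role a converge that merely succeeds is weak evidence; consider adding `- verify` to the sequence with a test that inspects the resulting rule set (no test file is visible in this commit, so one may need to be added). Separately, `login_cmd_template` disables host-key checking (`StrictHostKeyChecking=no`, `UserKnownHostsFile=/dev/null`); that is tolerable only because the inventory pins `instance` to `localhost`, and a comment such as `# test-only: host key checks disabled, target is localhost` would keep it from being copied into a real inventory.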
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
roles:
|
||||
- role: test_deps
|
|
@ -28,11 +28,15 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Get masquerade rules
|
||||
import_tasks: masquerade.yaml
|
||||
|
||||
- name: Set rule fact
|
||||
set_fact:
|
||||
firewall_rules_sorted: "{{
|
||||
tripleo_firewall_default_rules |
|
||||
combine(tripleo_firewall_rules) |
|
||||
combine(masquerade_rules|from_yaml) |
|
||||
dict2items(key_name='rule_name', value_name='rule') |
|
||||
sort(attribute='rule_name') |
|
||||
reverse |
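Review bot: `combine(masquerade_rules|from_yaml)` parses text that masquerade.yaml renders by interpolating the keys and values of `tripleo_masquerade_networks` into a YAML document, so a value containing a quote or a newline would change the structure of the rule map rather than fail. The variable is deployment configuration and presumably trusted, but it would be safer to validate each source and destination as a CIDR before the import (for example an `assert` task using the `ipaddr` filter), or to build the dict with `combine` instead of text templating. A comment above this task would also help: `# masquerade_rules is YAML text from masquerade.yaml, or {} when no networks are set`. Because it is combined last, a masquerade rule also overrides any same-named entry in `tripleo_firewall_rules`. The `set_fact` expression continues past the end of this hunk.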
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
---
|
||||
- name: Create empty var for masquerade rules
|
||||
set_fact:
|
||||
masquerade_rules: {}
|
||||
|
||||
- name: Enable masquerade
|
||||
when:
|
||||
- tripleo_masquerade_networks is defined
|
||||
- tripleo_masquerade_networks|length > 0
|
||||
set_fact:
|
||||
masquerade_rules: |-
|
||||
{% for source, destinations in tripleo_masquerade_networks.items() %}
|
||||
{% for destination in destinations %}
|
||||
"137 routed_network return src {{ source }} dest {{ destination }}":
|
||||
chain: "POSTROUTING"
|
||||
destination: "{{ destination }}"
|
||||
jump: "RETURN"
|
||||
proto: "all"
|
||||
source: "{{ source }}"
|
||||
state:
|
||||
- 'ESTABLISHED'
|
||||
- 'NEW'
|
||||
- 'RELATED'
|
||||
table: "nat"
|
||||
{% endfor %}
|
||||
"138 routed_network masquerade {{ source }}":
|
||||
chain: "POSTROUTING"
|
||||
jump: "MASQUERADE"
|
||||
proto: "all"
|
||||
source: "{{ source }}"
|
||||
state:
|
||||
- 'ESTABLISHED'
|
||||
- 'NEW'
|
||||
- 'RELATED'
|
||||
table: "nat"
|
||||
"139 routed_network forward source {{ source }}":
|
||||
chain: "FORWARD"
|
||||
proto: "all"
|
||||
source: "{{ source }}"
|
||||
state:
|
||||
- 'ESTABLISHED'
|
||||
- 'NEW'
|
||||
- 'RELATED'
|
||||
"140 routed_network forward destinations {{ source }}":
|
||||
chain: "FORWARD"
|
||||
proto: "all"
|
||||
source: "{{ source }}"
|
||||
state:
|
||||
- 'ESTABLISHED'
|
||||
- 'NEW'
|
||||
- 'RELATED'
|
||||
{% endfor %}
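Review bot: Rule `140 routed_network forward destinations {{ source }}` has exactly the same match fields as rule 139 (`chain: "FORWARD"`, `proto: "all"`, `source: "{{ source }}"`), so it adds nothing and forwarded traffic toward the network is not covered by it. Judging by the rule name, the intent was presumably `destination: "{{ source }}"` in place of the `source:` line of rule 140. A short comment above the `Enable masquerade` task saying that the block renders YAML text which main.yaml later parses with `from_yaml` would also help readers.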
|