Merge "Add a new task file for masquerade" into stable/wallaby

2022-05-11 20:11:54 +00:00 · 2022-05-11 20:11:54 +00:00 · 47d0ab588f
parent 6778e4e5db 6e4025bc3b
commit 47d0ab588f
5 changed files with 152 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/converge.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/converge.yml
@ -0,0 +1,26 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  vars:
+    tripleo_masquerade_networks:
+      '10.10.0.0/24':
+        - '10.10.0.0/24'
+        - '10.10.1.0/24'
+  roles:
+    - role: "tripleo_firewall"
--- a/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/molecule.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/molecule.yml
@ -0,0 +1,49 @@
+---
+driver:
+  name: delegated
+  options:
+    managed: false
+    login_cmd_template: >-
+      ssh
+      -o UserKnownHostsFile=/dev/null
+      -o StrictHostKeyChecking=no
+      -o Compression=no
+      -o TCPKeepAlive=yes
+      -o VerifyHostKeyDNS=no
+      -o ForwardX11=no
+      -o ForwardAgent=no
+      {instance}
+    ansible_connection_options:
+      ansible_connection: ssh
+
+log: true
+
+platforms:
+  - name: instance
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      fact_caching: jsonfile
+      fact_caching_connection: /tmp/molecule/facts
+  inventory:
+    hosts:
+      all:
+        hosts:
+          instance:
+            ansible_host: localhost
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+    ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
+
+scenario:
+  name: firewall-masquerade
+  test_sequence:
+    - prepare
+    - converge
+    - check
+
+verifier:
+  name: testinfra
--- a/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/molecule/firewall-masquerade/prepare.yml
@ -0,0 +1,21 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  roles:
+    - role: test_deps
--- a/tripleo_ansible/roles/tripleo_firewall/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/tasks/main.yml
@ -28,11 +28,15 @@
  tags:
    - always

+- name: Get masquerade rules
+  import_tasks: masquerade.yaml
+
 - name: Set rule fact
  set_fact:
    firewall_rules_sorted: "{{
      tripleo_firewall_default_rules |
      combine(tripleo_firewall_rules) |
+      combine(masquerade_rules|from_yaml) |
      dict2items(key_name='rule_name', value_name='rule') |
      sort(attribute='rule_name') |
      reverse |
--- a/tripleo_ansible/roles/tripleo_firewall/tasks/masquerade.yaml
+++ b/tripleo_ansible/roles/tripleo_firewall/tasks/masquerade.yaml
@ -0,0 +1,52 @@
+---
+- name: Create empty var for masquerade rules
+  set_fact:
+    masquerade_rules: {}
+
+- name: Enable masquerade
+  when:
+    - tripleo_masquerade_networks is defined
+    - tripleo_masquerade_networks|length > 0
+  set_fact:
+    masquerade_rules: |-
+      {% for source, destinations in tripleo_masquerade_networks.items() %}
+      {% for destination in destinations %}
+      "137 routed_network return src {{ source }} dest {{ destination }}":
+        chain: "POSTROUTING"
+        destination: "{{ destination }}"
+        jump: "RETURN"
+        proto: "all"
+        source: "{{ source }}"
+        state:
+          - 'ESTABLISHED'
+          - 'NEW'
+          - 'RELATED'
+        table: "nat"
+      {% endfor %}
+      "138 routed_network masquerade {{ source }}":
+        chain: "POSTROUTING"
+        jump: "MASQUERADE"
+        proto: "all"
+        source: "{{ source }}"
+        state:
+          - 'ESTABLISHED'
+          - 'NEW'
+          - 'RELATED'
+        table: "nat"
+      "139 routed_network forward source {{ source }}":
+        chain: "FORWARD"
+        proto: "all"
+        source: "{{ source }}"
+        state:
+          - 'ESTABLISHED'
+          - 'NEW'
+          - 'RELATED'
+      "140 routed_network forward destinations {{ source }}":
+        chain: "FORWARD"
+        proto: "all"
+        source: "{{ source }}"
+        state:
+          - 'ESTABLISHED'
+          - 'NEW'
+          - 'RELATED'
+      {% endfor %}