Support 'ipversion' property in rules
The firewall role incorrectly used the 'proto' field in a rule as a conditional to decide if the rule should be created in iptables|ip6tables (or both). When proto was 'ipv6' the rule was not created in iptables, and when proto was 'ipv4' the rule was not created in ip6tables. When the proto field has 'ipv4' or 'ipv6' it is to create rules for ip-in-ip encapsulation. Encapsulating ipv4 in ipv6 or vice-versa is a valid use case. This change adds the 'ipversion' property for rules. Closes-Bug: #1845170 Change-Id: I4b3463f27714721b2252640d8714da820da2eed6
parent
b87b54f0da
commit
68ec102343
@ -43,6 +43,7 @@ tripleo_firewall_default_rules:
|
|||||||
proto: all
|
proto: all
|
||||||
interface: lo
|
interface: lo
|
||||||
'004 accept ipv6 dhcpv6':
|
'004 accept ipv6 dhcpv6':
|
||||||
|
ipversion: ipv6
|
||||||
dport: 546
|
dport: 546
|
||||||
proto: udp
|
proto: udp
|
||||||
state:
|
state:
|
||||||
|
@ -69,7 +69,7 @@
|
|||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
- item['rule']['dport'] is defined
|
- item['rule']['dport'] is defined
|
||||||
- (item['rule']['proto'] | default('tcp')) != 'ipv6'
|
- (item['rule']['ipversion'] | default('ipv4')) != 'ipv6'
|
||||||
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
- item['rule']['source'] | default('127.0.0.1') | ipv4
|
||||||
- item['rule']['destination'] | default('127.0.0.1') | ipv4
|
- item['rule']['destination'] | default('127.0.0.1') | ipv4
|
||||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||||
@ -104,7 +104,7 @@
|
|||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
- item['rule']['dport'] is defined
|
- item['rule']['dport'] is defined
|
||||||
- (item['rule']['proto'] | default('tcp')) != 'ipv4'
|
- (item['rule']['ipversion'] | default('ipv6')) != 'ipv4'
|
||||||
- item['rule']['source'] | default('::') | ipv6
|
- item['rule']['source'] | default('::') | ipv6
|
||||||
- item['rule']['destination'] | default('::') | ipv6
|
- item['rule']['destination'] | default('::') | ipv6
|
||||||
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
|
||||||
@ -130,7 +130,7 @@
|
|||||||
ip_version: ipv4
|
ip_version: ipv4
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
- (item['rule']['proto'] | default('all')) != 'ipv6'
|
- (item['rule']['ipversion'] | default('ipv4')) != 'ipv6'
|
||||||
- item['rule']['proto'] is defined
|
- item['rule']['proto'] is defined
|
||||||
- item['rule']['dport'] is undefined
|
- item['rule']['dport'] is undefined
|
||||||
|
|
||||||
@ -143,7 +143,7 @@
|
|||||||
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
protocol: "{{ item['rule']['proto'] | default(omit) }}"
|
||||||
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
|
||||||
source: "{{ item['rule']['source'] | default(omit) }}"
|
source: "{{ item['rule']['source'] | default(omit) }}"
|
||||||
comment: "{{ item['rule_name'] }} ipv4"
|
comment: "{{ item['rule_name'] }} ipv6"
|
||||||
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
|
||||||
ctstate: "{{ tripleo_ctstate }}"
|
ctstate: "{{ tripleo_ctstate }}"
|
||||||
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
limit: "{{ item['rule']['limit'] | default(omit) }}"
|
||||||
@ -151,6 +151,6 @@
|
|||||||
ip_version: ipv6
|
ip_version: ipv6
|
||||||
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
|
||||||
when:
|
when:
|
||||||
- (item['rule']['proto'] | default('all')) != 'ipv4'
|
- (item['rule']['ipversion'] | default('ipv6')) != 'ipv4'
|
||||||
- item['rule']['proto'] is defined
|
- item['rule']['proto'] is defined
|
||||||
- item['rule']['dport'] is undefined
|
- item['rule']['dport'] is undefined
|
||||||
|
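Review bot: The new `ipversion` conditions (`(item['rule']['ipversion'] | default('ipv4')) != 'ipv6'` in the iptables tasks and the mirrored `!= 'ipv4'` check in the ip6tables tasks, in all four task hunks) accept any value, so a misspelled or differently-cased value such as `IPv6` or `ip6` satisfies both conditions and the rule is installed in both iptables and ip6tables, silently widening a rule that was meant to be restricted to one address family instead of failing the play. A guard that rejects anything other than exactly `ipv4` or `ipv6` before these tasks run would turn that into a loud configuration error; the enclosing task file and its loop structure are outside the hunks, so where `item` is in scope for such a check needs confirming. If the role documents its rule keys elsewhere (README or defaults), `ipversion` and the effect of leaving it unset (the rule is created in both tables, since each family's task defaults to its own value) should be added there; no such file appears in this diff.
```yaml
- name: Validate the rule ipversion value
  ansible.builtin.assert:
    that:
      - (item['rule']['ipversion'] | default('ipv4')) in ['ipv4', 'ipv6']
    fail_msg: "ipversion for rule {{ item['rule_name'] }} must be 'ipv4' or 'ipv6'"
# … unchanged: the existing iptables / ip6tables tasks follow …
```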