Support 'ipversion' property in rules

The firewall role incorrectly used the 'proto' field in
a rule as a conditional to decide if the rule should be
created in iptables|ip6tables (or both). When proto was
'ipv6' the rule was not created in iptables, and when
proto was 'ipv4' the rule was not created in ip6tables.

When the proto field has the value 'ipv4' or 'ipv6', it is meant to
create rules for ip-in-ip encapsulation. Encapsulating
ipv4 in ipv6 or vice versa is a valid use case.

This change adds the 'ipversion' property for rules.

Closes-Bug: #1845170
Change-Id: I4b3463f27714721b2252640d8714da820da2eed6
Harald Jensås 2019-09-24 11:54:53 +02:00
parent b87b54f0da
commit 68ec102343
2 changed files with 6 additions and 5 deletions


@ -43,6 +43,7 @@ tripleo_firewall_default_rules:
proto: all
interface: lo
'004 accept ipv6 dhcpv6':
ipversion: ipv6
dport: 546
proto: udp
state:


@ -69,7 +69,7 @@
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- item['rule']['dport'] is defined
- (item['rule']['proto'] | default('tcp')) != 'ipv6'
- (item['rule']['ipversion'] | default('ipv4')) != 'ipv6'
- item['rule']['source'] | default('127.0.0.1') | ipv4
- item['rule']['destination'] | default('127.0.0.1') | ipv4
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
@ -104,7 +104,7 @@
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- item['rule']['dport'] is defined
- (item['rule']['proto'] | default('tcp')) != 'ipv4'
- (item['rule']['ipversion'] | default('ipv6')) != 'ipv4'
- item['rule']['source'] | default('::') | ipv6
- item['rule']['destination'] | default('::') | ipv6
loop: "{{ ((item['rule']['dport'] is iterable) and (item['rule']['dport'] is not string)) | ternary(item['rule']['dport'], [item['rule']['dport']]) }}"
@ -130,7 +130,7 @@
ip_version: ipv4
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- (item['rule']['proto'] | default('all')) != 'ipv6'
- (item['rule']['ipversion'] | default('ipv4')) != 'ipv6'
- item['rule']['proto'] is defined
- item['rule']['dport'] is undefined
@ -143,7 +143,7 @@
protocol: "{{ item['rule']['proto'] | default(omit) }}"
source_port: "{{ item['rule']['sport'] | default(omit) | replace('-', ':') }}"
source: "{{ item['rule']['source'] | default(omit) }}"
comment: "{{ item['rule_name'] }} ipv4"
comment: "{{ item['rule_name'] }} ipv6"
jump: "{{ item['rule']['jump'] | default('ACCEPT') }}"
ctstate: "{{ tripleo_ctstate }}"
limit: "{{ item['rule']['limit'] | default(omit) }}"
@ -151,6 +151,6 @@
ip_version: ipv6
state: "{{ tripleo_firewall_port_states[(item['rule']['extras'] | default({}))['ensure'] | default('enabled')] }}"
when:
- (item['rule']['proto'] | default('all')) != 'ipv4'
- (item['rule']['ipversion'] | default('ipv6')) != 'ipv4'
- item['rule']['proto'] is defined
- item['rule']['dport'] is undefined