Cleanup iptables resources

The only supported firewall engine is nftables from now on. Tripleo-ansible has been cleaned from its tripleo_iptables related resources and actions, meaning we don't need to keep the FirewallEngine anymore. This patch also removes an old and deprecated upgrade action related to puppet-firewall - since Train, we're using tripleo_iptables and related, meaning there shouldn't be any trailing config at this point. Especially since iptables and ip6tables services are now deactivated for good. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063 Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
2022-10-03 07:58:23 +02:00 · 2022-10-03 07:58:23 +02:00 · 0074098f0e
commit 0074098f0e
parent c16d9aca8a
3 changed files with 9 additions and 75 deletions
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@ -402,19 +402,4 @@ outputs:
                shell: |
                  ip link set dev "{{ item.split(':')[1] }}" up
                with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
-      update_tasks:
-        # puppetlabs-firewall manages security rules via Puppet but make the rules
-        # consistent by default. Since Neutron also creates some rules, we don't
-        # want them to be consistent so we have to ensure that they're not stored
-        # into sysconfig.
-        # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
-        - name: Remove IPv4 iptables rules created by Neutron that are persistent
-          lineinfile: dest=/etc/sysconfig/iptables
-                      regexp=".*neutron-"
-                      state=absent
-          when: step|int == 5
-        - name: Remove IPv6 iptables rules created by Neutron that are persistent
-          lineinfile: dest=/etc/sysconfig/ip6tables
-                      regexp=".*neutron-"
-                      state=absent
-          when: step|int == 5
+      update_tasks: []
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@ -33,12 +33,6 @@ parameters:
    type: json
    tags:
      - role_specific
-  FirewallEngine:
-    default: 'nftables'
-    description: Set the actual firewall engine. Can be "iptables" or "nftables"
-    type: string
-    constraints:
-      - allowed_values: ['iptables', 'nftables']

 resources:
  # Merging role-specific parameters (RoleParameters) with the default parameters.
@ -75,8 +69,6 @@ outputs:
          - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
      host_firewall_tasks:
        - name: Run firewall role
-          vars:
-            tripleo_firewall_engine: {get_param: FirewallEngine}
          include_role:
            name: tripleo_firewall
      update_tasks:
@ -116,54 +108,3 @@ outputs:
          when:
            - (step | int) == 1
          block: *tripleo_firewall_teardown
-        - when:
-            - (step | int) == 3
-          block:
-            - name: blank ipv6 rule before activating ipv6 firewall.
-              shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
-              args:
-                creates: /etc/sysconfig/ip6tables.n-o-upgrade
-            - name: cleanup unmanaged rules pushed by iptables-services
-              shell: |
-                iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-                iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -p icmp -j ACCEPT
-                iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -i lo -j ACCEPT
-                iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
-                  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-                iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
-                  iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
-                iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
-                  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
-
-                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
-                sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
-                sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
-
-                ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-                ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
-                ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -i lo -j ACCEPT
-                ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-                ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
-                  ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-                ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
-                  ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
-                ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
-                  ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-
-                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
-                sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
--- a/releasenotes/notes/clean-iptables-18a9278719384bb8.yaml
+++ b/releasenotes/notes/clean-iptables-18a9278719384bb8.yaml
@ -0,0 +1,8 @@
+---
+other:
+  - |
+    Cleanup iptables related resources in the firewall configuration. Also
+    remove the now useless FirewallEngine parameter - nftables is the only
+    supported engine within TripleO. Note that some applications may still
+    rely on iptables, such as Neutron - but the rules aren't managed from
+    within TripleO itself.