Cleanup iptables resources
From now on, nftables is the only supported firewall engine. The tripleo_iptables-related resources and actions have been removed from tripleo-ansible, so the FirewallEngine parameter no longer needs to be kept. This patch also removes an old, deprecated upgrade action related to puppet-firewall: since Train we have been using tripleo_iptables and its related resources, so there should be no leftover config at this point, especially since the iptables and ip6tables services are now deactivated for good. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063 Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
This commit is contained in:
parent
c16d9aca8a
commit
0074098f0e
@ -402,19 +402,4 @@ outputs:
|
||||||
shell: |
|
shell: |
|
||||||
ip link set dev "{{ item.split(':')[1] }}" up
|
ip link set dev "{{ item.split(':')[1] }}" up
|
||||||
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
|
with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
|
||||||
update_tasks:
|
update_tasks: []
|
||||||
# puppetlabs-firewall manages security rules via Puppet but make the rules
|
|
||||||
# consistent by default. Since Neutron also creates some rules, we don't
|
|
||||||
# want them to be consistent so we have to ensure that they're not stored
|
|
||||||
# into sysconfig.
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
|
|
||||||
- name: Remove IPv4 iptables rules created by Neutron that are persistent
|
|
||||||
lineinfile: dest=/etc/sysconfig/iptables
|
|
||||||
regexp=".*neutron-"
|
|
||||||
state=absent
|
|
||||||
when: step|int == 5
|
|
||||||
- name: Remove IPv6 iptables rules created by Neutron that are persistent
|
|
||||||
lineinfile: dest=/etc/sysconfig/ip6tables
|
|
||||||
regexp=".*neutron-"
|
|
||||||
state=absent
|
|
||||||
when: step|int == 5
|
|
||||||
|
|
|
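Review bot: `update_tasks: []` is left without any explanation of why the persisted-rule cleanup that used to live here is no longer needed, so a later reader has to go through history to learn that the iptables/ip6tables services are disabled and nftables is the only engine. If that line is indeed the new side (the rendered page lost the +/- markers), a one-line comment above it would carry the context: `# No update tasks: persisted iptables rules are no longer managed here; the iptables/ip6tables services are disabled and nftables is the only supported engine.` Nodes updated from earlier releases keep whatever was last written to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, since nothing removes those files; that is inert only while the services stay disabled. The enclosing output definition starts before this hunk.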
@ -33,12 +33,6 @@ parameters:
|
||||||
type: json
|
type: json
|
||||||
tags:
|
tags:
|
||||||
- role_specific
|
- role_specific
|
||||||
FirewallEngine:
|
|
||||||
default: 'nftables'
|
|
||||||
description: Set the actual firewall engine. Can be "iptables" or "nftables"
|
|
||||||
type: string
|
|
||||||
constraints:
|
|
||||||
- allowed_values: ['iptables', 'nftables']
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
# Merging role-specific parameters (RoleParameters) with the default parameters.
|
||||||
|
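Review bot: FirewallEngine is dropped from `parameters:` outright, with no deprecation path, so an environment that still sets `FirewallEngine: iptables` will most likely be accepted silently through parameter_defaults and the node will end up on nftables without any warning. If the project keeps a deprecated `parameter_groups` entry for retired parameters, listing FirewallEngine there for one cycle would surface the change to operators who had pinned iptables; otherwise it is worth checking that the release note wording ("remove the now useless FirewallEngine parameter") is enough for them to understand that any value they still pass is ignored. The `parameters:` mapping this hunk edits begins before the hunk.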
@ -75,8 +69,6 @@ outputs:
|
||||||
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
|
||||||
host_firewall_tasks:
|
host_firewall_tasks:
|
||||||
- name: Run firewall role
|
- name: Run firewall role
|
||||||
vars:
|
|
||||||
tripleo_firewall_engine: {get_param: FirewallEngine}
|
|
||||||
include_role:
|
include_role:
|
||||||
name: tripleo_firewall
|
name: tripleo_firewall
|
||||||
update_tasks:
|
update_tasks:
|
||||||
|
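Review bot: With the `vars:` block gone, `include_role: tripleo_firewall` now runs with whatever engine the role defaults to in tripleo-ansible, so this template is only correct once the Depends-On change has landed; a tripleo-heat-templates checkout paired with an older tripleo-ansible would silently pick up that older role's default. That coupling is worth a short comment above the task, e.g. `# Engine selection is owned by the tripleo_firewall role (nftables only).` The `update_tasks:` entry at the end of the hunk continues past it.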
@ -116,54 +108,3 @@ outputs:
|
||||||
when:
|
when:
|
||||||
- (step | int) == 1
|
- (step | int) == 1
|
||||||
block: *tripleo_firewall_teardown
|
block: *tripleo_firewall_teardown
|
||||||
- when:
|
|
||||||
- (step | int) == 3
|
|
||||||
block:
|
|
||||||
- name: blank ipv6 rule before activating ipv6 firewall.
|
|
||||||
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
|
||||||
args:
|
|
||||||
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
|
||||||
- name: cleanup unmanaged rules pushed by iptables-services
|
|
||||||
shell: |
|
|
||||||
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
||||||
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
|
||||||
iptables -D INPUT -p icmp -j ACCEPT
|
|
||||||
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
||||||
iptables -D INPUT -i lo -j ACCEPT
|
|
||||||
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
||||||
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
||||||
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
||||||
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
||||||
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
||||||
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
||||||
|
|
||||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
||||||
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
||||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
||||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
||||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
||||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
||||||
|
|
||||||
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
|
||||||
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -i lo -j ACCEPT
|
|
||||||
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
||||||
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
|
||||||
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
||||||
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
|
||||||
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
||||||
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
|
||||||
|
|
||||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
||||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
||||||
|
|
|
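Review bot: After this removal the only upgrade step left on the new side is the step-1 `block: *tripleo_firewall_teardown`, and nothing in the new code touches /etc/sysconfig/iptables, /etc/sysconfig/ip6tables or the ip6tables.n-o-upgrade copy that the old step-3 block created via `creates:`, so nodes that went through the previous upgrade path keep those files indefinitely. As long as the iptables/ip6tables services stay disabled that residue is inert, but a stale persisted ruleset is exactly what would be reloaded if iptables-services were ever re-enabled, so either a one-off removal task for those three files or a comment stating that they are intentionally left in place would make the intent explicit. The `*tripleo_firewall_teardown` anchor is defined outside this hunk, as is the start of the task list these entries belong to.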
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
other:
|
||||||
|
- |
|
||||||
|
Cleanup iptables related resources in the firewall configuration. Also
|
||||||
|
remove the now useless FirewallEngine parameter - nftables is the only
|
||||||
|
supported engine within TripleO. Note that some applications may still
|
||||||
|
rely on iptables, such as Neutron - but the rules aren't managed from
|
||||||
|
within TripleO itself.
|