Add firewall chain configuration

Adds the ability to specify firewall chains via heat templates.
Additionally, newer versions of docker have switched to updating
the FORWARD chain to DROP by default. Neutron needs this to be
ACCEPT by default. This change adds the ability to specify
firewall chains via templates.

Depends-On: Ib75f97748540b9162d76c9c189d3ca7e082b3784
Change-Id: I15ec9216013a1b0b935dcd1f5bc8281348777189
Related-Bug: #1750194
Alex Schultz 2018-02-19 15:10:01 -07:00
parent db56757a66
commit a1ec856e61
2 changed files with 22 additions and 0 deletions


@ -38,6 +38,17 @@ parameters:
default: false
description: Whether IPtables rules should be purged before setting up the new ones.
type: boolean
FirewallChains:
default: {}
description: >
Firewall chains definitions to manage. The keys of the dictionary must be
in the format "<chain>:<table>:<protocol>". When specified, these rules
are merged with { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
'FORWARD:filter:IPv6': { 'policy': 'accept' } }. The current available
features 'ensure' Adds or removes a chain (present|absent), 'policy'
Action the packet will performa at the end of the chain (accept|drop|queue|return),
and 'purge' Remove all rules for this change (true|false).
type: json
outputs:
role_data:
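Review bot: the `FirewallChains` description has a typo ("performa" should be "perform") and the feature list is hard to parse; suggest rewording the tail to "The currently supported keys are 'ensure' (present|absent) to add or remove the chain, 'policy' (accept|drop|queue|return) for the action taken on a packet that reaches the end of the chain, and 'purge' (true|false) to remove rules from the chain." It would also help operators if the text said that an operator-supplied entry for 'FORWARD:filter:IPv4' or 'FORWARD:filter:IPv6' replaces the built-in accept default rather than being combined with it, since the parameter is typed as free-form json and nothing here validates the "<chain>:<table>:<protocol>" key format.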
@ -47,6 +58,11 @@ outputs:
config_settings:
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
tripleo::firewall::firewall_chains:
map_merge:
- { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
'FORWARD:filter:IPv6': { 'policy': 'accept' } }
- {get_param: FirewallChains}
step_config: |
include ::tripleo::firewall
upgrade_tasks:
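Review bot: `map_merge` performs a shallow merge in which later keys override earlier ones, so placing `{get_param: FirewallChains}` second means a user-specified FORWARD entry silently discards the accept policy set in the first map; please document that override order in the parameter description. Also note that this default switches the FORWARD policy to ACCEPT for both IPv4 and IPv6 on every node that includes this template, not only on hosts running Neutron; consider stating that in the release note so operators who do not need forwarding can override it with `'policy': 'drop'`.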


@ -0,0 +1,6 @@
---
features:
- |
Adds `FirewallChains` parameter that can be used to manage the defined
firewall chains. By default the FORWARD chain configured to be present
and set to ACCEPT.
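Review bot: the second sentence is missing a verb ("the FORWARD chain configured" should be "the FORWARD chain is configured") and it does not say which tables or address families are affected; suggest "By default the FORWARD chain of the filter table is configured to be present with policy ACCEPT for both IPv4 and IPv6, and entries in `FirewallChains` override these defaults."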