From a1ec856e61532daa49f38683857918fd2cc561aa Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Mon, 19 Feb 2018 15:10:01 -0700
Subject: [PATCH] Add firewall chain configuration

Adds the ability to specify firewall chains via heat templates. Additionally newer versions of docker have switched to updating the FORWARD chain to DROP by default. Neutron needs this to be ACCEPT by default. This change adds the ability to specify firewall chains via templates.

Depends-On: Ib75f97748540b9162d76c9c189d3ca7e082b3784
Change-Id: I15ec9216013a1b0b935dcd1f5bc8281348777189
Related-Bug: #1750194
---
 puppet/services/tripleo-firewall.yaml | 16 ++++++++++++++++
 ...rewall-chain-management-cf0b38d533646a08.yaml | 6 ++++++
 2 files changed, 22 insertions(+)
 create mode 100644 releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml

diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index b92be457ac..b5ea0e8fba 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -38,6 +38,17 @@ parameters:
 default: false
 description: Whether IPtables rules should be purged before setting up the new ones.
 type: boolean
+ FirewallChains:
+ default: {}
+ description: >
+ Firewall chains definitions to manage. The keys of the dictionary must be
+ in the format "::". When specified, these rules
+ are merged with { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+ 'FORWARD:filter:IPv6': { 'policy': 'accept' } }. The current available
+ features 'ensure' Adds or removes a chain (present|absent), 'policy'
+ Action the packet will performa at the end of the chain (accept|drop|queue|return),
+ and 'purge' Remove all rules for this change (true|false).
+ type: json
 outputs:
 role_data:
@@ -47,6 +58,11 @@ outputs:
 config_settings:
 tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
 tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+ tripleo::firewall::firewall_chains:
+ map_merge:
+ - { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+ 'FORWARD:filter:IPv6': { 'policy': 'accept' } }
+ - {get_param: FirewallChains}
 step_config: |
 include ::tripleo::firewall
 upgrade_tasks:
diff --git a/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml b/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
new file mode 100644
index 0000000000..bf67ff870e
--- /dev/null
+++ b/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds `FirewallChains` parameter that can be used to manage the defined
+ firewall chains. By default the FORWARD chain configured to be present
+ and set to ACCEPT.
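Review bot: The map_merge under `tripleo::firewall::firewall_chains:` unconditionally sets the FORWARD policy to accept for both IPv4 and IPv6, and nothing in this hunk records that a deployment wanting to keep Docker's DROP policy must pass an overriding `FirewallChains` entry (the `{get_param: FirewallChains}` map is the later map_merge entry, so its keys win on conflict). A comment above the first map entry, e.g. `# Docker sets FORWARD to DROP; neutron needs ACCEPT. Operator FirewallChains entries with the same key override these defaults.`, would make the opt-out visible here rather than only in the parameter description. Whether these chains are still applied when ManageFirewall is false is decided inside ::tripleo::firewall, outside this hunk, and is worth confirming so a deployment that disables firewall management does not still have its FORWARD policy changed. The two-line flow mappings inside the first sequence item are valid YAML but would diff more cleanly in block style:
```yaml
          tripleo::firewall::firewall_chains:
            map_merge:
              - 'FORWARD:filter:IPv4':
                  policy: accept
                'FORWARD:filter:IPv6':
                  policy: accept
              - {get_param: FirewallChains}
          # … unchanged: step_config …
```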