Add firewall chain configuration

Adds the ability to specify firewall chains via heat templates. Additionally newer versions of docker have switched to updating the FORWARD chain to DROP by default. Neutron needs this to be ACCEPT by default. This change adds the ability to specify firewall chains via templates. Depends-On: Ib75f97748540b9162d76c9c189d3ca7e082b3784 Change-Id: I15ec9216013a1b0b935dcd1f5bc8281348777189 Related-Bug: #1750194
2018-02-19 15:10:01 -07:00 · 2018-02-19 15:10:01 -07:00 · a1ec856e61
commit a1ec856e61
parent db56757a66
2 changed files with 22 additions and 0 deletions
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@ -38,6 +38,17 @@ parameters:
    default: false
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean
+  FirewallChains:
+    default: {}
+    description: >
+      Firewall chains definitions to manage. The keys of the dictionary must be
+      in the format "<chain>:<table>:<protocol>". When specified, these rules
+      are merged with { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+      'FORWARD:filter:IPv6': { 'policy': 'accept' } }. The current available
+      features 'ensure' Adds or removes a chain (present|absent), 'policy'
+      Action the packet will performa at the end of the chain (accept|drop|queue|return),
+      and 'purge' Remove all rules for this change (true|false).
+    type: json

 outputs:
  role_data:
@ -47,6 +58,11 @@ outputs:
      config_settings:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+        tripleo::firewall::firewall_chains:
+          map_merge:
+            - { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+                'FORWARD:filter:IPv6': { 'policy': 'accept' } }
+            - {get_param: FirewallChains}
      step_config: |
        include ::tripleo::firewall
      upgrade_tasks:
--- a/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
+++ b/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds `FirewallChains` parameter that can be used to manage the defined
+    firewall chains. By default the FORWARD chain configured to be present
+    and set to ACCEPT.