From 0074098f0e5e1c20b0c47c9bdf8cbebb4192725c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= Date: Mon, 3 Oct 2022 07:58:23 +0200 Subject: [PATCH] Cleanup iptables resources The only supported firewall engine is nftables from now on. Tripleo-ansible has been cleaned from its tripleo_iptables related resources and actions, meaning we don't need to keep the FirewallEngine anymore. This patch also removes an old and deprecated upgrade action related to puppet-firewall - since Train, we're using tripleo_iptables and related, meaning there shouldn't be any trailing config at this point. Especially since iptables and ip6tables services are now deactivated for good. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/860063 Change-Id: I18d23125a468cb2db5ff33979d8b810a0207819a
---
 .../neutron-ovs-agent-container-puppet.yaml | 17 +----- .../tripleo-firewall-baremetal-ansible.yaml | 59 ------------------- .../clean-iptables-18a9278719384bb8.yaml | 8 +++ 3 files changed, 9 insertions(+), 75 deletions(-) create mode 100644 releasenotes/notes/clean-iptables-18a9278719384bb8.yaml
diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
index 3a062bd451..b2a7f00d7a 100644
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@@ -402,19 +402,4 @@ outputs:
 shell: |
 ip link set dev "{{ item.split(':')[1] }}" up
 with_items: {get_attr: [RoleParametersValue, value, 'neutron::agents::ml2::ovs::bridge_mappings']}
- update_tasks:
- # puppetlabs-firewall manages security rules via Puppet but make the rules
- # consistent by default. Since Neutron also creates some rules, we don't
- # want them to be consistent so we have to ensure that they're not stored
- # into sysconfig.
- # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
- - name: Remove IPv4 iptables rules created by Neutron that are persistent
- lineinfile: dest=/etc/sysconfig/iptables
- regexp=".*neutron-"
- state=absent
- when: step|int == 5
- - name: Remove IPv6 iptables rules created by Neutron that are persistent
- lineinfile: dest=/etc/sysconfig/ip6tables
- regexp=".*neutron-"
- state=absent
- when: step|int == 5
+ update_tasks: []
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index 0396fe165d..854eea9003 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@@ -33,12 +33,6 @@ parameters:
 type: json
 tags:
 - role_specific
- FirewallEngine:
- default: 'nftables'
- description: Set the actual firewall engine. Can be "iptables" or "nftables"
- type: string
- constraints:
- - allowed_values: ['iptables', 'nftables']
 resources:
 # Merging role-specific parameters (RoleParameters) with the default parameters.
@@ -75,8 +69,6 @@ outputs:
 - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
 host_firewall_tasks:
 - name: Run firewall role
- vars:
- tripleo_firewall_engine: {get_param: FirewallEngine}
 include_role:
 name: tripleo_firewall
 update_tasks:
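Review bot: `update_tasks: []` at the end of the hunk is left unexplained, yet it silently drops the step-5 tasks that stripped persisted `neutron-*` entries from /etc/sysconfig/iptables and ip6tables, so a maintainer reading only this file cannot tell whether upgrades are still expected to sanitize those files. The commit message holds the justification — the iptables/ip6tables services are deactivated and nftables is the only engine — and that belongs beside the key; suggest `# Intentionally empty: the iptables/ip6tables services are deactivated (nftables is the only supported engine), so rules Neutron adds at runtime are no longer persisted to /etc/sysconfig/ip{,6}tables.` Nodes upgraded from releases that did persist those files may still carry stale `neutron-*` lines; they are harmless only while the service stays disabled, which is presumably enforced by the tripleo-ansible change this depends on rather than by anything visible here, so worth confirming. The enclosing `outputs` mapping starts outside the hunk.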
@@ -116,54 +108,3 @@ outputs:
 when:
 - (step | int) == 1
 block: *tripleo_firewall_teardown
- - when:
- - (step | int) == 3
- block:
- - name: blank ipv6 rule before activating ipv6 firewall.
- shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat/etc/sysconfig/ip6tables
- args:
- creates: /etc/sysconfig/ip6tables.n-o-upgrade
- - name: cleanup unmanaged rules pushed by iptables-services
- shell: |
- iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
- iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
- iptables -D INPUT -p icmp -j ACCEPT
- iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
- iptables -D INPUT -i lo -j ACCEPT
- iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
- iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
- iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
- iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
- iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
-
- sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
- sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
- sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
- sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
- sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
- sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
-
- ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
- ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
- ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
- ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
- ip6tables -D INPUT -i lo -j ACCEPT
- ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
- ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
- ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
- ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
- ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
- ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
- ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-
- sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
- sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
diff --git a/releasenotes/notes/clean-iptables-18a9278719384bb8.yaml b/releasenotes/notes/clean-iptables-18a9278719384bb8.yaml
new file mode 100644
index 0000000000..e842cbcf47
--- /dev/null
+++ b/releasenotes/notes/clean-iptables-18a9278719384bb8.yaml
@@ -0,0 +1,8 @@
+---
+other:
+ - |
+ Cleanup iptables related resources in the firewall configuration. Also
+ remove the now useless FirewallEngine parameter - nftables is the only
+ supported engine within TripleO. Note that some applications may still
+ rely on iptables, such as Neutron - but the rules aren't managed from
+ within TripleO itself.