heat_template_version: rocky description: > TripleO Firewall settings parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ExtraFirewallRules: default: {} description: Mapping of firewall rules. type: json tags: - role_specific resources: # Merging role-specific parameters (RoleParameters) with the default parameters. # RoleParameters will have the precedence over the default parameters. RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - extra_firewall_rules: ExtraFirewallRules - values: {get_param: [RoleParameters]} - values: ExtraFirewallRules: {get_param: ExtraFirewallRules} conditions: no_ctlplane: equals: - get_params: [ServiceData, net_cidr_map, ctlplane] - Null outputs: role_data: description: Role data for the TripleO firewall settings value: service_name: tripleo_firewall config_settings: tripleo::firewall::manage_firewall: false tripleo::firewall::purge_firewall_rules: false firewall_rules: map_merge: - map_merge: repeat: for_each: <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]} template: '003 accept ssh from ctlplane subnet <%net_cidr%>': source: <%net_cidr%> proto: 'tcp' dport: 22 - {get_attr: [RoleParametersValue, value, extra_firewall_rules]} host_prep_tasks: - if: - no_ctlplane - name: Failure - ctlplane subnet is unset fail: msg: | No CIDRs found in the ctlplane network tags. Please refer to the documentation in order to set the correct network tags in DeployedServerPortMap. - name: Notice - ctlplane subnet is set debug: msg: | CIDRs found in the ctlplane network tags. update_tasks: - name: Cleanup tripleo-iptables services when: - (step | int) == 1 block: &tripleo_firewall_teardown - name: Disable tripleo-iptables.service systemd: name: tripleo-iptables.service state: stopped enabled: false register: systemd_tripleo_iptables failed_when: false - name: Cleanup tripleo-iptables.services file: path: /etc/systemd/system/tripleo-iptables.service state: absent - name: Disable tripleo-ip6tables.service systemd: name: tripleo-ip6tables.service state: stopped enabled: false register: systemd_tripleo_ip6tables failed_when: false - name: Cleanup tripleo-ip6tables.services file: path: /etc/systemd/system/tripleo-ip6tables.service state: absent - name: Reload systemd systemd: daemon_reload: true when: - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed) upgrade_tasks: - name: Cleanup tripleo-iptables services when: - (step | int) == 1 block: *tripleo_firewall_teardown - when: - (step | int) == 3 block: - name: blank ipv6 rule before activating ipv6 firewall. shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat/etc/sysconfig/ip6tables args: creates: /etc/sysconfig/ip6tables.n-o-upgrade - name: cleanup unmanaged rules pushed by iptables-services shell: | iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \ iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \ iptables -D INPUT -p icmp -j ACCEPT iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \ iptables -D INPUT -i lo -j ACCEPT iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \ iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \ iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \ iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \ ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \ ip6tables -D INPUT -p ipv6-icmp -j ACCEPT ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \ ip6tables -D INPUT -i lo -j ACCEPT ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \ ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \ ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \ ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \ ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables