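---
# TripleO service template for the host firewall (tripleo_firewall role).
# Produces the role_data consumed by the deployment framework: the merged
# firewall rule set, the Ansible tasks that run the firewall role, and the
# update/upgrade tasks that retire the legacy tripleo-iptables units and the
# rules left behind by the iptables-services package.
heat_template_version: wallaby

description: >
  TripleO Firewall settings

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. Use
      parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  ExtraFirewallRules:
    default: {}
    description: Mapping of firewall rules.
    type: json
    tags:
      - role_specific
  FirewallEngine:
    default: 'iptables'
    description: Set the actual firewall engine. Can be "iptables" or "nftables"
    type: string
    constraints:
      - allowed_values: ['iptables', 'nftables']

resources:
  # Merging role-specific parameters (RoleParameters) with the default parameters.
  # RoleParameters will have the precedence over the default parameters.
  # The inner map_replace swaps the placeholder key 'ExtraFirewallRules' for the
  # role-specific value when one is present in RoleParameters; the outer
  # map_replace falls back to the global ExtraFirewallRules parameter otherwise.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
              - extra_firewall_rules: ExtraFirewallRules
              - values: {get_param: [RoleParameters]}
          - values:
              ExtraFirewallRules: {get_param: ExtraFirewallRules}

outputs:
  role_data:
    description: Role data for the TripleO firewall settings
    value:
      service_name: tripleo_firewall
      config_settings: {}
      # Base rule set: one "accept ssh" rule per ctlplane subnet CIDR, merged
      # with the (global or role-specific) ExtraFirewallRules mapping. Rule keys
      # are prefixed with a number so the firewall role can order them.
      firewall_rules:
        map_merge:
          - map_merge:
              repeat:
                for_each:
                  <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
                template:
                  '003 accept ssh from ctlplane subnet <%net_cidr%>':
                    source: <%net_cidr%>
                    proto: 'tcp'
                    dport: 22
          - {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
      host_firewall_tasks:
        - name: Run firewall role
          vars:
            tripleo_firewall_engine: {get_param: FirewallEngine}
          include_role:
            name: tripleo_firewall
      update_tasks:
        # Stop and remove the legacy tripleo-iptables / tripleo-ip6tables units.
        # The stop is best-effort (failed_when: false) so hosts that never had
        # the units do not fail the update; the daemon reload only runs when one
        # of the stops actually changed something. The block is anchored so the
        # upgrade_tasks below reuse the exact same steps.
        - name: Cleanup tripleo-iptables services
          when:
            - (step | int) == 1
          block: &tripleo_firewall_teardown
            - name: Disable tripleo-iptables.service
              systemd:
                name: tripleo-iptables.service
                state: stopped
                enabled: false
              register: systemd_tripleo_iptables
              failed_when: false
            - name: Cleanup tripleo-iptables.services
              file:
                path: /etc/systemd/system/tripleo-iptables.service
                state: absent
            - name: Disable tripleo-ip6tables.service
              systemd:
                name: tripleo-ip6tables.service
                state: stopped
                enabled: false
              register: systemd_tripleo_ip6tables
              failed_when: false
            - name: Cleanup tripleo-ip6tables.services
              file:
                path: /etc/systemd/system/tripleo-ip6tables.service
                state: absent
            - name: Reload systemd
              systemd:
                daemon_reload: true
              when:
                - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)
      upgrade_tasks:
        - name: Cleanup tripleo-iptables services
          when:
            - (step | int) == 1
          block: *tripleo_firewall_teardown
        - when:
            - (step | int) == 3
          block:
            # Keep a copy of the pre-upgrade ip6tables rule file, then empty the
            # live file. `creates` makes the task idempotent: once the backup
            # exists the command is skipped on re-runs.
            # NOTE(review): the original command ended in `cat/etc/sysconfig/ip6tables`,
            # which is not a runnable command; it has been replaced with a truncation
            # of the rule file, which is what the task name describes — confirm this
            # matches the intended upgrade flow.
            - name: blank ipv6 rule before activating ipv6 firewall.
              shell: >-
                cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade;
                cat /dev/null > /etc/sysconfig/ip6tables
              args:
                creates: /etc/sysconfig/ip6tables.n-o-upgrade
            # Remove the default rules shipped by iptables-services (RELATED/
            # ESTABLISHED, icmp, lo, ssh and the catch-all REJECTs) from both the
            # running chains and the persisted rule files, so they no longer
            # coexist with the managed rule set. Each delete is guarded by a
            # `-C` check so absent rules are not an error. Redirections use the
            # POSIX `>/dev/null 2>&1` form rather than the bash-only `&>`, so the
            # `&&` short-circuit behaves the same under any /bin/sh.
            # NOTE(review): once the REJECT rules are removed only the rules
            # installed by the tripleo_firewall role protect the host — confirm
            # the role has run by this upgrade step.
            - name: cleanup unmanaged rules pushed by iptables-services
              shell: |
                iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1 && \
                  iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
                iptables -C INPUT -p icmp -j ACCEPT >/dev/null 2>&1 && \
                  iptables -D INPUT -p icmp -j ACCEPT
                iptables -C INPUT -i lo -j ACCEPT >/dev/null 2>&1 && \
                  iptables -D INPUT -i lo -j ACCEPT
                iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT >/dev/null 2>&1 && \
                  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
                iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited >/dev/null 2>&1 && \
                  iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
                iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited >/dev/null 2>&1 && \
                  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
                sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
                ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1 && \
                  ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
                ip6tables -C INPUT -p ipv6-icmp -j ACCEPT >/dev/null 2>&1 && \
                  ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
                ip6tables -C INPUT -i lo -j ACCEPT >/dev/null 2>&1 && \
                  ip6tables -D INPUT -i lo -j ACCEPT
                ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT >/dev/null 2>&1 && \
                  ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
                ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT >/dev/null 2>&1 && \
                  ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
                ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited >/dev/null 2>&1 && \
                  ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
                ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited >/dev/null 2>&1 && \
                  ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables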