heat_template_version: rocky

description: >
  TripleO Firewall settings

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ManageFirewall:
    default: true
    description: Whether to manage IPtables rules.
    type: boolean
  PurgeFirewallRules:
    default: false
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean

outputs:
  role_data:
    description: Role data for the TripleO firewall settings
    value:
      service_name: tripleo_firewall
      config_settings:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
        tripleo::tripleo_firewall::firewall_rules:
          '003 accept ssh from controlplane':
            source: "%{hiera('ctlplane_subnet')}"
            proto: 'tcp'
            dport: 22

      step_config: |
        include ::tripleo::firewall
      upgrade_tasks:
        - when: step|int == 3
          block:
            - name: blank ipv6 rule before activating ipv6 firewall.
              shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
              args:
                creates: /etc/sysconfig/ip6tables.n-o-upgrade
            - name: cleanup unmanaged rules pushed by iptables-services
              shell: |
                iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
                  iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
                iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
                  iptables -D INPUT -p icmp -j ACCEPT
                iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
                  iptables -D INPUT -i lo -j ACCEPT
                iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
                  iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
                iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
                  iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
                iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
                  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
                sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
                sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables

                ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
                  ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
                ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
                  ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
                ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
                  ip6tables -D INPUT -i lo -j ACCEPT
                ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
                  ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
                ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
                  ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
                ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
                  ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
                ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
                  ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited

                sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
                sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables