tripleo-heat-templates/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
Cédric Jeanneret 6168a9d4b1 Add new parameter in order to switch firewall engine
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/841414
Change-Id: If6fd1200629df555d5d9f007cd433da6eb1f952a
2022-06-07 08:46:55 +00:00

170 lines
7.7 KiB
YAML

heat_template_version: wallaby
description: >
TripleO Firewall settings
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ExtraFirewallRules:
default: {}
description: Mapping of firewall rules.
type: json
tags:
- role_specific
FirewallEngine:
default: 'iptables'
description: Set the actual firewall engine. Can be "iptables" or "nftables"
type: string
constraints:
- allowed_values: ['iptables', 'nftables']
resources:
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
RoleParametersValue:
type: OS::Heat::Value
properties:
type: json
value:
map_replace:
- map_replace:
- extra_firewall_rules: ExtraFirewallRules
- values: {get_param: [RoleParameters]}
- values:
ExtraFirewallRules: {get_param: ExtraFirewallRules}
outputs:
role_data:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
config_settings: {}
firewall_rules:
map_merge:
- map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
- {get_attr: [RoleParametersValue, value, extra_firewall_rules]}
host_firewall_tasks:
- name: Run firewall role
vars:
tripleo_firewall_engine: {get_param: FirewallEngine}
include_role:
name: tripleo_firewall
update_tasks:
- name: Cleanup tripleo-iptables services
when:
- (step | int) == 1
block: &tripleo_firewall_teardown
- name: Disable tripleo-iptables.service
systemd:
name: tripleo-iptables.service
state: stopped
enabled: false
register: systemd_tripleo_iptables
failed_when: false
- name: Cleanup tripleo-iptables.services
file:
path: /etc/systemd/system/tripleo-iptables.service
state: absent
- name: Disable tripleo-ip6tables.service
systemd:
name: tripleo-ip6tables.service
state: stopped
enabled: false
register: systemd_tripleo_ip6tables
failed_when: false
- name: Cleanup tripleo-ip6tables.services
file:
path: /etc/systemd/system/tripleo-ip6tables.service
state: absent
- name: Reload systemd
systemd:
daemon_reload: true
when:
- (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)
upgrade_tasks:
- name: Cleanup tripleo-iptables services
when:
- (step | int) == 1
block: *tripleo_firewall_teardown
- when:
- (step | int) == 3
block:
- name: blank ipv6 rule before activating ipv6 firewall.
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
args:
creates: /etc/sysconfig/ip6tables.n-o-upgrade
- name: cleanup unmanaged rules pushed by iptables-services
shell: |
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
iptables -D INPUT -p icmp -j ACCEPT
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
iptables -D INPUT -i lo -j ACCEPT
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -i lo -j ACCEPT
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables