aa019cdd5d
In change Ia4a2a58aada3b893fa23e04722f0a7d77e05a981 we added some rules to forcefully cleanup nftables in case those were changed outside our control. Turns out that some Centos8 CI jobs do not have it installed. Let's not fail in that cases. Change-Id: I693d2b3c9de7135416d809b625cff62184a10668 Closes-Bug: #1870095
199 lines
8.9 KiB
YAML
199 lines
8.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
TripleO Firewall settings
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ExtraFirewallRules:
|
|
default: {}
|
|
description: Mapping of firewall rules.
|
|
type: json
|
|
|
|
conditions:
|
|
no_ctlplane:
|
|
equals:
|
|
- get_params: [ServiceData, net_cidr_map, ctlplane]
|
|
- Null
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the TripleO firewall settings
|
|
value:
|
|
service_name: tripleo_firewall
|
|
config_settings:
|
|
tripleo::firewall::manage_firewall: false
|
|
tripleo::firewall::purge_firewall_rules: false
|
|
firewall_rules:
|
|
map_merge:
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
|
template:
|
|
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
|
source: <%net_cidr%>
|
|
proto: 'tcp'
|
|
dport: 22
|
|
- {get_param: ExtraFirewallRules}
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- - name: Prevent Nftables to set up any rules
|
|
copy:
|
|
dest: /etc/sysconfig/nftables.conf
|
|
content: |
|
|
# This file has been explicitely emptied and disabled by TripleO
|
|
# so that nftables and iptables do not race each other
|
|
register: nftablesconf
|
|
- when: nftablesconf is changed
|
|
block:
|
|
- name: Flush Nftables rules when nftables.conf changed
|
|
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
|
|
- name: Restart iptables to restore firewall after flushing nftables
|
|
systemd:
|
|
state: reloaded
|
|
name: "{{item}}"
|
|
loop:
|
|
- iptables.service
|
|
- ip6tables.service
|
|
- if:
|
|
- no_ctlplane
|
|
- -
|
|
name: Ensure ctlplane subnet is set
|
|
fail:
|
|
msg: |
|
|
No CIDRs found in the ctlplane network tags.
|
|
Please refer to the documentation in order to
|
|
set the correct network tags in DeployedServerPortMap.
|
|
- -
|
|
name: Notice - ctlplane subnet is set
|
|
debug:
|
|
msg: |
|
|
CIDRs found in the ctlplane network tags.
|
|
deploy_steps_tasks:
|
|
- when:
|
|
- (step|int) == 0
|
|
block:
|
|
- name: create iptables service
|
|
copy:
|
|
dest: /etc/systemd/system/tripleo-iptables.service
|
|
content: |
|
|
[Unit]
|
|
Description=Initialize iptables
|
|
Before=iptables.service
|
|
AssertPathExists=/etc/sysconfig/iptables
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/sbin/iptables -t raw -nL
|
|
Environment=BOOTUP=serial
|
|
Environment=CONSOLETYPE=serial
|
|
StandardOutput=syslog
|
|
StandardError=syslog
|
|
[Install]
|
|
WantedBy=basic.target
|
|
- name: create ip6tables service
|
|
copy:
|
|
dest: /etc/systemd/system/tripleo-ip6tables.service
|
|
content: |
|
|
[Unit]
|
|
Description=Initialize ip6tables
|
|
Before=ip6tables.service
|
|
AssertPathExists=/etc/sysconfig/ip6tables
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/sbin/ip6tables -t raw -nL
|
|
Environment=BOOTUP=serial
|
|
Environment=CONSOLETYPE=serial
|
|
StandardOutput=syslog
|
|
StandardError=syslog
|
|
[Install]
|
|
WantedBy=basic.target
|
|
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
|
|
systemd:
|
|
daemon_reload: yes
|
|
enabled: yes
|
|
name: tripleo-iptables.service
|
|
- name: enable tripleo-ip6tables service
|
|
systemd:
|
|
enabled: yes
|
|
name: tripleo-ip6tables.service
|
|
upgrade_tasks:
|
|
- when:
|
|
- (step | int) == 3
|
|
block:
|
|
- name: blank ipv6 rule before activating ipv6 firewall.
|
|
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
|
args:
|
|
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
|
- name: cleanup unmanaged rules pushed by iptables-services
|
|
shell: |
|
|
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -p icmp -j ACCEPT
|
|
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -i lo -j ACCEPT
|
|
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
|
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
|
|
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
|
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -i lo -j ACCEPT
|
|
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
|
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
|
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
|
|
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|