Merge "Remove some firewall rules"
commit
6738f26567
@ -88,15 +88,6 @@ class openstack::barbican::service
|
||||
}
|
||||
}
|
||||
|
||||
class openstack::barbican::firewall
|
||||
inherits ::openstack::barbican::params {
|
||||
|
||||
platform::firewall::rule { 'barbican-api':
|
||||
service_name => 'barbican-api',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
|
||||
class openstack::barbican::haproxy
|
||||
inherits ::openstack::barbican::params {
|
||||
|
||||
@ -137,7 +128,6 @@ class openstack::barbican::api
|
||||
|
||||
if $service_enabled {
|
||||
include ::openstack::barbican::service
|
||||
include ::openstack::barbican::firewall
|
||||
include ::openstack::barbican::haproxy
|
||||
}
|
||||
}
|
||||
|
@ -174,32 +174,9 @@ class openstack::horizon
|
||||
user => 'root',
|
||||
}
|
||||
|
||||
include ::openstack::horizon::firewall
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class openstack::horizon::firewall
|
||||
inherits ::openstack::horizon::params {
|
||||
|
||||
# horizon is run behind a proxy server, therefore
|
||||
# set the dashboard access based on the configuration
|
||||
# of HTTPS for external protocols. The horizon
|
||||
# server runs on port 8080 behind the proxy server.
|
||||
if $enable_https {
|
||||
$firewall_port = $https_port
|
||||
} else {
|
||||
$firewall_port = $http_port
|
||||
}
|
||||
|
||||
platform::firewall::rule { 'dashboard':
|
||||
host => 'ALL',
|
||||
service_name => 'horizon',
|
||||
ports => $firewall_port,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class openstack::horizon::reload {
|
||||
|
||||
# Remove all active Horizon user sessions
|
||||
|
@ -133,19 +133,6 @@ class openstack::keystone (
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class openstack::keystone::firewall
|
||||
inherits ::openstack::keystone::params {
|
||||
|
||||
if !$::platform::params::region_config {
|
||||
platform::firewall::rule { 'keystone-api':
|
||||
service_name => 'keystone',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class openstack::keystone::haproxy
|
||||
inherits ::openstack::keystone::params {
|
||||
|
||||
@ -202,7 +189,6 @@ class openstack::keystone::api
|
||||
}
|
||||
}
|
||||
|
||||
include ::openstack::keystone::firewall
|
||||
include ::openstack::keystone::haproxy
|
||||
}
|
||||
|
||||
|
@ -387,19 +387,6 @@ class platform::ceph::osds(
|
||||
create_resources('platform_ceph_journal', $journal_config)
|
||||
}
|
||||
|
||||
|
||||
class platform::ceph::firewall
|
||||
inherits ::platform::ceph::params {
|
||||
|
||||
if $service_enabled {
|
||||
platform::firewall::rule { 'ceph-radosgw':
|
||||
service_name => 'ceph-radosgw',
|
||||
ports => $rgw_port,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::ceph::haproxy
|
||||
inherits ::platform::ceph::params {
|
||||
|
||||
@ -457,7 +444,6 @@ class platform::ceph::rgw
|
||||
}
|
||||
}
|
||||
|
||||
include ::platform::ceph::firewall
|
||||
include ::platform::ceph::haproxy
|
||||
}
|
||||
|
||||
|
@ -34,18 +34,6 @@ class platform::dcmanager
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::dcmanager::firewall
|
||||
inherits ::platform::dcmanager::params {
|
||||
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
||||
platform::firewall::rule { 'dcmanager-api':
|
||||
service_name => 'dcmanager',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::dcmanager::haproxy
|
||||
inherits ::platform::dcmanager::params {
|
||||
if $::platform::params::distributed_cloud_role =='systemcontroller' {
|
||||
@ -76,7 +64,6 @@ class platform::dcmanager::api
|
||||
}
|
||||
|
||||
|
||||
include ::platform::dcmanager::firewall
|
||||
include ::platform::dcmanager::haproxy
|
||||
}
|
||||
}
|
||||
|
@ -51,10 +51,6 @@ class platform::dcorch::firewall
|
||||
service_name => 'dcorch',
|
||||
ports => $api_port,
|
||||
}
|
||||
platform::firewall::rule { 'dcorch-sysinv-api-proxy':
|
||||
service_name => 'dcorch-sysinv-api-proxy',
|
||||
ports => $sysinv_api_proxy_port,
|
||||
}
|
||||
platform::firewall::rule { 'dcorch-nova-api-proxy':
|
||||
service_name => 'dcorch-nova-api-proxy',
|
||||
ports => $nova_api_proxy_port,
|
||||
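Review bot: This hunk and the following one (`@ -67,14 +63,6 @@`) remove the `dcorch-sysinv-api-proxy`, `dcorch-patch-api-proxy` and `dcorch-identity-api-proxy` rules while the class keeps its `dcorch`, `dcorch-nova-api-proxy` and `dcorch-cinder-api-proxy` rules, and nothing on the page records why only those three proxies lose their OAM openings. The class header of `platform::dcorch::firewall` is outside the hunk, so the rationale is presumably elsewhere; a short comment at the top of the remaining rule block, such as `# sysinv/patch/identity proxies are no longer exposed on OAM here; see <commit/story reference>`, would stop a later maintainer from re-adding them as an apparent omission.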
@ -67,14 +63,6 @@ class platform::dcorch::firewall
|
||||
service_name => 'dcorch-cinder-api-proxy',
|
||||
ports => $cinder_api_proxy_port,
|
||||
}
|
||||
platform::firewall::rule { 'dcorch-patch-api-proxy':
|
||||
service_name => 'dcorch-patch-api-proxy',
|
||||
ports => $patch_api_proxy_port,
|
||||
}
|
||||
platform::firewall::rule { 'dcorch-identity-api-proxy':
|
||||
service_name => 'dcorch-identity-api-proxy',
|
||||
ports => $identity_api_proxy_port,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -76,275 +76,6 @@ define platform::firewall::rule (
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
define platform::firewall::common (
|
||||
$version,
|
||||
$interface,
|
||||
) {
|
||||
|
||||
$provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
|
||||
|
||||
firewall { "000 platform accept non-oam ${version}":
|
||||
proto => 'all',
|
||||
iniface => "! ${$interface}",
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "001 platform accept related ${version}":
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
# explicitly drop some types of traffic without logging
|
||||
firewall { "800 platform drop tcf-agent udp ${version}":
|
||||
proto => 'udp',
|
||||
dport => 1534,
|
||||
action => 'drop',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "800 platform drop tcf-agent tcp ${version}":
|
||||
proto => 'tcp',
|
||||
dport => 1534,
|
||||
action => 'drop',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "800 platform drop all avahi-daemon ${version}":
|
||||
proto => 'udp',
|
||||
dport => 5353,
|
||||
action => 'drop',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "999 platform log dropped ${version}":
|
||||
proto => 'all',
|
||||
limit => '2/min',
|
||||
jump => 'LOG',
|
||||
log_prefix => "${provider}-in-dropped: ",
|
||||
log_level => 4,
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "000 platform forward non-oam ${version}":
|
||||
chain => 'FORWARD',
|
||||
proto => 'all',
|
||||
iniface => "! ${interface}",
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "001 platform forward related ${version}":
|
||||
chain => 'FORWARD',
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "999 platform log dropped ${version} forwarded":
|
||||
chain => 'FORWARD',
|
||||
proto => 'all',
|
||||
limit => '2/min',
|
||||
jump => 'LOG',
|
||||
log_prefix => "${provider}-fwd-dropped: ",
|
||||
log_level => 4,
|
||||
provider => $provider,
|
||||
}
|
||||
}
|
||||
|
||||
# Declare OAM service rules
|
||||
define platform::firewall::services (
|
||||
$version,
|
||||
) {
|
||||
# platform rules to be applied before custom rules
|
||||
Firewall {
|
||||
require => undef,
|
||||
}
|
||||
|
||||
$provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
|
||||
|
||||
$proto_icmp = $version ? {'ipv4' => 'icmp', 'ipv6' => 'ipv6-icmp'}
|
||||
|
||||
# Provider specific service rules
|
||||
firewall { "010 platform accept sm ${version}":
|
||||
proto => 'udp',
|
||||
dport => [2222, 2223],
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "011 platform accept ssh ${version}":
|
||||
proto => 'tcp',
|
||||
dport => 22,
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "200 platform accept icmp ${version}":
|
||||
proto => $proto_icmp,
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "201 platform accept ntp ${version}":
|
||||
proto => 'udp',
|
||||
dport => 123,
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "202 platform accept snmp ${version}":
|
||||
proto => 'udp',
|
||||
dport => 161,
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "202 platform accept snmp trap ${version}":
|
||||
proto => 'udp',
|
||||
dport => 162,
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
firewall { "203 platform accept ptp ${version}":
|
||||
proto => 'udp',
|
||||
dport => [319, 320],
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
|
||||
# allow IGMP Query traffic if IGMP Snooping is
|
||||
# enabled on the TOR switch
|
||||
firewall { "204 platform accept igmp ${version}":
|
||||
proto => 'igmp',
|
||||
action => 'accept',
|
||||
provider => $provider,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
define platform::firewall::hooks (
|
||||
$version = undef,
|
||||
) {
|
||||
$protocol = $version ? {'ipv4' => 'IPv4', 'ipv6' => 'IPv6'}
|
||||
|
||||
$input_pre_chain = 'INPUT-custom-pre'
|
||||
$input_post_chain = 'INPUT-custom-post'
|
||||
|
||||
firewallchain { "${input_pre_chain}:filter:${protocol}":
|
||||
ensure => present,
|
||||
}
|
||||
-> firewallchain { "${input_post_chain}:filter:${protocol}":
|
||||
ensure => present,
|
||||
}
|
||||
-> firewall { "100 ${input_pre_chain} ${version}":
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
jump => $input_pre_chain
|
||||
}
|
||||
-> firewall { "900 ${input_post_chain} ${version}":
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
jump => $input_post_chain
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::firewall::custom (
|
||||
$version = undef,
|
||||
$rules_file = undef,
|
||||
) {
|
||||
|
||||
$restore = $version ? {
|
||||
'ipv4' => 'iptables-restore',
|
||||
'ipv6' => 'ip6tables-restore'}
|
||||
|
||||
platform::firewall::hooks { '::platform:firewall:hooks':
|
||||
version => $version,
|
||||
}
|
||||
|
||||
-> exec { 'Flush firewall custom pre rules':
|
||||
command => 'iptables --flush INPUT-custom-pre',
|
||||
}
|
||||
-> exec { 'Flush firewall custom post rules':
|
||||
command => 'iptables --flush INPUT-custom-post',
|
||||
}
|
||||
-> exec { 'Apply firewall custom rules':
|
||||
command => "${restore} --noflush ${rules_file}",
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::firewall::oam (
|
||||
$rules_file = undef,
|
||||
) {
|
||||
|
||||
include ::platform::network::oam::params
|
||||
$interface_name = $::platform::network::oam::params::interface_name
|
||||
$subnet_version = $::platform::network::oam::params::subnet_version
|
||||
|
||||
$version = $subnet_version ? {
|
||||
4 => 'ipv4',
|
||||
6 => 'ipv6',
|
||||
}
|
||||
|
||||
platform::firewall::common { 'platform:firewall:ipv4':
|
||||
interface => $interface_name,
|
||||
version => 'ipv4',
|
||||
}
|
||||
|
||||
-> platform::firewall::common { 'platform:firewall:ipv6':
|
||||
interface => $interface_name,
|
||||
version => 'ipv6',
|
||||
}
|
||||
|
||||
-> platform::firewall::services { 'platform:firewall:services':
|
||||
version => $version,
|
||||
}
|
||||
|
||||
# Set default table policies
|
||||
-> firewallchain { 'INPUT:filter:IPv4':
|
||||
ensure => present,
|
||||
policy => drop,
|
||||
before => undef,
|
||||
purge => false,
|
||||
}
|
||||
|
||||
-> firewallchain { 'INPUT:filter:IPv6':
|
||||
ensure => present,
|
||||
policy => drop,
|
||||
before => undef,
|
||||
purge => false,
|
||||
}
|
||||
|
||||
-> firewallchain { 'FORWARD:filter:IPv4':
|
||||
ensure => present,
|
||||
policy => drop,
|
||||
before => undef,
|
||||
purge => false,
|
||||
}
|
||||
|
||||
-> firewallchain { 'FORWARD:filter:IPv6':
|
||||
ensure => present,
|
||||
policy => drop,
|
||||
before => undef,
|
||||
purge => false,
|
||||
}
|
||||
|
||||
if $rules_file {
|
||||
|
||||
class { '::platform::firewall::custom':
|
||||
version => $version,
|
||||
rules_file => $rules_file,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class platform::firewall::calico::oam::services {
|
||||
include ::platform::params
|
||||
include ::platform::network::oam::params
|
||||
|
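Review bot: The deleted `platform::firewall::oam` was the only code in this hunk that set `policy => drop` on the `INPUT` and `FORWARD` chains for both address families and installed the rate-limited `999 platform log dropped` LOG rules, and the surviving new-side context (`class platform::firewall::calico::oam::services`, whose body continues past the hunk) shows no equivalent default-deny or drop logging. If the Calico path supplies these, a header comment on that class naming the controls it replaces (chain default policy, dropped-traffic logging, the explicit tcf-agent 1534 and avahi 5353 drops, and the `$rules_file` custom-rule hook previously applied through `platform::firewall::custom`) would let a reviewer confirm parity; if it does not, the chains fall back to the netfilter built-in policy, which is accept unless something else sets it. The `$rules_file` operator hook has no visible successor, so any remaining `class { '::platform::firewall::oam': rules_file => ... }` declaration would now fail catalog compilation — presumably handled elsewhere in this commit, but worth confirming.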
@ -35,15 +35,6 @@ class platform::fm
|
||||
}
|
||||
}
|
||||
|
||||
class platform::fm::firewall
|
||||
inherits ::platform::fm::params {
|
||||
|
||||
platform::firewall::rule { 'fm-api':
|
||||
service_name => 'fm',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
|
||||
class platform::fm::haproxy
|
||||
inherits ::platform::fm::params {
|
||||
|
||||
@ -84,7 +75,6 @@ class platform::fm::api
|
||||
sync_db => $::platform::params::init_database,
|
||||
}
|
||||
|
||||
include ::platform::fm::firewall
|
||||
include ::platform::fm::haproxy
|
||||
}
|
||||
}
|
||||
|
@ -52,16 +52,6 @@ class platform::nfv::runtime {
|
||||
}
|
||||
|
||||
|
||||
class platform::nfv::firewall
|
||||
inherits ::platform::nfv::params {
|
||||
|
||||
platform::firewall::rule { 'nfv-vim-api':
|
||||
service_name => 'nfv-vim',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::nfv::haproxy
|
||||
inherits ::platform::nfv::params {
|
||||
|
||||
@ -81,6 +71,5 @@ class platform::nfv::api
|
||||
include ::nfv::keystone::auth
|
||||
}
|
||||
|
||||
include ::platform::nfv::firewall
|
||||
include ::platform::nfv::haproxy
|
||||
}
|
||||
|
@ -35,16 +35,6 @@ class platform::patching
|
||||
}
|
||||
|
||||
|
||||
class platform::patching::firewall
|
||||
inherits ::platform::patching::params {
|
||||
|
||||
platform::firewall::rule { 'patching-api':
|
||||
service_name => 'patching',
|
||||
ports => $public_port,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::patching::haproxy
|
||||
inherits ::platform::patching::params {
|
||||
|
||||
@ -67,7 +57,6 @@ class platform::patching::api (
|
||||
include ::patching::keystone::auth
|
||||
}
|
||||
|
||||
include ::platform::patching::firewall
|
||||
include ::platform::patching::haproxy
|
||||
}
|
||||
|
||||
|
@ -10,15 +10,6 @@ class platform::smapi::params (
|
||||
$region = undef,
|
||||
) {}
|
||||
|
||||
class platform::smap::firewall
|
||||
inherits ::platform::smapi::params {
|
||||
|
||||
platform::firewall::rule { 'sm-api':
|
||||
service_name => 'sm-api',
|
||||
ports => $port,
|
||||
}
|
||||
}
|
||||
|
||||
class platform::smapi::haproxy
|
||||
inherits ::platform::smapi::params {
|
||||
|
||||
@ -47,7 +38,6 @@ class platform::smapi
|
||||
}
|
||||
|
||||
include ::platform::params
|
||||
include ::platform::smap::firewall
|
||||
include ::platform::smapi::haproxy
|
||||
$bind_host_name = $::platform::params::hostname
|
||||
file { '/etc/sm-api/sm-api.conf':
|
||||
|
@ -120,16 +120,6 @@ class platform::sysinv::conductor {
|
||||
}
|
||||
|
||||
|
||||
class platform::sysinv::firewall
|
||||
inherits ::platform::sysinv::params {
|
||||
|
||||
platform::firewall::rule { 'sysinv-api':
|
||||
service_name => 'sysinv',
|
||||
ports => $api_port,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class platform::sysinv::haproxy
|
||||
inherits ::platform::sysinv::params {
|
||||
|
||||
@ -173,7 +163,6 @@ class platform::sysinv::api
|
||||
'DEFAULT/sysinv_api_workers': value => $::platform::params::eng_workers_by_5;
|
||||
}
|
||||
|
||||
include ::platform::sysinv::firewall
|
||||
include ::platform::sysinv::haproxy
|
||||
}
|
||||
|
||||
|