Merge "Remove some firewall rules"

puppet-manifests/src/modules/openstack/manifests/barbican.pp

@@ -88,15 +88,6 @@ class openstack::barbican::service
   }
 }
 
-class openstack::barbican::firewall
-  inherits ::openstack::barbican::params {
-
-  platform::firewall::rule { 'barbican-api':
-    service_name => 'barbican-api',
-    ports        => $api_port,
-  }
-}
-
 class openstack::barbican::haproxy
   inherits ::openstack::barbican::params {
 
@@ -137,7 +128,6 @@ class openstack::barbican::api
 
   if $service_enabled {
     include ::openstack::barbican::service
-    include ::openstack::barbican::firewall
     include ::openstack::barbican::haproxy
   }
 }

puppet-manifests/src/modules/openstack/manifests/horizon.pp

@@ -174,32 +174,9 @@ class openstack::horizon
       user        => 'root',
     }
 
-    include ::openstack::horizon::firewall
   }
 }
 
-
-class openstack::horizon::firewall
-  inherits ::openstack::horizon::params {
-
-  # horizon is run behind a proxy server, therefore
-  # set the dashboard access based on the configuration
-  # of HTTPS for external protocols.  The horizon
-  # server runs on port 8080 behind the proxy server.
-  if $enable_https {
-    $firewall_port = $https_port
-  } else {
-    $firewall_port = $http_port
-  }
-
-  platform::firewall::rule { 'dashboard':
-    host         => 'ALL',
-    service_name => 'horizon',
-    ports        => $firewall_port,
-  }
-}
-
-
 class openstack::horizon::reload {
 
   # Remove all active Horizon user sessions

puppet-manifests/src/modules/openstack/manifests/keystone.pp

@@ -133,19 +133,6 @@ class openstack::keystone (
   }
 }
 
-
-class openstack::keystone::firewall
-  inherits ::openstack::keystone::params {
-
-  if !$::platform::params::region_config {
-    platform::firewall::rule { 'keystone-api':
-      service_name => 'keystone',
-      ports        => $api_port,
-    }
-  }
-}
-
-
 class openstack::keystone::haproxy
   inherits ::openstack::keystone::params {
 
@@ -202,7 +189,6 @@ class openstack::keystone::api
     }
   }
 
-  include ::openstack::keystone::firewall
   include ::openstack::keystone::haproxy
 }
 

puppet-manifests/src/modules/platform/manifests/ceph.pp

@@ -387,19 +387,6 @@ class platform::ceph::osds(
   create_resources('platform_ceph_journal', $journal_config)
 }
 
-
-class platform::ceph::firewall
-  inherits ::platform::ceph::params {
-
-  if $service_enabled {
-    platform::firewall::rule { 'ceph-radosgw':
-      service_name => 'ceph-radosgw',
-      ports        => $rgw_port,
-    }
-  }
-}
-
-
 class platform::ceph::haproxy
   inherits ::platform::ceph::params {
 
@@ -457,7 +444,6 @@ class platform::ceph::rgw
     }
   }
 
-  include ::platform::ceph::firewall
   include ::platform::ceph::haproxy
 }
 

puppet-manifests/src/modules/platform/manifests/dcmanager.pp

@@ -34,18 +34,6 @@ class platform::dcmanager
   }
 }
 
-
-class platform::dcmanager::firewall
-  inherits ::platform::dcmanager::params {
-  if $::platform::params::distributed_cloud_role =='systemcontroller' {
-    platform::firewall::rule { 'dcmanager-api':
-      service_name => 'dcmanager',
-      ports        => $api_port,
-    }
-  }
-}
-
-
 class platform::dcmanager::haproxy
   inherits ::platform::dcmanager::params {
   if $::platform::params::distributed_cloud_role =='systemcontroller' {
@@ -76,7 +64,6 @@ class platform::dcmanager::api
     }
 
 
-    include ::platform::dcmanager::firewall
     include ::platform::dcmanager::haproxy
   }
 }

puppet-manifests/src/modules/platform/manifests/dcorch.pp

@@ -51,10 +51,6 @@ class platform::dcorch::firewall
       service_name => 'dcorch',
       ports        => $api_port,
     }
-    platform::firewall::rule { 'dcorch-sysinv-api-proxy':
-      service_name => 'dcorch-sysinv-api-proxy',
-      ports        => $sysinv_api_proxy_port,
-    }
     platform::firewall::rule { 'dcorch-nova-api-proxy':
       service_name => 'dcorch-nova-api-proxy',
       ports        => $nova_api_proxy_port,
@@ -67,14 +63,6 @@ class platform::dcorch::firewall
       service_name => 'dcorch-cinder-api-proxy',
       ports        => $cinder_api_proxy_port,
     }
-    platform::firewall::rule { 'dcorch-patch-api-proxy':
-      service_name => 'dcorch-patch-api-proxy',
-      ports        => $patch_api_proxy_port,
-    }
-    platform::firewall::rule { 'dcorch-identity-api-proxy':
-      service_name => 'dcorch-identity-api-proxy',
-      ports        => $identity_api_proxy_port,
-    }
   }
 }
 

puppet-manifests/src/modules/platform/manifests/firewall.pp

@@ -76,275 +76,6 @@ define platform::firewall::rule (
   }
 }
 
-
-define platform::firewall::common (
-  $version,
-  $interface,
-) {
-
-  $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
-
-  firewall { "000 platform accept non-oam ${version}":
-    proto    => 'all',
-    iniface  => "! ${$interface}",
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "001 platform accept related ${version}":
-    proto    => 'all',
-    state    => ['RELATED', 'ESTABLISHED'],
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  # explicitly drop some types of traffic without logging
-  firewall { "800 platform drop tcf-agent udp ${version}":
-    proto    => 'udp',
-    dport    => 1534,
-    action   => 'drop',
-    provider => $provider,
-  }
-
-  firewall { "800 platform drop tcf-agent tcp ${version}":
-    proto    => 'tcp',
-    dport    => 1534,
-    action   => 'drop',
-    provider => $provider,
-  }
-
-  firewall { "800 platform drop all avahi-daemon ${version}":
-    proto    => 'udp',
-    dport    => 5353,
-    action   => 'drop',
-    provider => $provider,
-  }
-
-  firewall { "999 platform log dropped ${version}":
-    proto      => 'all',
-    limit      => '2/min',
-    jump       => 'LOG',
-    log_prefix => "${provider}-in-dropped: ",
-    log_level  => 4,
-    provider   => $provider,
-  }
-
-  firewall { "000 platform forward non-oam ${version}":
-    chain    => 'FORWARD',
-    proto    => 'all',
-    iniface  => "! ${interface}",
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "001 platform forward related ${version}":
-    chain    => 'FORWARD',
-    proto    => 'all',
-    state    => ['RELATED', 'ESTABLISHED'],
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "999 platform log dropped ${version} forwarded":
-    chain      => 'FORWARD',
-    proto      => 'all',
-    limit      => '2/min',
-    jump       => 'LOG',
-    log_prefix => "${provider}-fwd-dropped: ",
-    log_level  => 4,
-    provider   => $provider,
-  }
-}
-
-# Declare OAM service rules
-define platform::firewall::services (
-  $version,
-) {
-  # platform rules to be applied before custom rules
-  Firewall {
-    require => undef,
-  }
-
-  $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
-
-  $proto_icmp = $version ? {'ipv4' => 'icmp', 'ipv6' => 'ipv6-icmp'}
-
-  # Provider specific service rules
-  firewall { "010 platform accept sm ${version}":
-    proto    => 'udp',
-    dport    => [2222, 2223],
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "011 platform accept ssh ${version}":
-    proto    => 'tcp',
-    dport    => 22,
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "200 platform accept icmp ${version}":
-    proto    => $proto_icmp,
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "201 platform accept ntp ${version}":
-    proto    => 'udp',
-    dport    => 123,
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "202 platform accept snmp ${version}":
-    proto    => 'udp',
-    dport    => 161,
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "202 platform accept snmp trap ${version}":
-    proto    => 'udp',
-    dport    => 162,
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  firewall { "203 platform accept ptp ${version}":
-    proto    => 'udp',
-    dport    => [319, 320],
-    action   => 'accept',
-    provider => $provider,
-  }
-
-  # allow IGMP Query traffic if IGMP Snooping is
-  # enabled on the TOR switch
-  firewall { "204 platform accept igmp ${version}":
-    proto    => 'igmp',
-    action   => 'accept',
-    provider => $provider,
-  }
-}
-
-
-define platform::firewall::hooks (
-  $version = undef,
-) {
-  $protocol = $version ? {'ipv4' => 'IPv4', 'ipv6' => 'IPv6'}
-
-  $input_pre_chain = 'INPUT-custom-pre'
-  $input_post_chain = 'INPUT-custom-post'
-
-  firewallchain { "${input_pre_chain}:filter:${protocol}":
-    ensure => present,
-  }
-  -> firewallchain { "${input_post_chain}:filter:${protocol}":
-    ensure => present,
-  }
-  -> firewall { "100 ${input_pre_chain} ${version}":
-    proto => 'all',
-    chain => 'INPUT',
-    jump  => $input_pre_chain
-  }
-  -> firewall { "900 ${input_post_chain} ${version}":
-    proto => 'all',
-    chain => 'INPUT',
-    jump  => $input_post_chain
-  }
-}
-
-
-class platform::firewall::custom (
-  $version = undef,
-  $rules_file = undef,
-) {
-
-  $restore = $version ? {
-    'ipv4' => 'iptables-restore',
-    'ipv6' => 'ip6tables-restore'}
-
-  platform::firewall::hooks { '::platform:firewall:hooks':
-    version => $version,
-  }
-
-  -> exec { 'Flush firewall custom pre rules':
-    command => 'iptables --flush INPUT-custom-pre',
-  }
-  -> exec { 'Flush firewall custom post rules':
-    command => 'iptables --flush INPUT-custom-post',
-  }
-  -> exec { 'Apply firewall custom rules':
-    command => "${restore} --noflush ${rules_file}",
-  }
-}
-
-
-class platform::firewall::oam (
-  $rules_file = undef,
-) {
-
-  include ::platform::network::oam::params
-  $interface_name = $::platform::network::oam::params::interface_name
-  $subnet_version = $::platform::network::oam::params::subnet_version
-
-  $version = $subnet_version ? {
-    4 => 'ipv4',
-    6 => 'ipv6',
-  }
-
-  platform::firewall::common { 'platform:firewall:ipv4':
-    interface => $interface_name,
-    version   => 'ipv4',
-  }
-
-  -> platform::firewall::common { 'platform:firewall:ipv6':
-    interface => $interface_name,
-    version   => 'ipv6',
-  }
-
-  -> platform::firewall::services { 'platform:firewall:services':
-    version => $version,
-  }
-
-  # Set default table policies
-  -> firewallchain { 'INPUT:filter:IPv4':
-    ensure => present,
-    policy => drop,
-    before => undef,
-    purge  => false,
-  }
-
-  -> firewallchain { 'INPUT:filter:IPv6':
-    ensure => present,
-    policy => drop,
-    before => undef,
-    purge  => false,
-  }
-
-  -> firewallchain { 'FORWARD:filter:IPv4':
-    ensure => present,
-    policy => drop,
-    before => undef,
-    purge  => false,
-  }
-
-  -> firewallchain { 'FORWARD:filter:IPv6':
-    ensure => present,
-    policy => drop,
-    before => undef,
-    purge  => false,
-  }
-
-  if $rules_file {
-
-    class { '::platform::firewall::custom':
-      version    => $version,
-      rules_file => $rules_file,
-    }
-  }
-}
-
 class platform::firewall::calico::oam::services {
   include ::platform::params
   include ::platform::network::oam::params

puppet-manifests/src/modules/platform/manifests/fm.pp

@@ -35,15 +35,6 @@ class platform::fm
   }
 }
 
-class platform::fm::firewall
-  inherits ::platform::fm::params {
-
-  platform::firewall::rule { 'fm-api':
-    service_name => 'fm',
-    ports        => $api_port,
-  }
-}
-
 class platform::fm::haproxy
   inherits ::platform::fm::params {
 
@@ -84,7 +75,6 @@ class platform::fm::api
       sync_db => $::platform::params::init_database,
     }
 
-    include ::platform::fm::firewall
     include ::platform::fm::haproxy
   }
 }

puppet-manifests/src/modules/platform/manifests/nfv.pp

@@ -52,16 +52,6 @@ class platform::nfv::runtime {
 }
 
 
-class platform::nfv::firewall
-  inherits ::platform::nfv::params {
-
-  platform::firewall::rule { 'nfv-vim-api':
-    service_name => 'nfv-vim',
-    ports        => $api_port,
-  }
-}
-
-
 class platform::nfv::haproxy
   inherits ::platform::nfv::params {
 
@@ -81,6 +71,5 @@ class platform::nfv::api
     include ::nfv::keystone::auth
   }
 
-  include ::platform::nfv::firewall
   include ::platform::nfv::haproxy
 }

puppet-manifests/src/modules/platform/manifests/patching.pp

@@ -35,16 +35,6 @@ class platform::patching
 }
 
 
-class platform::patching::firewall
-  inherits ::platform::patching::params {
-
-  platform::firewall::rule { 'patching-api':
-    service_name => 'patching',
-    ports        => $public_port,
-  }
-}
-
-
 class platform::patching::haproxy
   inherits ::platform::patching::params {
 
@@ -67,7 +57,6 @@ class platform::patching::api (
     include ::patching::keystone::auth
   }
 
-  include ::platform::patching::firewall
   include ::platform::patching::haproxy
 }
 

puppet-manifests/src/modules/platform/manifests/smapi.pp

@@ -10,15 +10,6 @@ class platform::smapi::params (
   $region = undef,
 ) {}
 
-class platform::smap::firewall
-  inherits ::platform::smapi::params {
-
-  platform::firewall::rule { 'sm-api':
-    service_name => 'sm-api',
-    ports        => $port,
-  }
-}
-
 class platform::smapi::haproxy
   inherits ::platform::smapi::params {
 
@@ -47,7 +38,6 @@ class platform::smapi
   }
 
   include ::platform::params
-  include ::platform::smap::firewall
   include ::platform::smapi::haproxy
   $bind_host_name = $::platform::params::hostname
   file { '/etc/sm-api/sm-api.conf':

puppet-manifests/src/modules/platform/manifests/sysinv.pp

@@ -120,16 +120,6 @@ class platform::sysinv::conductor {
 }
 
 
-class platform::sysinv::firewall
-  inherits ::platform::sysinv::params {
-
-  platform::firewall::rule { 'sysinv-api':
-    service_name => 'sysinv',
-    ports        => $api_port,
-  }
-}
-
-
 class platform::sysinv::haproxy
   inherits ::platform::sysinv::params {
 
@@ -173,7 +163,6 @@ class platform::sysinv::api
     'DEFAULT/sysinv_api_workers': value => $::platform::params::eng_workers_by_5;
   }
 
-  include ::platform::sysinv::firewall
   include ::platform::sysinv::haproxy
 }