Update iptables role for ip / dns addresses

We now support either an IP address or a DNS name for iptables_allowed_hosts. As a
result, hostname has been replaced with address.

Change-Id: Ia1accc226ca2ecdafeec4d45ad9296b6fc42b254
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Paul Belanger 2019-03-21 20:01:22 -04:00
parent 0297e898f6
commit 3b36b26a0f
2 changed files with 8 additions and 2 deletions


@ -22,7 +22,10 @@
# Host specific rules
{% for host in iptables_allowed_hosts %}
{% for addr in host.hostname | dns_a %}
{% if host['address'] | ipv4 %}
-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ host['address'] | ipv4 }} --dport {{ host['port'] }} -j ACCEPT
{% endif %}
{% for addr in host['address'] | dns_a %}
-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ addr | ipv4 }} --dport {{ host['port'] }} -j ACCEPT
{% endfor %}
{% endfor %}
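Review bot: The resolver loop on the `{% for addr in host['address'] | dns_a %}` line runs for every host, including one whose `address` already passed the `ipv4` test directly above it, so an IP literal is handed to the `dns_a` filter; depending on how that filter treats a non-hostname this either emits the ACCEPT rule twice or fails the render for a perfectly valid entry. Making the loop the `else` branch of the `ipv4` test keeps literal addresses out of DNS altogether: replace the `{% endif %}` after the literal-address rule with `{% else %}` and close with `{% endif %}` after the loop's `{% endfor %}`. The second file's hunk has the same structure with `ipv6`/`dns_aaaa` and needs the same change; the file names are not shown on this page, so the IPv4/IPv6 split is inferred from the filters used. Worth a comment near the loop, e.g. `{# A records are resolved once at render time; re-run the role when they change #}`, since the rendered rules freeze whatever the resolver returned and are only as trustworthy as that resolver.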


@ -22,7 +22,10 @@
# Host specific rules
{% for host in iptables_allowed_hosts %}
{% for addr in host.hostname | dns_aaaa %}
{% if host['address'] | ipv6 %}
-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ host['address'] | ipv6 }} --dport {{ host['port'] }} -j ACCEPT
{% endif %}
{% for addr in host['address'] | dns_aaaa %}
-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ addr | ipv6 }} --dport {{ host['port'] }} -j ACCEPT
{% endfor %}
{% endfor %}