From 41f19ebf86f54deda7c38b802dd104198f481f45 Mon Sep 17 00:00:00 2001
From: Muhammad Shahzeb
Date: Wed, 8 Jun 2016 15:56:53 -0700
Subject: [PATCH] Update PG Firewall rules for MOS
Change-Id: I0309dd9bf00a9d0f340653b977dfa8f05a54ceab
Ticket: [SOL-904]
Signed-off-by: Muhammad Shahzeb
---
 .../puppet/manifests/director.pp | 6 +--
 deployment_scripts/puppet/manifests/edge.pp | 7 +--
 .../puppet/manifests/gateway.pp | 7 +--
 .../modules/plumgrid/manifests/firewall.pp | 51 -------------------
 .../puppet/modules/plumgrid/manifests/init.pp | 21 ++++++++
 .../puppet/modules/sal/manifests/init.pp | 16 ++++++
 6 files changed, 43 insertions(+), 65 deletions(-)
 delete mode 100644 deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp
diff --git a/deployment_scripts/puppet/manifests/director.pp b/deployment_scripts/puppet/manifests/director.pp
index a51963c..6536fcc 100644
--- a/deployment_scripts/puppet/manifests/director.pp
+++ b/deployment_scripts/puppet/manifests/director.pp
@@ -70,17 +70,15 @@ class { 'plumgrid':
 fabric_dev => $fabric_dev,
 lvm_keypath => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
 md_ip => $md_ip,
+ source_net => $mgmt_net,
+ dest_net => $mgmt_net,
 }
 class { 'sal':
 plumgrid_ip => $controller_ipaddresses,
 virtual_ip => $plumgrid_vip,
 md_ip => $md_ip,
-}
-
-class { plumgrid::firewall:
 source_net => $mgmt_net,
- dest_net => $mgmt_net,
 }
 # Setup Neutron PLUMgrid Configurations
diff --git a/deployment_scripts/puppet/manifests/edge.pp b/deployment_scripts/puppet/manifests/edge.pp
index bf47466..d4c5b54 100644
--- a/deployment_scripts/puppet/manifests/edge.pp
+++ b/deployment_scripts/puppet/manifests/edge.pp
@@ -40,11 +40,8 @@ class { 'plumgrid':
 fabric_dev => $fabric_dev,
 lvm_keypath => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
 md_ip => $md_ip,
-}
-
-class { plumgrid::firewall:
- source_net=> $mgmt_net,
- dest_net=> $mgmt_net,
+ source_net => $mgmt_net,
+ dest_net => $mgmt_net,
 }
 package { 'nova-api':
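Review bot: After this hunk edge nodes no longer get the VRRP/keepalived accept rules that the removed `plumgrid::firewall` declaration used to install (the deleted firewall.pp further down created `'040 allow vrrp'` and `'040 keepalived'` next to the two plumgrid rules); those rules now live only in class `sal`, which edge.pp does not declare in the visible lines. If edge nodes do not run keepalived this is a welcome tightening, but it is a behaviour change the commit message does not mention, so it should be confirmed and stated there; the gateway.pp hunk has the same effect. The `class { 'plumgrid':` declaration this hunk edits begins before the hunk.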
diff --git a/deployment_scripts/puppet/manifests/gateway.pp b/deployment_scripts/puppet/manifests/gateway.pp
index b36788c..b7abd73 100644
--- a/deployment_scripts/puppet/manifests/gateway.pp
+++ b/deployment_scripts/puppet/manifests/gateway.pp
@@ -36,11 +36,8 @@ class { 'plumgrid':
 gateway_devs => split($plumgrid_gw_devs, ','),
 lvm_keypath => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
 md_ip => $md_ip,
-}
-
-class { plumgrid::firewall:
- source_net => $mgmt_net,
- dest_net => $mgmt_net,
+ source_net => $mgmt_net,
+ dest_net => $mgmt_net,
 }
 package { 'iptables-persistent':
diff --git a/deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp b/deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp
deleted file mode 100644
index 3565fea..0000000
--- a/deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# Copyright (c) 2016, PLUMgrid Inc, http://plumgrid.com
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-class plumgrid::firewall (
- $source_net = undef,
- $dest_net = undef,
-) {
-
- if $source_net != undef {
- firewall { '001 plumgrid udp':
- proto => 'udp',
- action => 'accept',
- state => ['NEW'],
- destination => $dest_net,
- source => $source_net,
- before => Class['plumgrid'],
- }
- firewall { '001 plumgrid rpc':
- proto => 'tcp',
- action => 'accept',
- state => ['NEW'],
- destination => $dest_net,
- source => $source_net,
- before => Class['plumgrid'],
- }
- firewall { '040 allow vrrp':
- proto => 'vrrp',
- action => 'accept',
- before => Class['plumgrid'],
- }
- firewall { '040 keepalived':
- proto => 'all',
- action => 'accept',
- destination => '224.0.0.18/32',
- source => $source_net,
- before => Class['plumgrid'],
- }
- }
-}
diff --git a/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp b/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp
index 6bfa377..1069223 100644
--- a/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp
@@ -31,6 +31,8 @@ class plumgrid (
 $repo_baseurl = '',
 $repo_component = '',
 $physical_location = '',
+ $source_net = undef,
+ $dest_net = undef,
 ) inherits plumgrid::params {
 Exec { path => [ '/bin', '/sbin' , '/usr/bin', '/usr/sbin', '/usr/local/bin', ] }
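Review bot: The two new parameters `$source_net` and `$dest_net` are undocumented, and their defaults interact in a way callers need to know: the firewall rules added later in this file are created only when `$source_net` is set, while an unset `$dest_net` appears to leave the rule's destination unrestricted. I would add above them `# $source_net / $dest_net: iptables source/destination spec (e.g. a CIDR) for the accept rules created below; rules are only created when $source_net is set — TODO confirm an unset $dest_net means "any destination"`. The `class plumgrid (` parameter list begins before this hunk.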
@@ -106,6 +108,25 @@ class plumgrid (
 notify => Service['plumgrid'],
 }
+ if $source_net != undef {
+ firewall { '001 plumgrid udp':
+ proto => 'udp',
+ action => 'accept',
+ state => ['NEW'],
+ destination => $dest_net,
+ source => $source_net,
+ before => Service['plumgrid'],
+ }
+ firewall { '001 plumgrid rpc':
+ proto => 'tcp',
+ action => 'accept',
+ state => ['NEW'],
+ destination => $dest_net,
+ source => $source_net,
+ before => Service['plumgrid'],
+ }
+ }
+
 service { 'plumgrid':
 ensure => running,
 enable => true,
diff --git a/deployment_scripts/puppet/modules/sal/manifests/init.pp b/deployment_scripts/puppet/modules/sal/manifests/init.pp
index 7e1e5fc..27bc78f 100644
--- a/deployment_scripts/puppet/modules/sal/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/sal/manifests/init.pp
@@ -17,6 +17,7 @@ class sal ($plumgrid_ip = '',
 $virtual_ip = '',
 $rest_port = '9180',
 $mgmt_dev = '%AUTO_DEV%',
+ $source_net = undef,
 $md_ip = '127.0.0.1',
 ) {
 $lxc_root_path = '/var/lib/libvirt/filesystems/plumgrid'
@@ -30,6 +31,21 @@ class sal ($plumgrid_ip = '',
 before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
 }
+ if $source_net != undef {
+ firewall { '040 allow vrrp':
+ proto => 'vrrp',
+ action => 'accept',
+ before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
+ }
+ firewall { '040 keepalived':
+ proto => 'all',
+ action => 'accept',
+ destination => '224.0.0.18/32',
+ source => $source_net,
+ before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
+ }
+ }
+
 class { 'sal::nginx':
 plumgrid_ip => $plumgrid_ip,
 md_ip => $md_ip,
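Review bot: The `'001 plumgrid udp'` and `'001 plumgrid rpc'` rules carry no `dport`, so every UDP and TCP port on the node is opened to `$source_net`; director.pp, edge.pp and gateway.pp all pass the management network for both `source_net` and `dest_net`, which reduces the host firewall to a source-network filter rather than a per-service allow-list. The ports PLUMgrid actually listens on are not visible in this patch, but each rule should be narrowed with `dport => [...]` to that list, split into separate rules if the TCP and UDP port sets differ. Note also that the guard tests only `$source_net`, so a caller that sets it without `$dest_net` presumably gets rules with no destination match at all. The `class plumgrid` body continues outside this hunk.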
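Review bot: `'040 allow vrrp'` has no `source` (nor `destination`), so VRRP advertisements are accepted from any address, even though the sibling `'040 keepalived'` rule limits itself to `$source_net`; a host outside the management network that can reach this node could send higher-priority advertisements and claim `$virtual_ip`, since VRRP authentication is weak or absent. Add `source => $source_net,` to the vrrp rule (and `destination => '224.0.0.18/32',` if only multicast is intended); with that in place the `proto => 'all'` keepalived rule is largely redundant and could be dropped or narrowed to `proto => 'vrrp'`. Class `sal` continues past the end of this hunk.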