Adds Firewall rules for neutron access.

Allows connection to the neutron api service only for: CONFIG_NEUTRON_SERVER_HOST CONFIG_NEUTRON_L3_HOSTS CONFIG_NEUTRON_DHCP_HOSTS CONFIG_NEUTRON_METADATA_HOSTS CONFIG_NOVA_COMPUTE_HOSTS This patch is for neutron only, rules for the other services are being developed since the bug addresses the entire openstack installation. Fixes (partially): rhbz#1002063 Change-Id: I1e850ed9f205567a05e8115d1ce9c3644cd705a9
2013-09-21 19:12:47 -06:00
parent 6b19e22919
commit 750dd0019f
2 changed files with 6 additions and 5 deletions
--- a/packstack/plugins/neutron_350.py
+++ b/packstack/plugins/neutron_350.py
@@ -377,6 +377,12 @@ def createManifest(config):
        elif controller.CONF['CONFIG_NEUTRON_L2_PLUGIN'] == 'linuxbridge':
            manifest_data = getManifestTemplate("neutron_lb_plugin.pp")
            appendManifestFile(manifest_file, manifest_data, 'neutron')
+    # Firewall Rules
+    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in q_hosts])
+    config['FIREWALL_SERVICE_NAME'] = "neutron"
+    config['FIREWALL_PORTS'] = "'9696'"
+    manifest_data = getManifestTemplate("firewall.pp")
+    appendManifestFile(manifest_file, manifest_data, 'neutron')

 def createKeystoneManifest(config):
    manifestfile = "%s_keystone.pp"%controller.CONF['CONFIG_KEYSTONE_HOST']
--- a/packstack/puppet/templates/neutron_api.pp
+++ b/packstack/puppet/templates/neutron_api.pp
@@ -4,8 +4,3 @@ class { 'neutron::server':
  enabled => true,
 }

-firewall { '001 neutron incoming':
-    proto    => 'tcp',
-    dport    => ['9696'],
-    action   => 'accept',
-}