From 750dd0019fe65e22f72d20b537f9cee9c2f000ea Mon Sep 17 00:00:00 2001
From: Ivan Chavero
Date: Sat, 21 Sep 2013 19:12:47 -0600
Subject: [PATCH] Adds Firewall rules for neutron access. Allows connection to the neutron api service only for: CONFIG_NEUTRON_SERVER_HOST CONFIG_NEUTRON_L3_HOSTS CONFIG_NEUTRON_DHCP_HOSTS CONFIG_NEUTRON_METADATA_HOSTS CONFIG_NOVA_COMPUTE_HOSTS This patch is for neutron only, rules for the other services are being developed since the bug addresses the entire openstack installation.
Fixes (partially): rhbz#1002063
Change-Id: I1e850ed9f205567a05e8115d1ce9c3644cd705a9
---
 packstack/plugins/neutron_350.py | 6 ++++++
 packstack/puppet/templates/neutron_api.pp | 5 -----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/packstack/plugins/neutron_350.py b/packstack/plugins/neutron_350.py
index f13fa9d78..e1e292c6b 100644
--- a/packstack/plugins/neutron_350.py
+++ b/packstack/plugins/neutron_350.py
@@ -377,6 +377,12 @@ def createManifest(config):
 elif controller.CONF['CONFIG_NEUTRON_L2_PLUGIN'] == 'linuxbridge':
 manifest_data = getManifestTemplate("neutron_lb_plugin.pp")
 appendManifestFile(manifest_file, manifest_data, 'neutron')
+ # Firewall Rules
+ config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in q_hosts])
+ config['FIREWALL_SERVICE_NAME'] = "neutron"
+ config['FIREWALL_PORTS'] = "'9696'"
+ manifest_data = getManifestTemplate("firewall.pp")
+ appendManifestFile(manifest_file, manifest_data, 'neutron')
 def createKeystoneManifest(config):
 manifestfile = "%s_keystone.pp"%controller.CONF['CONFIG_KEYSTONE_HOST']
diff --git a/packstack/puppet/templates/neutron_api.pp b/packstack/puppet/templates/neutron_api.pp
index e3728b01e..57f7be98b 100644
--- a/packstack/puppet/templates/neutron_api.pp
+++ b/packstack/puppet/templates/neutron_api.pp
@@ -4,8 +4,3 @@ class { 'neutron::server':
 enabled => true,
 }
-firewall { '001 neutron incoming':
- proto => 'tcp',
- dport => ['9696'],
- action => 'accept',
-}
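Review bot: The `FIREWALL_ALLOWED` value in the added lines of `createManifest` wraps each entry of `q_hosts` in single quotes with `"'%s'" % i`, with no validation or escaping before it is rendered into `firewall.pp`. An entry containing a quote or whitespace would produce a broken or altered manifest, so I would check each entry as a hostname or IP address first, or at least state the assumption: `# q_hosts entries must be plain hostnames/IPs; they are quoted verbatim into firewall.pp`. Separately, `firewall.pp` is not part of this diff, so it is worth confirming that it (or the base ruleset) drops other sources on port 9696; accept rules for the listed hosts restrict nothing without a default deny, and the unconditional accept in `neutron_api.pp` is removed on that assumption. `createManifest` begins above the hunk, where `q_hosts` and `manifest_file` are set, and the leading indentation is lost here, so I cannot tell whether the new lines run once or per host.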