53 lines
1.1 KiB
Puppet
53 lines
1.1 KiB
Puppet
# Create firewall rules to allow only the FIREWALL_ALLOWED
|
|
# hosts that need to connect via FIREWALL_PORTS
|
|
# using FIREWALL_CHAIN
|
|
|
|
define packstack::firewall (
|
|
$host,
|
|
$service_name,
|
|
$chain = 'INPUT',
|
|
$ports = undef,
|
|
$proto = 'tcp'
|
|
) {
|
|
$ip_version = hiera('CONFIG_IP_VERSION')
|
|
|
|
$provider = $ip_version ? {
|
|
'ipv6' => 'ip6tables',
|
|
default => 'iptables',
|
|
# TO-DO(mmagr): Add IPv6 support when hostnames are used
|
|
}
|
|
|
|
$source = $host ? {
|
|
'ALL' => $ip_version ? {
|
|
'ipv6' => '::/0',
|
|
default => '0.0.0.0/0'
|
|
},
|
|
default => $host,
|
|
}
|
|
|
|
$heading = $chain ? {
|
|
'OUTPUT' => 'outgoing',
|
|
default => 'incoming',
|
|
}
|
|
|
|
if $ports == undef {
|
|
firewall { "001 ${service_name} ${heading} ${title}":
|
|
chain => $chain,
|
|
proto => $proto,
|
|
action => 'accept',
|
|
source => $source,
|
|
provider => $provider,
|
|
}
|
|
}
|
|
else {
|
|
firewall { "001 ${service_name} ${heading} ${title}":
|
|
chain => $chain,
|
|
proto => $proto,
|
|
dport => $ports,
|
|
action => 'accept',
|
|
source => $source,
|
|
provider => $provider,
|
|
}
|
|
}
|
|
}
|