Use iptables for openSUSE

In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor of firewalld[1]. This commit updates the iptables persistance tasks to avoid using SuSEfirewall2 and instead use rc.local to restore saved rules upon restart, and undefines the iptables_service variable for SUSE since there is no service to restart any more. See the related change for image builds[2]. [1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html [2] https://review.opendev.org/683236 Change-Id: I0f8d74dd00df192c20b96a9368b964839c306171
2019-09-27 14:21:46 -07:00 · 2019-09-27 14:21:46 -07:00 · 18285584f1
commit 18285584f1
parent 01f6c26e29
3 changed files with 17 additions and 23 deletions
--- a/roles/persistent-firewall/tasks/persist/Suse.yaml
+++ b/roles/persistent-firewall/tasks/persist/Suse.yaml
@ -10,27 +10,11 @@
    content: "{{ ip6tables_rules.stdout }}"
    dest: "/etc/sysconfig/ip6tables"

- name: Set up SuSEfirewall2 custom rules to be loaded
-  become: yes
-  replace:
-    path: /etc/sysconfig/SuSEfirewall2
-    regexp: '^FW_CUSTOMRULES=.*$'
-    replace: 'FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'
-
- name: Configure SuSEfirewall2 to restore saved rules on restart
+- name: Configure rc.local to restore saved rules on restart
  become: yes
  blockinfile:
-    path: /etc/sysconfig/scripts/SuSEfirewall2-custom
-    insertafter: EOF
+    path: /etc/init.d/boot.local
+    insertbefore: "exit 0"
    content: |
-      fw_custom_after_finished() {
-          /usr/sbin/iptables-restore /etc/sysconfig/iptables
-          /usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables
-      }
-
- name: Ensure SuSEfirewall2 is started
-  become: yes
-  service:
-    name: SuSEfirewall2
-    state: started
-    enabled: yes
+      iptables-restore /etc/sysconfig/iptables
+      ip6tables-restore /etc/sysconfig/ip6tables
--- a/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
+++ b/test-playbooks/multinode/multinode_firewall_persistence_vars/Suse.yaml
@ -1,2 +0,0 @@
-iptables_service:
-  - SuSEfirewall2
--- a/test-playbooks/multinode/persistent-firewall.yaml
+++ b/test-playbooks/multinode/persistent-firewall.yaml
@ -34,6 +34,18 @@
      when: iptables_service is defined
      with_items: "{{ iptables_service }}"

+    # If there is no iptables service (ie on opensuse), run the rc file to apply the rules
+    - name: Check for boot.local
+      stat:
+        path: /etc/init.d/boot.local
+      register: boot_local_file
+      when: ansible_os_family == "Suse"
+
+    - name: Restore iptables
+      become: yes
+      command: "/etc/init.d/boot.local"
+      when: ansible_os_family == "Suse" and iptables_service is not defined and boot_local_file.stat.exists == True
+
    - name: switch and peer nodes should be in the ipv4 firewall
      become: yes
      command: iptables-save