Add support for resolving hostnames in rules

This allows us to specify rules with hostnames, but have puppet
resolve those to IP addresses before writing out the iptables
config. This ensures that iptables will always be able to start,
and keeps firewalls up to date as hosts change.

Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
James E. Blair 2017-12-14 11:08:35 -08:00
parent e69236f2e6
commit 8f2af6849c
4 changed files with 20 additions and 1 deletions


@ -9,6 +9,12 @@
# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
# public_tcp_ports: List of integer TCP ports on which to allow all traffic
# public_udp_ports: List of integer UDP ports on which to allow all traffic
# allowed_hosts: An array of hashes in the form:
# hostname => str
# port => int
# protocol => 'udp' or 'tcp'
# All entries in allowed_hosts will be resolved to ip addresses and added as
# additional ACCEPT rules
class iptables(
$rules4 = [],
$rules6 = [],
@ -16,6 +22,7 @@ class iptables(
$public_udp_ports = [],
$snmp_v4hosts = [],
$snmp_v6hosts = [],
$allowed_hosts = [],
) {
include ::iptables::params
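Review bot: The new `$allowed_hosts` parameter is accepted without any check on the shape of its entries, yet `hostname`, `port` and `protocol` are interpolated straight into iptables rules by the templates (`-m <%= host['protocol'] %> -p ... --dport <%= host['port'] %>`), so a typo such as `protocol => 'TCP'` or a missing key yields a malformed rule and defeats the commit's stated goal of iptables always being able to start. I would validate the entries in the class body right after the parameter list, e.g. `$allowed_hosts.each |$h| { if !($h['protocol'] in ['tcp', 'udp']) { fail("iptables::allowed_hosts: protocol must be 'tcp' or 'udp'") } }`, and check that `port` is an integer in the same loop; this assumes a Puppet version with the iteration functions, which the templates' use of `scope.call_function` suggests. The class body continues outside the hunk, so a check may already exist further down that this view does not show.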


@ -7,5 +7,7 @@
"source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
"project_page": "http://docs.openstack.org/infra/system-config/",
"issues_url": "https://storyboard.openstack.org/#!/project/770",
"dependencies": []
"dependencies": [
{"name":"dalen/dnsquery","version_requirement":"2.0.1"}
]
}


@ -26,5 +26,10 @@
<% @rules4.each do |rule| -%>
-A openstack-INPUT <%= rule %>
<% end -%>
<% @allowed_hosts.each do |host| -%>
<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%>
-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
<% end -%>
<% end -%>
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
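Review bot: The address list returned by `dns_a` on the `scope.call_function` line is iterated without any check, so if the function returns an empty array for a name that does not resolve or has no A record (rather than raising — I cannot tell from here which it does), that host silently gets no ACCEPT rule and is locked out with nothing in the catalog or the agent log to say why. I would capture the list and warn when it is empty: `<% addrs = scope.call_function('dns_a', [host['hostname']]) -%>`, `<% scope.call_function('warning', ["iptables: no A record for #{host['hostname']}, no rule written"]) if addrs.empty? -%>`, then `<% addrs.each do |addr| -%>`. The same applies to the `dns_aaaa` loop in the IPv6 template below. A short ERB comment above the loop would also help: resolution happens at catalog compile time, so the allow-list only changes when a catalog is compiled and is only as trustworthy as the compiling host's DNS resolver.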


@ -25,5 +25,10 @@
<% @rules6.each do |rule| -%>
-A openstack-INPUT <%= rule %>
<% end -%>
<% @allowed_hosts.each do |host| -%>
<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
<% end -%>
<% end -%>
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT