Make iptables additional rules a list.

A list of iptables commands that come after the "-A OPENSTACK-INPUT"
bit.

Change-Id: Iee595d9267738365c208f8ecb6f0fd4941b357e3
Reviewed-on: https://review.openstack.org/17172
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins

manifests/init.pp

@@ -2,8 +2,16 @@
 #
 # http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
 #
+# params:
+#   rules4: A list of additional iptables v4 rules
+#          eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
+#   rules6: A list of additional iptables v6 rules
+#          eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
+#   public_tcp_ports: List of integer TCP ports on which to allow all traffic
+#   public_udp_ports: List of integer UDP ports on which to allow all traffic
 class iptables(
-  $rules = '',
+  $rules4 = [],
+  $rules6 = [],
   $public_tcp_ports = [],
   $public_udp_ports = []
 ) {

templates/rules.erb

@@ -23,6 +23,8 @@
 -A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
 <% end -%>
 # Per-host rules
-<%= rules %>
+<% rules4.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT

templates/rules.v6.erb

@@ -21,6 +21,8 @@
 -A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
 <% end -%>
 # Per-host rules
-<%= rules %>
+<% rules6.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT