diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index dade81e..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-Gemfile.lock
-.bundled_gems/
diff --git a/Gemfile b/Gemfile
deleted file mode 100644
index 019213a..0000000
--- a/Gemfile
+++ /dev/null
@@ -1,15 +0,0 @@
-source 'https://rubygems.org'
-
-if File.exists?('/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper')
- gem_checkout_method = {:path => '/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
-else
- gem_checkout_method = {:git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
-end
-gem_checkout_method[:require] = false
-
-group :development, :test, :system_tests do
- gem 'puppet-openstack_infra_spec_helper',
- gem_checkout_method
-end
-
-# vim:ft=ruby
diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index d645695..0000000
--- a/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/README.md b/README.md
deleted file mode 100644
index 48e8825..0000000
--- a/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# OpenStack IPTables Module
-
-This module installs and configures IPTables
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..6d51937
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,7 @@
+
+This Repo is Retired
+====================
+
+It is no longer maintained. If you are still using it,
+you should pin your use to the commit before this one
+and then start working on moving off of it.
diff --git a/Rakefile b/Rakefile
deleted file mode 100644
index 7f22329..0000000
--- a/Rakefile
+++ /dev/null
@@ -1,8 +0,0 @@
-require 'rubygems'
-require 'puppetlabs_spec_helper/rake_tasks'
-require 'puppet-lint/tasks/puppet-lint'
-PuppetLint.configuration.fail_on_warnings = true
-PuppetLint.configuration.send('disable_80chars')
-PuppetLint.configuration.send('disable_autoloader_layout')
-PuppetLint.configuration.send('disable_class_inherits_from_params_class')
-PuppetLint.configuration.send('disable_class_parameter_defaults')
\ No newline at end of file
diff --git a/bindep.txt b/bindep.txt
deleted file mode 100644
index 7cdd58e..0000000
--- a/bindep.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# This is a cross-platform list tracking distribution packages needed by tests;
-# see http://docs.openstack.org/infra/bindep/ for additional information.
-
-libxml2-devel [test platform:rpm]
-libxml2-dev [test platform:dpkg]
-libxslt-devel [test platform:rpm]
-libxslt1-dev [test platform:dpkg]
-ruby-devel [test platform:rpm]
-ruby-dev [test platform:dpkg]
-zlib1g-dev [test platform:dpkg]
-zlib-devel [test platform:rpm]
diff --git a/manifests/init.pp b/manifests/init.pp
deleted file mode 100644
index e264384..0000000
--- a/manifests/init.pp
+++ /dev/null
@@ -1,158 +0,0 @@
-# Class: iptables
-#
-# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
-#
-# params:
-# rules4: A list of additional iptables v4 rules
-# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
-# rules6: A list of additional iptables v6 rules
-# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
-# public_tcp_ports: List of integer TCP ports on which to allow all traffic
-# public_udp_ports: List of integer UDP ports on which to allow all traffic
-# allowed_hosts: An array of hashes in the form:
-# hostname => str
-# port => int
-# protocol => 'udp' or 'tcp'
-# All entries in allowed_hosts will be resolved to ip addresses and added as
-# additional ACCEPT rules
-class iptables(
- $rules4 = [],
- $rules6 = [],
- $public_tcp_ports = [],
- $public_udp_ports = [],
- $snmp_v4hosts = [],
- $snmp_v6hosts = [],
- $allowed_hosts = [],
-) {
-
- include ::iptables::params
-
- # This is to work-around rhbz#1327786 ; the iptables-service package
- # incorrectly "provides" an old iptables version and confuses rpm,
- # making it uninstallable (this was apparently done as part of a
- # package-split). Pre-installing the iptables instead of leaving it
- # up to the dependency resolver works-around this.
- # 2016-12-20 : fixed in iptables-1.6.0-3.fc26 so we can remove this
- # when we've moved past F25
- if $::operatingsystem == 'Fedora' {
- package { 'iptables-actual':
- ensure => present,
- name => 'iptables',
- before => Package['iptables']
- }
- }
-
- package { 'iptables':
- ensure => present,
- name => $::iptables::params::package_name,
- }
-
- if ($::in_chroot) {
- notify { 'iptables in chroot':
- message => 'Iptables not refreshed, running in chroot',
- }
- $notify_iptables = []
- $notify_ip6tables = []
- }
- else {
- # On centos 7 firewalld and iptables-service confuse each other and you
- # end up with no firewall rules at all. Disable firewalld so that
- # iptables-service can be in charge.
- if ($::osfamily == 'RedHat') {
- $notify_iptables = Service['iptables']
- $notify_ip6tables = Service['ip6tables']
-
- if ($::operatingsystemmajrelease >= '7') {
- exec { 'stop-firewalld-if-running':
- command => '/usr/bin/systemctl stop firewalld',
- onlyif => '/usr/bin/pgrep firewalld',
- }
- package { 'firewalld':
- ensure => absent,
- require => Exec['stop-firewalld-if-running'],
- before => Package['iptables'],
- }
- }
- } else {
- $notify_iptables = Service['iptables']
- $notify_ip6tables = Service['iptables']
- }
- }
-
- service { 'iptables':
- ensure => running,
- name => $::iptables::params::service_name,
- require => Package['iptables'],
- hasstatus => $::iptables::params::service_has_status,
- status => $::iptables::params::service_status_cmd,
- hasrestart => $::iptables::params::service_has_restart,
- enable => true,
- }
-
- if ($::osfamily == 'RedHat') {
- # NOTE(pabelanger): Centos-7 has a dedicated service for ip6tables. Aside
- # from the different service name, we keep the same settings as iptables.
- service { 'ip6tables':
- ensure => running,
- name => $::iptables::params::service6_name,
- require => Package['iptables'],
- hasstatus => $::iptables::params::service_has_status,
- status => $::iptables::params::service_status_cmd,
- hasrestart => $::iptables::params::service_has_restart,
- enable => true,
- subscribe => File["${::iptables::params::rules_dir}/rules"],
- }
- }
-
- file { $::iptables::params::rules_dir:
- ensure => directory,
- require => Package['iptables'],
- }
-
- # This file is not required on Red Hat distros... but it
- # won't hurt to softlink to it either
- file { "${::iptables::params::rules_dir}/rules":
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => template('iptables/rules.erb'),
- require => [
- Package['iptables'],
- File[$::iptables::params::rules_dir],
- ],
- # When this file is updated, make sure the rules get reloaded.
- notify => $notify_iptables,
- }
-
- if $::osfamily == 'redhat' {
- $seltype = 'etc_t'
- } else {
- $seltype = undef
- }
-
- file { $::iptables::params::ipv4_rules:
- ensure => link,
- owner => 'root',
- group => 'root',
- seltype => $seltype,
- target => "${::iptables::params::rules_dir}/rules",
- require => File["${::iptables::params::rules_dir}/rules"],
- notify => $notify_iptables,
- }
-
- file { $::iptables::params::ipv6_rules:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => template('iptables/rules.v6.erb'),
- require => [
- Package['iptables'],
- File[$::iptables::params::rules_dir],
- ],
- # When this file is updated, make sure the rules get reloaded.
- notify => $notify_ip6tables,
- replace => true,
- }
-}
diff --git a/manifests/params.pp b/manifests/params.pp
deleted file mode 100644
index 7f2c653..0000000
--- a/manifests/params.pp
+++ /dev/null
@@ -1,68 +0,0 @@
-# Class: iptables::params
-#
-# This class holds parameters that need to be
-# accessed by other classes.
-class iptables::params {
- case $::osfamily {
- 'RedHat': {
- case $::operatingsystem {
- 'Fedora': {
- $package_name = 'iptables-services'
- $service_has_restart = true
- }
- 'RedHat','CentOS','Scientific': {
- case $::operatingsystemrelease {
- /^7/: {
- $package_name = 'iptables-services'
- $service_has_restart = true
- }
- /^6/: {
- $package_name = 'iptables'
- $service_has_restart = false
- }
- default: {
- fail("Unsupported operatingsystemrelease: ${::operatingsystemrelease} The 'iptables' module recognize only 6, 7 as RedHat major versions.")
- }
- }
- }
- default: {
- fail("Unsupported operatingsystem: ${::operatingsystem} The 'iptables' module with RedHat osfamily.")
- }
- }
- $service_name = 'iptables'
- $servicev6_name = 'ip6tables'
- $rules_dir = '/etc/sysconfig'
- $ipv4_rules = '/etc/sysconfig/iptables'
- $ipv6_rules = '/etc/sysconfig/ip6tables'
- $service_has_status = true
- $service_status_cmd = undef
- }
- 'Debian': {
- $package_name = 'iptables-persistent'
- case $::operatingsystemrelease {
- /^(12|14)\.(04|10)$/: {
- $service_name = 'iptables-persistent'
- }
- default: {
- $service_name = 'netfilter-persistent'
- }
- }
- $rules_dir = '/etc/iptables'
- $ipv4_rules = '/etc/iptables/rules.v4'
- $ipv6_rules = '/etc/iptables/rules.v6'
- # Because there is no running process for this service, the normal status
- # checks fail. Because puppet then thinks the service has been manually
- # stopped, it won't restart it. This fake status command will trick
- # puppet into thinking the service is *always* running (which in a way
- # it is, as iptables is part of the kernel.)
- $service_has_status = true
- $service_status_cmd = true
- # Under Debian, the "restart" parameter does not reload the rules, so
- # tell Puppet to fall back to stop/start, which does work.
- $service_has_restart = false
- }
- default: {
- fail("Unsupported osfamily: ${::osfamily} The 'iptables' module only supports osfamily Debian or RedHat (slaves only).")
- }
- }
-}
diff --git a/metadata.json b/metadata.json
deleted file mode 100644
index efcec83..0000000
--- a/metadata.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "name": "openstackinfra-iptables",
- "version": "0.0.1",
- "author": "Openstack CI",
- "summary": "Puppet module for IPTables",
- "license": "Apache 2.0",
- "source": "https://git.openstack.org/openstack-infra/puppet-iptables.git",
- "project_page": "http://docs.openstack.org/infra/system-config/",
- "issues_url": "https://storyboard.openstack.org/#!/project/770",
- "dependencies": [
- {"name":"dalen/dnsquery","version_requirement":"2.0.1"}
- ]
-}
diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml
deleted file mode 100644
index 3bb3e62..0000000
--- a/spec/acceptance/nodesets/default.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-HOSTS:
- ubuntu-server-1404-x64:
- roles:
- - master
- platform: ubuntu-14.04-amd64
- box: puppetlabs/ubuntu-14.04-64-nocm
- box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
- hypervisor: vagrant
-CONFIG:
- log_level: debug
- type: git
diff --git a/spec/acceptance/nodesets/nodepool-centos7.yml b/spec/acceptance/nodesets/nodepool-centos7.yml
deleted file mode 100644
index c552874..0000000
--- a/spec/acceptance/nodesets/nodepool-centos7.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-HOSTS:
- centos-70-x64:
- roles:
- - master
- platform: el-7-x86_64
- hypervisor: none
- ip: 127.0.0.1
-CONFIG:
- type: foss
- set_env: false
diff --git a/spec/acceptance/nodesets/nodepool-trusty.yml b/spec/acceptance/nodesets/nodepool-trusty.yml
deleted file mode 100644
index 9fc624e..0000000
--- a/spec/acceptance/nodesets/nodepool-trusty.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-HOSTS:
- ubuntu-14.04-amd64:
- roles:
- - master
- platform: ubuntu-14.04-amd64
- hypervisor: none
- ip: 127.0.0.1
-CONFIG:
- type: foss
- set_env: false
diff --git a/spec/acceptance/nodesets/nodepool-xenial.yml b/spec/acceptance/nodesets/nodepool-xenial.yml
deleted file mode 100644
index 99dd318..0000000
--- a/spec/acceptance/nodesets/nodepool-xenial.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-HOSTS:
- ubuntu-16.04-amd64:
- roles:
- - master
- platform: ubuntu-16.04-amd64
- hypervisor: none
- ip: 127.0.0.1
-CONFIG:
- type: foss
- set_env: false
diff --git a/templates/rules.erb b/templates/rules.erb
deleted file mode 100644
index 1056b9f..0000000
--- a/templates/rules.erb
+++ /dev/null
@@ -1,35 +0,0 @@ -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:openstack-INPUT - [0:0] --A INPUT -j openstack-INPUT --A openstack-INPUT -i lo -j ACCEPT --A openstack-INPUT -p icmp --icmp-type any -j ACCEPT -#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT --A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -# SSH from anywhere --A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -# SNMP -<% @snmp_v4hosts.each do |host| -%> --A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT -<% end -%> -# Public TCP ports -<% @public_tcp_ports.each do |port| -%> --A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT -<% end -%> -# Public UDP ports -<% @public_udp_ports.each do |port| -%> --A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT -<% end -%> -# Per-host rules -<% @rules4.each do |rule| -%> --A openstack-INPUT <%= rule %> -<% end -%> -<% @allowed_hosts.each do |host| -%> -<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%> --A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT -<% end -%> -<% end -%> --A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited -COMMIT diff --git a/templates/rules.v6.erb b/templates/rules.v6.erb deleted file mode 100644 index 3ae8b95..0000000 --- a/templates/rules.v6.erb +++ /dev/null 
@@ -1,37 +0,0 @@ -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:openstack-INPUT - [0:0] --A INPUT -j openstack-INPUT --A openstack-INPUT -i lo -j ACCEPT --A openstack-INPUT -p icmpv6 -j ACCEPT --A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -# SSH from anywhere --A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -# SNMP -<% @snmp_v6hosts.each do |host| -%> --A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT -<% end -%> -# Public TCP ports -<% @public_tcp_ports.each do |port| -%> --A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT -<% end -%> -# Public UDP ports -<% @public_udp_ports.each do |port| -%> --A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT -<% end -%> -# Per-host rules -<% @rules6.each do |rule| -%> --A openstack-INPUT <%= rule %> -<% end -%> -<% begin -%> -<% @allowed_hosts.each do |host| -%> -<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%> --A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT -<% end -%> -<% end -%> -<% rescue Resolv::ResolvError -%> -<% end -%> --A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited -COMMIT