From 8f2af6849cf987e36e9a594024eb3470f801db4d Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Thu, 14 Dec 2017 11:08:35 -0800
Subject: [PATCH] Add support for resolving hostnames in rules

This allows us to specify rules with hostnames, but have puppet resolve those to IP addresses before writing out the iptables config. This ensures that iptables will always be able to start, as well as keeping firewalls up to date as hosts change.

Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
---
 manifests/init.pp | 7 +++++++
 metadata.json | 4 +++-
 templates/rules.erb | 5 +++++
 templates/rules.v6.erb | 5 +++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index c3fbf88..d6bab5c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -9,6 +9,12 @@
 # eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
 # public_tcp_ports: List of integer TCP ports on which to allow all traffic
 # public_udp_ports: List of integer UDP ports on which to allow all traffic
+# allowed_hosts: An array of hashes in the form:
+# hostname => str
+# port => int
+# protocol => 'udp' or 'tcp'
+# All entries in allowed_hosts will be resolved to ip addresses and added as
+# additional ACCEPT rules
 class iptables(
 $rules4 = [],
 $rules6 = [],
@@ -16,6 +22,7 @@ class iptables(
 $public_udp_ports = [],
 $snmp_v4hosts = [],
 $snmp_v6hosts = [],
+ $allowed_hosts = [],
 ) {
 include ::iptables::params
diff --git a/metadata.json b/metadata.json
index ef93b9e..a8c4a64 100644
--- a/metadata.json
+++ b/metadata.json
@@ -7,5 +7,7 @@
 "source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
 "project_page": "http://docs.openstack.org/infra/system-config/",
 "issues_url": "https://storyboard.openstack.org/#!/project/770",
- "dependencies": []
+ "dependencies": [
+ {"name":"dalen/dnsquery","version_requirement":"2.0.1"}
+ ]
 }
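Review bot: The new `allowed_hosts` comment says nothing about when the lookup happens or what a name with no address does, and both matter for a firewall parameter. The resolution runs inside the ERB templates (`scope.call_function('dns_a', …)` in templates/rules.erb, `dns_aaaa` in rules.v6.erb), i.e. at catalog compile time, so a rule is refreshed only on each Puppet run, and an entry whose lookup returns an empty list (worth confirming against dalen/dnsquery whether it returns `[]` or raises on a failed lookup) silently emits no rule for that address family. It also moves the DNS answers seen by the compiling node inside the firewall's trust boundary: a wrong or spoofed record opens the port to whatever address it names, so these names should come from a zone the operators control, resolved through a validating resolver where possible. I would extend the comment with: `# Names are resolved at catalog compile time (A records for v4, AAAA for v6); a name with no record in a family produces no rule in that family's table, and the resulting rule is only as trustworthy as the DNS answer the compiling node received.`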
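Review bot: `$allowed_hosts = []` is accepted without any shape check, while the templates splice `host['protocol']` and `host['port']` straight into the rule text; a protocol other than tcp/udp or a non-numeric port yields a line iptables rejects when the rules file is loaded, and the whole ruleset then fails to load — the failure mode the commit message sets out to avoid. If the module targets Puppet 4 or later, typing the parameter is the cheapest fix: `Array[Struct[{hostname => String, port => Integer, protocol => Enum['tcp', 'udp']}]] $allowed_hosts = [],`; on Puppet 3 the same check can be done in the class body with stdlib's `validate_re` over each entry's protocol and port. The body of `class iptables` continues past this hunk, so where such a body check would sit is not visible here.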
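Review bot: `"version_requirement":"2.0.1"` pins dalen/dnsquery to one exact release, so this module will conflict with any other module in the same environment that needs a different dnsquery version, and every dnsquery bugfix release needs a change here before it can be picked up. Forge metadata normally expresses a bounded range; `">= 2.0.1 < 3.0.0"` keeps the floor this change was tested against while admitting compatible releases. If the exact pin is deliberate (for instance to keep the compiling environment reproducible), a one-line README note saying so would save the next maintainer from "fixing" it.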
diff --git a/templates/rules.erb b/templates/rules.erb
index e427df9..1056b9f 100644
--- a/templates/rules.erb
+++ b/templates/rules.erb
@@ -26,5 +26,10 @@
 <% @rules4.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
diff --git a/templates/rules.v6.erb b/templates/rules.v6.erb
index d54a1f3..e6f195e 100644
--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
@@ -25,5 +25,10 @@
 <% @rules6.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT
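Review bot: The inner loop on the `scope.call_function('dns_a', …)` line hides a failed lookup: if the function hands back an empty list (whether dalen/dnsquery returns `[]` or raises on NXDOMAIN and timeouts is worth confirming) the host simply gets no ACCEPT rule and the catalog applies cleanly, so the lockout is only discovered when that host's traffic is dropped. Splitting the call from the loop lets the template log it at compile time: `<% addrs = scope.call_function('dns_a', [host['hostname']]) -%>`, `<% scope.call_function('warning', ["iptables: no A record for #{host['hostname']}; no v4 rule emitted"]) if addrs.empty? -%>`, `<% addrs.each do |addr| -%>`. The same applies to the `dns_aaaa` loop in templates/rules.v6.erb, where a name with only A records will also produce nothing and a warning would at least distinguish that from a typo.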