Support side-loading iptables rules

This brings the concat module in to manage the iptables rules files
piecewise.

This creates three new defined types to allow side-loading of iptables
rules from other puppet code.

Change-Id: I2d425d7671ad672a372c19ac60ef6196e8942ce9

README.md

@@ -1,3 +1,38 @@
 # OpenStack IPTables Module
 
 This module installs and configures IPTables
+
+Works on RedHat and Debian systems.
+
+It has, for now, hardcoded openstack-infra addresses.
+
+The typical entry point to this module is through the openstack_project::server class
+
+class { 'openstack_project::server':
+  sysadmins => ['derp'],
+  iptables_public_tcp_ports => [4444, 2121],
+}
+
+
+It is also possible to 'side load' iptables rules. The defined types below apply both ipv4 and ipv6 rules. These defines can be applied multiple times.
+
+iptables::tcp_allow { 'allow port 80 conns':
+  port => 80,
+}
+
+iptables::tcp_allow { 'allow port 90 and 100 conns':
+  ports => [90, 100],
+}
+
+iptables::udp_allow { 'allow port 80 conns':
+  port => 80,
+}
+
+iptables::udp_allow { 'allow port 90 and 100 conns':
+  ports => [90, 100],
+}
+
+iptables::rules { 'Allow statsd':
+  rules4 => ['-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT'],
+  rules6 => ['-m udp -p udp -s ::1 --dport 8125 -j ACCEPT'],
+}

manifests/init.pp

@@ -42,18 +42,23 @@ class iptables(
   }
 
   file { $::iptables::params::rules_dir:
-    ensure     => directory,
-    require    => Package['iptables'],
+    ensure  => directory,
+    require => Package['iptables'],
   }
 
   # This file is not required on Red Hat distros... but it
   # won't hurt to softlink to it either
-  file { "${::iptables::params::rules_dir}/rules":
+  # build it up with concat
+  # 0xx Headers
+  # 1xx TCP
+  # 2xx UDP
+  # 3xx HOSTS
+  # 9xx Footers
+  concat { "${::iptables::params::rules_dir}/rules":
     ensure  => present,
     owner   => 'root',
     group   => 'root',
     mode    => '0640',
-    content => template('iptables/rules.erb'),
     require => [
       Package['iptables'],
       File[$::iptables::params::rules_dir],
@@ -62,6 +67,38 @@ class iptables(
     notify  => $notify_iptables,
   }
 
+
+  concat::fragment { 'iptables-4-header':
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_header.erb'),
+    order   => '01'
+  }
+
+  concat::fragment { 'iptables-4-tcp':
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_tcp.erb'),
+    order   => '100'
+  }
+
+  concat::fragment { 'iptables-4-udp':
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_udp.erb'),
+    order   => '200'
+  }
+
+  concat::fragment { 'iptables-4-raw':
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_raw.erb'),
+    order   => '300'
+  }
+
+  concat::fragment { 'iptables-4-footer':
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_footer.erb'),
+    order   => '999'
+  }
+
+
   file { $::iptables::params::ipv4_rules:
     ensure  => link,
     owner   => 'root',
@@ -72,18 +109,53 @@ class iptables(
     notify  => $notify_iptables,
   }
 
-  file { $::iptables::params::ipv6_rules:
+  # build it up with concat
+  # 0xx Headers
+  # 1xx TCP
+  # 2xx UDP
+  # 3xx HOSTS
+  # 9xx Footers
+  concat { $::iptables::params::ipv6_rules:
     ensure  => present,
     owner   => 'root',
     group   => 'root',
     mode    => '0640',
-    content => template('iptables/rules.v6.erb'),
     require => [
       Package['iptables'],
       File[$::iptables::params::rules_dir],
     ],
     # When this file is updated, make sure the rules get reloaded.
     notify  => $notify_iptables,
-    replace => true,
   }
+
+  concat::fragment { 'iptables-6-header':
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_header.erb'),
+    order   => '01'
+  }
+
+  concat::fragment { 'iptables-6-tcp':
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_tcp.erb'),
+    order   => '100'
+  }
+
+  concat::fragment { 'iptables-6-udp':
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_udp.erb'),
+    order   => '200'
+  }
+
+  concat::fragment { 'iptables-6-raw':
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_raw.erb'),
+    order   => '300'
+  }
+
+  concat::fragment { 'iptables-6-footer':
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_footer.erb'),
+    order   => '999'
+  }
+
 }

manifests/rules.pp

@@ -0,0 +1,28 @@
+# Define iptables::rules
+# Add arbitrary iptables rules
+define iptables::rules (
+  $rules4 = undef,
+  $rules6 = undef,
+) {
+
+  if $rules4 == undef and $rules6 == undef {
+    fail('You must pass rules4 or rules6 to iptables::rules')
+  }
+
+  if $rules4 != undef {
+    concat::fragment { "iptables-4-hosts-${name}":
+      target  => "${::iptables::params::rules_dir}/rules",
+      content => template('iptables/rules4_hosts.erb'),
+      order   => '110'
+    }
+  }
+
+  if $rules6 != undef {
+    concat::fragment { "iptables-6-hosts-${name}":
+      target  => $::iptables::params::ipv6_rules,
+      content => template('iptables/rules6_hosts.erb'),
+      order   => '110'
+    }
+  }
+
+}

manifests/tcp_allow.pp

@@ -0,0 +1,27 @@
+# Define iptables::tcp_allow
+# Allow a tcp port to listen on v4 and v6
+define iptables::tcp_allow (
+  $port = undef,
+  $ports = undef,
+) {
+
+  if $port == undef and $ports == undef {
+    fail('You must pass port or ports to iptables::tcp_allow')
+  }
+
+  $pub = pick($port, $ports)
+  $public_tcp_ports = flatten([$pub])
+
+  concat::fragment { "iptables-4-tcp-${name}":
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_tcp.erb'),
+    order   => '110'
+  }
+
+  concat::fragment { "iptables-6-tcp-${name}":
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_tcp.erb'),
+    order   => '110'
+  }
+
+}

manifests/udp_allow.pp

@@ -0,0 +1,27 @@
+# Define iptables::udp_allow
+# Allow a udp port to listen on v4 and v6
+define iptables::udp_allow (
+  $port = undef,
+  $ports = undef,
+) {
+
+  if $port == undef and $ports == undef {
+    fail('You must pass port or ports to iptables::udp_allow')
+  }
+
+  $pub = pick($port, $ports)
+  $public_udp_ports = flatten([$pub])
+
+  concat::fragment { "iptables-4-udp-${name}":
+    target  => "${::iptables::params::rules_dir}/rules",
+    content => template('iptables/rules4_udp.erb'),
+    order   => '110'
+  }
+
+  concat::fragment { "iptables-6-udp-${name}":
+    target  => $::iptables::params::ipv6_rules,
+    content => template('iptables/rules6_udp.erb'),
+    order   => '110'
+  }
+
+}

metadata.json

@@ -7,5 +7,7 @@
   "source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
   "project_page": "http://docs.openstack.org/infra/system-config/",
   "issues_url": "https://storyboard.openstack.org/#!/project/770",
-  "dependencies": []
+  "dependencies": [
+    {"name":"puppetlabs/concat","version_requirement":">=1.0.0 <2.0.0"}
+  ]
 }

templates/rules4_footer.erb

@@ -0,0 +1,2 @@
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT

templates/rules4_header.erb

@@ -13,17 +13,3 @@
 # SNMP from openstack cacti
 -A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
 -A openstack-INPUT -m udp -p udp --dport 161 -s 198.61.215.188 -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules4.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-COMMIT

templates/rules4_raw.erb

@@ -0,0 +1,4 @@
+# Per-host rules
+<% @rules4.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>

templates/rules4_tcp.erb

@@ -0,0 +1,4 @@
+# Public TCP ports
+<% @public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>

templates/rules4_udp.erb

@@ -0,0 +1,4 @@
+# Public UDP ports
+<% @public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>

templates/rules6_footer.erb

@@ -0,0 +1,2 @@
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

templates/rules6_header.erb

@@ -11,17 +11,3 @@
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 # SNMP from openstack cacti
 -A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:780d:0509:3bc3:d7f6:ff04:49de -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules6.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-COMMIT

templates/rules6_raw.erb

@@ -0,0 +1,4 @@
+# Per-host rules
+<% @rules6.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>

templates/rules6_tcp.erb

@@ -0,0 +1,4 @@
+# Public TCP ports
+<% @public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>

templates/rules6_udp.erb

@@ -0,0 +1,4 @@
+# Public UDP ports
+<% @public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>