Merge "Restore forwarding and iptables cleanup"

Jenkins 2016-04-14 10:27:43 +00:00 committed by Gerrit Code Review
commit e986a50ab5
4 changed files with 189 additions and 87 deletions


@ -38,37 +38,37 @@ class cobbler::iptables (
firewall { '101 dns_tcp':
chain => $chain,
port => '53',
dport => '53',
proto => 'tcp',
action => 'accept',
}
firewall { '102 dns_udp':
chain => $chain,
port => '53',
dport => '53',
proto => 'udp',
action => 'accept',
}
firewall { '103 dhcp':
chain => $chain,
port => ['67','68'],
dport => ['67','68'],
proto => 'udp',
action => 'accept',
}
firewall { '104 tftp':
chain => $chain,
port => '69',
dport => '69',
proto => 'udp',
action => 'accept',
}
firewall { '110 squidproxy':
firewall { '105 squidproxy':
chain => $chain,
port => '3128',
dport => '3128',
proto => 'tcp',
action => 'accept',
}
firewall { '111 cobbler_web':
firewall { '106 cobbler_web':
chain => $chain,
port => ['80','443'],
dport => ['80','443'],
proto => 'tcp',
action => 'accept',
}
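Review bot: The six cobbler rules in this hunk leave `table` unset, while every rule in fuel::iptables spells out `table => 'filter'` and the new spec pins that value for each of them; adding `table => 'filter',` to '101 dns_tcp' through '106 cobbler_web' makes the target table explicit and lets the cobbler spec assert it the same way. These rules also carry no `iniface` or `source`, so DNS, DHCP, TFTP, squid and the cobbler web ports are accepted on every interface of the node; if the admin interface name is reachable from this class, restricting them with `iniface` as fuel::iptables does for '020 ntp' would match the PXE-only intent of these services. The renumbering to 105/106 moves the cobbler rules out of the prefix range fuel::iptables uses ('100 postgres_block_ext', '110 ostf_admin'), which is worth a one-line comment above '101 dns_tcp' such as `# 101-106 are reserved for cobbler rules; fuel::iptables uses 100 and 110 on either side` so a later rule is not numbered back into 110. The class header and any rules before '101 dns_tcp' are outside the hunk.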


@ -135,6 +135,9 @@ class { 'fuel::iptables':
network_cidr => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
}
# enable forwarding for the NAT/MASQUERADE configured by iptables
sysctl::value{'net.ipv4.ip_forward': value=>'1'}
# FIXME(kozhukalov): this should be a part of repo management tool
class { 'fuel::auxiliaryrepos':
fuel_version => $::fuel_release,
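Review bot: Nothing in this hunk orders the new `sysctl::value` after `Class['fuel::iptables']`, so depending on the agent's ordering setting forwarding can be switched on before the FORWARD-chain rules are applied; declaring it as `sysctl::value { 'net.ipv4.ip_forward': value => '1', require => Class['fuel::iptables'] }` removes that window. The comment above the sysctl line could also say what the node is expected to forward, e.g. `# enable forwarding: the master NATs admin-network traffic (fuel::iptables POSTROUTING:nat rules)`, because a global ip_forward applies to every interface, not only the admin one. The spacing of the declaration (`sysctl::value{... value=>'1'}`) differs from the surrounding resources, which put spaces around `{` and `=>`. The enclosing node definition starts and ends outside the hunk.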


@ -22,7 +22,7 @@ class fuel::iptables (
) inherits fuel::params {
#Enable cobbler's iptables rules even if Cobbler not called
include cobbler::iptables
include ::cobbler::iptables
firewallchain { 'INPUT:filter:IPv4':
ensure => present,
@ -91,7 +91,7 @@ class fuel::iptables (
firewall { '010 ssh':
chain => $chain,
table => 'filter',
port => $ssh_port,
dport => $ssh_port,
proto => 'tcp',
source => $ssh_network,
action => 'accept',
@ -101,7 +101,7 @@ class fuel::iptables (
firewall { '020 ntp':
chain => $chain,
table => 'filter',
port => $ntp_port,
dport => $ntp_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -111,7 +111,7 @@ class fuel::iptables (
firewall { '030 ntp_udp':
chain => $chain,
table => 'filter',
port => $ntp_port,
dport => $ntp_port,
proto => 'udp',
iniface => $admin_iface,
action => 'accept',
@ -121,17 +121,16 @@ class fuel::iptables (
firewall { '040 snmp':
chain => $chain,
table => 'filter',
port => '162',
dport => '162',
proto => 'udp',
action => 'accept',
state => ['NEW'],
}
#Containerized services
firewall { '050 nailgun_web':
chain => $chain,
table => 'filter',
port => $nailgun_web_port,
dport => $nailgun_web_port,
proto => 'tcp',
action => 'accept',
state => ['NEW'],
@ -140,7 +139,7 @@ class fuel::iptables (
firewall { '060 nailgun_internal':
chain => $chain,
table => 'filter',
port => $nailgun_internal_port,
dport => $nailgun_internal_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -150,7 +149,7 @@ class fuel::iptables (
firewall { '070 nailgun_internal_block_ext':
chain => $chain,
table => 'filter',
port => $nailgun_internal_port,
dport => $nailgun_internal_port,
proto => 'tcp',
action => 'reject',
state => ['NEW'],
@ -159,7 +158,7 @@ class fuel::iptables (
firewall { '080 postgres_local':
chain => $chain,
table => 'filter',
port => $postgres_port,
dport => $postgres_port,
proto => 'tcp',
src_type => 'LOCAL',
action => 'accept',
@ -169,7 +168,7 @@ class fuel::iptables (
firewall { '090 postgres':
chain => $chain,
table => 'filter',
port => $postgres_port,
dport => $postgres_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -179,7 +178,7 @@ class fuel::iptables (
firewall { '100 postgres_block_ext':
chain => $chain,
table => 'filter',
port => $postgres_port,
dport => $postgres_port,
proto => 'tcp',
action => 'reject',
state => ['NEW'],
@ -188,7 +187,7 @@ class fuel::iptables (
firewall { '110 ostf_admin':
chain => $chain,
table => 'filter',
port => $ostf_port,
dport => $ostf_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -198,7 +197,7 @@ class fuel::iptables (
firewall { '120 ostf_local':
chain => $chain,
table => 'filter',
port => $ostf_port,
dport => $ostf_port,
proto => 'tcp',
src_type => 'LOCAL',
action => 'accept',
@ -208,7 +207,7 @@ class fuel::iptables (
firewall { '130 ostf_block_ext':
chain => $chain,
table => 'filter',
port => $ostf_port,
dport => $ostf_port,
proto => 'tcp',
action => 'reject',
state => ['NEW'],
@ -217,7 +216,7 @@ class fuel::iptables (
firewall { '140 rsync':
chain => $chain,
table => 'filter',
port => $rsync_port,
dport => $rsync_port,
proto => 'tcp',
action => 'accept',
state => ['NEW'],
@ -226,7 +225,7 @@ class fuel::iptables (
firewall { '150 rsyslog':
chain => $chain,
table => 'filter',
port => $rsyslog_port,
dport => $rsyslog_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -236,7 +235,7 @@ class fuel::iptables (
firewall { '160 rsyslog':
chain => $chain,
table => 'filter',
port => $rsyslog_port,
dport => $rsyslog_port,
proto => 'udp',
iniface => $admin_iface,
action => 'accept',
@ -246,7 +245,7 @@ class fuel::iptables (
firewall { '170 rabbitmq_admin_net':
chain => $chain,
table => 'filter',
port => $rabbitmq_ports,
dport => $rabbitmq_ports,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -256,7 +255,7 @@ class fuel::iptables (
firewall { '180 rabbitmq_local':
chain => $chain,
table => 'filter',
port => concat($rabbitmq_ports, $rabbitmq_admin_port),
dport => concat($rabbitmq_ports, $rabbitmq_admin_port),
proto => 'tcp',
src_type => 'LOCAL',
action => 'accept',
@ -266,7 +265,7 @@ class fuel::iptables (
firewall { '190 rabbitmq_block_ext':
chain => $chain,
table => 'filter',
port => $rabbitmq_ports,
dport => $rabbitmq_ports,
proto => 'tcp',
action => 'reject',
state => ['NEW'],
@ -275,7 +274,7 @@ class fuel::iptables (
firewall { '200 fuelweb_port':
chain => $chain,
table => 'filter',
port => $fuelweb_port,
dport => $fuelweb_port,
proto => 'tcp',
action => 'accept',
state => ['NEW'],
@ -284,7 +283,7 @@ class fuel::iptables (
firewall { '210 keystone_admin':
chain => $chain,
table => 'filter',
port => $keystone_port,
dport => $keystone_port,
proto => 'tcp',
action => 'accept',
state => ['NEW'],
@ -293,7 +292,7 @@ class fuel::iptables (
firewall { '220 keystone_admin_port admin_net':
chain => $chain,
table => 'filter',
port => $keystone_admin_port,
dport => $keystone_admin_port,
proto => 'tcp',
iniface => $admin_iface,
action => 'accept',
@ -303,7 +302,7 @@ class fuel::iptables (
firewall { '230 nailgun_repo_admin':
chain => $chain,
table => 'filter',
port => $nailgun_repo_port,
dport => $nailgun_repo_port,
proto => 'tcp',
action => 'accept',
state => ['NEW'],
@ -348,6 +347,7 @@ class fuel::iptables (
firewall { '970 externally defined rules: ext-filter-input':
chain => 'INPUT',
table => 'filter',
proto => 'all',
jump => 'ext-filter-input',
}
@ -362,6 +362,7 @@ class fuel::iptables (
firewall { '999 iptables denied':
chain => 'INPUT',
table => 'filter',
proto => 'all',
limit => '5/min',
jump => 'LOG',
log_prefix => 'iptables denied: ',
@ -381,22 +382,22 @@ class fuel::iptables (
}
firewall { '970 externally defined rules':
chain => 'FORWARD',
table => 'filter',
jump => 'ext-filter-forward',
chain => 'FORWARD',
table => 'filter',
proto => 'all',
jump => 'ext-filter-forward',
}
firewall { '980 forward admin_net conntrack':
chain => 'FORWARD',
table => 'filter',
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
chain => 'FORWARD',
table => 'filter',
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
## POSTROUTING:nat:IPv4
#Host services
firewall { '010 forward_admin_net':
chain => 'POSTROUTING',
table => 'nat',
@ -407,9 +408,10 @@ class fuel::iptables (
}
firewall { '980 externally defined rules: ext-nat-postrouting':
chain => 'POSTROUTING',
table => 'nat',
jump => 'ext-nat-postrouting',
chain => 'POSTROUTING',
table => 'nat',
proto => 'all',
jump => 'ext-nat-postrouting',
}
## POSTROUTING:mangle:IPv4
@ -418,14 +420,15 @@ class fuel::iptables (
chain => 'POSTROUTING',
table => 'mangle',
proto => 'udp',
port => 68,
dport => 68,
jump => 'CHECKSUM',
checksum_fill => true,
}
firewall { '980 externally defined rules: ext-mangle-postrouting':
chain => 'POSTROUTING',
table => 'mangle',
jump => 'ext-mangle-postrouting',
chain => 'POSTROUTING',
table => 'mangle',
proto => 'all',
jump => 'ext-mangle-postrouting',
}
}
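Review bot: In the `@ -381,22 +382,22 @@` hunk the FORWARD chain ends with '980 forward admin_net conntrack' accepting RELATED/ESTABLISHED, and nothing in the hunk rejects or logs the remaining forwarded traffic the way '999 iptables denied' does for INPUT; with ip_forward enabled elsewhere in this commit, that terminal behaviour (or the chain policy set on the firewallchain resource outside the hunk) is what keeps the node from routing between arbitrary interfaces, so it deserves either a '999' reject rule on FORWARD or a comment above '980 forward admin_net conntrack' stating that the chain policy handles the rest. The rule '970 externally defined rules' is the only jump rule without the chain suffix its siblings carry ('970 externally defined rules: ext-filter-input', '980 externally defined rules: ext-nat-postrouting'); renaming it `'970 externally defined rules: ext-filter-forward'` together with the matching spec expectation keeps the naming consistent. The `proto => 'all'` additions on the jump and LOG rules are the substantive part of this change, presumably because the firewall type's default for proto is tcp, and that reason is worth recording once near the first such rule, e.g. `# proto => 'all' is required: the type defaults proto to tcp, which would limit the jump to TCP packets`. The spec in this commit pins :table and :chain for these rules but not :proto, so a regression of that fix would pass unnoticed; adding `:proto => 'all'` to the `.with(...)` of the five jump/LOG rules would cover it. The class fuel::iptables starts before the first hunk.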


@ -39,6 +39,7 @@ describe manifest do
['net.ipv4.neigh.default.gc_thresh1', '256'],
['net.ipv4.neigh.default.gc_thresh2', '1024'],
['net.ipv4.neigh.default.gc_thresh3', '2048'],
['net.ipv4.ip_forward', '1'],
].each do |key, value|
it { is_expected.to contain_sysctl__value(key).with(:value => value) }
end
@ -122,44 +123,139 @@ describe manifest do
end
it 'class "fuel::iptables" should contain the correct firewall rules' do
should contain_firewall('000 allow loopback')
should contain_firewall('010 ssh')
should contain_firewall('020 ntp')
should contain_firewall('030 ntp_udp')
should contain_firewall('040 snmp')
should contain_firewall('050 nailgun_web')
should contain_firewall('060 nailgun_internal')
should contain_firewall('070 nailgun_internal_block_ext')
should contain_firewall('080 postgres_local')
should contain_firewall('090 postgres')
should contain_firewall('100 postgres_block_ext')
should contain_firewall('110 ostf_admin')
should contain_firewall('120 ostf_local')
should contain_firewall('130 ostf_block_ext')
should contain_firewall('140 rsync')
should contain_firewall('150 rsyslog')
should contain_firewall('160 rsyslog')
should contain_firewall('170 rabbitmq_admin_net')
should contain_firewall('180 rabbitmq_local')
should contain_firewall('190 rabbitmq_block_ext')
should contain_firewall('200 fuelweb_port')
should contain_firewall('210 keystone_admin')
should contain_firewall('220 keystone_admin_port admin_net')
should contain_firewall('230 nailgun_repo_admin')
should contain_firewall('240 allow icmp echo-request')
should contain_firewall('250 allow icmp echo-reply')
should contain_firewall('260 allow icmp dest-unreach')
should contain_firewall('270 allow icmp time-exceeded')
should contain_firewall('970 externally defined rules: ext-filter-input')
should contain_firewall('980 accept related established rules')
should contain_firewall('999 iptables denied')
should contain_firewall('010 forward admin_net')
should contain_firewall('970 externally defined rules')
should contain_firewall('980 forward admin_net conntrack')
should contain_firewall('010 forward_admin_net')
should contain_firewall('980 externally defined rules: ext-nat-postrouting')
should contain_firewall('010 recalculate dhcp checksum')
should contain_firewall('980 externally defined rules: ext-mangle-postrouting')
should contain_firewall('000 allow loopback').with(
:table => 'filter',
)
should contain_firewall('010 ssh').with(
:table => 'filter',
)
should contain_firewall('020 ntp').with(
:table => 'filter',
)
should contain_firewall('030 ntp_udp').with(
:table => 'filter',
)
should contain_firewall('040 snmp').with(
:table => 'filter',
)
should contain_firewall('050 nailgun_web').with(
:table => 'filter',
)
should contain_firewall('060 nailgun_internal').with(
:table => 'filter',
)
should contain_firewall('070 nailgun_internal_block_ext').with(
:table => 'filter',
)
should contain_firewall('080 postgres_local').with(
:table => 'filter',
)
should contain_firewall('090 postgres').with(
:table => 'filter',
)
should contain_firewall('100 postgres_block_ext').with(
:table => 'filter',
)
should contain_firewall('110 ostf_admin').with(
:table => 'filter',
)
should contain_firewall('120 ostf_local').with(
:table => 'filter',
)
should contain_firewall('130 ostf_block_ext').with(
:table => 'filter',
)
should contain_firewall('140 rsync').with(
:table => 'filter',
)
should contain_firewall('150 rsyslog').with(
:table => 'filter',
)
should contain_firewall('160 rsyslog').with(
:table => 'filter',
)
should contain_firewall('170 rabbitmq_admin_net').with(
:table => 'filter',
)
should contain_firewall('180 rabbitmq_local').with(
:table => 'filter',
)
should contain_firewall('190 rabbitmq_block_ext').with(
:table => 'filter',
)
should contain_firewall('200 fuelweb_port').with(
:table => 'filter',
)
should contain_firewall('210 keystone_admin').with(
:table => 'filter',
)
should contain_firewall('220 keystone_admin_port admin_net').with(
:table => 'filter',
)
should contain_firewall('230 nailgun_repo_admin').with(
:table => 'filter',
)
should contain_firewall('240 allow icmp echo-request').with(
:table => 'filter',
)
should contain_firewall('250 allow icmp echo-reply').with(
:table => 'filter',
)
should contain_firewall('260 allow icmp dest-unreach').with(
:table => 'filter',
)
should contain_firewall('270 allow icmp time-exceeded').with(
:table => 'filter',
)
should contain_firewall('970 externally defined rules: ext-filter-input').with(
:table => 'filter',
)
should contain_firewall('980 accept related established rules').with(
:table => 'filter',
)
should contain_firewall('999 iptables denied').with(
:table => 'filter',
)
should contain_firewall('010 forward admin_net').with(
:table => 'filter',
:chain => 'FORWARD',
)
should contain_firewall('970 externally defined rules').with(
:table => 'filter',
:chain => 'FORWARD',
)
should contain_firewall('980 forward admin_net conntrack').with(
:table => 'filter',
:chain => 'FORWARD',
)
should contain_firewall('010 forward_admin_net').with(
:chain => 'POSTROUTING',
:table => 'nat',
)
should contain_firewall('980 externally defined rules: ext-nat-postrouting').with(
:chain => 'POSTROUTING',
:table => 'nat',
)
should contain_firewall('010 recalculate dhcp checksum').with(
:chain => 'POSTROUTING',
:table => 'mangle',
)
should contain_firewall('980 externally defined rules: ext-mangle-postrouting').with(
:chain => 'POSTROUTING',
:table => 'mangle',
)
end
it 'class "fuel::iptables" should contain firewall rules from cobbler module' do
should contain_firewall('101 dns_tcp')
should contain_firewall('102 dns_udp')
should contain_firewall('103 dhcp')
should contain_firewall('104 tftp')
should contain_firewall('105 squidproxy')
should contain_firewall('106 cobbler_web')
end
it 'should declare "openstack::clocksync" class with parameters' do