Merge "Restore forwarding and iptables cleanup"
commit
e986a50ab5
@ -38,37 +38,37 @@ class cobbler::iptables (
|
|||
|
||||
firewall { '101 dns_tcp':
|
||||
chain => $chain,
|
||||
port => '53',
|
||||
dport => '53',
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
firewall { '102 dns_udp':
|
||||
chain => $chain,
|
||||
port => '53',
|
||||
dport => '53',
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
}
|
||||
firewall { '103 dhcp':
|
||||
chain => $chain,
|
||||
port => ['67','68'],
|
||||
dport => ['67','68'],
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
}
|
||||
firewall { '104 tftp':
|
||||
chain => $chain,
|
||||
port => '69',
|
||||
dport => '69',
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
}
|
||||
firewall { '110 squidproxy':
|
||||
firewall { '105 squidproxy':
|
||||
chain => $chain,
|
||||
port => '3128',
|
||||
dport => '3128',
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
firewall { '111 cobbler_web':
|
||||
firewall { '106 cobbler_web':
|
||||
chain => $chain,
|
||||
port => ['80','443'],
|
||||
dport => ['80','443'],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
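Review bot: The renumbered cobbler rules ('101 dns_tcp' through '106 cobbler_web') carry no `iniface` or `source` restriction, so DHCP (67/68), TFTP (69), DNS (53) and the squid proxy (3128) are accepted on every interface, whereas the sibling fuel::iptables rules for admin-only services are pinned with `iniface => $admin_iface`; provisioning services and an HTTP proxy are normally only meant to answer on the admin/PXE network. The class header and whatever binds `$chain` start before this hunk, so I cannot see whether an interface parameter already exists; if it does, the change is one line per rule, e.g. `iniface => $admin_iface,` on `'103 dhcp'`, `'104 tftp'` and `'105 squidproxy'`, otherwise the class needs a parameter for it. Note also that with numbers 101–106 these rules now sort between fuel::iptables' `'100 postgres_block_ext'` and `'110 ostf_admin'` on the same chain, which works but silently couples the two modules' ordering; a header comment such as `# 101-106 are reserved for cobbler services and must stay between fuel::iptables rules 100 and 110` would make that dependency visible.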
@ -135,6 +135,9 @@ class { 'fuel::iptables':
|
|||
network_cidr => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
|
||||
}
|
||||
|
||||
# enable forwarding for the NAT/MASQUERADE configured by iptables
|
||||
sysctl::value{'net.ipv4.ip_forward': value=>'1'}
|
||||
|
||||
# FIXME(kozhukalov): this should be a part of repo management tool
|
||||
class { 'fuel::auxiliaryrepos':
|
||||
fuel_version => $::fuel_release,
|
||||
|
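Review bot: `sysctl::value{'net.ipv4.ip_forward': value=>'1'}` makes the master a router for every attached interface, and nothing here ties it to the firewall: on a fresh run the kernel can start forwarding before fuel::iptables has installed its FORWARD rules, and unless the FORWARD chain's policy is drop (its firewallchain declaration is not in this diff) traffic between any two attached networks is forwarded, not just the NAT'd admin network the comment refers to. I would order it after the firewall class, `sysctl::value { 'net.ipv4.ip_forward': value => '1', require => Class['fuel::iptables'] }`, and confirm that a `firewallchain { 'FORWARD:filter:IPv4': policy => 'drop' }` exists. The comment could also name what depends on it, e.g. `# enable forwarding for the '010 forward_admin_net' POSTROUTING nat rule in fuel::iptables (admin network only)`.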
@ -22,7 +22,7 @@ class fuel::iptables (
|
|||
) inherits fuel::params {
|
||||
|
||||
#Enable cobbler's iptables rules even if Cobbler not called
|
||||
include cobbler::iptables
|
||||
include ::cobbler::iptables
|
||||
|
||||
firewallchain { 'INPUT:filter:IPv4':
|
||||
ensure => present,
|
||||
|
@ -91,7 +91,7 @@ class fuel::iptables (
|
|||
firewall { '010 ssh':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ssh_port,
|
||||
dport => $ssh_port,
|
||||
proto => 'tcp',
|
||||
source => $ssh_network,
|
||||
action => 'accept',
|
||||
|
@ -101,7 +101,7 @@ class fuel::iptables (
|
|||
firewall { '020 ntp':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ntp_port,
|
||||
dport => $ntp_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -111,7 +111,7 @@ class fuel::iptables (
|
|||
firewall { '030 ntp_udp':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ntp_port,
|
||||
dport => $ntp_port,
|
||||
proto => 'udp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -121,17 +121,16 @@ class fuel::iptables (
|
|||
firewall { '040 snmp':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => '162',
|
||||
dport => '162',
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
}
|
||||
|
||||
#Containerized services
|
||||
firewall { '050 nailgun_web':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $nailgun_web_port,
|
||||
dport => $nailgun_web_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
|
@ -140,7 +139,7 @@ class fuel::iptables (
|
|||
firewall { '060 nailgun_internal':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $nailgun_internal_port,
|
||||
dport => $nailgun_internal_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -150,7 +149,7 @@ class fuel::iptables (
|
|||
firewall { '070 nailgun_internal_block_ext':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $nailgun_internal_port,
|
||||
dport => $nailgun_internal_port,
|
||||
proto => 'tcp',
|
||||
action => 'reject',
|
||||
state => ['NEW'],
|
||||
|
@ -159,7 +158,7 @@ class fuel::iptables (
|
|||
firewall { '080 postgres_local':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $postgres_port,
|
||||
dport => $postgres_port,
|
||||
proto => 'tcp',
|
||||
src_type => 'LOCAL',
|
||||
action => 'accept',
|
||||
|
@ -169,7 +168,7 @@ class fuel::iptables (
|
|||
firewall { '090 postgres':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $postgres_port,
|
||||
dport => $postgres_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -179,7 +178,7 @@ class fuel::iptables (
|
|||
firewall { '100 postgres_block_ext':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $postgres_port,
|
||||
dport => $postgres_port,
|
||||
proto => 'tcp',
|
||||
action => 'reject',
|
||||
state => ['NEW'],
|
||||
|
@ -188,7 +187,7 @@ class fuel::iptables (
|
|||
firewall { '110 ostf_admin':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ostf_port,
|
||||
dport => $ostf_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -198,7 +197,7 @@ class fuel::iptables (
|
|||
firewall { '120 ostf_local':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ostf_port,
|
||||
dport => $ostf_port,
|
||||
proto => 'tcp',
|
||||
src_type => 'LOCAL',
|
||||
action => 'accept',
|
||||
|
@ -208,7 +207,7 @@ class fuel::iptables (
|
|||
firewall { '130 ostf_block_ext':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $ostf_port,
|
||||
dport => $ostf_port,
|
||||
proto => 'tcp',
|
||||
action => 'reject',
|
||||
state => ['NEW'],
|
||||
|
@ -217,7 +216,7 @@ class fuel::iptables (
|
|||
firewall { '140 rsync':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $rsync_port,
|
||||
dport => $rsync_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
|
@ -226,7 +225,7 @@ class fuel::iptables (
|
|||
firewall { '150 rsyslog':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $rsyslog_port,
|
||||
dport => $rsyslog_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -236,7 +235,7 @@ class fuel::iptables (
|
|||
firewall { '160 rsyslog':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $rsyslog_port,
|
||||
dport => $rsyslog_port,
|
||||
proto => 'udp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -246,7 +245,7 @@ class fuel::iptables (
|
|||
firewall { '170 rabbitmq_admin_net':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $rabbitmq_ports,
|
||||
dport => $rabbitmq_ports,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -256,7 +255,7 @@ class fuel::iptables (
|
|||
firewall { '180 rabbitmq_local':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => concat($rabbitmq_ports, $rabbitmq_admin_port),
|
||||
dport => concat($rabbitmq_ports, $rabbitmq_admin_port),
|
||||
proto => 'tcp',
|
||||
src_type => 'LOCAL',
|
||||
action => 'accept',
|
||||
|
@ -266,7 +265,7 @@ class fuel::iptables (
|
|||
firewall { '190 rabbitmq_block_ext':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $rabbitmq_ports,
|
||||
dport => $rabbitmq_ports,
|
||||
proto => 'tcp',
|
||||
action => 'reject',
|
||||
state => ['NEW'],
|
||||
|
@ -275,7 +274,7 @@ class fuel::iptables (
|
|||
firewall { '200 fuelweb_port':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $fuelweb_port,
|
||||
dport => $fuelweb_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
|
@ -284,7 +283,7 @@ class fuel::iptables (
|
|||
firewall { '210 keystone_admin':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $keystone_port,
|
||||
dport => $keystone_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
|
@ -293,7 +292,7 @@ class fuel::iptables (
|
|||
firewall { '220 keystone_admin_port admin_net':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $keystone_admin_port,
|
||||
dport => $keystone_admin_port,
|
||||
proto => 'tcp',
|
||||
iniface => $admin_iface,
|
||||
action => 'accept',
|
||||
|
@ -303,7 +302,7 @@ class fuel::iptables (
|
|||
firewall { '230 nailgun_repo_admin':
|
||||
chain => $chain,
|
||||
table => 'filter',
|
||||
port => $nailgun_repo_port,
|
||||
dport => $nailgun_repo_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
state => ['NEW'],
|
||||
|
@ -348,6 +347,7 @@ class fuel::iptables (
|
|||
firewall { '970 externally defined rules: ext-filter-input':
|
||||
chain => 'INPUT',
|
||||
table => 'filter',
|
||||
proto => 'all',
|
||||
jump => 'ext-filter-input',
|
||||
}
|
||||
|
||||
|
@ -362,6 +362,7 @@ class fuel::iptables (
|
|||
firewall { '999 iptables denied':
|
||||
chain => 'INPUT',
|
||||
table => 'filter',
|
||||
proto => 'all',
|
||||
limit => '5/min',
|
||||
jump => 'LOG',
|
||||
log_prefix => 'iptables denied: ',
|
||||
|
@ -381,22 +382,22 @@ class fuel::iptables (
|
|||
}
|
||||
|
||||
firewall { '970 externally defined rules':
|
||||
chain => 'FORWARD',
|
||||
table => 'filter',
|
||||
jump => 'ext-filter-forward',
|
||||
chain => 'FORWARD',
|
||||
table => 'filter',
|
||||
proto => 'all',
|
||||
jump => 'ext-filter-forward',
|
||||
}
|
||||
|
||||
firewall { '980 forward admin_net conntrack':
|
||||
chain => 'FORWARD',
|
||||
table => 'filter',
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
action => 'accept',
|
||||
chain => 'FORWARD',
|
||||
table => 'filter',
|
||||
proto => 'all',
|
||||
state => ['RELATED', 'ESTABLISHED'],
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
## POSTROUTING:nat:IPv4
|
||||
|
||||
#Host services
|
||||
firewall { '010 forward_admin_net':
|
||||
chain => 'POSTROUTING',
|
||||
table => 'nat',
|
||||
|
@ -407,9 +408,10 @@ class fuel::iptables (
|
|||
}
|
||||
|
||||
firewall { '980 externally defined rules: ext-nat-postrouting':
|
||||
chain => 'POSTROUTING',
|
||||
table => 'nat',
|
||||
jump => 'ext-nat-postrouting',
|
||||
chain => 'POSTROUTING',
|
||||
table => 'nat',
|
||||
proto => 'all',
|
||||
jump => 'ext-nat-postrouting',
|
||||
}
|
||||
|
||||
## POSTROUTING:mangle:IPv4
|
||||
|
@ -418,14 +420,15 @@ class fuel::iptables (
|
|||
chain => 'POSTROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'udp',
|
||||
port => 68,
|
||||
dport => 68,
|
||||
jump => 'CHECKSUM',
|
||||
checksum_fill => true,
|
||||
}
|
||||
|
||||
firewall { '980 externally defined rules: ext-mangle-postrouting':
|
||||
chain => 'POSTROUTING',
|
||||
table => 'mangle',
|
||||
jump => 'ext-mangle-postrouting',
|
||||
chain => 'POSTROUTING',
|
||||
table => 'mangle',
|
||||
proto => 'all',
|
||||
jump => 'ext-mangle-postrouting',
|
||||
}
|
||||
}
|
||||
|
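Review bot: The FORWARD chain block (the hunk at `@ -381,22 +382,22 @@`) has no terminal log-and-deny rule like INPUT's `'999 iptables denied'`, so now that ip_forward is switched on by this same commit, a forwarded packet that matches neither the admin-net rule, `ext-filter-forward` nor the RELATED/ESTABLISHED rule is decided purely by the chain's default policy, whose `firewallchain` declaration lies outside these hunks. If that policy is not drop the host forwards between any attached networks; I would mirror the INPUT rule, `firewall { '999 forward denied': chain => 'FORWARD', table => 'filter', proto => 'all', limit => '5/min', jump => 'LOG', log_prefix => 'iptables forward denied: ' }`, and set the policy explicitly. Separately, `'970 externally defined rules'` on FORWARD is the only jump rule without the `: ext-filter-forward` suffix its INPUT/nat/mangle siblings carry; renaming it `'970 externally defined rules: ext-filter-forward'` (and the spec expectation) would make the rule set self-describing. The enclosing class continues past the last hunk.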
@ -39,6 +39,7 @@ describe manifest do
|
|||
['net.ipv4.neigh.default.gc_thresh1', '256'],
|
||||
['net.ipv4.neigh.default.gc_thresh2', '1024'],
|
||||
['net.ipv4.neigh.default.gc_thresh3', '2048'],
|
||||
['net.ipv4.ip_forward', '1'],
|
||||
].each do |key, value|
|
||||
it { is_expected.to contain_sysctl__value(key).with(:value => value) }
|
||||
end
|
||||
|
@ -122,44 +123,139 @@ describe manifest do
|
|||
end
|
||||
|
||||
it 'class "fuel::iptables" should contain the correct firewall rules' do
|
||||
should contain_firewall('000 allow loopback')
|
||||
should contain_firewall('010 ssh')
|
||||
should contain_firewall('020 ntp')
|
||||
should contain_firewall('030 ntp_udp')
|
||||
should contain_firewall('040 snmp')
|
||||
should contain_firewall('050 nailgun_web')
|
||||
should contain_firewall('060 nailgun_internal')
|
||||
should contain_firewall('070 nailgun_internal_block_ext')
|
||||
should contain_firewall('080 postgres_local')
|
||||
should contain_firewall('090 postgres')
|
||||
should contain_firewall('100 postgres_block_ext')
|
||||
should contain_firewall('110 ostf_admin')
|
||||
should contain_firewall('120 ostf_local')
|
||||
should contain_firewall('130 ostf_block_ext')
|
||||
should contain_firewall('140 rsync')
|
||||
should contain_firewall('150 rsyslog')
|
||||
should contain_firewall('160 rsyslog')
|
||||
should contain_firewall('170 rabbitmq_admin_net')
|
||||
should contain_firewall('180 rabbitmq_local')
|
||||
should contain_firewall('190 rabbitmq_block_ext')
|
||||
should contain_firewall('200 fuelweb_port')
|
||||
should contain_firewall('210 keystone_admin')
|
||||
should contain_firewall('220 keystone_admin_port admin_net')
|
||||
should contain_firewall('230 nailgun_repo_admin')
|
||||
should contain_firewall('240 allow icmp echo-request')
|
||||
should contain_firewall('250 allow icmp echo-reply')
|
||||
should contain_firewall('260 allow icmp dest-unreach')
|
||||
should contain_firewall('270 allow icmp time-exceeded')
|
||||
should contain_firewall('970 externally defined rules: ext-filter-input')
|
||||
should contain_firewall('980 accept related established rules')
|
||||
should contain_firewall('999 iptables denied')
|
||||
should contain_firewall('010 forward admin_net')
|
||||
should contain_firewall('970 externally defined rules')
|
||||
should contain_firewall('980 forward admin_net conntrack')
|
||||
should contain_firewall('010 forward_admin_net')
|
||||
should contain_firewall('980 externally defined rules: ext-nat-postrouting')
|
||||
should contain_firewall('010 recalculate dhcp checksum')
|
||||
should contain_firewall('980 externally defined rules: ext-mangle-postrouting')
|
||||
should contain_firewall('000 allow loopback').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('010 ssh').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('020 ntp').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('030 ntp_udp').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('040 snmp').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('050 nailgun_web').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('060 nailgun_internal').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('070 nailgun_internal_block_ext').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('080 postgres_local').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('090 postgres').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('100 postgres_block_ext').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('110 ostf_admin').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('120 ostf_local').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('130 ostf_block_ext').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('140 rsync').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('150 rsyslog').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('160 rsyslog').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('170 rabbitmq_admin_net').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('180 rabbitmq_local').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('190 rabbitmq_block_ext').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('200 fuelweb_port').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('210 keystone_admin').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('220 keystone_admin_port admin_net').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('230 nailgun_repo_admin').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('240 allow icmp echo-request').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('250 allow icmp echo-reply').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('260 allow icmp dest-unreach').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('270 allow icmp time-exceeded').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('970 externally defined rules: ext-filter-input').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('980 accept related established rules').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
should contain_firewall('999 iptables denied').with(
|
||||
:table => 'filter',
|
||||
)
|
||||
|
||||
should contain_firewall('010 forward admin_net').with(
|
||||
:table => 'filter',
|
||||
:chain => 'FORWARD',
|
||||
)
|
||||
should contain_firewall('970 externally defined rules').with(
|
||||
:table => 'filter',
|
||||
:chain => 'FORWARD',
|
||||
)
|
||||
should contain_firewall('980 forward admin_net conntrack').with(
|
||||
:table => 'filter',
|
||||
:chain => 'FORWARD',
|
||||
)
|
||||
|
||||
should contain_firewall('010 forward_admin_net').with(
|
||||
:chain => 'POSTROUTING',
|
||||
:table => 'nat',
|
||||
)
|
||||
should contain_firewall('980 externally defined rules: ext-nat-postrouting').with(
|
||||
:chain => 'POSTROUTING',
|
||||
:table => 'nat',
|
||||
)
|
||||
|
||||
should contain_firewall('010 recalculate dhcp checksum').with(
|
||||
:chain => 'POSTROUTING',
|
||||
:table => 'mangle',
|
||||
)
|
||||
should contain_firewall('980 externally defined rules: ext-mangle-postrouting').with(
|
||||
:chain => 'POSTROUTING',
|
||||
:table => 'mangle',
|
||||
)
|
||||
end
|
||||
|
||||
it 'class "fuel::iptables" should contain firewall rules from cobbler module' do
|
||||
should contain_firewall('101 dns_tcp')
|
||||
should contain_firewall('102 dns_udp')
|
||||
should contain_firewall('103 dhcp')
|
||||
should contain_firewall('104 tftp')
|
||||
should contain_firewall('105 squidproxy')
|
||||
should contain_firewall('106 cobbler_web')
|
||||
end
|
||||
|
||||
it 'should declare "openstack::clocksync" class with parameters' do
|
||||
|
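Review bot: The `.with(:table => 'filter')` expectations in `'class "fuel::iptables" should contain the correct firewall rules'` assert only `:table` and `:chain`, so the substantive change of this commit — `port` replaced by `dport` on every rule — is not covered, and a regression back to `port =>` (which, if I recall the firewall module's semantics correctly, matches source or destination port and so lets the `_block_ext` rejects be sidestepped) would still pass. Pin the match direction on at least the literal-port rules, e.g. `should contain_firewall('040 snmp').with(:table => 'filter', :dport => '162', :proto => 'udp')`, `should contain_firewall('070 nailgun_internal_block_ext').with(:action => 'reject', :state => ['NEW'])` and in the cobbler example `should contain_firewall('104 tftp').with(:dport => '69', :proto => 'udp')`. The file already uses the `is_expected.to` form in the sysctl loop above, while the new lines use bare `should`, the old RSpec 2 one-liner style; converting them while the block is being rewritten would keep the spec consistent.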