From 95d88270432e48f8943a72ecd9ddb1b3da02ed41 Mon Sep 17 00:00:00 2001
From: Jonathan Brownell
Date: Wed, 7 Jan 2015 13:18:40 -0800
Subject: [PATCH] Adding iptable rules for swift-storage DIB element
Adding iptable rules to enable swift object, container, and account servers. (Traditionally ports 6000:6002.) Also open port 873 for rsync to enable cluster per https://www.swiftstack.com/docs/security/node.html
Closes-bug: #1351455
Change-Id: I5de1bcf5641c17f7b1f43b7ce080797201231c6a
---
 .../configure.d/21-swift-storage-iptables | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100755 elements/swift-storage/os-refresh-config/configure.d/21-swift-storage-iptables
diff --git a/elements/swift-storage/os-refresh-config/configure.d/21-swift-storage-iptables b/elements/swift-storage/os-refresh-config/configure.d/21-swift-storage-iptables
new file mode 100755
index 000000000..ea1a8d8e1
--- /dev/null
+++ b/elements/swift-storage/os-refresh-config/configure.d/21-swift-storage-iptables
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -eux
+set -o pipefail
+
+get_bind_port () {
+ # first argument is the config file path
+ bind_string=$(grep bind_port $1)
+ if [ "$bind_string" != "" ]; then
+ equals_index=$(expr index "$bind_string" "=")
+ port_number=${bind_string:$equals_index}
+ echo ${port_number/ /}
+ else
+ echo ""
+ fi
+}
+
+# Open ports for swift-storage servers
+add-rule INPUT -p tcp --dport $(get_bind_port /etc/swift/object-server.conf) -j ACCEPT
+add-rule INPUT -p tcp --dport $(get_bind_port /etc/swift/container-server.conf) -j ACCEPT
+add-rule INPUT -p tcp --dport $(get_bind_port /etc/swift/account-server.conf) -j ACCEPT
+
+# Swift performs rsync for clustering on port 873
+add-rule INPUT -p tcp --dport 873 -j ACCEPT
+
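Review bot: `get_bind_port` greps for the bare substring `bind_port` with `$1` unquoted, so a commented-out `# bind_port = ...` line (as sample configs often carry) or any other key containing that substring matches too, `bind_string` then holds several lines, and the `--dport` value computed from it is garbage; `expr index` is also a GNU-only extension. When no setting is present the function echoes "", which turns the call into `add-rule INPUT -p tcp --dport -j ACCEPT` and fails with an unhelpful iptables error rather than a clear message, and because the substitution sits inside an argument its own non-zero status is never seen by `set -e`. The rewrite below extracts only an uncommented numeric `bind_port = N`, returns non-zero otherwise, and assigns the port to a variable first so `set -e` aborts before any rule is touched. Separately, all four rules accept from any source, while the node-security page the commit cites is about keeping storage and replication traffic on the cluster network; if the element knows that network, a `-s <CLUSTER_CIDR>` (placeholder) or `-i <STORAGE_IFACE>` restriction on these rules, the rsync one in particular, is worth considering.

```shell
get_bind_port () {
    # first argument is the config file path; prints the first uncommented
    # "bind_port = N" value, or returns 1 so the caller's assignment aborts
    local port
    port=$(sed -n 's/^[[:space:]]*bind_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$port" ]; then
        echo "no bind_port setting found in $1" >&2
        return 1
    fi
    echo "$port"
}

# Open ports for swift-storage servers
object_port=$(get_bind_port /etc/swift/object-server.conf)
add-rule INPUT -p tcp --dport "$object_port" -j ACCEPT
# … unchanged: same pattern for container-server.conf and account-server.conf, then the rsync rule …
```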