opendev/system-config
Code Issues Proposed changes
3e6c282d54
system-config/playbooks/roles/iptables/templates/rules.v6.j2
Ian Wienand efa858c58e
iptables: handle hosts in allowed groups not having an ipv6 address 
The modified section of the rules.v6 template looks at the groups in
the iptables_allowed_groups list and then allows access for each host
specified in that group.

Currently this extracts the 'public_v6' from the hostvars[host]
directly, but this fails if the host in question doesn't actually have
an ipv6 address.

Modify this so we check if the variable exists, and then reference it
via the hostvars dict.  Note that in gate testing, ipv6 may be empty
string (set from nodepool values), while it may not be a value at all
if it is left out of the production inventory.
"hostvars[host]['public_v6'] | default(False)" should catch both
cases.

Change-Id: I90069efc7d72d881ec57670b9c6b426a8a5422a3
2023-01-12 21:48:22 +11:00

45 lines
1.7 KiB
Django/Jinja
Raw Blame History

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
:openstack-OUTPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmpv6 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host ingress rules
{% for rule in iptables_rules_v6 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
{% for group in iptables_allowed_groups -%}
{% for host in groups.get(group.group, []) -%}
{% if hostvars[host]['public_v6'] | default(False) -%}
-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ hostvars[host]['public_v6'] }} --dport {{ group.port }} -j ACCEPT
{% endif -%}
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Egress filtering
-A OUTPUT -j openstack-OUTPUT
# Per-host egress rules
{% for rule in iptables_egress_rules_v6 -%}
-A openstack-OUTPUT {{ rule }}
{% endfor -%}
COMMIT
View Git Blame Copy Permalink