51bf7ed8c1
Updates the iptables module so that it uses parameters to define the package, service, and files used to set up and configure persistent iptables rules. With these updates the module should now support both RHEL and Ubuntu. Change-Id: I45af4e72065c9baaf1d9a03f18b47f6effdce322 Reviewed-on: https://review.openstack.org/23278 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
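# Class: iptables
#
# Installs the iptables package, manages the persistent rules files and
# reloads the firewall service whenever a rules file changes. The package
# name, the service name and its status handling, and the rules file
# locations all come from iptables::params, which is what lets the same
# class work on both RHEL and Ubuntu.
#
# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
#
# params:
# rules4: A list of additional iptables v4 rules
# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
# rules6: A list of additional iptables v6 rules
# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
# public_tcp_ports: List of integer TCP ports on which to allow all traffic
# public_udp_ports: List of integer UDP ports on which to allow all traffic
#
# The four parameters are only passed through to the rules.erb and
# rules.v6.erb templates (not shown here); this class does not inspect them.
class iptables(
  $rules4 = [],
  $rules6 = [],
  $public_tcp_ports = [],
  $public_udp_ports = []
) {

  # Platform-specific package/service names and rules file paths.
  include iptables::params

  # The rendered IPv4 rules live in one shared file; the platform's own
  # IPv4 rules path is linked to it further down.
  $rules_file = "${::iptables::params::rules_dir}/rules"

  package { 'iptables':
    ensure => present,
    name   => $::iptables::params::package_name,
  }

  # NOTE(review): no `ensure`/`enable` is set on this service, so it is only
  # restarted when a rules file notifies it; nothing here asserts that the
  # service is running or enabled at boot. Confirm that the package (or
  # iptables::params) takes care of loading the rules on startup.
  service { 'iptables':
    name       => $::iptables::params::service_name,
    hasstatus  => $::iptables::params::service_has_status,
    status     => $::iptables::params::service_status_cmd,
    hasrestart => $::iptables::params::service_has_restart,
    require    => Package['iptables'],
  }

  file { $::iptables::params::rules_dir:
    ensure  => directory,
    require => Package['iptables'],
  }

  # This file is not required on Red Hat distros... but it won't hurt to
  # keep it there and have the platform IPv4 rules path link to it either.
  # `ensure => file` rather than `present`: the resource carries content, so
  # it must be a regular file, whereas `present` accepts any existing object
  # at this path. 0640 root:root keeps the rule set, which lists the trusted
  # source addresses and ports, unreadable by unprivileged users.
  file { $rules_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('iptables/rules.erb'),
    require => [
      Package['iptables'],
      File[$::iptables::params::rules_dir],
    ],
    # When this file is updated, make sure the rules get reloaded.
    notify  => Service['iptables'],
  }

  # The platform's IPv4 rules path is a symlink to the shared rules file.
  # NOTE(review): owner/group/mode are kept from the original; on Linux the
  # permissions that actually protect the rules are those of the link target
  # above, so confirm Puppet does not warn about mode on a symlink here.
  file { $::iptables::params::ipv4_rules:
    ensure  => link,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    target  => $rules_file,
    require => File[$rules_file],
    notify  => Service['iptables'],
  }

  # The IPv6 rules are rendered straight to the platform's IPv6 rules path.
  file { $::iptables::params::ipv6_rules:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('iptables/rules.v6.erb'),
    require => [
      Package['iptables'],
      File[$::iptables::params::rules_dir],
    ],
    # When this file is updated, make sure the rules get reloaded.
    notify  => Service['iptables'],
  }
}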