Fix the way iptables rules are managed

Today we use iptables-save to store the configuration related to the firewall (we enable INPUT traffic for pacemaker remote on all the hosts) but this method is not reliable since Neutron put and remove rules by itself, and by using iptables-save we also store them. This patch treat the single rule in both apply and undo playbooks so that we don't touch anything that neutron might touch. Change-Id: I6293d7a065f8e531de6218f272a8b08844b3eb42
2018-05-22 16:42:25 +02:00 · 2018-05-22 16:42:25 +02:00 · 20bbd0f456
commit 20bbd0f456
parent e3aca95dca
2 changed files with 25 additions and 5 deletions
--- a/roles/instance-ha/tasks/apply.yml
+++ b/roles/instance-ha/tasks/apply.yml
@ -89,8 +89,18 @@
 - name: Enable iptables traffic for pacemaker_remote
  become: yes
  shell: |
-    iptables -I INPUT -p tcp --dport 3121 -j ACCEPT
-    /sbin/service iptables save
+    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
+  delegate_to: "{{ item }}"
+  with_items:
+    - "{{ groups['controller'] }}"
+    - "{{ groups['compute'] }}"
+
+- name: Make iptables pacemaker_remote rule permanent
+  become: yes
+  lineinfile:
+    path: /etc/sysconfig/iptables
+    line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
+    insertafter: ":OUTPUT ACCEPT"
  delegate_to: "{{ item }}"
  with_items:
    - "{{ groups['controller'] }}"
--- a/roles/instance-ha/tasks/undo.yml
+++ b/roles/instance-ha/tasks/undo.yml
@ -129,11 +129,21 @@
 - name: Disable iptables traffic for pacemaker_remote
  become: yes
  shell: |
-    for rule in $(iptables-save | grep "\-A INPUT \-p tcp \-\-dport 3121 \-j ACCEPT")
+    while [ $(iptables-save | grep -c "\-A INPUT \-p tcp \-m state \-\-state NEW \-m tcp \-\-dport 3121 \-j ACCEPT") -ne 0 ]
     do
-      iptables -D INPUT -p tcp --dport 3121 -j ACCEPT
+      iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
     done
-    /sbin/service iptables save
+  delegate_to: "{{ item }}"
+  with_items:
+    - "{{ groups['controller'] }}"
+    - "{{ groups['compute'] }}"
+
+- name: Remove iptables pacemaker_remote permanent rule
+  become: yes
+  lineinfile:
+    path: /etc/sysconfig/iptables
+    line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
+    state: absent
  delegate_to: "{{ item }}"
  with_items:
    - "{{ groups['controller'] }}"