Fix the way iptables rules are managed
Today we use iptables-save to store the configuration related to the firewall (we enable INPUT traffic for pacemaker remote on all the hosts), but this method is not reliable since Neutron adds and removes rules by itself, and by using iptables-save we also store those. This patch treats the single rule in both the apply and undo playbooks so that we don't touch anything that Neutron might touch. Change-Id: I6293d7a065f8e531de6218f272a8b08844b3eb42
This commit is contained in:
parent
e3aca95dca
commit
20bbd0f456
@ -89,8 +89,18 @@
|
||||
- name: Enable iptables traffic for pacemaker_remote
|
||||
become: yes
|
||||
shell: |
|
||||
iptables -I INPUT -p tcp --dport 3121 -j ACCEPT
|
||||
/sbin/service iptables save
|
||||
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
|
||||
delegate_to: "{{ item }}"
|
||||
with_items:
|
||||
- "{{ groups['controller'] }}"
|
||||
- "{{ groups['compute'] }}"
|
||||
|
||||
- name: Make iptables pacemaker_remote rule permanent
|
||||
become: yes
|
||||
lineinfile:
|
||||
path: /etc/sysconfig/iptables
|
||||
line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
|
||||
insertafter: ":OUTPUT ACCEPT"
|
||||
delegate_to: "{{ item }}"
|
||||
with_items:
|
||||
- "{{ groups['controller'] }}"
|
||||
|
@ -129,11 +129,21 @@
|
||||
- name: Disable iptables traffic for pacemaker_remote
|
||||
become: yes
|
||||
shell: |
|
||||
for rule in $(iptables-save | grep "\-A INPUT \-p tcp \-\-dport 3121 \-j ACCEPT")
|
||||
while [ $(iptables-save | grep -c "\-A INPUT \-p tcp \-m state \-\-state NEW \-m tcp \-\-dport 3121 \-j ACCEPT") -ne 0 ]
|
||||
do
|
||||
iptables -D INPUT -p tcp --dport 3121 -j ACCEPT
|
||||
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
|
||||
done
|
||||
/sbin/service iptables save
|
||||
delegate_to: "{{ item }}"
|
||||
with_items:
|
||||
- "{{ groups['controller'] }}"
|
||||
- "{{ groups['compute'] }}"
|
||||
|
||||
- name: Remove iptables pacemaker_remote permanent rule
|
||||
become: yes
|
||||
lineinfile:
|
||||
path: /etc/sysconfig/iptables
|
||||
line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
|
||||
state: absent
|
||||
delegate_to: "{{ item }}"
|
||||
with_items:
|
||||
- "{{ groups['controller'] }}"
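Review bot: The runtime rule is added on both `groups['controller']` and `groups['compute']`, but the "Make iptables pacemaker_remote rule permanent" task (first hunk) and its "Remove ... permanent rule" counterpart (second hunk) only loop over `groups['controller']`, so on compute hosts the ACCEPT rule disappears on the next iptables restart or reboot and the undo playbook never cleans a persisted copy there; add `- "{{ groups['compute'] }}"` to the `with_items` of both lineinfile tasks if that is not deliberate. The runtime task is also not idempotent: `iptables -A` appends a duplicate on every playbook run (the while loop in the undo hunk exists precisely to drain them), and switching from the old `-I` to `-A` places the rule at the end of INPUT, after any terminal REJECT rule a stock RHEL ruleset carries, where it would not take effect until the saved file is reloaded — the persisted line, by contrast, is inserted right after `:OUTPUT ACCEPT`. If the iptables build on these hosts supports `-C`, a guarded insert keeps runtime and saved placement consistent and reruns clean: `iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT 2>/dev/null || iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT`. Consider also whether the rule should carry a `-s` restricted to the cluster network rather than accepting 3121 from any source, if such a variable exists in the inventory.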
|
||||
|