Merge "Fix the way iptables rules are managed"

2018-05-23 10:27:50 +00:00 · 2018-05-23 10:27:50 +00:00 · 23b0d18a1f
commit 23b0d18a1f
parent d78e5a9dbb 20bbd0f456
2 changed files with 25 additions and 5 deletions
--- a/roles/instance-ha/tasks/apply.yml
+++ b/roles/instance-ha/tasks/apply.yml
@ -89,8 +89,18 @@
 - name: Enable iptables traffic for pacemaker_remote
  become: yes
  shell: |
-    iptables -I INPUT -p tcp --dport 3121 -j ACCEPT
-    /sbin/service iptables save
+    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
+  delegate_to: "{{ item }}"
+  with_items:
+    - "{{ groups['controller'] }}"
+    - "{{ groups['compute'] }}"
+
+- name: Make iptables pacemaker_remote rule permanent
+  become: yes
+  lineinfile:
+    path: /etc/sysconfig/iptables
+    line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
+    insertafter: ":OUTPUT ACCEPT"
  delegate_to: "{{ item }}"
  with_items:
    - "{{ groups['controller'] }}"
--- a/roles/instance-ha/tasks/undo.yml
+++ b/roles/instance-ha/tasks/undo.yml
@ -129,11 +129,21 @@
 - name: Disable iptables traffic for pacemaker_remote
  become: yes
  shell: |
-    for rule in $(iptables-save | grep "\-A INPUT \-p tcp \-\-dport 3121 \-j ACCEPT")
+    while [ $(iptables-save | grep -c "\-A INPUT \-p tcp \-m state \-\-state NEW \-m tcp \-\-dport 3121 \-j ACCEPT") -ne 0 ]
     do
-      iptables -D INPUT -p tcp --dport 3121 -j ACCEPT
+      iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT
     done
-    /sbin/service iptables save
+  delegate_to: "{{ item }}"
+  with_items:
+    - "{{ groups['controller'] }}"
+    - "{{ groups['compute'] }}"
+
+- name: Remove iptables pacemaker_remote permanent rule
+  become: yes
+  lineinfile:
+    path: /etc/sysconfig/iptables
+    line: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 3121 -j ACCEPT"
+    state: absent
  delegate_to: "{{ item }}"
  with_items:
    - "{{ groups['controller'] }}"