make firewall rules more intelligent.

This adds the following functionality for firewall rules used by browbeat and connman: * checks if firewalld or iptables is in use * applies the appropriate rules depending on firewall mechanism * saves rulesets and reloads with persistence without clobbering any existing rulesets that might already be in place. * does nothing is firewall is disabled. This improves upon the current functionality which does not add persistence to rules, assumes iptables-services and only saves the rules in memory. Further, on EL7+ firewalld is the default so this seems a better course of action. Patchset #2: use no_log: true to suppress unecessary verbosity during firewall status discovery Patchset #3: connmon isn't "connman" Change-Id: Ic223e64de9570d4b269228faeaee9f444358f42b
2016-06-17 16:53:27 +01:00 · 2016-06-17 16:53:27 +01:00 · f740759c08
commit f740759c08
parent 0e1429d779
3 changed files with 119 additions and 17 deletions
--- a/ansible/install/group_vars/all.yml
+++ b/ansible/install/group_vars/all.yml
@ -104,6 +104,12 @@ shaker_flavor: m1.small
 shaker_centos: "{{shaker_venv}}/lib/python2.7/site-packages/shaker/resources/image_builder_templates/centos.yaml"
 shaker_region: regionOne

+#######################################
+# Connman Configuration
+#######################################
+# Port for Connman
+connmon_port: 5800
+
 ########################################
 # Browbeat Network Configuration
 ########################################
--- a/ansible/install/roles/browbeat/tasks/main.yml
+++ b/ansible/install/roles/browbeat/tasks/main.yml
@ -79,18 +79,65 @@
 - name: Install shaker
  pip: name=pyshaker version=0.0.10 virtualenv={{ shaker_venv }}

- name: Check for shaker port in iptables
-  shell: iptables -nvL | grep -q "dpt:"{{ shaker_port }}""
-  become: true
-  changed_when: false
-  register: shaker_iptables
+### begin firewall ###
+# we need TCP/5555 open
+# determine firewall status and take action
+# 1) use firewall-cmd if firewalld is utilized
+# 2) insert iptables rule if iptables is used
+
+# Firewalld
+- name: (shaker) Determine if firewalld is in use
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
+  register: firewalld_in_use
+  no_log: true

- name: Open up shaker port in iptables
-  shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport {{ shaker_port }} -j ACCEPT
+- name: (shaker) Determine if firewalld is active
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (shaker) Determine if TCP/{{shaker_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{shaker_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{shaker_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
  become: true
-  when: shaker_iptables.rc == 1
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{shaker_port}}_exists.rc != 0

+# iptables-services
+- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services)
+  shell: grep "dport {{shaker_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp5555_exists
+  failed_when: iptables_tcp{{shaker_port}}_exists == 127
+  no_log: true
+
+- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{shaker_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5555_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (shaker) Restart iptables-services for TCP/{{shaker_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###
 #
 # Serve results out of httpd if results_in_httpd is set to true
 #
--- a/ansible/install/roles/connmon/tasks/main.yml
+++ b/ansible/install/roles/connmon/tasks/main.yml
@ -37,13 +37,62 @@
  changed_when: false
  ignore_errors: true

- name: check iptables
-  shell: iptables -nvL | grep -q "dpt:5800"
-  changed_when: false
-  when: undercloud
-  register: connmon_port
-  ignore_errors: true
+### begin firewall ###
+# we need TCP/5555 open
+# determine firewall status and take action
+# 1) use firewall-cmd if firewalld is utilized
+# 2) insert iptables rule if iptables is used

- name: open up iptables
-  shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport 5800 -j ACCEPT
-  when: undercloud and connmon_port.rc == 1
+# Firewalld
+- name: (connmon) Determine if firewalld is in use
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
+  ignore_errors: true
+  register: firewalld_in_use
+  no_log: true
+
+- name: (connmon) Determine if firewalld is active
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (connmon) Determine if TCP/{{connmon_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{connmon_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{connmon_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
+  become: true
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
+
+# iptables-services
+- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
+  shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp5800_exists
+  failed_when: iptables_tcp{{connmon_port}}_exists == 127
+  no_log: true
+
+- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{connmon_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###