make firewall rules more intelligent.

This adds the following functionality for firewall rules
used by browbeat and connman:

* checks if firewalld or iptables is in use
* applies the appropriate rules depending on firewall mechanism
* saves rulesets and reloads with persistence without clobbering
  any existing rulesets that might already be in place.
* does nothing is firewall is disabled.

This improves upon the current functionality which does not add
persistence to rules, assumes iptables-services and only saves
the rules in memory.  Further, on EL7+ firewalld is the default
so this seems a better course of action.

Patchset #2: use no_log: true to suppress unecessary verbosity
during firewall status discovery
Patchset #3: connmon isn't "connman"

Change-Id: Ic223e64de9570d4b269228faeaee9f444358f42b

ansible/install/group_vars/all.yml

@@ -104,6 +104,12 @@ shaker_flavor: m1.small
 shaker_centos: "{{shaker_venv}}/lib/python2.7/site-packages/shaker/resources/image_builder_templates/centos.yaml"
 shaker_region: regionOne
 
+#######################################
+# Connman Configuration
+#######################################
+# Port for Connman
+connmon_port: 5800
+
 ########################################
 # Browbeat Network Configuration
 ########################################

ansible/install/roles/browbeat/tasks/main.yml

@@ -79,18 +79,65 @@
 - name: Install shaker
   pip: name=pyshaker version=0.0.10 virtualenv={{ shaker_venv }}
 
-- name: Check for shaker port in iptables
+### begin firewall ###
-  shell: iptables -nvL | grep -q "dpt:"{{ shaker_port }}""
+# we need TCP/5555 open
-  become: true
+# determine firewall status and take action
-  changed_when: false
+# 1) use firewall-cmd if firewalld is utilized
-  register: shaker_iptables
+# 2) insert iptables rule if iptables is used
+
+# Firewalld
+- name: (shaker) Determine if firewalld is in use
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
   ignore_errors: true
+  register: firewalld_in_use
+  no_log: true
 
-- name: Open up shaker port in iptables
+- name: (shaker) Determine if firewalld is active
-  shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport {{ shaker_port }} -j ACCEPT
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (shaker) Determine if TCP/{{shaker_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{shaker_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{shaker_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
   become: true
-  when: shaker_iptables.rc == 1
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{shaker_port}}_exists.rc != 0
 
+# iptables-services
+- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services)
+  shell: grep "dport {{shaker_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp5555_exists
+  failed_when: iptables_tcp{{shaker_port}}_exists == 127
+  no_log: true
+
+- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{shaker_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5555_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (shaker) Restart iptables-services for TCP/{{shaker_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###
 #
 # Serve results out of httpd if results_in_httpd is set to true
 #

ansible/install/roles/connmon/tasks/main.yml

@@ -37,13 +37,62 @@
   changed_when: false
   ignore_errors: true
 
-- name: check iptables
+### begin firewall ###
-  shell: iptables -nvL | grep -q "dpt:5800"
+# we need TCP/5555 open
-  changed_when: false
+# determine firewall status and take action
-  when: undercloud
+# 1) use firewall-cmd if firewalld is utilized
-  register: connmon_port
+# 2) insert iptables rule if iptables is used
-  ignore_errors: true
 
-- name: open up iptables
+# Firewalld
-  shell: /usr/sbin/iptables -I INPUT 1 -p tcp --dport 5800 -j ACCEPT
+- name: (connmon) Determine if firewalld is in use
-  when: undercloud and connmon_port.rc == 1
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
+  ignore_errors: true
+  register: firewalld_in_use
+  no_log: true
+
+- name: (connmon) Determine if firewalld is active
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (connmon) Determine if TCP/{{connmon_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{connmon_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{connmon_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{connmon_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
+  become: true
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{connmon_port}}_exists.rc != 0
+
+# iptables-services
+- name: (connmon) check firewall rules for TCP/{{connmon_port}} (iptables-services)
+  shell: grep "dport {{connmon_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp5800_exists
+  failed_when: iptables_tcp{{connmon_port}}_exists == 127
+  no_log: true
+
+- name: (connmon) Add firewall rule for TCP/{{connmon_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{connmon_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5800_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (connmon) Restart iptables-services for TCP/{{connmon_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###