authorEmilien Macchi <emilien@redhat.com>2017-01-04 13:56:59 -0500
committerEmilien Macchi <emilien@redhat.com>2017-01-05 16:09:43 -0500
commit8c990738900cd74c2c5c046435517393d1afb92e (patch)
tree6167effae91be24ef3b5272ec27976a0abb28ed8 /manifests/firewall
parent20ee458484b150e4f79044e3040dc9f0af0933bc (diff)
firewall: add IPv6 support
This patch adds support for ip6tables rules in TripleO, in an intuitive and flexible fashion. 1) Default firewall rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create an empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules as is done for IPv4. 4) Only create rules that can be created, depending on source/destination IP version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating IPv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
Diffstat (limited to 'manifests/firewall')
-rw-r--r--manifests/firewall/rule.pp32
1 files changed, 27 insertions, 5 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 816e6fe..688144e 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -45,7 +45,7 @@
#
# [*source*]
# (optional) The source IP address associated to the rule.
-# Defaults to '0.0.0.0/0'
+# Defaults to undef
#
# [*iniface*]
# (optional) The network interface associated to the rule.
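Review bot: `# Defaults to undef` records the new default but not its effect, which is the part a caller needs: with `source` and `destination` both unset the define now emits an IPv4 and an IPv6 rule, and a `source` holding a literal of one family restricts the rule to that family. Suggest `# Defaults to undef, which leaves the rule unrestricted by source; when neither source nor destination is set, both an IPv4 and an IPv6 rule are created.` The `destination` documentation, outside this hunk, presumably needs the same sentence.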
@@ -70,7 +70,7 @@ define tripleo::firewall::rule (
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
- $source = '0.0.0.0/0',
+ $source = undef,
$iniface = undef,
$chain = 'INPUT',
$destination = undef,
@@ -96,6 +96,16 @@ define tripleo::firewall::rule (
'chain' => $chain,
'destination' => $destination,
}
+ if $proto == 'icmp' {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ 'proto' => 'ipv6-icmp',
+ }
+ } else {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ }
+ }
if $proto != 'gre' {
$state_rule = {
'state' => $state
@@ -105,8 +115,10 @@ define tripleo::firewall::rule (
}
- $rule = merge($basic, $state_rule, $extras)
- validate_hash($rule)
+ $ipv4_rule = merge($basic, $state_rule, $extras)
+ $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
+ validate_hash($ipv4_rule)
+ validate_hash($ipv6_rule)
# This conditional will ensure that TCP and UDP firewall rules have
# a port specified in the configuration when using INPUT or OUTPUT chains.
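Review bot: On the `$ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)` line `$extras` is merged last, so an `extras` hash that carries `provider` or `proto` overrides the ip6tables provider and the icmp-to-ipv6-icmp conversion set up just above, yielding a resource titled `${title} ipv6` that is not an ip6tables rule; any other IPv4-specific value a caller puts in `$extras` (an ICMP type or a reject target, if those are passed this way) is copied into the IPv6 rule unchanged. If `extras` is not meant to redefine the address family, merging it before the family hash, `$ipv6_rule = merge($basic, $state_rule, $extras, $ipv6)`, makes the family settings authoritative; otherwise a comment on the `extras` parameter saying it is applied verbatim to both the IPv4 and the IPv6 rule would do. The define's header and the rest of its body are outside this hunk.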
@@ -117,6 +129,16 @@ define tripleo::firewall::rule (
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
}
- create_resources('firewall', { "${title}" => $rule })
+ if $source or $destination {
+ if ('.' in $destination or '.' in $source) {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ }
+ if (':' in $destination or ':' in $source) {
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
+ } else {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
}
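Review bot: The family check on the new `if ('.' in $destination or '.' in $source)` and `if (':' in $destination or ':' in $source)` lines classifies by substring, so a mixed pair (an IPv4 `source` with an IPv6 `destination`, or the reverse) satisfies both branches and creates two rules that each carry an address of the wrong family, which is rejected by the provider at apply time rather than at catalog compile time; an IPv4-mapped literal such as `::ffff:192.0.2.1` contains both characters and is split the same way. When only one endpoint is given the other operand is undef, and the branch relies on `'.' in undef` being false, which appears to hold for the Puppet 4 parser but deserves either a comment or the string interpolation used below. Classifying each endpoint once and failing on a mixed pair keeps the surprise at compile time while preserving the both-families default when neither endpoint is set, as in the rewrite below. The resource title also changes from `${title}` to `${title} ipv4`, so on upgrade the previously managed rule presumably stays in the live ruleset unless the firewall module is purging unmanaged rules. The define's header is outside this hunk.
```puppet
  # … unchanged: tcp/udp port check …
  # interpolation turns an unset endpoint into '' so 'in' never sees undef
  $source_v6 = (':' in "${source}")
  $dest_v6   = (':' in "${destination}")
  $source_v4 = ('.' in "${source}") and ! $source_v6
  $dest_v4   = ('.' in "${destination}") and ! $dest_v6
  if ($source_v4 and $dest_v6) or ($source_v6 and $dest_v4) {
    fail("${title} firewall rule cannot be created. source and destination must belong to the same IP family.")
  }
  if $source_v4 or $dest_v4 {
    create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
  } elsif $source_v6 or $dest_v6 {
    create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
  } else {
    # neither endpoint given: the rule applies to both families
    create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
    create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
  }
```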