author | Jenkins <jenkins@review.openstack.org> | 2016-12-22 22:34:41 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-12-22 22:34:41 +0000 |
commit | 1d5e8f11a10d15665f6a752ab1088c7140158eeb (patch) | |
tree | 1d15b32938d33bec3e23654e5b39311d8ad1482b /manifests/haproxy/endpoint.pp | |
parent | 3db7e6bad8d3301eaecbb833c0a934adffbbfb2b (diff) | |
parent | 70c9dca45335150daae65d0bbf44908711b0f1d2 (diff) |
Merge "[CVE-2016-9599] Enforce Firewall TCP / UDP rules management"
Diffstat (limited to 'manifests/haproxy/endpoint.pp')
-rw-r--r-- | manifests/haproxy/endpoint.pp | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 4311049..0bba245 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -149,14 +149,27 @@ define tripleo::haproxy::endpoint (
 }
 if hiera('manage_firewall', true) {
 include ::tripleo::firewall
- $firewall_rules = {
- "100 ${name}_haproxy" => {
- 'dport' => $service_port,
- },
- "100 ${name}_haproxy_ssl" => {
- 'dport' => $public_ssl_port,
- },
+ # This block will construct firewall rules only when we specify
+ # a port for the regular service and also the ssl port for the service.
+ # It makes sure we're not trying to create TCP iptables rules where no port
+ # is specified.
+ if $service_port {
+ $haproxy_firewall_rules = {
+ "100 ${name}_haproxy" => {
+ 'dport' => $service_port,
+ },
+ }
+ }
+ if $public_ssl_port {
+ $haproxy_ssl_firewall_rules = {
+ "100 ${name}_haproxy_ssl" => {
+ 'dport' => $public_ssl_port,
+ },
+ }
+ }
+ $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+ if $service_port or $public_ssl_port {
+ create_resources('tripleo::firewall::rule', $firewall_rules)
 }
- create_resources('tripleo::firewall::rule', $firewall_rules)
 }
 }
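Review bot: `$haproxy_firewall_rules` and `$haproxy_ssl_firewall_rules` are only assigned inside their respective `if` blocks, so when one of the two ports is unset the `merge(...)` line reads a variable that was never assigned; that is a compilation error under `strict_variables = true` and otherwise relies on stdlib's `merge` tolerating an undef argument. Making the absent-port case explicit, e.g. `$firewall_rules = merge(pick($haproxy_firewall_rules, {}), pick($haproxy_ssl_firewall_rules, {}))`, or adding `else { $haproxy_firewall_rules = {} }` branches to both conditionals, removes that dependency. The new comment also overstates the condition — a rule is created for whichever port is given, not only when both are — so `# Build a firewall rule for each port that is actually set; a missing port must never yield a rule without a dport.` would describe the behaviour more accurately. With both variables defaulting to an empty hash, the `if $service_port or $public_ssl_port` guard around `create_resources` looks redundant, since `create_resources` over an empty hash should create nothing. The enclosing `define tripleo::haproxy::endpoint` starts outside the hunk.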