authorEmilien Macchi <emilien@redhat.com>2015-06-08 17:45:58 -0400
committerEmilien Macchi <emilien@redhat.com>2015-06-12 14:28:27 -0400
commitd091e46dc061d81c3a9e2f561efa15a4ee94a187 (patch)
tree5eea7413685c733817f901fcf1137da7d84ea331 /manifests/init.pp
parenta077eaf307998b3a9996fc5c0846f6604139a3e7 (diff)
Implement Advanced Firewalling support
* Provide a define (defined type) that allows managing iptables rules.
* Manage rules in 'pre' and 'post' Puppet stages, which allows creating rules before and after the regular Puppet stages (i.e. to make sure no rule exists *before*, and that everything is blocked *after*, the regular Puppet stages).

Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
Diffstat (limited to 'manifests/init.pp')
-rw-r--r--manifests/init.pp70
1 files changed, 69 insertions, 1 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 9f6d775..cdaf95a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -17,7 +17,75 @@
#
# Installs the system requirements
#
+# === Parameters:
+#
+# [*manage_firewall*]
+# (optional) Completely enable or disable firewall settings
+# (false means disabled, and true means enabled)
+# Defaults to false
+#
+# [*firewall_rules*]
+# (optional) Allow to add custom firewall rules
+# Should be an hash.
+# Default to {}
+#
+# [*purge_firewall_rules*]
+# (optional) Boolean, purge all firewall resources
+# Defaults to false
+#
+# [*firewall_pre_extras*]
+# (optional) Allow to add custom parameters to firewall rules (pre stage)
+# Should be an hash.
+# Default to {}
+#
+# [*firewall_post_extras*]
+# (optional) Allow to add custom parameters to firewall rules (post stage)
+# Should be an hash.
+# Default to {}
+#
+class tripleo(
+ $manage_firewall = false,
+ $firewall_rules = {},
+ $purge_firewall_rules = false,
+ $firewall_pre_extras = {},
+ $firewall_post_extras = {},
+) {
+
+ include ::stdlib
+
+ if $manage_firewall {
+
+ # Only purges IPv4 rules
+ if $purge_firewall_rules {
+ resources { 'firewall':
+ purge => true
+ }
+ }
+
+ # anyone can add your own rules
+ # example with Hiera:
+ #
+ # tripleo::firewall::rules:
+ # '300 allow custom application 1':
+ # port: 999
+ # proto: udp
+ # action: accept
+ # '301 allow custom application 2':
+ # port: 8081
+ # proto: tcp
+ # action: accept
+ #
+ create_resources('tripleo::firewall::rule', $firewall_rules)
+
+ ensure_resource('class', 'tripleo::firewall::pre', {
+ 'firewall_settings' => $firewall_pre_extras,
+ 'stage' => 'setup',
+ })
-class tripleo{
+ ensure_resource('class', 'tripleo::firewall::post', {
+ 'stage' => 'runtime',
+ 'firewall_settings' => $firewall_post_extras,
+ })
+ }
}
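Review bot: The Hiera example in the comment block above the `create_resources` call uses the key `tripleo::firewall::rules`, but the parameter it feeds is `$firewall_rules` of class `tripleo`, so under automatic parameter lookup the key would be `tripleo::firewall_rules` — unless some other lookup elsewhere in the module reads the documented key, the example will silently do nothing; I would correct the comment to `# tripleo::firewall_rules:`. The class documents `firewall_rules`, `firewall_pre_extras` and `firewall_post_extras` as hashes and the two flags as booleans but never checks them; since `::stdlib` is already included, adding `validate_bool($manage_firewall, $purge_firewall_rules)` and `validate_hash($firewall_rules, $firewall_pre_extras, $firewall_post_extras)` right after the `include` turns a bad Hiera value into a clear compile error instead of an obscure failure inside `create_resources`. The `purge => true` on `resources { 'firewall': ... }` removes every iptables rule Puppet does not manage, including rules added by services outside Puppet, so the parameter doc should say so explicitly rather than just "purge all firewall resources" — the default of false keeps it opt-in, which is right. The `'setup'` and `'runtime'` stages passed to `tripleo::firewall::pre`/`post` are not Puppet's built-in stages and must be declared elsewhere (presumably in the site manifest) for the ordering the commit message relies on to hold; a one-line comment naming where they are declared would help. Per the hunk header counts, one or two trailing context lines appear to lie past the visible end of the hunk, but the class body itself closes on the last visible line.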