-rw-r--r-- | manifests/firewall/post.pp | 2 | ||||
-rw-r--r-- | manifests/firewall/rule.pp | 16 | ||||
-rw-r--r-- | manifests/pacemaker/haproxy_with_vip.pp | 20 |
3 files changed, 30 insertions, 8 deletions
diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
index b76db75..7b5f563 100644
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@@ -36,7 +36,7 @@ class tripleo::firewall::post(
 if $debug {
 warning('debug is enabled, the traffic is not blocked.')
 } else {
- firewall { '998 log all':
+ tripleo::firewall::rule{ '998 log all':
 proto => 'all',
 jump => 'LOG',
 }
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 688144e..f1ea0c9 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -39,6 +39,10 @@
 # (optional) The action policy associated to the rule.
 # Defaults to 'accept'
 #
+# [*jump*]
+# (optional) The chain to jump to.
+# If present, overrides action
+#
 # [*state*]
 # (optional) Array of states associated to the rule..
 # Defaults to ['NEW']
@@ -75,6 +79,7 @@ define tripleo::firewall::rule (
 $chain = 'INPUT',
 $destination = undef,
 $extras = {},
+ $jump = undef,
 ) {

 if $port == 'all' {
@@ -85,16 +90,25 @@ define tripleo::firewall::rule (
 $port_real = $port
 }

+ if $jump != undef {
+ $jump_real = $jump
+ $action_real = undef
+ } else {
+ $jump_real = undef
+ $action_real = $action
+ }
+
 $basic = {
 'port' => $port_real,
 'dport' => $dport,
 'sport' => $sport,
 'proto' => $proto,
- 'action' => $action,
+ 'action' => $action_real,
 'source' => $source,
 'iniface' => $iniface,
 'chain' => $chain,
 'destination' => $destination,
+ 'jump' => $jump_real,
 }
 if $proto == 'icmp' {
 $ipv6 = {
diff --git a/manifests/pacemaker/haproxy_with_vip.pp b/manifests/pacemaker/haproxy_with_vip.pp
index a27b94b..1fc3ff7 100644
--- a/manifests/pacemaker/haproxy_with_vip.pp
+++ b/manifests/pacemaker/haproxy_with_vip.pp
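Review bot: Routing `'998 log all'` through `tripleo::firewall::rule` means the define's own defaults now apply to this catch-all LOG rule, and the rule.pp hunk below documents `state` as defaulting to `['NEW']`; if that default is forwarded to the underlying firewall resource (not visible in this diff), only NEW-state packets get logged, whereas the bare `firewall` resource logged every packet that reached the rule. Worth confirming that narrowing is intended, or passing `state` explicitly so the log rule keeps its coverage, since this rule is what shows up in the logs when traffic is dropped by the default policy. A one-line comment above the resource, `# uses the jump parameter of tripleo::firewall::rule; action is left unset so this rule only logs`, would make the dependency on the rule.pp change explicit.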
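Review bot: In the last rule.pp hunk the `if $jump != undef` branch silently discards `$action` whenever `jump` is given, so a caller that passes both (say `action => 'drop'` together with `jump => 'LOG'`) ends up with a rule that logs and never drops, and nothing in the compiled catalog says so. Because `action` defaults to `'accept'` the define cannot distinguish an explicit value from the default, so a hard `fail()` is not an option, but a `warning("tripleo::firewall::rule ${title}: jump is set, action is ignored")` inside that branch would surface the override at compile time. The parameter documentation added in the second hunk should also follow the convention of its neighbours and end with `#   Defaults to undef`, and the line `If present, overrides action` could say that `action` is dropped rather than merged so readers do not expect both to apply.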
@@ -57,17 +57,25 @@ define tripleo::pacemaker::haproxy_with_vip(
 $ensure = true) {
 if($ensure) {
+ # NB: Until the IPaddr2 RA has a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1445628
+ # we need to specify the nic when creating the ipv6 vip.
 if is_ipv6_address($ip_address) {
- $netmask = '64'
+ $netmask = '128'
+ $nic = interface_for_ip($ip_address)
+ $ipv6_addrlabel = '99'
 } else {
- $netmask = '32'
+ $netmask = '32'
+ $nic = ''
+ $ipv6_addrlabel = ''
 }

 pacemaker::resource::ip { "${vip_name}_vip":
- ip_address => $ip_address,
- cidr_netmask => $netmask,
- location_rule => $location_rule,
- tries => $pcs_tries,
+ ip_address => $ip_address,
+ cidr_netmask => $netmask,
+ nic => $nic,
+ ipv6_addrlabel => $ipv6_addrlabel,
+ location_rule => $location_rule,
+ tries => $pcs_tries,
 }

 pacemaker::constraint::order { "${vip_name}_vip-then-haproxy":
 first_resource => "ip-${ip_address}",
|
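Review bot: `$nic = interface_for_ip($ip_address)` is used without checking its result; if the function cannot map the VIP to a local interface (plausible for an address that only exists once pacemaker brings it up) the resource is presumably created with an empty `nic` and the IPaddr2 workaround the new comment describes silently does not apply, which only shows up later as a resource that fails to start. A guard such as `if $nic == '' { fail("Cannot determine the interface for IPv6 VIP ${ip_address}") }` right after the assignment would turn that into a catalog compile error instead. The move from `'64'` to `'128'` and the literal `'99'` are unexplained magic values; a short comment stating why the VIP is now a /128 and what address label 99 is meant to achieve would help, since the bugzilla link alone does not say. Whether `pacemaker::resource::ip` treats `nic => ''` and `ipv6_addrlabel => ''` as "unset" in the IPv4 branch is outside this diff and worth confirming.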