-rw-r--r--manifests/firewall/post.pp2
-rw-r--r--manifests/firewall/rule.pp16
-rw-r--r--manifests/pacemaker/haproxy_with_vip.pp20
3 files changed, 30 insertions, 8 deletions
diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
index b76db75..7b5f563 100644
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@@ -36,7 +36,7 @@ class tripleo::firewall::post(
if $debug {
warning('debug is enabled, the traffic is not blocked.')
} else {
- firewall { '998 log all':
+ tripleo::firewall::rule{ '998 log all':
proto => 'all',
jump => 'LOG',
}
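Review bot: Declaring '998 log all' through `tripleo::firewall::rule` instead of the bare `firewall` type makes it inherit the define's defaults, and rule.pp documents `state` as defaulting to `['NEW']`. If that default is applied here, the rule will no longer log packets in other states (for example INVALID) before the blocking rule that presumably follows, which narrows the audit trail. The define's body is only partly visible on this page, so confirm how `state` is merged. Either pass the intended state explicitly on this declaration, or record the narrowing with a comment such as `# logs state NEW only (tripleo::firewall::rule default)`. The enclosing class starts and ends outside the hunk.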
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 688144e..f1ea0c9 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -39,6 +39,10 @@
# (optional) The action policy associated to the rule.
# Defaults to 'accept'
#
+# [*jump*]
+# (optional) The chain to jump to.
+# If present, overrides action
+#
# [*state*]
# (optional) Array of states associated to the rule..
# Defaults to ['NEW']
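Review bot: The new `[*jump*]` entry omits the default, which the neighbouring parameter entries state. It also does not say that a supplied `action` is discarded rather than combined with the jump. I would add `# Defaults to undef` and reword the second line to `# If set, action is ignored and not passed to the firewall resource.` so a reader of the header knows a terminating policy cannot be combined with a jump target.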
@@ -75,6 +79,7 @@ define tripleo::firewall::rule (
$chain = 'INPUT',
$destination = undef,
$extras = {},
+ $jump = undef,
) {
if $port == 'all' {
@@ -85,16 +90,25 @@ define tripleo::firewall::rule (
$port_real = $port
}
+ if $jump != undef {
+ $jump_real = $jump
+ $action_real = undef
+ } else {
+ $jump_real = undef
+ $action_real = $action
+ }
+
$basic = {
'port' => $port_real,
'dport' => $dport,
'sport' => $sport,
'proto' => $proto,
- 'action' => $action,
+ 'action' => $action_real,
'source' => $source,
'iniface' => $iniface,
'chain' => $chain,
'destination' => $destination,
+ 'jump' => $jump_real,
}
if $proto == 'icmp' {
$ipv6 = {
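Review bot: When `$jump` is set, the new `if` block drops `$action` without any signal, so a declaration such as `action => 'drop', jump => 'LOG'` compiles into a LOG-only rule and the requested drop disappears silently. For a firewall define that is a risky failure mode. Since `action` is documented as defaulting to 'accept', a non-default value alongside `jump` can be detected and reported, e.g. `if $action != 'accept' { warning("${title}: action '${action}' ignored because jump is set") }` inside the first branch, or `fail()` if the project prefers a hard stop. The `$extras` hash is merged outside this hunk, so it is worth checking that it cannot put an `action` key back next to `jump`. The define's body continues past the end of the hunk.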
diff --git a/manifests/pacemaker/haproxy_with_vip.pp b/manifests/pacemaker/haproxy_with_vip.pp
index a27b94b..1fc3ff7 100644
--- a/manifests/pacemaker/haproxy_with_vip.pp
+++ b/manifests/pacemaker/haproxy_with_vip.pp
@@ -57,17 +57,25 @@ define tripleo::pacemaker::haproxy_with_vip(
$ensure = true)
{
if($ensure) {
+ # NB: Until the IPaddr2 RA has a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1445628
+ # we need to specify the nic when creating the ipv6 vip.
if is_ipv6_address($ip_address) {
- $netmask = '64'
+ $netmask = '128'
+ $nic = interface_for_ip($ip_address)
+ $ipv6_addrlabel = '99'
} else {
- $netmask = '32'
+ $netmask = '32'
+ $nic = ''
+ $ipv6_addrlabel = ''
}
pacemaker::resource::ip { "${vip_name}_vip":
- ip_address => $ip_address,
- cidr_netmask => $netmask,
- location_rule => $location_rule,
- tries => $pcs_tries,
+ ip_address => $ip_address,
+ cidr_netmask => $netmask,
+ nic => $nic,
+ ipv6_addrlabel => $ipv6_addrlabel,
+ location_rule => $location_rule,
+ tries => $pcs_tries,
}
pacemaker::constraint::order { "${vip_name}_vip-then-haproxy":
first_resource => "ip-${ip_address}",
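Review bot: In the IPv6 branch the result of `interface_for_ip($ip_address)` is passed straight to `nic` without a check, while the added NB comment says the nic must be specified for the IPv6 VIP. `interface_for_ip` is not defined on this page, so whether it can return an empty value is an assumption. If it can (no local interface in the VIP's network when the catalog is compiled), the workaround is skipped silently. A guard such as `if ! $nic { fail("no interface found for ${ip_address}") }` after the assignment would surface that at compile time. Separately, the change from '64' to '128' and the literal '99' for `ipv6_addrlabel` are not covered by the NB comment; one line saying why the VIP is now a host address and what the label value is for would help the next reader. The define starts and ends outside the hunk.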