Diffstat (limited to 'manifests/firewall/rule.pp')
-rw-r--r--manifests/firewall/rule.pp51
1 files changed, 45 insertions, 6 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 6801dc4..688144e 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -45,7 +45,7 @@
#
# [*source*]
# (optional) The source IP address associated to the rule.
-# Defaults to '0.0.0.0/0'
+# Defaults to undef
#
# [*iniface*]
# (optional) The network interface associated to the rule.
@@ -70,15 +70,23 @@ define tripleo::firewall::rule (
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
- $source = '0.0.0.0/0',
+ $source = undef,
$iniface = undef,
$chain = 'INPUT',
$destination = undef,
$extras = {},
) {
+ if $port == 'all' {
+ warning("All ${proto} traffic will be open on this host.")
+ # undef so the IPtables rule won't have any port specified.
+ $port_real = undef
+ } else {
+ $port_real = $port
+ }
+
$basic = {
- 'port' => $port,
+ 'port' => $port_real,
'dport' => $dport,
'sport' => $sport,
'proto' => $proto,
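Review bot: The `'all'` sentinel accepted for `$port` at L34 is not documented in the parameter header, so a reader of the `[*port*]` entry (above hunk 1, outside this hunk) cannot tell that the string is special or that it removes the port restriction entirely. The header should gain a line such as `# Set to 'all' to open every port for the protocol; a warning is emitted and no port is set on the rule.`. It is also worth a one-line comment next to `$port_real = undef` that the later TCP/UDP sanity check deliberately tests `$port`, not `$port_real`, so an explicit `'all'` passes while a missing port does not — that coupling is easy to break when one of the two is edited.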
@@ -88,6 +96,16 @@ define tripleo::firewall::rule (
'chain' => $chain,
'destination' => $destination,
}
+ if $proto == 'icmp' {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ 'proto' => 'ipv6-icmp',
+ }
+ } else {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ }
+ }
if $proto != 'gre' {
$state_rule = {
'state' => $state
@@ -97,9 +115,30 @@ define tripleo::firewall::rule (
}
- $rule = merge($basic, $state_rule, $extras)
- validate_hash($rule)
+ $ipv4_rule = merge($basic, $state_rule, $extras)
+ $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
+ validate_hash($ipv4_rule)
+ validate_hash($ipv6_rule)
- create_resources('firewall', { "${title}" => $rule })
+ # This conditional will ensure that TCP and UDP firewall rules have
+ # a port specified in the configuration when using INPUT or OUTPUT chains.
+ # If not, the Puppet catalog will fail.
+ # If we don't do this sanity check, a user could create some TCP/UDP
+ # rules without port, and the result would be an iptables rule that allow any
+ # traffic on the host.
+ if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
+ fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
+ }
+ if $source or $destination {
+ if ('.' in $destination or '.' in $source) {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ }
+ if (':' in $destination or ':' in $source) {
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
+ } else {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
}
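Review bot: A `$source` or `$destination` that contains neither `'.'` nor `':'` (a hostname, for example) falls through both conditionals at L84 and L87, and the define then creates no `firewall` resource at all without any warning, whereas the replaced code at L73 always created one. A guard before the `if $source or $destination` block would turn that silent no-op into a catalog failure: `if ($source or $destination) and !('.' in "${source}${destination}" or ':' in "${source}${destination}") { fail("${title}: source and destination must be IPv4 or IPv6 addresses") }`. Two further edge cases look unhandled: a value such as `::ffff:192.0.2.1` satisfies both tests and yields an ipv4 rule carrying an IPv6 address, and an IPv4 `$source` combined with an IPv6 `$destination` produces two rules that each carry a foreign-family address — presumably both are rejected by the provider at apply time rather than at compile time. Separately, the comment at L75 says the port check applies to INPUT or OUTPUT, but the condition at L80 is `$chain != 'FORWARD'`, so custom chains are gated too; the comment and the `fail` message should say "chains other than FORWARD".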