aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/firewall
AgeCommit message (Collapse)AuthorFilesLines
2017-04-06firewall: generally accept "jump" param and use tripleo:firewall for log ruleGabriele Cerami2-2/+16
Tentative fix for bug #1669763, trying to use the same class for every rule we want to add to the chain. Change-Id: I4ba451c1b258391c8f1cfb4d73e38828c437b1c1 Closes-Bug: #1669763
2017-01-27Add a default rule for dhcpv6 trafficMichele Baldessari1-0/+6
Via bug https://bugs.launchpad.net/tripleo/+bug/1657108 we need to zero out the default rules in /etc/sysconfig/ip{6}tables in the image. We have done this for ipv4, but when we will do it for ipv6 we will also need to make sure we add a rule for dhcpv6 traffic as it is shipped in the iptables rpm. (See https://bugzilla.redhat.com/show_bug.cgi?id=1169036 for more info) With this change we correctly get the rule present (aka the first ACCEPT line. The second line is due to the stock ip6tables rule I had in my testing): [root@overcloud-controller-0 ~]# iptables -nvL |grep 546 [root@overcloud-controller-0 ~]# ip6tables -nvL |grep 546 0 0 ACCEPT udp * * ::/0 fe80::/64 multiport dports 546 /* 004 accept ipv6 dhcpv6 ipv6 */ state NEW 0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW Change-Id: If22080054b2b1fa7acfd101e8c34d2707e8e7864 Partial-Bug: #1657108
2017-01-05firewall: add IPv6 supportEmilien Macchi1-5/+27
This patch adds support for ip6tables rules in TripleO, in a intuitive and flexible fashion. 1) Default firewal rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules like it's for IPv4. 4) Only create rules that can be created, depending on source/destination ip version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating Ipv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi1-1/+18
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-11-24Do not configure state matching when using GREBrent Eagles1-2/+9
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-07-21Add firewall::service_rules defineDan Prince1-0/+38
This patch updates the tripleo::firewall class so that it will support loading firewall rules defined in composable services via the following hiera keys (for nova-api for example): tripleo.nova_api.firewall_rules This patch relies on a new 'service_names' hiera array that should be provided on all TripleO overcloud nodes. Depends-On: I60861c5aa760534db3e314bba16a13b90ea72f0c Change-Id: Id370362ab57347b75b1ab25afda877885b047263
2016-05-05Add dport/sport parameter to firewall ruleJames Slagle2-1/+13
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibily for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from from puppetlabs-firewall. blueprint undercloud-elements Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-20Add destination parameter to firewall ruleJames Slagle1-16/+22
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo. Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2015-06-12Implement Advanced Firewalling supportEmilien Macchi3-0/+188
* Provide a Define function which will allow to manage IPtables rules. * Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages) Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89