summaryrefslogtreecommitdiffstats
path: root/spec/classes/tripleo_firewall_spec.rb
AgeCommit message (Collapse)AuthorFilesLines
2017-01-05firewall: add IPv6 supportEmilien Macchi1-13/+57
This patch adds support for ip6tables rules in TripleO, in a intuitive and flexible fashion. 1) Default firewal rules 'source' parameter to undef. It was 0.0.0.0/0 before but now undef, so we don't need complex logic to support ipv6 rules. undef will create empty source, which is the same as 0.0.0.0/0 or ::/0. 2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules. 3) Automatically create IPv6 rules like it's for IPv4. 4) Only create rules that can be created, depending on source/destination ip version. This patch should be backward compatible and adds a layer of security for IPv6 deployments. If previous deployments were manually creating Ipv6 rules, it's possible that this patch will override them. Our framework is able to configure any rule, so it shouldn't be a problem for upgrades. Co-Authored-By: Ben Nemec <bnemec@redhat.com> Closes-Bug: #1654050 Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
2016-12-22[CVE-2016-9599] Enforce Firewall TCP / UDP rules managementEmilien Macchi1-2/+15
This closes CVE-2016-9599. 1) Sanitize dynamic HAproxy endpoints firewall rules Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need haproxy_ssl rule. The code prepare the hash depending on the service_port and public_ssl_port parameters and create the actual firewall rules only if one of those or both parameters are specified. It will prevent new services without public exposure to open all traffic because no port is specified. 2) Secure Firewall rules creations The code won't allow to create TCP / UDP IPtables rules in INPUT or OUTPUT chains without port or sport or dport, because doing it would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, Puppet catalog will fail with an error explaining why. Example of use-cases: - creating VRRP rules wouldn't require port parameters. - creating TCP or UDP rules would require port parameters. 3) Allow to open all traffic for TCO / UDP (when desired) Some use-cases require to open all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule. Backward compatibility: - if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purpose. - if you users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure. - if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created. - TCP / UDP rules in FORWARD chain without port are still accepted. Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59 Closes-Bug: #1651831
2016-11-24Do not configure state matching when using GREBrent Eagles1-1/+3
The firewall rule quite reasonably sets up a default state matching rule but this is invalid for GRE. This patch conditionally adds the state matching if the protocol is not GRE. Closes-Bug: #1644360 Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
2016-09-21Add in rspec-puppet-facts supportAlex Schultz1-17/+7
This change pulls in rspec-puppet-facts to provide the basic default facts for puppet-tripleo rspec tests. rspec-puppet-facts provides an easy to use interface to allow for the same set of tests to be executed with multiple sets of operating system facts. In most cases this includes defaults for Debian/RedHat based systems. In puppet-tripleo's case this is just RHEL/CentOS. We are removing the Fedora listing from the metadata.json as we only support RHEL and CentOS for tripleo. This change also updates the existing rspec tests to leverage rspec-puppet-facts to be more consistent with how facts are defined. Change-Id: I0ddc71799d74ee95b9828aea6a8dcb4abb4e4e62
2016-05-05Add dport/sport parameter to firewall ruleJames Slagle1-2/+16
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibily for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from from puppetlabs-firewall. blueprint undercloud-elements Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-20Add destination parameter to firewall ruleJames Slagle1-1/+6
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo. Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2015-11-25Fix unit tests failing against Puppet 4.3.0Gael Chamoulaud1-1/+4
Change-Id: I10c0d35b473026a5e1ede265099f73c803402adc Related-bug: #1517805 Signed-off-by: Gael Chamoulaud <gchamoul@redhat.com>
2015-07-15Implement firewalling in tripleo::firewallYanis Guenane1-0/+114
Currently firewalling is implemented in tripleo/init.pp this commit moves it to its own scope tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple and generic `include tripleo::firewall` in every manifest - unconditional. The rest of the behavior will all be managed by hiera. If a user wants to enable firewalling: ``` tripleo::firewall::manage_firewall: true ``` If a user wants to specify firewall rules: ``` tripleo::firewall::firewall_rules: '103 mongod': port: 27017 ``` Change-Id: I144c60db2a568a94dce5b51257f1d10980173325