From d091e46dc061d81c3a9e2f561efa15a4ee94a187 Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Mon, 8 Jun 2015 17:45:58 -0400 Subject: Implement Advanced Firewalling support * Provide a Define function which will allow to manage IPtables rules. * Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages) Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
---
manifests/firewall/post.pp | 51 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 manifests/firewall/post.pp (limited to 'manifests/firewall/post.pp')
diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
new file mode 100644
index 0000000..b76db75
--- /dev/null
+++ b/manifests/firewall/post.pp
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2015 eNovance SAS
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::firewall::post
+#
+# Firewall rules during 'post' Puppet stage
+#
+# === Parameters:
+#
+# [*debug*]
+# (optional) Set log output to debug output
+# Defaults to false
+#
+# [*firewall_settings*]
+# (optional) Allow to add custom parameters to firewall rules
+# Should be an hash.
+# Default to {}
+#
+class tripleo::firewall::post(
+ $debug = false,
+ $firewall_settings = {},
+){
+
+ if $debug {
+ warning('debug is enabled, the traffic is not blocked.')
+ } else {
+ firewall { '998 log all':
+ proto => 'all',
+ jump => 'LOG',
+ }
+ tripleo::firewall::rule{ '999 drop all':
+ proto => 'all',
+ action => 'drop',
+ extras => $firewall_settings,
+ }
+ notice('At this stage, all network traffic is blocked.')
+ }
+
+}
-- cgit 1.2.3-korg
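Review bot: The `'998 log all'` rule jumps to LOG for every packet that reaches it with no rate limit, so once `'999 drop all'` is in place any port scan or burst of unsolicited traffic becomes unbounded kernel/syslog output — a log-flood and disk-fill risk on the hosts this class is meant to lock down. puppetlabs-firewall's `firewall` type exposes `limit` (with `burst`) and `log_prefix` for exactly this; adding something like `limit => '5/min', log_prefix => 'tripleo-drop: ',` to the log rule (constructed values, tune per deployment) keeps the audit trail while bounding volume and making the dropped-traffic entries searchable. The `debug` parameter's doc comment, "Set log output to debug output", does not describe what the code does: when `$debug` is true neither the LOG nor the DROP rule is installed and traffic stays open, so the comment should say so, e.g. `# (optional) When true, do not install the final LOG/DROP rules (traffic is left unblocked)`. Note also that the log rule is declared with `firewall` directly while the drop rule goes through `tripleo::firewall::rule` with `extras => $firewall_settings`, so custom settings never reach the log rule; whether that asymmetry is intended is not visible from this file.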