Split out iptables

Depends-on: I7d8788e8ca9e95a1c6f79f562898464f6fb74ff7
Change-Id: I5c5599c53437c4af4dfc2e3071c42082d2688521

modules.env

@@ -60,6 +60,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-asterisk"]
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elasticsearch"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-gerrit"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-storyboard"]="origin/master"
+INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-iptables"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-zuul"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kibana"]="origin/master"
 INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-lodgeit"]="origin/master"

modules/iptables/manifests/init.pp

@@ -1,89 +0,0 @@
-# Class: iptables
-#
-# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
-#
-# params:
-#   rules4: A list of additional iptables v4 rules
-#          eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
-#   rules6: A list of additional iptables v6 rules
-#          eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
-#   public_tcp_ports: List of integer TCP ports on which to allow all traffic
-#   public_udp_ports: List of integer UDP ports on which to allow all traffic
-class iptables(
-  $rules4 = [],
-  $rules6 = [],
-  $public_tcp_ports = [],
-  $public_udp_ports = []
-) {
-
-  include iptables::params
-
-  package { 'iptables':
-    ensure => present,
-    name   => $::iptables::params::package_name,
-  }
-
-  if ($::in_chroot) {
-    notify { 'iptables in chroot':
-      message => 'Iptables not refreshed, running in chroot',
-    }
-    $notify_iptables = []
-  }
-  else {
-    service { 'iptables':
-      name       => $::iptables::params::service_name,
-      require    => Package['iptables'],
-      hasstatus  => $::iptables::params::service_has_status,
-      status     => $::iptables::params::service_status_cmd,
-      hasrestart => $::iptables::params::service_has_restart,
-      enable     => true,
-    }
-    $notify_iptables = Service['iptables']
-  }
-
-  file { $::iptables::params::rules_dir:
-    ensure     => directory,
-    require    => Package['iptables'],
-  }
-
-  # This file is not required on Red Hat distros... but it
-  # won't hurt to softlink to it either
-  file { "${::iptables::params::rules_dir}/rules":
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0640',
-    content => template('iptables/rules.erb'),
-    require => [
-      Package['iptables'],
-      File[$::iptables::params::rules_dir],
-    ],
-    # When this file is updated, make sure the rules get reloaded.
-    notify  => $notify_iptables,
-  }
-
-  file { $::iptables::params::ipv4_rules:
-    ensure  => link,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0640',
-    target  => "${::iptables::params::rules_dir}/rules",
-    require => File["${::iptables::params::rules_dir}/rules"],
-    notify  => $notify_iptables,
-  }
-
-  file { $::iptables::params::ipv6_rules:
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0640',
-    content => template('iptables/rules.v6.erb'),
-    require => [
-      Package['iptables'],
-      File[$::iptables::params::rules_dir],
-    ],
-    # When this file is updated, make sure the rules get reloaded.
-    notify  => $notify_iptables,
-    replace => true,
-  }
-}

modules/iptables/manifests/params.pp

@@ -1,60 +0,0 @@
-# Class: iptables::params
-#
-# This class holds parameters that need to be
-# accessed by other classes.
-class iptables::params {
-  case $::osfamily {
-    'RedHat': {
-      case $::operatingsystem {
-        'Fedora': {
-          $package_name = 'iptables-services'
-          $service_has_restart = true
-        }
-        'RedHat','CentOS','Scientific': {
-            case $::operatingsystemrelease {
-              /^7/: {
-                $package_name = 'iptables-services'
-                $service_has_restart = true
-              }
-              /^6/: {
-                $package_name = 'iptables'
-                $service_has_restart = false
-              }
-              default: {
-                fail("Unsupported operatingsystemrelease: ${::operatingsystemrelease} The 'iptables' module recognize only 6, 7 as RedHat major versions.")
-              }
-          }
-        }
-        default: {
-          fail("Unsupported operatingsystem: ${::operatingsystem} The 'iptables' module with RedHat osfamily.")
-        }
-      }
-      $service_name = 'iptables'
-      $rules_dir = '/etc/sysconfig'
-      $ipv4_rules = '/etc/sysconfig/iptables'
-      $ipv6_rules = '/etc/sysconfig/ip6tables'
-      $service_has_status = true
-      $service_status_cmd = undef
-    }
-    'Debian': {
-      $package_name = 'iptables-persistent'
-      $service_name = 'iptables-persistent'
-      $rules_dir = '/etc/iptables'
-      $ipv4_rules = '/etc/iptables/rules.v4'
-      $ipv6_rules = '/etc/iptables/rules.v6'
-      # Because there is no running process for this service, the normal status
-      # checks fail.  Because puppet then thinks the service has been manually
-      # stopped, it won't restart it.  This fake status command will trick
-      # puppet into thinking the service is *always* running (which in a way
-      # it is, as iptables is part of the kernel.)
-      $service_has_status = true
-      $service_status_cmd = true
-      # Under Debian, the "restart" parameter does not reload the rules, so
-      # tell Puppet to fall back to stop/start, which does work.
-      $service_has_restart = false
-    }
-    default: {
-      fail("Unsupported osfamily: ${::osfamily} The 'iptables' module only supports osfamily Debian or RedHat (slaves only).")
-    }
-  }
-}

modules/iptables/templates/rules.erb

@@ -1,29 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
-#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
--A openstack-INPUT -m udp -p udp --dport 161 -s 198.61.215.188 -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules4.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-COMMIT

modules/iptables/templates/rules.v6.erb

@@ -1,27 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmpv6 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:780d:0509:3bc3:d7f6:ff04:49de -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules6.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-COMMIT