Add support for resolving hostnames in rules

This allows us to specify rules with hostnames, but have puppet resolve those to IP addresses before writing out the iptables config. This ensures that iptables will always be able to start, as well as keeping firewalls up to date as hosts change. Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350 Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
2017-12-14 11:08:35 -08:00 · 2017-12-14 11:08:35 -08:00 · 8f2af6849c
commit 8f2af6849c
parent e69236f2e6
4 changed files with 20 additions and 1 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -9,6 +9,12 @@
 #          eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
 #   public_tcp_ports: List of integer TCP ports on which to allow all traffic
 #   public_udp_ports: List of integer UDP ports on which to allow all traffic
+#   allowed_hosts: An array of hashes in the form:
+#      hostname => str
+#      port => int
+#      protocol => 'udp' or 'tcp'
+#   All entries in allowed_hosts will be resolved to ip addresses and added as
+#   additional ACCEPT rules
 class iptables(
  $rules4           = [],
  $rules6           = [],
@ -16,6 +22,7 @@ class iptables(
  $public_udp_ports = [],
  $snmp_v4hosts     = [],
  $snmp_v6hosts     = [],
+  $allowed_hosts    = [],
 ) {

  include ::iptables::params
--- a/metadata.json
+++ b/metadata.json
@ -7,5 +7,7 @@
  "source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
  "project_page": "http://docs.openstack.org/infra/system-config/",
  "issues_url": "https://storyboard.openstack.org/#!/project/770",
-  "dependencies": []
+  "dependencies": [
+    {"name":"dalen/dnsquery","version_requirement":"2.0.1"}
+  ]
 }
--- a/templates/rules.erb
+++ b/templates/rules.erb
@ -26,5 +26,10 @@
 <% @rules4.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
@ -25,5 +25,10 @@
 <% @rules6.each do |rule| -%>
 -A openstack-INPUT <%= rule %>
 <% end -%>
+<% @allowed_hosts.each do |host| -%>
+<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
+-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
+<% end -%>
+<% end -%>
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
 COMMIT