tripleo-heat-templates/puppet/services/tripleo-firewall.yaml
Alex Schultz a1ec856e61 Add firewall chain configuration
Adds the ability to specify firewall chains via heat templates.
Additionally newer versions of docker have switched to updating
the FORWARD chain to DROP by default. Neutron needs this to be
ACCEPT by default. This change adds the ability to specify
firewall chains via templates.

Depends-On: Ib75f97748540b9162d76c9c189d3ca7e082b3784
Change-Id: I15ec9216013a1b0b935dcd1f5bc8281348777189
Related-Bug: #1750194
2018-02-19 15:28:32 -07:00


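heat_template_version: queens

description: >
  TripleO Firewall settings

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ManageFirewall:
    default: true
    description: Whether to manage IPtables rules.
    type: boolean
  PurgeFirewallRules:
    default: false
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean
  FirewallChains:
    default: {}
    description: >
      Firewall chains definitions to manage. The keys of the dictionary must be
      in the format "<chain>:<table>:<protocol>". When specified, these rules
      are merged with { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
      'FORWARD:filter:IPv6': { 'policy': 'accept' } }. The currently available
      features are 'ensure' Adds or removes a chain (present|absent), 'policy'
      Action the packet will perform at the end of the chain (accept|drop|queue|return),
      and 'purge' Remove all rules for this chain (true|false).
    type: json

outputs:
  role_data:
    description: Role data for the TripleO firewall settings
    value:
      service_name: tripleo_firewall
      config_settings:
        tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
        tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
        tripleo::firewall::firewall_chains:
          # The built-in defaults set the filter-table FORWARD policy to
          # accept for IPv4 and IPv6. Later maps in map_merge take precedence
          # on duplicate keys, so an operator can tighten these chains (for
          # example 'policy': 'drop' on a role that does not forward traffic)
          # by supplying the same key in FirewallChains.
          map_merge:
            - { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
                'FORWARD:filter:IPv6': { 'policy': 'accept' } }
            - {get_param: FirewallChains}
      step_config: |
        include ::tripleo::firewall
      upgrade_tasks:
        # Copies the existing ip6tables rule file aside and then truncates
        # it; the 'creates' guard makes the task a no-op once the backup
        # exists, so the rule file is only blanked on the first upgrade run.
        - name: blank ipv6 rule before activating ipv6 firewall.
          when: step|int == 3
          shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
          args:
            creates: /etc/sysconfig/ip6tables.n-o-upgrade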