From 4a9d8b32e2aebc019285a517662e393f49e930b1 Mon Sep 17 00:00:00 2001
From: Monty Taylor <mordred@inaugust.com>
Date: Thu, 25 Jul 2019 12:40:04 -0400
Subject: [PATCH] Add clear-firewall role

Some jobs need to start with a clean slate of firewall rules so that
they can manage their own rules. Add a simple role that clears out
everything.

Change-Id: I92d3b02a6bd4f19460294ca5293dfbbd67bfd295
---
 doc/source/general-roles.rst         |  1 +
 roles/clear-firewall/README.rst      |  5 +++++
 roles/clear-firewall/tasks/main.yaml | 20 ++++++++++++++++++++
 zuul-tests.d/general-roles-jobs.yaml | 10 ++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 roles/clear-firewall/README.rst
 create mode 100644 roles/clear-firewall/tasks/main.yaml

diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index f8d1111e2..ba1dff296 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -7,6 +7,7 @@ General Purpose Roles
 .. zuul:autorole:: add-sshkey
 .. zuul:autorole:: bindep
 .. zuul:autorole:: buildset-artifacts-location
+.. zuul:autorole:: clear-firewall
 .. zuul:autorole:: configure-mirrors
 .. zuul:autorole:: copy-build-sshkey
 .. zuul:autorole:: download-artifact
diff --git a/roles/clear-firewall/README.rst b/roles/clear-firewall/README.rst
new file mode 100644
index 000000000..54f00a6ad
--- /dev/null
+++ b/roles/clear-firewall/README.rst
@@ -0,0 +1,5 @@
+Clear firewall rules from test nodes
+
+Some test workloads manage all of their own firewall rules, and
+pre-existing firewall rules can pollute the system. This role
+clears out firewall rules for both ipv4 and ipv6.
diff --git a/roles/clear-firewall/tasks/main.yaml b/roles/clear-firewall/tasks/main.yaml
new file mode 100644
index 000000000..91f662f36
--- /dev/null
+++ b/roles/clear-firewall/tasks/main.yaml
@@ -0,0 +1,20 @@
+- name: Clear iptables rules
+  become: true
+  shell: |
+    iptables -P INPUT ACCEPT
+    iptables -P FORWARD ACCEPT
+    iptables -P OUTPUT ACCEPT
+    iptables -t nat -F
+    iptables -t mangle -F
+    iptables -F
+    iptables -X
+    ip6tables -P INPUT ACCEPT
+    ip6tables -P FORWARD ACCEPT
+    ip6tables -P OUTPUT ACCEPT
+    ip6tables -t nat -F
+    ip6tables -t mangle -F
+    ip6tables -F
+    ip6tables -X
+
+    iptables -L
+    ip6tables -L
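Review bot: A failure in any of the flush or policy commands is masked, because `shell:` reports only the exit status of the last line and the trailing `ip6tables -L` will normally succeed, so the task can report ok while rules are still in place; start the block with `set -e`. Also, `-X` is only run against the filter table, so user-defined chains in the nat and mangle tables survive, and the raw table is never flushed — if the role is meant to leave no rules at all, as the commit message says, each table needs its own `-F`/`-X`, with the raw-table calls tolerated on nodes that may not have that table. The final `iptables -L` / `ip6tables -L` do reverse DNS lookups on listed addresses; `-L -n` (or `-S`) avoids a slow or hanging listing on nodes without working name resolution. The README in this change could also state that the role leaves all three chains with an ACCEPT policy, since that is the node's exposure after it runs.
```yaml
  shell: |
    set -e
    # … unchanged: iptables -P INPUT/FORWARD/OUTPUT ACCEPT …
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F || true
    iptables -t raw -X || true
    iptables -F
    iptables -X
    # … ip6tables: same policy and per-table -F/-X sequence as above …
    iptables -L -n
    ip6tables -L -n
```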
diff --git a/zuul-tests.d/general-roles-jobs.yaml b/zuul-tests.d/general-roles-jobs.yaml
index 108152981..9455c3a70 100644
--- a/zuul-tests.d/general-roles-jobs.yaml
+++ b/zuul-tests.d/general-roles-jobs.yaml
@@ -214,6 +214,15 @@
         - name: ubuntu-xenial
           label: ubuntu-xenial
 
+- job:
+    name: zuul-jobs-test-clear-firewall
+    description: Test the clear-firewall role
+    files:
+      - roles/clear-firewall/.*
+    run: test-playbooks/simple-role-test.yaml
+    vars:
+      role_name: clear-firewall
+
 - job:
     name: zuul-jobs-test-dstat-graph
     description: Test the dstat-graph roles
@@ -444,6 +453,7 @@
         - zuul-jobs-test-base-roles-ubuntu-bionic
         - zuul-jobs-test-base-roles-ubuntu-trusty
         - zuul-jobs-test-base-roles-ubuntu-xenial
+        - zuul-jobs-test-clear-firewall
         - zuul-jobs-test-dstat-graph
         - zuul-jobs-test-multinode-roles-centos-7
         - zuul-jobs-test-multinode-roles-debian-stretch