Hashar has uploaded a new change for review.
https://gerrit.wikimedia.org/r/122788
Change subject: iptables.pp: retab to four spaces
......................................................................
iptables.pp: retab to four spaces
Change-Id: I0859e70a4cdadbf7a1985e9e1591f1a5b650bdfe
---
M manifests/iptables.pp
1 file changed, 221 insertions(+), 220 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/88/122788/1
diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index d6f17d2..4eb6982 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -1,267 +1,268 @@
# NOTE: This is being replaced by ferm
$iptables_ports = {
- all => "",
- beam1 => "33416",
- beam2 => "5672",
- beam3 => "56918",
- epmd => "4369",
- gearman => "4370",
- git_daemon => "9418",
- glance_api => "9292",
- glance_registry => "9191",
- gmond_tcp => "8649",
- gmond_udp => "8649",
- http => "80",
- http-alt => "8080",
- https => "443",
- icmp => "",
- igmp => "",
- ldap => "389",
- ldap_admin_connector => "4444",
- ldap_replication => "8989",
- ldap_backend => "1389",
- ldaps => "636",
- ldaps_backend => "1636",
- memcached => "11000",
- memcached-standard => "11211",
- mysql => "3306",
- nova_ajax_proxy => "8000",
- nova_ec2_api => "8773",
- nova_openstack_api => "8774",
- nrpe => "5666",
- nsca => "5667",
- ntp_tcp => "123",
- ntp_udp => "123",
- puppetmaster => "8140",
- redis => "6379",
- rsyncd_tcp => "873",
- rsyncd_udp => "873",
- snmptrap => "162",
- smtp => "25",
- ssh => "22",
- swift_account => "6002",
- swift_container => "6001",
- swift_object => "6000",
- udp => "",
- keystone_service => "5000",
- keystone_admin => "35357",
- salt_publish => "4505",
- salt_ret => "4506",
- inetd => "10080",
- zuul_webservice => "8001",
+ all => "",
+ beam1 => "33416",
+ beam2 => "5672",
+ beam3 => "56918",
+ epmd => "4369",
+ gearman => "4370",
+ git_daemon => "9418",
+ glance_api => "9292",
+ glance_registry => "9191",
+ gmond_tcp => "8649",
+ gmond_udp => "8649",
+ http => "80",
+ http-alt => "8080",
+ https => "443",
+ icmp => "",
+ igmp => "",
+ ldap => "389",
+ ldap_admin_connector => "4444",
+ ldap_replication => "8989",
+ ldap_backend => "1389",
+ ldaps => "636",
+ ldaps_backend => "1636",
+ memcached => "11000",
+ memcached-standard => "11211",
+ mysql => "3306",
+ nova_ajax_proxy => "8000",
+ nova_ec2_api => "8773",
+ nova_openstack_api => "8774",
+ nrpe => "5666",
+ nsca => "5667",
+ ntp_tcp => "123",
+ ntp_udp => "123",
+ puppetmaster => "8140",
+ redis => "6379",
+ rsyncd_tcp => "873",
+ rsyncd_udp => "873",
+ snmptrap => "162",
+ smtp => "25",
+ ssh => "22",
+ swift_account => "6002",
+ swift_container => "6001",
+ swift_object => "6000",
+ udp => "",
+ keystone_service => "5000",
+ keystone_admin => "35357",
+ salt_publish => "4505",
+ salt_ret => "4506",
+ inetd => "10080",
+ zuul_webservice => "8001",
}
$iptables_protocols = {
- all => "all",
- beam1 => "tcp",
- beam2 => "tcp",
- beam3 => "tcp",
- epmd => "tcp",
- gearman => "tcp",
- git_daemon => "tcp",
- glance_api => "tcp",
- glance_registry => "tcp",
- gmond_tcp => "tcp",
- gmond_udp => "udp",
- http-alt => "tcp",
- https => "tcp",
- http => "tcp",
- icmp => "icmp",
- igmp => "igmp",
- ldap_admin_connector => "tcp",
- ldap_replication => "tcp",
- ldap_backend => "tcp",
- ldaps_backend => "tcp",
- ldaps => "tcp",
- ldap => "tcp",
- memcached-standard => "tcp",
- memcached => "tcp",
- mysql => "tcp",
- nova_ajax_proxy => "tcp",
- nova_ec2_api => "tcp",
- nova_openstack_api => "tcp",
- nrpe => "tcp",
- nsca => "tcp",
- ntp_tcp => "tcp",
- ntp_udp => "udp",
- puppetmaster => "tcp",
- rsyncd_tcp => "tcp",
- rsyncd_udp => "udp",
- smtp => "tcp",
- snmptrap => "udp",
- ssh => "tcp",
- swift_account => "tcp",
- swift_container => "tcp",
- swift_object => "tcp",
- udp => "udp",
- keystone_service => "tcp",
- keystone_admin => "tcp",
- salt_publish => "tcp",
- salt_ret => "tcp",
- redis => "tcp",
- inetd => "tcp",
- zuul_webservice => "tcp",
+ all => "all",
+ beam1 => "tcp",
+ beam2 => "tcp",
+ beam3 => "tcp",
+ epmd => "tcp",
+ gearman => "tcp",
+ git_daemon => "tcp",
+ glance_api => "tcp",
+ glance_registry => "tcp",
+ gmond_tcp => "tcp",
+ gmond_udp => "udp",
+ http-alt => "tcp",
+ https => "tcp",
+ http => "tcp",
+ icmp => "icmp",
+ igmp => "igmp",
+ ldap_admin_connector => "tcp",
+ ldap_replication => "tcp",
+ ldap_backend => "tcp",
+ ldaps_backend => "tcp",
+ ldaps => "tcp",
+ ldap => "tcp",
+ memcached-standard => "tcp",
+ memcached => "tcp",
+ mysql => "tcp",
+ nova_ajax_proxy => "tcp",
+ nova_ec2_api => "tcp",
+ nova_openstack_api => "tcp",
+ nrpe => "tcp",
+ nsca => "tcp",
+ ntp_tcp => "tcp",
+ ntp_udp => "udp",
+ puppetmaster => "tcp",
+ rsyncd_tcp => "tcp",
+ rsyncd_udp => "udp",
+ smtp => "tcp",
+ snmptrap => "udp",
+ ssh => "tcp",
+ swift_account => "tcp",
+ swift_container => "tcp",
+ swift_object => "tcp",
+ udp => "udp",
+ keystone_service => "tcp",
+ keystone_admin => "tcp",
+ salt_publish => "tcp",
+ salt_ret => "tcp",
+ redis => "tcp",
+ inetd => "tcp",
+ zuul_webservice => "tcp",
}
class iptables::tables {
- augeas { "$hostname iptables tables":
- context => "/files/etc/iptables-save",
- changes => [ "set table[1] nat", "set table[2] filter" ];
- }
+ augeas { "$hostname iptables tables":
+ context => "/files/etc/iptables-save",
+ changes => [ "set table[1] nat", "set table[2] filter" ];
+ }
- augeas { "$hostname iptables nat chains":
- context => "/files/etc/iptables-save",
- changes => [
- "set table[. = 'nat']/chain[1] PREROUTING",
- "set table[. = 'nat']/chain[1]/policy ACCEPT",
- "set table[. = 'nat']/chain[2] POSTROUTING",
- "set table[. = 'nat']/chain[2]/policy ACCEPT",
- "set table[. = 'nat']/chain[3] OUTPUT",
- "set table[. = 'nat']/chain[3]/policy ACCEPT" ],
- require => Augeas["$hostname iptables tables"];
- }
+ augeas { "$hostname iptables nat chains":
+ context => "/files/etc/iptables-save",
+ changes => [
+ "set table[. = 'nat']/chain[1] PREROUTING",
+ "set table[. = 'nat']/chain[1]/policy ACCEPT",
+ "set table[. = 'nat']/chain[2] POSTROUTING",
+ "set table[. = 'nat']/chain[2]/policy ACCEPT",
+ "set table[. = 'nat']/chain[3] OUTPUT",
+ "set table[. = 'nat']/chain[3]/policy ACCEPT" ],
+ require => Augeas["$hostname iptables tables"];
+ }
- if $iptables_default_deny {
- augeas { "$hostname iptables filter chains":
- context => "/files/etc/iptables-save",
- changes => [
- "set table[. = 'filter']/chain[1] INPUT",
- "set table[. = 'filter']/chain[1]/policy DROP",
- "set table[. = 'filter']/chain[2] FORWARD",
- "set table[. = 'filter']/chain[2]/policy
ACCEPT",
- "set table[. = 'filter']/chain[3] OUTPUT",
- "set table[. = 'filter']/chain[3]/policy
ACCEPT" ],
- require => Augeas["$hostname iptables tables"];
- }
- }
- else {
- augeas { "$hostname iptables filter chains":
- context => "/files/etc/iptables-save",
- changes => [
- "set table[. = 'filter']/chain[1] INPUT",
- "set table[. = 'filter']/chain[1]/policy
ACCEPT",
- "set table[. = 'filter']/chain[2] FORWARD",
- "set table[. = 'filter']/chain[2]/policy
ACCEPT",
- "set table[. = 'filter']/chain[3] OUTPUT",
- "set table[. = 'filter']/chain[3]/policy
ACCEPT" ],
- require => Augeas["$hostname iptables tables"];
- }
- }
+ if $iptables_default_deny {
+ augeas { "$hostname iptables filter chains":
+ context => "/files/etc/iptables-save",
+ changes => [
+ "set table[. = 'filter']/chain[1] INPUT",
+ "set table[. = 'filter']/chain[1]/policy DROP",
+ "set table[. = 'filter']/chain[2] FORWARD",
+ "set table[. = 'filter']/chain[2]/policy ACCEPT",
+ "set table[. = 'filter']/chain[3] OUTPUT",
+ "set table[. = 'filter']/chain[3]/policy ACCEPT" ],
+ require => Augeas["$hostname iptables tables"];
+ }
+ }
+ else {
+ augeas { "$hostname iptables filter chains":
+ context => "/files/etc/iptables-save",
+ changes => [
+ "set table[. = 'filter']/chain[1] INPUT",
+ "set table[. = 'filter']/chain[1]/policy ACCEPT",
+ "set table[. = 'filter']/chain[2] FORWARD",
+ "set table[. = 'filter']/chain[2]/policy ACCEPT",
+ "set table[. = 'filter']/chain[3] OUTPUT",
+ "set table[. = 'filter']/chain[3]/policy ACCEPT" ],
+ require => Augeas["$hostname iptables tables"];
+ }
+ }
}
define iptables_add_exec( $service ) {
- $service_title = "${title}_${service}"
+ $service_title = "${title}_${service}"
- # We need to ensure this exec always runs after all rules are added for
a service
- # This hack is here to ensure we have an exec per service. This service
is being added
- # last in a requirement chain
- exec { "exec_$service_title":
- command => "/sbin/iptables-restore /etc/iptables-save",
- user => root
- }
+ # We need to ensure this exec always runs after all rules are added for a
service
+ # This hack is here to ensure we have an exec per service. This service is
being added
+ # last in a requirement chain
+ exec { "exec_$service_title":
+ command => "/sbin/iptables-restore /etc/iptables-save",
+ user => root
+ }
}
# TODO: make this work with other tables, and other chains
define iptables_add_service( $service, $source="", $destination="",
$interface="", $jump="ACCEPT" ) {
- $service_title = "${title}_${service}"
+ $service_title = "${title}_${service}"
- iptables_add_rule{ $service_title: table => "filter", chain => "INPUT",
source => $source, destination => $destination, protocol =>
$iptables_protocols["$service"], destination_port =>
$iptables_ports["$service"], interface => $interface, jump => $jump }
+ iptables_add_rule{ $service_title: table => "filter", chain => "INPUT",
source => $source, destination => $destination, protocol =>
$iptables_protocols["$service"], destination_port =>
$iptables_ports["$service"], interface => $interface, jump => $jump }
}
# TODO: Make this work with other tables
define iptables_purge_service( $service ) {
- $service_title = "${title}_${service}"
+ $service_title = "${title}_${service}"
- iptables_purge_rule{ $service_title: table => "filter" }
+ iptables_purge_rule{ $service_title: table => "filter" }
}
define iptables_add_rule( $table, $chain, $source="", $destination="",
$protocol, $source_port="", $destination_port="", $interface="",
$accept_established="false", $jump ) {
- $path_exact = "table[. = \"$table\"]/append[./comment = \"$title\"]"
+ $path_exact = "table[. = \"$table\"]/append[./comment = \"$title\"]"
- # We are basing everything on the comment, so the comment must be added
- # before the entry is set. The match rule for comment must be before the
- # comment though, so we'll explicitly insert it before the comment,
then set it.
- augeas { "iptables $title":
- context => "/files/etc/iptables-save",
- onlyif => "match $path_exact size == 0",
- changes => [
- "set $path_exact/comment \"$title\"",
- "set $path_exact $chain",
- "ins match before $path_exact/comment",
- "set $path_exact/match comment",
- "set $path_exact/protocol $protocol",
- "set $path_exact/jump $jump"
- ];
- }
+ # We are basing everything on the comment, so the comment must be added
+ # before the entry is set. The match rule for comment must be before the
+ # comment though, so we'll explicitly insert it before the comment, then
+ # set it.
+ augeas { "iptables $title":
+ context => "/files/etc/iptables-save",
+ onlyif => "match $path_exact size == 0",
+ changes => [
+ "set $path_exact/comment \"$title\"",
+ "set $path_exact $chain",
+ "ins match before $path_exact/comment",
+ "set $path_exact/match comment",
+ "set $path_exact/protocol $protocol",
+ "set $path_exact/jump $jump"
+ ];
+ }
- if $source {
- augeas { "iptables $title source":
- context => "/files/etc/iptables-save",
- changes => [ "set $path_exact/source $source" ],
- require => Augeas["iptables $title"];
- }
- }
+ if $source {
+ augeas { "iptables $title source":
+ context => "/files/etc/iptables-save",
+ changes => [ "set $path_exact/source $source" ],
+ require => Augeas["iptables $title"];
+ }
+ }
- if $destination {
- augeas { "iptables $title destination":
- context => "/files/etc/iptables-save",
- changes => [ "set $path_exact/destination $destination"
],
- require => Augeas["iptables $title"];
- }
- }
+ if $destination {
+ augeas { "iptables $title destination":
+ context => "/files/etc/iptables-save",
+ changes => [ "set $path_exact/destination $destination" ],
+ require => Augeas["iptables $title"];
+ }
+ }
- if $source_port {
- augeas { "iptables $title source_port":
- context => "/files/etc/iptables-save",
- changes => [ "set $path_exact/sport $source_port" ],
- require => Augeas["iptables $title"];
- }
- }
+ if $source_port {
+ augeas { "iptables $title source_port":
+ context => "/files/etc/iptables-save",
+ changes => [ "set $path_exact/sport $source_port" ],
+ require => Augeas["iptables $title"];
+ }
+ }
- if $destination_port {
- augeas { "iptables $title destination_port":
- context => "/files/etc/iptables-save",
- changes => [ "set $path_exact/dport $destination_port"
],
- require => Augeas["iptables $title"];
- }
- }
+ if $destination_port {
+ augeas { "iptables $title destination_port":
+ context => "/files/etc/iptables-save",
+ changes => [ "set $path_exact/dport $destination_port" ],
+ require => Augeas["iptables $title"];
+ }
+ }
- if $accept_established == "true" {
- augeas { "iptables $title accept_established":
- context => "/files/etc/iptables-save",
- onlyif => "match $path_exact/ctstate size == 0",
- changes => [
- "set $path_exact/ctstate
\"RELATED,ESTABLISHED\"",
- "ins match before $path_exact/ctstate",
- "set $path_exact/match[2] conntrack"
- ],
- require => Augeas["iptables $title"];
- }
- }
+ if $accept_established == "true" {
+ augeas { "iptables $title accept_established":
+ context => "/files/etc/iptables-save",
+ onlyif => "match $path_exact/ctstate size == 0",
+ changes => [
+ "set $path_exact/ctstate \"RELATED,ESTABLISHED\"",
+ "ins match before $path_exact/ctstate",
+ "set $path_exact/match[2] conntrack"
+ ],
+ require => Augeas["iptables $title"];
+ }
+ }
- if $interface {
- augeas { "iptables $title in_interface":
- context => "/files/etc/iptables-save",
- changes => [ "set $path_exact/in-interface $interface"
],
- require => Augeas["iptables $title"];
- }
- }
+ if $interface {
+ augeas { "iptables $title in_interface":
+ context => "/files/etc/iptables-save",
+ changes => [ "set $path_exact/in-interface $interface" ],
+ require => Augeas["iptables $title"];
+ }
+ }
}
define iptables_purge_rule( $table ) {
- $path_exact = "table[. = \"$table\"]/append[./comment = \"$title\"]"
+ $path_exact = "table[. = \"$table\"]/append[./comment = \"$title\"]"
- # We are removing the entire node based on the comment field
- augeas { "iptables $title purge":
- context => "/files/etc/iptables-save",
- changes => [ "rm $path_exact" ];
- }
+ # We are removing the entire node based on the comment field
+ augeas { "iptables $title purge":
+ context => "/files/etc/iptables-save",
+ changes => [ "rm $path_exact" ];
+ }
}
--
To view, visit https://gerrit.wikimedia.org/r/122788
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0859e70a4cdadbf7a1985e9e1591f1a5b650bdfe
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
