Matanya has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/117670

Change subject: statistics: converted iptables to ferm rule
......................................................................

statistics: converted iptables to ferm rule

Change-Id: Iba67c80d517afb4861dd4b5e12873789e82088b4
---
M manifests/misc/statistics.pp
M manifests/site.pp
2 files changed, 6 insertions(+), 36 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/70/117670/1

diff --git a/manifests/misc/statistics.pp b/manifests/misc/statistics.pp
index ae09004..10f52b4 100644
--- a/manifests/misc/statistics.pp
+++ b/manifests/misc/statistics.pp
@@ -1,41 +1,11 @@
 # this file is for stat[0-9] statistics servers (per ezachte - RT 2162)
 
-class misc::statistics::iptables-purges {
-    require "iptables::tables"
-
-    # The deny_all rule must always be purged, otherwise ACCEPTs can be placed 
below it
-    iptables_purge_service{ "deny_all_redis": service => "redis" }
-
-    # When removing or modifying a rule, place the old rule here, otherwise it 
won't
-    # be purged, and will stay in the iptables forever
-}
-
-class misc::statistics::iptables-accepts {
-    require "misc::statistics::iptables-purges"
-
-    # Rememeber to place modified or removed rules into purges!
-    iptables_add_service{ "redis_internal": source => "208.80.152.0/22", 
service => "redis", jump => "ACCEPT" }
-}
-
-class misc::statistics::iptables-drops {
-    require "misc::statistics::iptables-accepts"
-
-    # Deny by default
-    iptables_add_service{ "deny_all_redis": service => "redis", jump => "DROP" 
}
-}
-
-class misc::statistics::iptables  {
-    if $realm == "production" {
-        # We use the following requirement chain:
-        # iptables -> iptables::drops -> iptables::accepts -> 
iptables::accept-established -> iptables::purges
-        #
-        # This ensures proper ordering of the rules
-        require "misc::statistics::iptables-drops"
-
-        # This exec should always occur last in the requirement chain.
-        iptables_add_exec{ $hostname: service => "statistics" }
+class misc::statistics::firewall {
+    if $::realm == 'production' {
+        ferm::rule { 'redis_internal':
+            rule => 'proto tcp dport 6379 { saddr $INTERNAL ACCEPT; }',
+        }
     }
-
     # Labs has security groups, and as such, doesn't need firewall rules
 }
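Review bot: The ferm rule added at lines 68-70 expresses only an ACCEPT, while the removed classes carried an explicit default DROP for the redis port (`deny_all_redis`) plus an ACCEPT limited to 208.80.152.0/22; whether port 6379 is still closed to everything else now depends on the host's base ferm policy defaulting to DROP, which this class neither includes nor requires. `$INTERNAL` is also a ferm-side variable whose address set is not visible here and may be wider than the former /22, so the effective exposure of redis has changed and should be confirmed on the host after the conversion. I would add a comment above the rule recording both dependencies, e.g. `# Relies on the base ferm policy (default DROP) being applied to this host;` / `# $INTERNAL replaces the former 208.80.152.0/22 source and may be a wider set`, and, if the base firewall class is applied separately, a `require` on it so the ordering is explicit. The single quotes around the rule string are presumably intentional so Puppet leaves `$INTERNAL` for ferm to expand; a short comment saying so would stop a later cleanup from switching to double quotes.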
 
diff --git a/manifests/site.pp b/manifests/site.pp
index 98eff6f..8446554 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -2432,7 +2432,7 @@
 
     include misc::statistics::cron_blog_pageviews
     include misc::statistics::limn::mobile_data_sync
-    include misc::statistics::iptables
+    include misc::statistics::firewall
 }
 
 node 'stat1001.wikimedia.org' {


Gerrit-MessageType: newchange
Gerrit-Change-Id: Iba67c80d517afb4861dd4b5e12873789e82088b4
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <mata...@foss.co.il>
