Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / iptables / 33df4d643a6f209e13d690356c8580c7fc2bc0b8 / . / iptables / rules.sls
blob: 54fbbc4d16a46c64ed021788280aedbd15fec222 [file] [log] [blame]
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]1{% from "iptables/map.jinja" import service with context %}
Michel Nederlofdd2d4cf2017-06-27 15:12:36 +0200[diff] [blame]2{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]3
4{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
5
Michel Nederlofdd2d4cf2017-06-27 15:12:36 +0200[diff] [blame]6iptables_{{ chain_name }}:
7 iptables.chain_present:
8 - family: ipv4
9 - name: {{ chain_name }}
10 - table: filter
11 - require:
12 - pkg: iptables_packages
13
14{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
15iptables_{{ chain_name }}_ipv6:
16 iptables.chain_present:
17 - family: ipv6
18 - name: {{ chain_name }}
19 - table: filter
20 - require:
21 - pkg: iptables_packages
22{%- if chain.policy is defined %}
23 - require_in:
24 - iptables: iptables_{{ chain_name }}_ipv6_policy
25{%- endif %}
26{%- endif %}
27
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]28{%- if chain.policy is defined %}
29iptables_{{ chain_name }}_policy:
30 iptables.set_policy:
Dennis van Dok3bee76d2017-02-07 15:22:23 +0100[diff] [blame]31 - family: ipv4
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]32 - chain: {{ chain_name }}
33 - policy: {{ chain.policy }}
34 - table: filter
Michel Nederlofdd2d4cf2017-06-27 15:12:36 +0200[diff] [blame]35 - require:
36 - iptables: iptables_{{ chain_name }}
Dennis van Dok3bee76d2017-02-07 15:22:23 +0100[diff] [blame]37
38{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
39iptables_{{ chain_name }}_ipv6_policy:
40 iptables.set_policy:
41 - family: ipv6
42 - chain: {{ chain_name }}
43 - policy: {{ chain.policy }}
44 - table: filter
Michel Nederlofdd2d4cf2017-06-27 15:12:36 +0200[diff] [blame]45 - require:
46 - iptables: iptables_{{ chain_name }}_ipv6
Dennis van Dok3bee76d2017-02-07 15:22:23 +0100[diff] [blame]47{%- endif %}
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]48{%- endif %}
49
Filip Pytloun8e838922016-04-11 15:14:00 +0200[diff] [blame]50{%- for service_name, service in pillar.items() %}
Piotr Pieprzycki7df3a162017-12-13 12:41:31 +0100[diff] [blame]51{%- if service is mapping %}
Filip Pytloun8e838922016-04-11 15:14:00 +0200[diff] [blame]52{%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
53
54{%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
55{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
56{%- set grains_yaml = load_grains_file()|load_yaml %}
57
58{%- for rule in grains_yaml.iptables.rules %}
59{%- set rule_name = service_name+'_'+loop.index|string %}
60{% include "iptables/_rule.sls" %}
61{%- endfor %}
62
63{%- endif %}
Piotr Pieprzycki7df3a162017-12-13 12:41:31 +0100[diff] [blame]64{%- endif %}
Filip Pytloun8e838922016-04-11 15:14:00 +0200[diff] [blame]65{%- endfor %}
66
Filip Pytlouncb65f8a2016-04-11 14:35:09 +0200[diff] [blame]67{%- for rule in chain.get('rules', []) %}
68{%- set rule_name = loop.index %}
69{% include "iptables/_rule.sls" %}
70{%- endfor %}
71
Filip Pytlounbd5d1362016-04-11 12:06:09 +0200[diff] [blame]72{%- endfor %}
Michel Nederlofdd2d4cf2017-06-27 15:12:36 +0200[diff] [blame]73{%- endif %}