diff options
Diffstat (limited to 'roles/contiv/tasks/netmaster_iptables.yml')
| -rw-r--r-- | roles/contiv/tasks/netmaster_iptables.yml | 51 |
1 files changed, 28 insertions, 23 deletions
diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml index c98e7b6a5..3b68ea0c3 100644 --- a/roles/contiv/tasks/netmaster_iptables.yml +++ b/roles/contiv/tasks/netmaster_iptables.yml @@ -1,27 +1,32 @@ --- -- name: Netmaster IPtables | Get iptables rules - command: iptables -L --wait - register: iptablesrules - check_mode: no - -- name: Netmaster IPtables | Enable iptables at boot - service: - name: iptables - enabled: yes - state: started - -- name: Netmaster IPtables | Open Netmaster with iptables - command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv" - with_items: - - "{{ contiv_rpc_port1 }}" - - "{{ contiv_rpc_port2 }}" - - "{{ contiv_rpc_port3 }}" - when: iptablesrules.stdout.find("contiv") == -1 +- name: Netmaster IPtables | Add internal rules + iptables: + action: insert + chain: INPUT + # Parsed from the contiv_netmaster_internal list, this will be tcp or udp. + protocol: "{{ item[0].split('/')[1] }}" + match: "{{ item[0].split('/')[1] }}" + # Parsed from the contiv_netmaster_internal list, this will be a port number. + destination_port: "{{ item[0].split('/')[0] }}" + # This is an IP address from a node in the cluster. + source: "{{ item[1] }}" + jump: ACCEPT + comment: contiv + with_nested: + - "{{ contiv_netmaster_internal }}" + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}" notify: Save iptables rules -- name: Netmaster IPtables | Open netmaster main port - command: /sbin/iptables -I INPUT 1 -p tcp -s {{ item }} --dport {{ netmaster_port }} -j ACCEPT -m comment --comment "contiv" - with_items: - - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + netmaster_interface].ipv4.address)|list }}" - when: iptablesrules.stdout.find("contiv") == -1 +- name: Netmaster IPtables | Add external rules + iptables: + action: insert + chain: INPUT + # Parsed from the contiv_netmaster_external list, this will be tcp or udp. + protocol: "{{ item.split('/')[1] }}" + match: "{{ item.split('/')[1] }}" + # Parsed from the contiv_netmaster_external list, this will be a port number. + destination_port: "{{ item.split('/')[0] }}" + jump: ACCEPT + comment: contiv + with_items: "{{ contiv_netmaster_external }}" notify: Save iptables rules |