# This class opens the following ports and connection types to the provided
# $trusted_nets; every rule is an iptables ACCEPT restricted to those networks.
#
# Port Number(s) Type Use
# 1229 UDP fencing access
# 5404 5405 6809 UDP cman access (6809 is opened by the same allow_cman rule)
# 11111 TCP ricci access
# 11111 UDP ricci access
# 14567 TCP gnbd access
# 16851 TCP modclusterd access
# 21064 TCP dlm access
# 41966 41967 41968 41969 TCP rgmanager access
# 50006 50008 50009 TCP ccsd access
# 50007 UDP ccsd access
#
# @param trusted_nets
#   Networks allowed to reach the cluster ports. Keep this as narrow as the
#   cluster topology allows. For the widest subnet accessibility, set it to
#   your site-wide trusted networks (historically
#   nets2cidr(hiera('trusted_nets')); the default now reads
#   simp_options::trusted_nets through simplib::lookup and falls back to
#   ['127.0.0.1'] when that key is unset).
#
# @author Trevor Vaughan <tvaughan@onyxpoint.com>
#
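class gfs2::cluster_allow (
  Simplib::Netlist $trusted_nets = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }),
) {
  # cman cluster membership traffic (UDP). 5404/5405 are the usual cman
  # ports; 6809 is opened as well -- verify it is still required.
  iptables::listen::udp { 'allow_cman':
    trusted_nets => $trusted_nets,
    dports       => [ 5404,5405,6809 ]
  }

  # Conga (ricci) listens on 11111 over both TCP and UDP.
  iptables::listen::tcp_stateful { 'allow_ricci':
    trusted_nets => $trusted_nets,
    dports       => [ 11111 ]
  }
  iptables::listen::udp { 'allow_ricci':
    trusted_nets => $trusted_nets,
    dports       => [ 11111 ],
    # Service['ricci'] is declared elsewhere in the module. Only the UDP rule
    # is ordered after it; the TCP rule above is not -- presumably historical.
    require      => Service['ricci']
  }

  # GNBD (network block device) control port.
  iptables::listen::tcp_stateful { 'allow_gnbd':
    trusted_nets => $trusted_nets,
    dports       => [ 14567 ]
  }

  # modclusterd.
  iptables::listen::tcp_stateful { 'allow_modclusterd':
    trusted_nets => $trusted_nets,
    dports       => [ 16851 ]
  }

  # Distributed lock manager.
  iptables::listen::tcp_stateful { 'allow_dlm':
    trusted_nets => $trusted_nets,
    dports       => [ 21064 ]
  }

  # ccsd: TCP on 50006/50008/50009, UDP on 50007.
  iptables::listen::tcp_stateful { 'allow_ccsd':
    trusted_nets => $trusted_nets,
    dports       => [ 50006,50008,50009 ]
  }
  iptables::listen::udp { 'allow_ccsd':
    trusted_nets => $trusted_nets,
    dports       => [ 50007 ]
  }

  # Fencing agent port (UDP).
  iptables::listen::udp { 'allow_fencing':
    trusted_nets => $trusted_nets,
    dports       => [ 1229 ]
  }

  # Multicast from the trusted networks.
  #
  # $trusted_nets is an Array (Simplib::Netlist). Interpolating it straight
  # into the rule renders as "[a, b]", which iptables rejects, so the entries
  # are joined into the comma-separated list that `-s` accepts (iptables
  # expands that into one rule per address). join() comes from
  # puppetlabs-stdlib (core in newer Puppet releases).
  #
  # NOTE(review): `--src-type MULTICAST` tests the *source* address type, but
  # multicast traffic carries a unicast source and a multicast destination,
  # so this rule as written should never match anything. `--dst-type
  # MULTICAST` looks like the intent; confirm before changing it, since that
  # widens what is accepted from $trusted_nets. Left unchanged here.
  $multicast_sources = join($trusted_nets, ',')
  iptables_rule { 'allow_cluster_multicast':
    order   => 6,
    content => "-s ${multicast_sources} -m addrtype --src-type MULTICAST -j ACCEPT"
  }
}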