Merge "Separate metadata api into its own service"

1 files changed, 0 insertions, 158 deletions

diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh
deleted file mode 100755
index 8be8cd812..000000000
--- a/tools/setup_iptables.sh
+++ /dev/null
@@ -1,158 +0,0 @@
-#!/usr/bin/env bash
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-# NOTE(vish): This script sets up some reasonable defaults for iptables and
-#             creates nova-specific chains.  If you use this script you should
-#             run nova-network and nova-compute with --use_nova_chains=True
-
-# NOTE(vish): If you run nova-api on a different port, make sure to change
-#             the port here
-API_PORT=${API_PORT:-"8773"}
-if [ -n "$1" ]; then
-    CMD=$1
-else
-    CMD="all"
-fi
-
-if [ -n "$2" ]; then
-    IP=$2
-else
-    # NOTE(vish): This will just get the first ip in the list, so if you
-    #             have more than one eth device set up, this will fail, and
-    #             you should explicitly pass in the ip of the instance
-    IP=`LC_ALL=C ifconfig  | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'`
-fi
-
-if [ -n "$3" ]; then
-    PRIVATE_RANGE=$3
-else
-    PRIVATE_RANGE="10.0.0.0/12"
-fi
-
-
-if [ -n "$4" ]; then
-    # NOTE(vish): Management IP is the ip over which to allow ssh traffic.  It
-    #             will also allow traffic to nova-api
-    MGMT_IP=$4
-else
-    MGMT_IP="$IP"
-fi
-if [ "$CMD" == "clear" ]; then
-    iptables -P INPUT ACCEPT
-    iptables -P FORWARD ACCEPT
-    iptables -P OUTPUT ACCEPT
-    iptables -F
-    iptables -t nat -F
-    iptables -F nova_input
-    iptables -F nova_output
-    iptables -F nova_forward
-    iptables -t nat -F nova_input
-    iptables -t nat -F nova_output
-    iptables -t nat -F nova_forward
-    iptables -t nat -X
-    iptables -X
-fi
-
-if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then
-    iptables -P INPUT DROP
-    iptables -A INPUT -m state --state INVALID -j DROP
-    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT
-    iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
-    iptables -N nova_input
-    iptables -A INPUT -j nova_input
-    iptables -A INPUT -p icmp -j ACCEPT
-    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
-    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
-
-    iptables -P FORWARD DROP
-    iptables -A FORWARD -m state --state INVALID -j DROP
-    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-    iptables -N nova_forward
-    iptables -A FORWARD -j nova_forward
-
-    # NOTE(vish): DROP on output is too restrictive for now.  We need to add
-    #             in a bunch of more specific output rules to use it.
-    # iptables -P OUTPUT DROP
-    iptables -A OUTPUT -m state --state INVALID -j DROP
-    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-    iptables -N nova_output
-    iptables -A OUTPUT -j nova_output
-
-    iptables -t nat -N nova_prerouting
-    iptables -t nat -A PREROUTING -j nova_prerouting
-
-    iptables -t nat -N nova_postrouting
-    iptables -t nat -A POSTROUTING -j nova_postrouting
-
-    iptables -t nat -N nova_output
-    iptables -t nat -A OUTPUT -j nova_output
-fi
-
-if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
-    iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT
-fi
-
-if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then
-    # NOTE(vish): This opens up ports for web access, allowing web-based
-    #             dashboards to work.
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
-fi
-
-if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
-fi
-
-if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT
-    if [ "$IP" != "$MGMT_IP" ]; then
-        iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT
-    fi
-fi
-
-if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
-fi
-
-if [ "$CMD" == "mysql" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
-fi
-
-if [ "$CMD" == "rabbitmq" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
-fi
-
-if [ "$CMD" == "dnsmasq" ] || [ "$CMD" == "all" ]; then
-    # NOTE(vish): this could theoretically be setup per network
-    #             for each host, but it seems like overkill
-    iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
-    iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
-    iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
-fi
-
-if [ "$CMD" == "ldap" ] || [ "$CMD" == "all" ]; then
-    iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT
-fi
-
-