From 9108a0d6fed8d666f7a35b6223fdf5c296a2a2fc Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 4 Oct 2017 16:40:55 +0000
Subject: [PATCH] now that we have staging moved to its own subnet, we can just block that entire thing in prod iptables and no longer need to change everytime a stg machine appears or disappears.

---
 roles/base/templates/iptables/iptables | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 21342a2665..0e2f4178ce 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -36,17 +36,12 @@
 {% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
 #
 # In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# vlan, but different subnets. We want production hosts to reject connectons from staging group hosts
 # to prevent them from interfering with production. There are however a few hosts in
 # production we have marked 'staging-friendly' that we do allow staging to talk to for
 # mostly read-only data they need.
 #
-{% for host in groups['staging']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
+-A INPUT -s 10.5.128.0/24 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
 {% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
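Review bot: The added `-A INPUT -s 10.5.128.0/24 -j REJECT` line hard-codes the staging range as a bare literal, so nothing in the template says that this prefix is the staging subnet or lets a reader check it against inventory, whereas the removed per-host loop at least named each host it rejected. I would move the prefix into a group variable (name illustrative) and reference it here, `-A INPUT -s {{ staging_subnet }} -j REJECT --reject-with icmp-host-prohibited`, with a comment above it such as `# Reject the whole phx2 staging subnet; staging hosts are no longer listed individually`. The old loop rejected whatever `eth0_ip` each member of `groups['staging']` carried, so a staging host that still holds an address outside 10.5.128.0/24, or one with a second interface, is no longer covered by this rule; that is worth confirming against the inventory before the loop is dropped. Whether an ACCEPT rule earlier in the INPUT chain already matches staging traffic before this REJECT cannot be seen from the hunk, since the surrounding rules are outside it.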