From bac6f6989aacbf9bf07cfc603adc0f0f10765762 Mon Sep 17 00:00:00 2001
From: Seth Vidal
Date: Fri, 24 May 2013 15:08:46 +0000
Subject: [PATCH] add the default template tcp_ports and udp_ports and custom_rules to kojibuilders and releng iptables
---
 files/iptables/kojibuilder | 17 +++++++++++++++++
 files/iptables/releng | 15 +++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/files/iptables/kojibuilder b/files/iptables/kojibuilder
index 2063c20f07..82e98a8a34 100644
--- a/files/iptables/kojibuilder
+++ b/files/iptables/kojibuilder
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 *filter
 :INPUT DROP []
 :FORWARD DROP []
@@ -70,4 +71,20 @@
 # dhcp
 -A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
 COMMIT
diff --git a/files/iptables/releng b/files/iptables/releng
index eb3d0e3f99..eae4f3ebca 100644
--- a/files/iptables/releng
+++ b/files/iptables/releng
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 #
 # NOTE: Chaging this template updates iptables on all releng hosts :)
 # Please check with sysadmin-main before pushing out an update here.
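Review bot: The `{% for rule in custom_rules %}` block at the end of the second kojibuilder hunk emits each value verbatim into the iptables-restore input, so whatever a host or group variable holds — an ACCEPT for an unintended port, a chain policy change, or a malformed line that makes the whole restore fail — reaches the firewall with no validation; the releng hunk adds the identical block. If these variables are not guaranteed by group defaults (the comments say they apply only when the host/group defines them), the loops should tolerate an undefined value, e.g. `{% for port in tcp_ports | default([]) %}` and likewise for udp_ports and custom_rules, since an undefined variable can otherwise abort rendering on hosts that set none of them. A comment above the custom block, such as `# custom_rules are inserted unvalidated; only set them in reviewed group_vars`, would make that trust boundary explicit to the next editor. Separately, in the releng hunk the generated ACCEPT rules are placed before the existing `-A INPUT -s 192.168.100.0/24 -j REJECT` line, so with first-match semantics any port listed in tcp_ports/udp_ports is also reachable from that range; if the "extra protection" is meant to cover those ports too, the loops belong after it.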
@@ -203,6 +204,20 @@ COMMIT # Services UDP # more services we use - ports for random services and TG listeners. +# if the host/group defines incoming tcp_ports - allow them +{% for port in tcp_ports %} +-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT +{% endfor %} + +# if the host/group defines incoming udp_ports - allow them +{% for port in udp_ports %} +-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT +{% endfor %} + +# if there are custom rules - put them in as-is +{% for rule in custom_rules %} +{{ rule }} +{% endfor %} # Extra protection for 192.168.100.x vpn hosts. -A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited