From d975326a1b73cc69eab7280622959a6d53d66f3d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 22 Jun 2016 18:02:28 +0200
Subject: [PATCH] library/roles/iptables/templates/iptables-rules.v4.j2: More conditionals for the postgres and mysql rules.

---
 iptables/defaults/main.yml              | 3 +++
 iptables/templates/iptables-rules.v4.j2 | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml
index d1f45b7f..0e284fcb 100644
--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@@ -51,3 +51,6 @@ ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False
 tomcat_cluster_enabled: False
+# Another variable needs to be defined before the db rules are set
+psql_firewall_enabled: True
+mysql_firewall_enabled: True
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 683f019f..e0425b4b 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -61,6 +61,7 @@
 -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
 {% endif %}
 {% endif %}
+{% if psql_firewall_enabled %}
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int %}
 # postgresql clients
@@ -73,6 +74,8 @@
 -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
 {% endif %}
+{% endif %}
+{% if mysql_firewall_enabled %}
 {% if mysql_db_port is defined %}
 {% if mysql_listen_on_ext_int %}
 # mysql clients
@@ -85,6 +88,7 @@
 -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
 {% endif %}
+{% endif %}
 {% if openldap_slapd_tcp_port is defined %}
 {% if openldap_allowed_clients is defined %}
 # LDAP
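Review bot: The comment added above `psql_firewall_enabled` does not say what the two new flags actually control, and "Another variable needs to be defined" reads as a note-to-self rather than documentation for whoever overrides these defaults. From the template hunks in this same commit, setting a flag to False omits the whole per-database block, i.e. both the client ACCEPT rules and the trailing `-j DROP` on the db port, so the port's reachability then falls back to whatever the INPUT chain's policy is elsewhere in the template (outside these hunks). I would replace the comment with something like `# Render the postgresql/mysql firewall rules at all. When False, neither the client ACCEPT rules nor the final DROP on the db port are emitted, so the port is left to the INPUT chain's default policy.` The `True` spelling matches the surrounding `False` values in this file, so no change there.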
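Review bot: The new `{% if psql_firewall_enabled %}` is evaluated before the `psql_db_port is defined` guard, so unlike the existing `is defined` checks it assumes the variable is always present; with Ansible's default strict-undefined templating a missing definition would fail the render rather than silently skip the block. That is covered by the defaults added in the other file, but a template comment would make the dependency explicit, e.g. `{# psql_firewall_enabled is always defined via iptables/defaults/main.yml; False suppresses both the ACCEPT rules and the DROP below #}` placed just above the new line. The same applies to `{% if mysql_firewall_enabled %}` in the following hunk, and the enclosing template structure (the chain policy these rules rely on) lies outside all three hunks.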
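Review bot: The mysql block now opens with two stacked conditionals, `{% if mysql_firewall_enabled %}` directly followed by `{% if mysql_db_port is defined %}`, and closes with two bare `{% endif %}` lines in the next hunk, which makes the four-deep nesting hard to match by eye. A single combined test would be flatter: `{% if mysql_firewall_enabled and mysql_db_port is defined %}`, with one of the two new `{% endif %}` lines dropped. If the nesting is kept, annotating the closers (`{% endif %}{# mysql_firewall_enabled #}`) would give the same readability at no functional cost.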