tripleo-ansible - uses 'proto' field to decide if rule is created in iptables or ip6tables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Harald Jensås |
Bug Description
The 'firewall'[1] role in tripleo-ansible uses the 'proto' field in a condition to decide if rules should be created in iptables|ip6tables. This is incorrect.
When 'ipv4' or 'ipv6' is in the protocol field, it is to tell the firewall to take action on ip-in-ip encapsulation. Allowing encapsulation of 'ipv6' inside 'ipv4' is a valid use case[2][3], _and_ it is potentially used by tripleo[4].
Thus rules should be created in iptables when proto == 'ipv6' and vice versa.
TripleO should add support to define if a rule is intended for iptables or ip6tables. See separate bug regarding this: https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
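The table-selection problem described in this report, as an added example that is not tripleo-ansible's code: it contrasts choosing the binary from 'proto' with choosing it from the outer packet's address family. The rule keys (`proto`, `source`, `family`), the function names and the sample rule are assumptions made for illustration.

```python
# Added illustration; rule keys and function names are hypothetical,
# not tripleo-ansible's actual schema or code.
import ipaddress

# IANA protocol numbers: as a protocol, 'ipv6' is IPv6 encapsulation (41)
# and 'ipv4' is IPv4 encapsulation (4). Neither names the outer address family.
ENCAP_PROTO = {"ipv4": 4, "ipv6": 41}


def backend_by_proto(rule):
    """Flawed selection described in the bug: 'proto' decides the table."""
    return "ip6tables" if rule.get("proto") == "ipv6" else "iptables"


def backend_by_family(rule):
    """Select the table from the outer packet's address family.

    Uses an explicit 'family' key when present, otherwise infers the
    family from the source network. Refuses to guess from 'proto'.
    """
    family = rule.get("family")
    if family is None and rule.get("source"):
        version = ipaddress.ip_network(rule["source"], strict=False).version
        family = "ipv6" if version == 6 else "ipv4"
    if family not in ("ipv4", "ipv6"):
        raise ValueError("address family not given and cannot be inferred")
    return "ip6tables" if family == "ipv6" else "iptables"


def render(rule, chooser):
    """Build the argv for an ACCEPT rule without executing it."""
    proto = rule["proto"]
    argv = [chooser(rule), "-A", "INPUT", "-p", str(ENCAP_PROTO.get(proto, proto))]
    if rule.get("source"):
        argv += ["-s", rule["source"]]
    return argv + ["-j", "ACCEPT"]


# Constructed sample: allow IPv6-in-IPv4 traffic arriving from an IPv4 peer.
SIX_IN_FOUR = {"proto": "ipv6", "source": "192.0.2.10/32"}

if __name__ == "__main__":
    print(" ".join(render(SIX_IN_FOUR, backend_by_proto)))   # lands in ip6tables
    print(" ".join(render(SIX_IN_FOUR, backend_by_family)))  # lands in iptables
```

With the proto-based chooser, the rule for the constructed 6in4 case is sent to ip6tables with an IPv4 source, so the IPv4 firewall never gets the ACCEPT rule for protocol 41.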
Fix proposed to branch: master
Review: https://review.opendev.org/684277