tripleo-ansible - firewall role does not open ipv6-icmp

Bug #1845175 reported by Harald Jensås
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Harald Jensås

Bug Description

puppet-tripleo has special handling for protocol 'icmp'. It automatically modifies the rule to enable ipv6-icmp in ip6tables. The tripleo-ansible firewall role does not have any such handling. Based on examining the code [2], it will create a rule for 'icmp' in ip6tables, which is incorrect.

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/firewall/rule.pp#L127-L131
[2] https://opendev.org/openstack/tripleo-ansible/src/branch/master/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml#L40-L41

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/684278

Changed in tripleo:
assignee: nobody → Harald Jensås (harald-jensas)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/684278
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=588ac0a4317625f9feb879eb0e32cfb0b43dd276
Submitter: Zuul
Branch: master

commit 588ac0a4317625f9feb879eb0e32cfb0b43dd276
Author: Harald Jensås <email address hidden>
Date: Tue Sep 24 12:02:57 2019 +0200

    Open ipv6-icmp traffic by default

    puppet-tripleo had special conditions in the rule manifest
    to convert the protocol for 'icmp' to 'ipv6-icmp'. This
    made it possible to open 'icmp' for ipv4 and 'ipv6-icmp'
    for ipv6 using a single rule definition.

    ceph-ansible does not have the logic to support a single
    rule. Since the rule to allow icmp traffic is defined in
    the defaults for the role and not in THT. This change uses
    the 'ipversion' property for the existing 'icmp' rule and
    likewise adds a default rule for 'ipv6-icmp'.

    Change-Id: I8b453f7c13c2015aa208ed1bddcdca246cdca58d
    Closes-Bug: #1845175

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 0.4.0

This issue was fixed in the openstack/tripleo-ansible 0.4.0 release.
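
The check below is an added example, not part of the bug report or of tripleo-ansible: it lints a set of firewall rule definitions for the condition this bug describes, an 'icmp' rule landing in ip6tables and no 'ipv6-icmp' rule for IPv6. The rule shape (a name mapped to 'proto' and an optional 'ipversion'), the assumption that a rule without 'ipversion' applies to both families, and the sample rule names are constructed for illustration.

```python
# Added example: lint firewall rule definitions for ICMP coverage per IP family.
# The rule shape is an assumption modelled on the 'proto' and 'ipversion'
# properties named in the commit message; it is not the role's own code.

FAMILIES = ("ipv4", "ipv6")
ICMP_PROTO = {"ipv4": "icmp", "ipv6": "ipv6-icmp"}  # correct name per family


def expand(rules):
    """Return (family, rule_name, proto) for every table a rule lands in.

    Assumption: a rule without 'ipversion' is applied to both families with
    its protocol passed through unchanged, which is the behaviour reported.
    """
    out = []
    for name, rule in sorted(rules.items()):
        families = [rule["ipversion"]] if "ipversion" in rule else FAMILIES
        for fam in families:
            out.append((fam, name, rule.get("proto")))
    return out


def lint(rules):
    """Report wrong ICMP protocol names and families with no ICMP rule."""
    findings = []
    covered = set()
    for fam, name, proto in expand(rules):
        if proto not in ICMP_PROTO.values():
            continue  # not an ICMP rule, nothing to check
        if proto == ICMP_PROTO[fam]:
            covered.add(fam)
        else:
            findings.append(f"{fam}: rule '{name}' uses proto '{proto}', "
                            f"expected '{ICMP_PROTO[fam]}'")
    for fam in FAMILIES:
        if fam not in covered:
            findings.append(f"{fam}: no rule accepts {ICMP_PROTO[fam]}")
    return findings


# Constructed sample rule sets: one rule for both families, then split rules.
BEFORE = {"001 accept all icmp": {"proto": "icmp"}}
AFTER = {
    "001 accept all icmp": {"proto": "icmp", "ipversion": "ipv4"},
    "001 accept all ipv6-icmp": {"proto": "ipv6-icmp", "ipversion": "ipv6"},
}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(rules) or "ok")
```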
