firewall: ipv6 rules are missing
Bug #1654050 reported by Emilien Macchi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Critical | Emilien Macchi | |
Bug Description
IPv6 firewall rules are missing in TripleO.
We need to configure them as well as we already do for ipv4.
Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
milestone: none → ocata-3
status: New → In Progress
importance: Undecided → Critical
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Ben Nemec (bnemec)
Changed in tripleo:
assignee: Ben Nemec (bnemec) → Emilien Macchi (emilienm)
Reviewed: https://review.openstack.org/416706
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=8c990738900cd74c2c5c046435517393d1afb92e
Submitter: Jenkins
Branch: master
commit 8c990738900cd74c2c5c046435517393d1afb92e
Author: Emilien Macchi <email address hidden>
Date: Wed Jan 4 13:56:59 2017 -0500
firewall: add IPv6 support
This patch adds support for ip6tables rules in TripleO, in an intuitive
and flexible fashion.
1) Default firewall rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
IPv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <email address hidden>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
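
The four points of the commit message, modeled as an added Ruby example; this is not the puppet-tripleo code. The function names, the rule hash keys, the constructed sample rules and the choice to skip a rule that mixes IPv4 and IPv6 addresses are assumptions made for illustration.

```ruby
require 'ipaddr'

# Address family of a CIDR string; nil when the field is unset (Puppet undef).
def family_of(cidr)
  return nil if cidr.nil?
  IPAddr.new(cidr).ipv4? ? :ipv4 : :ipv6
end

# Expand one rule definition into per-family rules (points 1-4 above).
def expand_rule(title, rule)
  families = [rule[:source], rule[:destination]].map { |c| family_of(c) }.compact.uniq
  # Assumption: a rule mixing IPv4 and IPv6 addresses fits neither table, so skip it.
  return [] if families.size > 1
  # Point 1: no source/destination means "any", which is valid in both families.
  targets = families.empty? ? %i[ipv4 ipv6] : families
  targets.map do |fam|
    out = rule.merge({ title: "#{title} #{fam}",
                       provider: fam == :ipv4 ? 'iptables' : 'ip6tables' })
    # Point 2: ICMP for IPv6 is a distinct protocol.
    out[:proto] = 'ipv6-icmp' if fam == :ipv6 && rule[:proto] == 'icmp'
    out
  end
end

# Render as a command line so the omitted -s/-d options are visible.
def render(rule)
  args = [rule[:provider], '-A', 'INPUT', '-p', rule.fetch(:proto)]
  args += ['-s', rule[:source]] if rule[:source]
  args += ['-d', rule[:destination]] if rule[:destination]
  args += ['--dport', rule[:dport].to_s] if rule[:dport]
  (args + ['-j', 'ACCEPT']).join(' ')
end

# Constructed sample rules (documentation address ranges).
SAMPLE_RULES = {
  '001 icmp'   => { proto: 'icmp' },
  '003 ssh'    => { proto: 'tcp', dport: 22 },
  '010 api v4' => { proto: 'tcp', dport: 443, source: '192.0.2.0/24' },
  '011 api v6' => { proto: 'tcp', dport: 443, source: '2001:db8::/32' },
  '012 mixed'  => { proto: 'tcp', dport: 443, source: '192.0.2.0/24', destination: '2001:db8::1' }
}.freeze

SAMPLE_RULES.each do |title, rule|
  expand_rule(title, rule).each { |r| puts render(r) }
end
```

Comparing the rendered `iptables` and `ip6tables` lines per rule is a quick way to audit that every unrestricted IPv4 rule has an IPv6 counterpart and that address-restricted rules appear in only one table.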