firewall: ipv6 rules are missing

Bug #1654050 reported by Emilien Macchi
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Emilien Macchi

Bug Description

IPv6 firewall rules are missing in TripleO.

We need to configure them as well as we already do for ipv4.

Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
milestone: none → ocata-3
status: New → In Progress
importance: Undecided → Critical
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Ben Nemec (bnemec)
Changed in tripleo:
assignee: Ben Nemec (bnemec) → Emilien Macchi (emilienm)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/416706
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=8c990738900cd74c2c5c046435517393d1afb92e
Submitter: Jenkins
Branch: master

commit 8c990738900cd74c2c5c046435517393d1afb92e
Author: Emilien Macchi <email address hidden>
Date: Wed Jan 4 13:56:59 2017 -0500

    firewall: add IPv6 support

    This patch adds support for ip6tables rules in TripleO, in an intuitive
    and flexible fashion.

    1) Default firewall rules 'source' parameter to undef.
       It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
       support ipv6 rules. undef will create empty source, which is the same as
       0.0.0.0/0 or ::/0.

    2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.

    3) Automatically create IPv6 rules like it's done for IPv4.

    4) Only create rules that can be created, depending on
       source/destination ip version.

    This patch should be backward compatible and adds a layer of security
    for IPv6 deployments. If previous deployments were manually creating
    IPv6 rules, it's possible that this patch will override them. Our
    framework is able to configure any rule, so it shouldn't be a problem
    for upgrades.

    Co-Authored-By: Ben Nemec <email address hidden>
    Closes-Bug: #1654050
    Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
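
The four behaviours listed in the commit message above, shown as an added Python illustration. This is not the puppet-tripleo Puppet code; the function name, rule keys and sample rules are assumptions constructed for the example.

```python
import ipaddress

# (tool, IP version, ICMP protocol name) for each address family.
FAMILIES = (("iptables", 4, "icmp"), ("ip6tables", 6, "ipv6-icmp"))


def ip_version(addr):
    """Return 4 or 6 for an address or CIDR, None when the field is unset."""
    if addr is None:
        return None
    return ipaddress.ip_network(addr, strict=False).version


def expand_rule(rule):
    """Expand one rule definition into a list of (tool, rule) pairs.

    Point 1: an unset 'source' means no source match at all, which is
    equivalent to 0.0.0.0/0 under iptables and ::/0 under ip6tables.
    """
    pinned = {ip_version(rule.get("source")), ip_version(rule.get("destination"))}
    pinned.discard(None)
    out = []
    for tool, family, icmp_name in FAMILIES:
        # Point 4: skip a family that an explicit address cannot belong to.
        if any(version != family for version in pinned):
            continue
        family_rule = dict(rule)
        # Point 2: ICMP is a different protocol under ip6tables.
        if family_rule.get("proto") == "icmp":
            family_rule["proto"] = icmp_name
        # Point 3: the same definition yields a rule for each usable family.
        out.append((tool, family_rule))
    return out


if __name__ == "__main__":
    # Constructed sample rules, not taken from a TripleO deployment.
    samples = {
        "000 icmp": {"proto": "icmp", "action": "accept"},
        "100 ssh": {"proto": "tcp", "dport": 22, "action": "accept"},
        "110 v4 mgmt": {"proto": "tcp", "dport": 8080, "source": "192.0.2.0/24"},
        "111 v6 mgmt": {"proto": "tcp", "dport": 8080, "destination": "2001:db8::/32"},
    }
    for name, rule in samples.items():
        for tool, family_rule in expand_rule(rule):
            print(f"{tool:9} {name}: {family_rule}")
```

A rule whose source and destination belong to different families expands to an empty list, since neither iptables nor ip6tables can express it.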

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.2.0

This issue was fixed in the openstack/puppet-tripleo 6.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/564248

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/pike)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/564248
Reason: oops wrong backport

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/564249

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/ocata)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/564249
Reason: not needed either

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/564250

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/564250
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=f6d398a7daf777d6854d05f58b88c6309c0e557a
Submitter: Zuul
Branch: stable/newton

commit f6d398a7daf777d6854d05f58b88c6309c0e557a
Author: Emilien Macchi <email address hidden>
Date: Wed Jan 4 13:56:59 2017 -0500

    firewall: add IPv6 support

    This patch adds support for ip6tables rules in TripleO, in an intuitive
    and flexible fashion.

    1) Default firewall rules 'source' parameter to undef.
       It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
       support ipv6 rules. undef will create empty source, which is the same as
       0.0.0.0/0 or ::/0.

    2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.

    3) Automatically create IPv6 rules like it's done for IPv4.

    4) Only create rules that can be created, depending on
       source/destination ip version.

    This patch should be backward compatible and adds a layer of security
    for IPv6 deployments. If previous deployments were manually creating
    IPv6 rules, it's possible that this patch will override them. Our
    framework is able to configure any rule, so it shouldn't be a problem
    for upgrades.

    Note: the code had to be partially rewritten because of Puppet3 vs
    Puppet4.

    Co-Authored-By: Ben Nemec <email address hidden>
    Co-Authored-By: Alex Schultz <email address hidden>
    Closes-Bug: #1654050
    Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
    (cherry picked from commit 8c990738900cd74c2c5c046435517393d1afb92e)

tags: added: in-stable-newton
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-tripleo 5.6.11

This issue was fixed in the openstack/puppet-tripleo 5.6.11 release.
