Comment 10 for bug 1657108

Michele Baldessari (michele) wrote:

So I think I have seen ipv6 jobs time out because we did not address the ipv6 part of this problem. Namely, in a stock iptables rpm we have the following /etc/sysconfig/ip6tables:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Now we can just clean this file like we did for ipv4 via Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3, but ipv6 is slightly different because of the dhcpv6 rule which we would lose:
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT

Which, according to https://bugzilla.redhat.com/show_bug.cgi?id=1169036, would break dhcpv6 responses and is present today in our installations where the firewall is enabled.

So to fix this we either do:
A) add only this rule to /etc/sysconfig/ip6tables, like this:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
COMMIT

That way, when puppet-firewall kicks in for ipv6 it will add its rules and will let the above rule be around.

B) We add a specific generic rule for ipv6 to mimic the above rule so that puppet-firewall will

Also note that the dhcpv6 iptables client rules started being shipped by default in the iptables package due to https://bugzilla.redhat.com/show_bug.cgi?id=1169036

I will implement B.
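Whichever option is taken, the regression worth guarding against is the DHCPv6 client rule silently disappearing from the ip6tables ruleset after the file cleanup. The check below is an added example, not code from this bug thread or from puppet-firewall: it reads an ip6tables-save style ruleset and reports whether that rule is still present, matching on the rule's individual tokens so the option order puppet-firewall generates is accepted too. The function names and the two sample rulesets (built from the listing quoted in the comment, with the `*filter` header ip6tables-save emits) are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or puppet-firewall: verify that an
# ip6tables ruleset (ip6tables-save output, or /etc/sysconfig/ip6tables)
# still carries the DHCPv6 client rule discussed in the comment:
#   -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
# Usage on a live host:  ip6tables-save | has_dhcpv6_client_rule && echo present

# Reads a ruleset on stdin; returns 0 when the rule is present, 1 when missing.
# Tokens are matched individually, so a rule written with a different option
# order (as puppet-firewall generates it) still counts.
has_dhcpv6_client_rule() {
    awk '
        /^-A INPUT / && / -d fe80::\/64 / && / -p udp / &&
        / --dport 546 / && / -j ACCEPT( |$)/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Same check against a saved file, e.g. /etc/sysconfig/ip6tables.
file_has_dhcpv6_client_rule() {
    has_dhcpv6_client_rule < "$1"
}

# Constructed sample 1: the stock ip6tables file quoted in the comment.
STOCK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# Constructed sample 2: the file emptied the way the ipv4 one was, which
# is exactly the state that loses the DHCPv6 rule.
CLEANED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```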