So I think I have seen ipv6 jobs time out because we did not address the ipv6 part of this problem. Namely in a stock iptables rpm we have the following /etc/sysconfig/ip6tables:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Now we can just clean this file like we did for ipv4 via Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3, but ipv6 is slightly different because of the dhcpv6 rule which we would lose:
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
Which according to https://bugzilla.redhat.com/show_bug.cgi?id=1169036 would break dhcpv6 responses and is present today in our installations where the firewall is enabled.
So to fix this we either do
A) add only this rule to /etc/sysconfig/ip6tables like this:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
COMMIT
That way when puppet-firewall kicks in for ipv6 it will add its rules and will let the above rule be around
B) We add a specific generic rule for ipv6 to mimic the above rule so that puppet-firewall will
Also note that the dhcpv6 iptables client rules started being shipped by default in the iptables package due to https://bugzilla.redhat.com/show_bug.cgi?id=1169036
I will implement B.
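Whichever of A or B is used, the DHCPv6 client rule only does its job if it sits in the INPUT chain ahead of the catch-all REJECT, since ip6tables takes the first matching rule. The check below, an added example and not code from the original post, scans an ip6tables-save style ruleset on stdin for exactly that condition; the two rulesets are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Verify that a saved ip6tables ruleset still admits DHCPv6 client traffic:
# the "-d fe80::/64 -p udp --dport 546 -j ACCEPT" rule must be present in the
# INPUT chain and must come before any unconditional REJECT/DROP in INPUT,
# because a rule placed after the catch-all is never reached.
# Reads the ruleset from stdin; returns 0 if the rule is effective, 1 otherwise.
dhcpv6_client_rule_ok() {
    awk '
        /^-A INPUT / {
            # The first INPUT rule with no match criteria ends the reachable part.
            if ($0 ~ /^-A INPUT -j (REJECT|DROP)( |$)/) { exit }
            if (index($0, "-d fe80::/64") && $0 ~ /-p udp/ &&
                $0 ~ /--dport 546( |$)/ && $0 ~ /-j ACCEPT/)
                found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Convenience wrapper: $1 holds the ruleset text.
check_ruleset() {
    printf '%s\n' "$1" | dhcpv6_client_rule_ok
}

# Constructed sample: the trimmed file from option A, before puppet-firewall
# appends its own rules behind it.
OPTION_A_RULESET=':INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
COMMIT'

# Constructed sample: the rule exists but was appended after the catch-all
# reject, so DHCPv6 replies are still rejected.
MISORDERED_RULESET=':INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
COMMIT'

check_ruleset "$OPTION_A_RULESET"   && echo "option A ruleset: dhcpv6 client rule effective"
check_ruleset "$MISORDERED_RULESET" || echo "misordered ruleset: dhcpv6 client rule NOT effective"
```

On a live host the same function can be fed with `ip6tables-save` output after puppet-firewall has run, which is the state that actually matters for the jobs.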