puppet-tripleo - not possible to create IPv4 or IPv6 only rules

Bug #1845153 reported by Harald Jensås on 2019-09-24
Affects: tripleo | Importance: High | Assigned to: Harald Jensås

Bug Description

In some cases firewall rules for IPv4 and IPv6 should not be the same. Two examples:

1. DHCPv6 uses UDP port number 546 for clients and port number 547 for servers. While DHCP (v4) uses UDP port number 67 for clients and port number 68 for servers.
2. For IPv4 the protocol is 'icmp', while for IPv6 it is 'ipv6-icmp'.

Currently the icmp difference is handled in puppet-tripleo[1], but for DHCP TripleO currently opens ports 67 and 68 for both IPv4 and IPv6 and does not open ports 546 and 547 at all.

puppet-tripleo should support setting firewall rules for either IPv4 or IPv6 if the rule defines the ip_version. For rules not providing this info the current behaviour of adding the rule to both IPv4 and IPv6 firewall should be maintained.

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/firewall/rule.pp#L127-L136
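The dispatch behaviour the report asks for, as an added illustration that is not puppet-tripleo's own code: a rule that sets an IP version is rendered for that address family only, a rule without one keeps the existing behaviour of landing in both iptables and ip6tables, and the 'icmp' to 'ipv6-icmp' translation mirrors the special case the report points at in rule.pp. The rule dictionary keys (`proto`, `dport`, `chain`, `action`, `ip_version`), the defaults of chain INPUT and action ACCEPT, and the rendering to plain iptables command lines rather than Puppet resources are all assumptions made for this example; the sample rules are constructed from the ports named in the description and the commit messages.

```python
"""Render firewall rules per address family, honouring an optional ip_version.

Added example, not code from puppet-tripleo. Rule keys, defaults and the
command-line rendering are assumptions chosen for illustration.
"""

# Constructed sample rules using the ports named in the bug report.
SAMPLE_RULES = {
    "100 dhcp": {"proto": "udp", "dport": [67, 68]},                 # no ip_version: both families (old behaviour)
    "101 dhcpv4": {"proto": "udp", "dport": [67, 68], "ip_version": 4},
    "102 dhcpv6": {"proto": "udp", "dport": [546, 547], "ip_version": 6},
    "103 dhcpv6 out": {"proto": "udp", "dport": [547], "chain": "OUTPUT", "ip_version": 6},
    "104 icmp": {"proto": "icmp"},                                  # both families, proto translated for v6
}

# Which binary serves each address family.
BINARY = {4: "iptables", 6: "ip6tables"}


def families(rule):
    """Return the address families a rule applies to.

    Missing ip_version keeps the current behaviour (both families);
    anything other than 4 or 6 is rejected instead of silently ignored.
    """
    version = rule.get("ip_version")
    if version is None:
        return [4, 6]
    if version not in BINARY:
        raise ValueError(f"unsupported ip_version {version!r}")
    return [version]


def proto_for(proto, family):
    """Translate the protocol name for the target family (icmp -> ipv6-icmp)."""
    if family == 6 and proto == "icmp":
        return "ipv6-icmp"
    return proto


def render_rule(name, rule, family):
    """Render one rule as a single iptables/ip6tables command line."""
    parts = [BINARY[family], "-A", rule.get("chain", "INPUT")]
    parts += ["-p", proto_for(rule["proto"], family)]
    dports = rule.get("dport")
    if dports:
        parts += ["-m", "multiport", "--dports", ",".join(str(p) for p in dports)]
    parts += ["-m", "comment", "--comment", f'"{name}"', "-j", rule.get("action", "ACCEPT")]
    return " ".join(parts)


def render(rules):
    """Render every rule for each family it applies to, in name order."""
    lines = []
    for name in sorted(rules):
        for family in families(rules[name]):
            lines.append(render_rule(name, rules[name], family))
    return lines


if __name__ == "__main__":
    for line in render(SAMPLE_RULES):
        print(line)
```

Running the module prints one command per rule and family; the unversioned "100 dhcp" rule still appears under both binaries, which is exactly the duplication the report describes, while the versioned DHCPv6 rules appear only under ip6tables.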

Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Harald Jensås (harald-jensas)

Fix proposed to branch: master
Review: https://review.opendev.org/684384

Changed in tripleo:
status: Triaged → In Progress

Reviewed: https://review.opendev.org/684384
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=7264c75c37741f269fdd34c45d939019137b3977
Submitter: Zuul
Branch: master

commit 7264c75c37741f269fdd34c45d939019137b3977
Author: Harald Jensås <email address hidden>
Date: Tue Sep 24 12:57:53 2019 +0200

    Add 'ipversion' to firewall/rule.pp

    Add the possibility to add 'ipversion' to the firewall
    rule manifest.

    Closes-Bug: #1845153
    Change-Id: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/684385
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=add2d39da715358859b8bbcf3e413e3dc472eeab
Submitter: Zuul
Branch: master

commit add2d39da715358859b8bbcf3e413e3dc472eeab
Author: Harald Jensås <email address hidden>
Date: Tue Sep 24 17:39:20 2019 +0200

    Add DHCPv6 rules + set ipversion for dhcp rules

    Use the ipversion parameter for firewall rules to contain
    rule creation in either iptables or ip6tables. Add rules
    in ironic-inspector and neutron deployment template to
    add rules for DHCPv6 in ip6tables.

    DHCPv6 relay and DHCPv6 server both use port 547, so 547
    needs to be open for both INPUT and OUTPUT.

    Related-bug: #1845153
    Depends-On: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13
    Depends-On: I8b453f7c13c2015aa208ed1bddcdca246cdca58d
    Change-Id: If91b883459488856ae54e3ca0d0fb97d4d248f97

This issue was fixed in the openstack/puppet-tripleo 11.3.0 release.
