path: root/manifests/firewall/pre.pp
Age | Commit message | Author | Files | Lines
2017-01-27 | Add a default rule for dhcpv6 traffic | Michele Baldessari | 1 | -0/+6
Via bug https://bugs.launchpad.net/tripleo/+bug/1657108 we need to zero out the default rules in /etc/sysconfig/ip{6}tables in the image. We have done this for ipv4, but when we do it for ipv6 we will also need to make sure we add a rule for dhcpv6 traffic as it is shipped in the iptables rpm. (See https://bugzilla.redhat.com/show_bug.cgi?id=1169036 for more info.)

With this change we correctly get the rule present (aka the first ACCEPT line; the second line is due to the stock ip6tables rule I had in my testing):

  [root@overcloud-controller-0 ~]# iptables -nvL |grep 546
  [root@overcloud-controller-0 ~]# ip6tables -nvL |grep 546
  0 0 ACCEPT udp * * ::/0 fe80::/64 multiport dports 546 /* 004 accept ipv6 dhcpv6 ipv6 */ state NEW
  0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW

Change-Id: If22080054b2b1fa7acfd101e8c34d2707e8e7864
Partial-Bug: #1657108
2016-05-05 | Add dport/sport parameter to firewall rule | James Slagle | 1 | -1/+1
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibility for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from puppetlabs-firewall.

blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2015-06-12 | Implement Advanced Firewalling support | Emilien Macchi | 1 | -0/+57
* Provide a Define function which will allow managing IPtables rules.
* Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages)

Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89