From a54bdc86b00a5ffb79f091eda0109a0e13968532 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 10 Oct 2012 15:29:03 -0700
Subject: [PATCH] Add ipv6 functionality to iptables module.

Rackspace nova cloud supports ipv6. Add ip6tables support to the iptables module so that we can take advantage of ipv6 on this cloud platform.

Change-Id: I628b7c71ff486a925cdb3d44277cca0d6ae7c985
Reviewed-on: https://review.openstack.org/14315
Reviewed-by: Jeremy Stanley
Reviewed-by: Clark Boylan
Approved: James E. Blair
Reviewed-by: James E. Blair
Tested-by: Jenkins
---
 modules/iptables/manifests/init.pp      | 41 +++++++++++++++----------
 modules/iptables/templates/rules.v6.erb | 24 +++++++++++++++
 2 files changed, 49 insertions(+), 16 deletions(-)
 create mode 100644 modules/iptables/templates/rules.v6.erb

diff --git a/modules/iptables/manifests/init.pp b/modules/iptables/manifests/init.pp
index f9527fc155..5cbc19dc5a 100644
--- a/modules/iptables/manifests/init.pp
+++ b/modules/iptables/manifests/init.pp
@@ -23,28 +23,37 @@ class iptables($rules='', $public_tcp_ports=[], $public_udp_ports=[]) {
   }

   file { '/etc/iptables':
-    ensure => directory,
+    ensure => directory,
   }

   file { '/etc/iptables/rules':
-    owner => 'root',
-    group => 'root',
-    mode => '0640',
-    content => template('iptables/rules.erb'),
-    require => [Package['iptables-persistent'], File['/etc/iptables']],
-
-    # When this file is updated, make sure the rules get reloaded.
-    notify => Service['iptables-persistent'],
+    owner => 'root',
+    group => 'root',
+    mode => '0640',
+    content => template('iptables/rules.erb'),
+    require => [Package['iptables-persistent'], File['/etc/iptables']],
+    # When this file is updated, make sure the rules get reloaded.
+    notify => Service['iptables-persistent'],
   }

   file { '/etc/iptables/rules.v4':
-    ensure => link,
-    owner => 'root',
-    group => 'root',
-    mode => '0640',
-    target => '/etc/iptables/rules',
-    require => File['/etc/iptables/rules'],
-    notify => Service['iptables-persistent'],
+    ensure => link,
+    owner => 'root',
+    group => 'root',
+    mode => '0640',
+    target => '/etc/iptables/rules',
+    require => File['/etc/iptables/rules'],
+    notify => Service['iptables-persistent'],
   }
+  file { '/etc/iptables/rules.v6':
+    owner => 'root',
+    group => 'root',
+    mode => '0640',
+    content => template('iptables/rules.v6.erb'),
+    require => [Package['iptables-persistent'], File['/etc/iptables']],
+    # When this file is updated, make sure the rules get reloaded.
+    notify => Service['iptables-persistent'],
+    replace => true,
+  }
 }
diff --git a/modules/iptables/templates/rules.v6.erb b/modules/iptables/templates/rules.v6.erb
new file mode 100644
index 0000000000..0ccba96e63
--- /dev/null
+++ b/modules/iptables/templates/rules.v6.erb
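Review bot: The new `/etc/iptables/rules.v6` resource renders the same `$rules` string that `rules.erb` consumes, so any per-host rule written for IPv4 (an IPv4 source/destination address, `-p icmp`, `--reject-with icmp-…`) will make `ip6tables-restore` reject the whole v6 file; as far as I can tell that aborts the load before COMMIT, and because the template declares `:INPUT ACCEPT` the host is then left with no IPv6 filtering at all rather than a closed one. I would give the v6 file its own input — `class iptables($rules='', $rules6='', $public_tcp_ports=[], $public_udp_ports=[])` — and have `rules.v6.erb` emit `<%= rules6 %>` where it currently emits `<%= rules %>`, so existing callers keep their v4 rules and add v6 rules deliberately. `replace => true` on the new resource is already the File type's default and can be dropped. The resource also differs in shape from `rules.v4`, which is a symlink to `rules`; a one-line comment such as `# v6 rules live in their own file: the v4 rule set is not valid ip6tables syntax` would tell the next reader that this is intentional.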
@@ -0,0 +1,24 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A FORWARD -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+<% public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Public UDP ports
+<% public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Per-host rules
+<%= rules %>
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
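Review bot: `-A openstack-INPUT -p icmpv6 -j ACCEPT` admits every ICMPv6 type from any source with no comment on why, and a reader used to the IPv4 habit of restricting ICMP will be tempted to tighten it; unlike IPv4, neighbor discovery, router advertisements and path-MTU discovery all ride on ICMPv6, so dropping it breaks address resolution on the link. I would add above that line `# ICMPv6 carries neighbor discovery, router advertisements and PMTUD; never drop it wholesale (RFC 4890 lists a per-type allowlist if this must be tightened)`. The UDP rule is stateless while the TCP rules require `--state NEW`; that presumably mirrors rules.erb, and a short comment saying so would save the next reader a diff against the v4 template. Since the chain policies are ACCEPT, all filtering here hinges on the final REJECT line staying last; a comment `# must remain the last rule` above it guards against a per-host rule being appended after it.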