From c49b36990253f4cba1dc2e4575abb84240705f03 Mon Sep 17 00:00:00 2001
From: Lucas Ratusznei Fonseca
Date: Thu, 11 Apr 2024 20:12:17 -0300
Subject: [PATCH] Remove firewall extra rule that blocks IPv6 traffic for IPv4 setups

This change removes the extra rule that is added directly to ip6tables to block IPv6 traffic in IPv4 setups. Instead, the firewall for IPv6 will be permanently enabled in Calico.

Test plan
=========

The tests for https://review.opendev.org/c/starlingx/config/+/915508 also cover this change.

Story: 2011027
Task: 49816
Depends-On: https://review.opendev.org/c/starlingx/config/+/915508
Change-Id: Ia7a8a7e2a12c80e0ec0f99af0417efa9dcd8a7a6
Signed-off-by: Lucas Ratusznei Fonseca
---
 .../src/modules/platform/manifests/firewall.pp | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/puppet-manifests/src/modules/platform/manifests/firewall.pp b/puppet-manifests/src/modules/platform/manifests/firewall.pp
index 7e9973430..a3b3beb63 100644
--- a/puppet-manifests/src/modules/platform/manifests/firewall.pp
+++ b/puppet-manifests/src/modules/platform/manifests/firewall.pp
@@ -404,16 +404,9 @@ class platform::firewall::extra (
 ) {
 if $config != {} {
 $config.each |$key, $value| {
- if $key == 'ingress-ipv6-for-ipv4-install' {
- $value.each |$interface| {
- exec { "install ingress-ipv6-for-ipv4 in ${interface}" :
- path => '/usr/bin:/usr/sbin:/bin:/usr/local/bin',
- command => "ip6tables -t filter -A INPUT -i ${interface} -m comment --comment \"stx: block ingress IPv6 traffic for ${interface}\" -j DROP", # lint:ignore:140chars
- logoutput => true,
- onlyif => "[ $(ip6tables -n -L INPUT -t filter | grep -c \"stx: block ingress IPv6 traffic for ${interface}\") -eq 0 ]" # lint:ignore:140chars
- }
- }
- }
+ # if $key == {
+ #
+ # }
 }
 }
 }
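Review bot: The `$config.each |$key, $value|` loop is left with only a commented-out `# if $key == {` stub, so any key still passed in `$config`, including `ingress-ipv6-for-ipv4-install`, is now accepted and silently ignored. With the direct `ip6tables` DROP rule gone, IPv6 ingress filtering on these interfaces presumably depends entirely on the Calico policy from the Depends-On change, and a comment should say so, e.g. `# IPv6 ingress for IPv4 installs is now blocked by Calico policy, not ip6tables`. Consider replacing the stub with `warning("platform::firewall::extra: ignoring unsupported key ${key}")` so a stale configuration shows up in the Puppet log instead of looking enforced. The patch also does not show the rule being removed from hosts where it was already appended, so it is worth confirming how upgraded systems are handled. The class parameter list starts outside this hunk.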