Add ipv6 functionality to iptables module.

Rackspace nova cloud supports ipv6. Add ip6tables support to the iptables module so that we can take advantage of ipv6 on this cloud platform. Change-Id: I628b7c71ff486a925cdb3d44277cca0d6ae7c985 Reviewed-on: https://review.openstack.org/14315 Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: James E. Blair <corvus@inaugust.com> Reviewed-by: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-10-10 15:29:03 -07:00 · 2012-10-10 15:29:03 -07:00 · a54bdc86b0
commit a54bdc86b0
parent 16ba76b01d
2 changed files with 49 additions and 16 deletions
--- a/modules/iptables/manifests/init.pp
+++ b/modules/iptables/manifests/init.pp
@ -23,28 +23,37 @@ class iptables($rules='', $public_tcp_ports=[], $public_udp_ports=[]) {
  }

  file { '/etc/iptables':
-      ensure => directory,
+    ensure => directory,
  }

  file { '/etc/iptables/rules':
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0640',
-      content => template('iptables/rules.erb'),
-      require => [Package['iptables-persistent'], File['/etc/iptables']],
-
-      # When this file is updated, make sure the rules get reloaded.
-      notify  => Service['iptables-persistent'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0640',
+    content => template('iptables/rules.erb'),
+    require => [Package['iptables-persistent'], File['/etc/iptables']],
+    # When this file is updated, make sure the rules get reloaded.
+    notify  => Service['iptables-persistent'],
  }

  file { '/etc/iptables/rules.v4':
-      ensure  => link,
-      owner   => 'root',
-      group   => 'root',
-      mode    => '0640',
-      target  => '/etc/iptables/rules',
-      require => File['/etc/iptables/rules'],
-      notify  => Service['iptables-persistent'],
+    ensure  => link,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0640',
+    target  => '/etc/iptables/rules',
+    require => File['/etc/iptables/rules'],
+    notify  => Service['iptables-persistent'],
  }

+  file { '/etc/iptables/rules.v6':
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0640',
+    content => template('iptables/rules.v6.erb'),
+    require => [Package['iptables-persistent'], File['/etc/iptables']],
+    # When this file is updated, make sure the rules get reloaded.
+    notify  => Service['iptables-persistent'],
+    replace => true,
+  }
 }
--- a/modules/iptables/templates/rules.v6.erb
+++ b/modules/iptables/templates/rules.v6.erb
@ -0,0 +1,24 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A FORWARD -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+<% public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Public UDP ports
+<% public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Per-host rules
+<%= rules %>
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT