From efa858c58e82e0ca2930259f23458b2e10b190f1 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Thu, 12 Jan 2023 13:43:53 +1100
Subject: [PATCH] iptables: handle hosts in allowed groups not having an ipv6 address

The modified section of the rules.v6 template looks at the groups in the iptables_allowed_groups list and then allows access for each host specified in that group. Currently this extracts the 'public_v6' from the hostvars[host] directly, but this fails if the host in question doesn't actually have an ipv6 address. Modify this so we check if the variable exists, and then reference it via the hostvars dict. Note that in gate testing, ipv6 may be empty string (set from nodepool values), while it may not be a value at all if it is left out of the production inventory. "hostvars[host]['public_v6'] | default(False)" should catch both cases.

Change-Id: I90069efc7d72d881ec57670b9c6b426a8a5422a3
---
 playbooks/roles/iptables/templates/rules.v6.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/playbooks/roles/iptables/templates/rules.v6.j2 b/playbooks/roles/iptables/templates/rules.v6.j2
index 64671e09cf..58a876af5a 100644
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@@ -28,9 +28,9 @@
 {% endfor -%}
 {% endfor -%}
 {% for group in iptables_allowed_groups -%}
-{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v6') -%}
-{% if addr -%}
--A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
+{% for host in groups.get(group.group, []) -%}
+{% if hostvars[host]['public_v6'] | default(False) -%}
+-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ hostvars[host]['public_v6'] }} --dport {{ group.port }} -j ACCEPT
 {% endif -%}
 {% endfor -%}
 {% endfor -%}
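Review bot: The value substituted into `-s` on the new `-A openstack-INPUT` line is taken from inventory unchecked, so a `public_v6` that is not a bare IPv6 address or prefix (a hostname, an IPv4 address, or a string carrying extra tokens) reaches ip6tables-restore verbatim; ip6tables resolves a hostname given to `-s` at load time, making the ACCEPT rule depend on DNS, and any other malformed value is likely to fail the whole ruleset load rather than just this rule. Consider tightening the new `{% if %}` so such values are caught at render time, e.g. `{% set v6 = hostvars[host]['public_v6'] | default(False) -%}` followed by `{% if v6 and v6 is match('^[0-9a-fA-F:]+(/[0-9]{1,3})?$') -%}` and `-s {{ v6 }}` on the rule line, which also removes the duplicated `hostvars[host]['public_v6']` lookup. Whether a non-matching value should be skipped silently (that host loses access, fail-closed) or should abort templating is a policy choice worth a one-line comment in the template. Also note that Jinja's `default` filter only replaces an undefined value unless called as `default(False, true)`; the empty-string case from nodepool is handled by the `{% if %}` truthiness test rather than by the filter, which works but deserves a comment since the commit message relies on it.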