From 588ac0a4317625f9feb879eb0e32cfb0b43dd276 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harald=20Jens=C3=A5s?= Date: Tue, 24 Sep 2019 12:02:57 +0200 Subject: [PATCH] Open ipv6-icmp traffic by default puppet-tripleo had special conditions in the rule manifest to convert the protocol for 'icmp' to 'ipv6-icmp'. This made it possible to open 'icmp' for ipv4 and 'ipv6-icmp' for ipv6 using a single rule defenition. ceph-ansible does not have the logic to support a single rule. Since the rule to allow icmp traffic is in defined in the defaults for the role and not in THT. This change uses the 'ipversion' property for the existing 'icmp' rule and likewise adds a default rule for 'ipv6-icmp'. Change-Id: I8b453f7c13c2015aa208ed1bddcdca246cdca58d Closes-Bug: #1845175
---
 tripleo_ansible/roles/tripleo-firewall/defaults/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml b/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
index 15ecfd505..40acc8673 100644
--- a/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo-firewall/defaults/main.yml
@@ -38,7 +38,11 @@ tripleo_firewall_default_rules:
 - RELATED
 - ESTABLISHED
 '001 accept all icmp':
+ ipversion: ipv4
 proto: icmp
+ '001 accept all ipv6-icmp':
+ ipversion: ipv6
+ proto: ipv6-icmp
 '002 accept all to lo interface':
 proto: all
 interface: lo
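Review bot: The added `'001 accept all ipv6-icmp'` default accepts every ICMPv6 type from any source, and nothing in the defaults file records why the whole protocol is opened. ICMPv6 carries neighbour discovery and packet-too-big messages that IPv6 cannot work without, but it also carries router advertisements and redirects, so a host-wide default should state its rationale. I would add a comment above the rule, for example `# ICMPv6 is required for neighbour discovery and path MTU discovery; all types accepted to mirror the ipv4 icmp rule`. If the role's rule schema can restrict by ICMP type (not visible in this hunk), consider narrowing the rule in a follow-up, and confirm that whatever consumes the rules does not rely on the `001` prefix being unique now that two rules share it. The `tripleo_firewall_default_rules` mapping starts and ends outside the hunk.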