Actually accept all on lo and ipv6-icmp

By default, when we don't pass any "state", ansible iptables module uses NEW - this is also done within the tripleo_nftables role. In order to actually match *all* of lo and ipv6-icmp state, we have to pass an empty list. This will allow to match the RST state among things. Change-Id: Icc8b833dc10f360a875e5c19bc1c5f85e0837d69
2022-07-21 11:31:40 +02:00 · 2022-07-21 11:31:40 +02:00 · fea220321b
commit fea220321b
parent 6a61c977fc
2 changed files with 4 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_firewall/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_firewall/defaults/main.yml
@ -59,9 +59,11 @@ tripleo_firewall_default_rules:
  '001 accept all ipv6-icmp':
    ipversion: ipv6
    proto: ipv6-icmp
+    state: []
  '002 accept all to lo interface':
    proto: all
    interface: lo
+    state: []
  '004 accept ipv6 dhcpv6':
    ipversion: ipv6
    dport: 546
--- a/tripleo_ansible/roles/tripleo_nftables/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_nftables/defaults/main.yml
@ -34,10 +34,12 @@ tripleo_nftables_rules:
  - rule:
      ipversion: ipv6
      proto: ipv6-icmp
+      state: []
    rule_name: 001 accept all ipv6-icmp
  - rule:
      interface: lo
      proto: all
+      state: []
    rule_name: 002 accept all to lo interface
  - rule:
      destination: fe80::/64