Add DHCPv6 rules + set ipversion for dhcp rules

Use the ipversion parameter for firewall rules to contain rule creation in either iptables or ip6tables. Add rules in ironic-inspector and neutron deployment template to add rules for DHCPv6 in ip6tables. DHCPv6 relay and DHCPv6 server both use port 547 so 547 need to be open for both INPUT and OUTPUT. Related-bug: #1845153 Depends-On: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13 Depends-On: I8b453f7c13c2015aa208ed1bddcdca246cdca58d Change-Id: If91b883459488856ae54e3ca0d0fb97d4d248f97
2019-09-24 17:39:20 +02:00 · 2019-09-24 17:39:20 +02:00 · add2d39da7
commit add2d39da7
parent 505b43dfed
2 changed files with 34 additions and 0 deletions
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@ -219,13 +219,31 @@ outputs:
                  - 5050
              '137 ironic-inspector dhcp input':
                iniface: {get_param: IronicInspectorInterface}
+                ipversion: 'ipv4'
                proto: 'udp'
                chain: 'INPUT'
                dport: 67
              '137 ironic-inspector dhcp output':
+                ipversion: 'ipv4'
                proto: 'udp'
                chain: 'OUTPUT'
                dport: 68
+              '137 ironic-inspector dhcpv6 input':
+                iniface: {get_param: IronicInspectorInterface}
+                ipversion: 'ipv6'
+                proto: 'udp'
+                chain: 'INPUT'
+                dport: 547
+              '137 ironic-inspector dhcpv6 output':
+                ipversion: 'ipv6'
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 546
+              '137 ironic-inspector dhcpv6 relay output':
+                ipversion: 'ipv6'
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 547
            ironic::inspector::ironic_username: 'ironic'
            ironic::inspector::ironic_password: {get_param: IronicPassword}
            ironic::inspector::ironic_tenant_name: 'service'
--- a/deployment/neutron/neutron-dhcp-container-puppet.yaml
+++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml
@ -211,12 +211,28 @@ outputs:
              - {get_param: NeutronDhcpAgentDebug}
            tripleo::neutron_dhcp::firewall_rules:
              '115 neutron dhcp input':
+                ipversion: 'ipv4'
                proto: 'udp'
                dport: 67
              '116 neutron dhcp output':
+                ipversion: 'ipv4'
                proto: 'udp'
                chain: 'OUTPUT'
                dport: 68
+              '115 neutron dhcpv6 input':
+                ipversion: 'ipv6'
+                proto: 'udp'
+                dport: 547
+              '116 neutron dhcpv6 output':
+                ipversion: 'ipv6'
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 546
+              '116 neutron dhcpv6 relay output':
+                ipversion: 'ipv6'
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 547
          - if:
              - internal_tls_enabled
              - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'