From 96cb130c5ac5fb3a312d9831ed2f92568d778399 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 27 Jan 2017 10:49:12 +0100 Subject: [PATCH] Add a script to zero /etc/sysconfig/ip6tables at build time In change Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3 we zeroed out /etc/sysconfig/iptables, but we did not take care of ipv6. This change is meant to take care of the ipv6 part of the problem. When including this element we empty the stock /etc/sysconfig/ip6tables file as shipped by the iptables rpm package. The reason for this is that puppet firewall has a hard time coping with existing rules when /etc/sysconfig/iptables is populated and the iptables service is not active. The referenced bug has a full explanation for the problem. Note that ipv6 is slightly more delicate because we will also need a puppet-tripleo change that implements the dhcpv6 rule that is contained by default in /etc/sysconfig/ip6tables: Depends-On: If22080054b2b1fa7acfd101e8c34d2707e8e7864 Change-Id: I0dee5ff045fbfe7b55d078583e16b107eec534aa Partial-Bug: #1657108 --- elements/iptables/install.d/99-empty-iptables | 2 ++ 1 file changed, 2 insertions(+) diff --git a/elements/iptables/install.d/99-empty-iptables b/elements/iptables/install.d/99-empty-iptables index 6b5f0c756..847981c52 100755 --- a/elements/iptables/install.d/99-empty-iptables +++ b/elements/iptables/install.d/99-empty-iptables @@ -4,4 +4,6 @@ set -o pipefail if [[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]; then echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/iptables + echo '# empty ruleset created by tripleo-image-elements' > /etc/sysconfig/ip6tables + fi
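Review bot: the hunk adds two lines but only one is functional; the second `+` is an empty line inserted before `fi`, which is a stray whitespace change that should be dropped so the diff stays a one-line addition. On the substance, overwriting /etc/sysconfig/ip6tables with a comment-only file removes the stock dhcpv6 accept rule the commit message itself calls out, so until the Depends-On puppet-tripleo change lands a node built with this element has no persisted IPv6 ruleset at all; please make sure that change merges first rather than in parallel, and consider stating in the script comment that the dhcpv6 rule is now expected from puppet. While here, the surrounding condition `[[ "rhel rhel7 centos7 fedora" =~ "$DISTRO_NAME" ]]` is a substring test with the operands reversed (the distro list is matched against the variable), so an unset or empty `$DISTRO_NAME` matches and both files are zeroed on any distro; it is pre-existing, but this change makes the unintended-match case more costly and a `case "$DISTRO_NAME" in rhel|rhel7|centos7|fedora)` would be safer.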