Andre Kantek 77b751e9c7 Add firewall filtering rules for platform networks in non-DC setups.
This change adds firewall rules for non-DC installations that will
limit the traffic allowed in the management, cluster-host, pxeboot,
and storage interfaces to the local platform network; any outside
traffic will not be accepted. The filtering only looks at the source
IP address to allow or deny ingress into the node.

For IPv4, the DHCP's UDP port 67 is allowed without source address
filtering because the DHCP-Offer message sent by the client comes
with the source address "0.0.0.0".

For IPv6, the local link network address (fe80::/64) is also added to
the source nets to allow the cases where the initial communication,
inside the local network, starts with the local link source address
(e.g. the DHCPv6-Solicit message).

Also, for IPv6, the cluster-pod network is added to the cluster-host
firewall; this is done because, unlike in IPv4 setups, the pod traffic
is not tunneled and runs over the cluster-host interface.

DC scenarios will be part of a future task.

In all test scenarios below the correct presence of iptables/ip6tables
was verified, together with traffic tests using netcat run directly
from the host network.

Test Plan
[PASS] Install Standard (controller+worker+storage) in IPv6
[PASS] Install Standard (controller+worker+storage) in IPv4
[PASS] Install AIO-DX in IPv4
[PASS] Install AIO-DX in IPv6
[PASS] Controller Lock/Unlock/Reinstall
[PASS] Worker Lock/Unlock/Reinstall
[PASS] Storage Lock/Unlock/Reinstall
[PASS] Change HTTP port during runtime
[PASS] IPv4 pod-to-pod communication between nodes
[PASS] IPv6 pod-to-pod communication between nodes
[PASS] Validate WRA installation
[PASS] Validate WRO installation

Story: 2010591
Task: 48088

Change-Id: I453c7cd8fcb9e63eb9a5c9d321ca6b504ea21e0d
Signed-off-by: Andre Kantek <andrefernandozanella.kantek@windriver.com>
2023-05-29 10:07:40 -03:00
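As an added illustration, not code from this change or from the project, the following shell function renders the per-interface ingress rules the message describes: source-address-only filtering against the local platform net, the unfiltered UDP/67 exception for IPv4 DHCP, the fe80::/64 source added for IPv6, and extra source nets (such as cluster-pod on the IPv6 cluster-host interface). Interface names, subnets and the use of the INPUT chain are placeholder assumptions; it prints the commands instead of applying them.

```shell
#!/bin/sh
# Constructed example: emit the iptables/ip6tables ingress rules for one
# platform interface. Nothing is applied; the commands are printed so they
# can be reviewed first.
#
# gen_platform_rules IFACE FAMILY NET [EXTRA_NET...]
#   IFACE     interface to protect (placeholder names, e.g. mgmt0)
#   FAMILY    4 or 6
#   NET       local platform subnet for that interface (placeholder)
#   EXTRA_NET additional allowed source nets (e.g. cluster-pod for IPv6 cluster-host)
gen_platform_rules() {
    iface=$1; family=$2; shift 2
    if [ "$family" = 6 ]; then
        tool=ip6tables
        # fe80::/64 is an allowed source so link-local-sourced traffic
        # (e.g. a DHCPv6-Solicit) inside the local network is accepted.
        set -- "$@" fe80::/64
    else
        tool=iptables
        # IPv4 DHCP is accepted before source filtering: the client
        # transmits from 0.0.0.0, which would never match a subnet rule.
        echo "$tool -A INPUT -i $iface -p udp --dport 67 -j ACCEPT"
    fi
    # Only the source address decides whether ingress is allowed.
    for net in "$@"; do
        echo "$tool -A INPUT -i $iface -s $net -j ACCEPT"
    done
    # Everything else arriving on this interface is dropped.
    echo "$tool -A INPUT -i $iface -j DROP"
}

gen_platform_rules mgmt0 4 192.168.204.0/24
gen_platform_rules cluster0 6 fd01::/64 fd03::/64
```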