gerrit.opnfv Code Review - apex-puppet-tripleo.git/commit

author	Emilien Macchi <emilien@redhat.com>
	Wed, 4 Jan 2017 18:56:59 +0000 (13:56 -0500)
committer	Emilien Macchi <emilien@redhat.com>
	Thu, 5 Jan 2017 21:09:43 +0000 (16:09 -0500)
commit	8c990738900cd74c2c5c046435517393d1afb92e
tree	6167effae91be24ef3b5272ec27976a0abb28ed8	tree \| snapshot
parent	20ee458484b150e4f79044e3040dc9f0af0933bc	commit \| diff

firewall: add IPv6 support

This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.

1) Default firewal rules 'source' parameter to undef.
   It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
   support ipv6 rules. undef will create empty source, which is the same as
   0.0.0.0/0 or ::/0.

2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.

3) Automatically create IPv6 rules like it's for IPv4.

4) Only create rules that can be created, depending on
   source/destination ip version.

This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.

Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c

manifests/firewall/rule.pp		diff \| blob \| history
spec/classes/tripleo_firewall_spec.rb		diff \| blob \| history