author: Ian Wienand <iwienand@redhat.com> 2018-02-21 12:10:23 +1100
committer: Ian Wienand <iwienand@redhat.com> 2018-02-21 13:40:23 +1100
commit: ac4f7e77e38ef1092000e71c23ec0eef08a72766 (patch)
tree: 1fecaf469b51afd952c1f3d0ec5fc6821a787c25
parent: 8f2af6849cf987e36e9a594024eb3470f801db4d (diff)
Allow allowed_hosts to not have ipv6 interfaces
This puts a conditional around the AAAA lookup so we can add hosts in clouds that don't provide an IPv6 address.

Change-Id: I97e82a41fdbe31e7bce6f05b8e6aa39834c42548
Notes (review):
Code-Review+2: Paul Belanger <pabelanger@redhat.com>
Code-Review+2: Jeremy Stanley <fungi@yuggoth.org>
Workflow+1: Jeremy Stanley <fungi@yuggoth.org>
Verified+2: Zuul
Submitted-by: Zuul
Submitted-at: Wed, 21 Feb 2018 21:18:37 +0000
Reviewed-on: https://review.openstack.org/546465
Project: openstack-infra/puppet-iptables
Branch: refs/heads/master
-rw-r--r-- templates/rules.v6.erb 3
1 files changed, 3 insertions, 0 deletions
diff --git a/templates/rules.v6.erb b/templates/rules.v6.erb
index e6f195e..3ae8b95 100644
--- a/templates/rules.v6.erb
+++ b/templates/rules.v6.erb
@@ -25,10 +25,13 @@
25<% @rules6.each do |rule| -%> 25<% @rules6.each do |rule| -%>
26-A openstack-INPUT <%= rule %> 26-A openstack-INPUT <%= rule %>
27<% end -%> 27<% end -%>
28<% begin -%>
28<% @allowed_hosts.each do |host| -%> 29<% @allowed_hosts.each do |host| -%>
29<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%> 30<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
30-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT 31-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
31<% end -%> 32<% end -%>
32<% end -%> 33<% end -%>
34<% rescue Resolv::ResolvError -%>
35<% end -%>
33-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited 36-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
34COMMIT 37COMMIT
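Review bot: The `begin` at new line 28 opens before `@allowed_hosts.each` and the `rescue Resolv::ResolvError` at new line 34 sits after both loops have closed, so the first host whose `dns_aaaa` lookup raises ends the whole loop, and every host listed after it also loses its ACCEPT rule even if it does have an IPv6 address. Moving the `begin`/`rescue` inside the `each do |host|` block, around the `dns_aaaa` call only, would skip just the host that failed to resolve. The rescue body is also empty, so a transient resolver failure produces a ruleset that is silently missing allowed hosts ahead of the final `-j REJECT`; consider emitting a `#` comment line naming the skipped hostname so the generated rules file records what was dropped.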