Add DHCPv6 rules + set ipversion for dhcp rules

Use the ipversion parameter for firewall rules to contain
rule creation in either iptables or ip6tables. Add rules
in ironic-inspector and neutron deployment template to
add rules for DHCPv6 in ip6tables.

DHCPv6 relay and DHCPv6 server both use port 547, so port 547
needs to be open for both INPUT and OUTPUT.

Related-bug: #1845153
Depends-On: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13
Depends-On: I8b453f7c13c2015aa208ed1bddcdca246cdca58d
Change-Id: If91b883459488856ae54e3ca0d0fb97d4d248f97
Harald Jensås 2019-09-24 17:39:20 +02:00
parent 505b43dfed
commit add2d39da7
2 changed files with 34 additions and 0 deletions


@ -219,13 +219,31 @@ outputs:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
ironic::inspector::ironic_username: 'ironic'
ironic::inspector::ironic_password: {get_param: IronicPassword}
ironic::inspector::ironic_tenant_name: 'service'
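Review bot: The two new OUTPUT rules, '137 ironic-inspector dhcpv6 output' (dport 546) and '137 ironic-inspector dhcpv6 relay output' (dport 547), are not tied to any interface, while the matching INPUT rule is limited to `IronicInspectorInterface`; the '116 neutron dhcpv6 output' and '116 neutron dhcpv6 relay output' rules in the second file are unscoped in the same way. This mirrors the existing IPv4 output rule, so it may be deliberate, but if the rule type accepts an outbound-interface key it would be tighter to limit egress to the provisioning interface as well. The reason 547 is opened in OUTPUT is recorded only in the commit message; a comment above the relay rule such as `# DHCPv6 relay forwards client requests to servers on UDP 547` would keep that rationale next to the rule.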


@ -211,12 +211,28 @@ outputs:
- {get_param: NeutronDhcpAgentDebug}
tripleo::neutron_dhcp::firewall_rules:
'115 neutron dhcp input':
ipversion: 'ipv4'
proto: 'udp'
dport: 67
'116 neutron dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'115 neutron dhcpv6 input':
ipversion: 'ipv6'
proto: 'udp'
dport: 547
'116 neutron dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'116 neutron dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
- if:
- internal_tls_enabled
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
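Review bot: '115 neutron dhcpv6 input' has neither `iniface` nor an explicit `chain`, so, assuming the chain defaults to INPUT as it appears to for the IPv4 rule above it, UDP 547 is accepted over IPv6 on every interface of the node. If DHCPv6 is only served on specific networks, consider limiting the rule by interface or source address; at minimum add `chain: 'INPUT'` so the rule reads the same as the ironic-inspector one. The template block starts and ends outside the hunk, so any scoping applied elsewhere is not visible here.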