Commit Graph

6 Commits

Author SHA1 Message Date
Ghanshyam Mann a43311b7ef Retire Tripleo: remove repo content
TripleO project is retiring
- https://review.opendev.org/c/openstack/governance/+/905145

This commit removes the content of this project repo

Change-Id: Ic209179b0be9c3746a702ccea2dd35e883e78bee
2024-02-24 11:43:49 -08:00
Michele Baldessari 96cb130c5a Add a script to zero /etc/sysconfig/ip6tables at build time
In change Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3 we zeroed out
/etc/sysconfig/iptables, but we did not take care of ipv6. This change
is meant to take care of the ipv6 part of the problem.
When including this element we empty the stock /etc/sysconfig/ip6tables
file as shipped by the iptables rpm package. The reason for this is that
puppet firewall has a hard time to cope with existing rules when
/etc/sysconfig/iptables is populated and the iptables service is not
active. The referenced bug has a full explanation for the problem.

Note that ipv6 is slightly more delicate because we will also need a puppet-tripleo
change that implements the dhcpv6 rule that is contained by default
in /etc/sysconfig/ip6tables:
Depends-On: If22080054b2b1fa7acfd101e8c34d2707e8e7864

Change-Id: I0dee5ff045fbfe7b55d078583e16b107eec534aa
Partial-Bug: #1657108
2017-01-27 11:02:35 +01:00
Michele Baldessari 48c2a3f7ce Add a script to zero /etc/sysconfig/iptables at build time
When including this element we empty the stock /etc/sysconfig/iptables
file as shipped by the iptables rpm package. The reason for this is that
puppet firewall has a hard time to cope with existing rules when
/etc/sysconfig/iptables is populated and the iptables service is not
active. The referenced bug has a full explanation for the problem.

Partial-Bug: #1657108

Change-Id: Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
2017-01-19 20:02:01 +01:00
Therese McHale 6dcd96a724 Disable save of iptables on package install
iptables rules should not be saved on install
of iptables-persistent as rules may leak from
your build environment into your vms.
Use DISTRO_NAME in this element.

Change-Id: I0d61c5453804ef8671ea91b2594f218958b5068f
2014-11-19 20:22:55 +00:00
Therese McHale 5815b45ed0 Implement persistence of iptables on reboot
Use the iptables-persistent package
to implement persistence of iptables during a reboot
for Ubuntu and Debian.
Entries are saved to /etc/iptables/rules* on add-rule.
These entries are restored on reboot.
(Note: in later versions iptables-persistent is replaced
by netfilter-persistent with plugins in iptables-persistent.)

Change-Id: I44b625111d5db34a444c5aa4f6e31c6009c8a6f5
2014-10-23 17:10:04 +01:00
tapans@hp.com e6d1e59974 Support Debian distro for iptables
We currently use the add-rule script to create iptables rules that allow
the cloud we deployed to function.

These iptables rules are required on RedHat based distros that have a
default deny-all policy; but they're also useful on Debian distros if
the operators turn on a deny-all policy as part of locking down their
environment. It would be useful if these operators could leverage the
work RedHat has done to get the Debian distro working.

This change adds a check for Debian and allows the add-rule script to
run, as a first step towards full support for Debian-based distros.

Also, install.d installs iptables and there is a Debian specific change.

Change-Id: Iea773d37b18c15a417896e93e29bcdc1e20096ac
Closes-Bug: #1351412
2014-10-13 10:37:50 -07:00