salt-formulas / salt-formula-iptables


add the option to specify the family per rule to support ipv6 #3

Closed dvandok closed 7 years ago

dvandok commented 7 years ago

This update adds the ability to specify the protocol family. Here's an example:

  iptables:
    service:
      enabled: True
      chain:
        INPUT:
          policy: DROP
          rules:
            - protocol: tcp
              family: ipv4
              source_network: 192.0.2.0/24
              jump: ACCEPT
            - protocol: tcp
              family: ipv6
              source_network: 2001:DB8::/32
              jump: ACCEPT

cloudlab-autobuild commented 7 years ago

Can one of the admins verify this patch?

fpytloun commented 7 years ago

Great and easy approach :-) Only a few inline notes.

When done, squash commits and add Closes: #2 into commit message to link with issue.

dvandok commented 7 years ago

OK, not sure about the squashing. GitHub supports this when merging, which I can't do in this repo.

fpytloun commented 7 years ago

Regarding determining whether the host is IPv6 capable, I would use this:

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}

So if there's any IPv6 IP address (including localhost), the host is IPv6 capable (e.g. doesn't have IPv6 networking disabled). It will also be possible to override this behavior (disable IPv6 rules in metadata).
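
As an added example (not code from salt-formula-iptables or this PR), the following Python models the per-rule `family` option from the PR description together with the `grains.ipv6` / `service.ipv6` gate suggested above: it picks `iptables` or `ip6tables` per rule and drops IPv6 rules on hosts without IPv6 or where the metadata opts out. The check that each `source_network` matches its declared family, and the choice to set the chain policy in both binaries, are assumptions of this example rather than behaviour of the formula.

```python
"""Added example, not code from salt-formula-iptables: models how a per-rule
'family' key plus the grains.ipv6 / service.ipv6 gate from this PR chooses
between iptables and ip6tables and whether IPv6 rules are emitted at all."""
import ipaddress

# Constructed 'service' pillar data mirroring the PR description.
SERVICE = {
    "enabled": True,
    "chain": {"INPUT": {"policy": "DROP", "rules": [
        {"protocol": "tcp", "family": "ipv4",
         "source_network": "192.0.2.0/24", "jump": "ACCEPT"},
        {"protocol": "tcp", "family": "ipv6",
         "source_network": "2001:DB8::/32", "jump": "ACCEPT"},
    ]}},
}
BINARY = {"ipv4": "iptables", "ipv6": "ip6tables"}


def ipv6_enabled(grains, service):
    """Same test as the Jinja line suggested in review: the host has any IPv6
    address (grains.ipv6 non-empty) and the metadata has not opted out."""
    return bool(grains.get("ipv6")) and service.get("ipv6", True)


def render_rules(service, grains):
    """Return the command lines a minion would apply, per chain.

    Assumptions of this example: the chain policy is set in both binaries
    when IPv6 is active; a rule whose source_network does not match its
    declared family is rejected instead of being passed to the wrong binary."""
    use_v6 = ipv6_enabled(grains, service)
    cmds = []
    for chain, cfg in service.get("chain", {}).items():
        for fam in ("ipv4", "ipv6") if use_v6 else ("ipv4",):
            cmds.append(f"{BINARY[fam]} -P {chain} {cfg.get('policy', 'ACCEPT')}")
        for rule in cfg.get("rules", []):
            fam = rule.get("family", "ipv4")  # no family keeps the old IPv4-only behaviour
            if fam == "ipv6" and not use_v6:
                continue
            net = ipaddress.ip_network(rule["source_network"], strict=False)
            if net.version != int(fam[-1]):
                raise ValueError(f"{rule['source_network']} is not an {fam} network")
            cmds.append(f"{BINARY[fam]} -A {chain} -p {rule['protocol']} "
                        f"-s {net} -j {rule['jump']}")
    return cmds
```

Calling `render_rules(SERVICE, {"ipv6": ["::1"]})` yields both an `iptables` and an `ip6tables` rule; with empty grains only the IPv4 lines remain.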

dvandok commented 7 years ago

I've incorporated your suggestion.

fpytloun commented 7 years ago

So merging, thank you for your contribution :-)