author | Martin Polden <martin.polden@gmail.com> | 2017-01-25 13:16:18 +0100 |
---|---|---|
committer | Martin Polden <martin.polden@gmail.com> | 2017-01-25 13:16:18 +0100 |
commit | 88f26a4763148b20361fe97fec1f0cd57939f101 (patch) | |
tree | bc4bafca8d14ad372d5c236c8855c15089fcd4e1 /node-admin | |
parent | c0cfd43467653b407594f8c6800f6caceb9559c1 (diff) |
Allow all ICMPv6 packets
Diffstat (limited to 'node-admin')
3 files changed, 9 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
index 11712f03bb7..8ecd0716958 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
@@ -55,6 +55,8 @@ public class AclMaintainer implements Runnable {
         try {
             dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.flushChain());
             dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.allowAssociatedConnections());
+            // ICMPv6 packets are always accepted as they are required for PMTU discovery to work properly.
+            dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.allowIcmp());
             aclSpecs.stream()
                     .map(ContainerAclSpec::ipAddress)
                     .filter(AclMaintainer::isIpv6)
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
index c133f56331a..68dbc6b1dbc 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
@@ -18,6 +18,9 @@ public class IpTables {
                 Action.ACCEPT.target};
     }
 
+    public static String[] allowIcmp() {
+        return new String[]{COMMAND, "-A", Chain.INPUT.name, "-p", "icmpv6", "-j", Action.ACCEPT.target};
+    }
     public static String[] chainPolicy(Action action) {
         return new String[]{COMMAND, "-P", Chain.INPUT.name, action.target};
     }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
index 13745aa421f..419ee0b7268 100644
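Review bot: The added `IpTables.allowIcmp()` call accepts every ICMPv6 type, but the comment on the line above justifies it only with PMTU discovery, which needs just Packet Too Big (type 2); echo requests, redirects and the neighbour-discovery types are admitted as well without being mentioned. Either narrow the rule to the types the container actually needs (ip6tables `--icmpv6-type`, one rule per type) or make the comment honest about the breadth, e.g. `// All ICMPv6 types are accepted: PMTU discovery (Packet Too Big) and neighbour discovery depend on them.` The rule is appended with `-A` after the RELATED,ESTABLISHED rule and before the per-address ACCEPT rules, so its position in the chain is part of the policy; if this method later installs a DROP chain policy (not visible here), that ordering is what keeps ICMPv6 working and deserves a sentence. The enclosing try block and method begin and end outside the hunk.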
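Review bot: `allowIcmp()` is named for ICMP in general but hard-codes `-p icmpv6`, which only ip6tables understands, and like its siblings it carries no Javadoc, so a reader of the caller sees only the name. Renaming it to `allowIcmpv6()` would say what it does; failing that, a Javadoc line such as `/** Appends an ACCEPT rule for every ICMPv6 type to INPUT; only meaningful when COMMAND is ip6tables. */` would. Whether COMMAND is ip6tables cannot be seen in this hunk; the test hunk below expects `"ip6tables"` as the first array element, which suggests it is. The new method also appears to have no blank line separating it from `chainPolicy`, unlike the method above it.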
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
@@ -84,6 +84,10 @@ public class AclMaintainerTest {
                 aryEq(new String[]{"ip6tables", "-A", "INPUT", "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"})
         );
+        verify(dockerOperations).executeCommandInNetworkNamespace(
+                eq(containerName),
+                aryEq(new String[]{"ip6tables", "-A", "INPUT", "-p", "icmpv6", "-j", "ACCEPT"})
+        );
 
         containerAclSpecs.forEach(aclSpec -> verify(dockerOperations).executeCommandInNetworkNamespace(
                 eq(containerName),
                 aryEq(new String[]{"ip6tables", "-A", "INPUT", "-s", aclSpec.ipAddress(), "-j", "ACCEPT"}) |
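Review bot: The new `verify(...)` proves only that the icmpv6 rule was issued, not where in the INPUT chain it lands; with `-A` the rule order is the policy, and a plain Mockito `verify` is order-agnostic, so a regression that emits the rule after the per-address rules or before the flush would still pass. An `InOrder` would pin it: `InOrder inOrder = inOrder(dockerOperations);` and then `inOrder.verify(dockerOperations).executeCommandInNetworkNamespace(...)` for the flush, the RELATED,ESTABLISHED rule and the icmpv6 rule in sequence. The test method begins before this hunk, and the surrounding verifies are context only.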