authorMartin Polden <martin.polden@gmail.com>2017-01-25 13:16:18 +0100
committerMartin Polden <martin.polden@gmail.com>2017-01-25 13:16:18 +0100
commit88f26a4763148b20361fe97fec1f0cd57939f101 (patch)
treebc4bafca8d14ad372d5c236c8855c15089fcd4e1 /node-admin
parentc0cfd43467653b407594f8c6800f6caceb9559c1 (diff)
Allow all ICMPv6 packets
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java2
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java3
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java4
3 files changed, 9 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
index 11712f03bb7..8ecd0716958 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainer.java
@@ -55,6 +55,8 @@ public class AclMaintainer implements Runnable {
try {
dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.flushChain());
dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.allowAssociatedConnections());
+ // ICMPv6 packets are always accepted as they are required for PMTU discovery to work properly.
+ dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.allowIcmp());
aclSpecs.stream()
.map(ContainerAclSpec::ipAddress)
.filter(AclMaintainer::isIpv6)
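Review bot: The rule added on line 27 accepts every ICMPv6 type from any source, but the comment on line 26 justifies it only by PMTU discovery, which needs just Packet Too Big (type 2) — plus, in practice, the other error messages (types 1, 3, 4) and neighbour solicitation/advertisement (135/136) if the namespace's neighbour resolution also goes through this INPUT chain. A blanket accept also admits echo requests, Router Advertisements and Redirects (types 128, 134, 137) from arbitrary hosts, the types RFC 4890 advises filtering at a host boundary. If the breadth is deliberate, the comment should say so rather than naming only PMTUD, e.g. `// Accept all ICMPv6: PMTUD (Packet Too Big) and neighbour discovery both need it; RFC 4890 lists a tighter per-type allow-list if this is ever narrowed`; otherwise restrict it to named types through a per-type helper in IpTables (not in this hunk), as sketched below. The enclosing try block and run() method continue outside the hunk.
```java
// Accept only the ICMPv6 types the container needs (RFC 4890 §4.3): PMTUD/ICMP error messages and
// neighbour discovery — not echo, router-advertisement or redirect from arbitrary hosts.
for (String icmpv6Type : new String[]{"destination-unreachable", "packet-too-big", "time-exceeded",
        "parameter-problem", "neighbour-solicitation", "neighbour-advertisement"}) {
    dockerOperations.executeCommandInNetworkNamespace(containerName, IpTables.allowIcmpv6(icmpv6Type));
}
// … unchanged: per-address allow rules from aclSpecs …
```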
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
index c133f56331a..68dbc6b1dbc 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/util/IpTables.java
@@ -18,6 +18,9 @@ public class IpTables {
Action.ACCEPT.target};
}
+ public static String[] allowIcmp() {
+ return new String[]{COMMAND, "-A", Chain.INPUT.name, "-p", "icmpv6", "-j", Action.ACCEPT.target};
+ }
public static String[] chainPolicy(Action action) {
return new String[]{COMMAND, "-P", Chain.INPUT.name, action.target};
}
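Review bot: `allowIcmp()` on line 38 emits `-p icmpv6` with no `--icmpv6-type`, so the name undersells both what it targets (IPv6 only — COMMAND appears to be `ip6tables`, going by the expectations in the test hunk) and how broad it is (every ICMPv6 type on INPUT). A per-type variant keeps call sites explicit and lets callers allow only what they need: `public static String[] allowIcmpv6(String icmpv6Type) {` / `return new String[]{COMMAND, "-A", Chain.INPUT.name, "-p", "icmpv6", "--icmpv6-type", icmpv6Type, "-j", Action.ACCEPT.target};` / `}`. Whichever form is kept, the method should carry a one-line Javadoc stating that it appends an unconditional ACCEPT for ICMPv6 on the INPUT chain, since nothing in the method body makes the scope obvious to a caller. The enclosing class continues outside the hunk.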
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
index 13745aa421f..419ee0b7268 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/AclMaintainerTest.java
@@ -84,6 +84,10 @@ public class AclMaintainerTest {
aryEq(new String[]{"ip6tables", "-A", "INPUT", "-m", "state", "--state", "RELATED,ESTABLISHED", "-j",
"ACCEPT"})
);
+ verify(dockerOperations).executeCommandInNetworkNamespace(
+ eq(containerName),
+ aryEq(new String[]{"ip6tables", "-A", "INPUT", "-p", "icmpv6", "-j", "ACCEPT"})
+ );
containerAclSpecs.forEach(aclSpec -> verify(dockerOperations).executeCommandInNetworkNamespace(
eq(containerName),
aryEq(new String[]{"ip6tables", "-A", "INPUT", "-s", aclSpec.ipAddress(), "-j", "ACCEPT"})
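Review bot: The new verify on lines 52–55 pins the exact ip6tables arguments but not when the command runs relative to the chain flush that the maintainer issues first; a plain `verify` passes even if the ICMPv6 accept were issued before `flushChain()`, which would silently wipe the rule. Since the test already verifies the RELATED,ESTABLISHED append on lines 49–51, switching the sequence to `InOrder inOrder = inOrder(dockerOperations);` and `inOrder.verify(dockerOperations).executeCommandInNetworkNamespace(eq(containerName), aryEq(new String[]{"ip6tables", "-A", "INPUT", "-p", "icmpv6", "-j", "ACCEPT"}));` would catch that regression without changing the assertions. The flush verification and the enclosing test method lie outside the hunk, so this is inferred from the maintainer's call order rather than visible here.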