authorMicah Anderson <micah@leap.se>2014-05-06 16:37:01 -0400
committerMicah Anderson <micah@leap.se>2014-05-06 16:37:01 -0400
commit0eff66a4bcf68b51c57493c0a80e0f3813476733 (patch)
tree6fc27a3b7b7d03c9f851cd05414efcd21a60d13a /puppet/modules/site_config/manifests/initial_firewall.pp
parent0265eb952691ee91405201836e19384ac2087507 (diff)
Change the initial firewall to subscribe to the rule file to be able to
trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform-side of route IPv6 through OpenVPN gateway, and block it. (Feature #4163) Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
Diffstat (limited to 'puppet/modules/site_config/manifests/initial_firewall.pp')
-rw-r--r--puppet/modules/site_config/manifests/initial_firewall.pp4
1 files changed, 3 insertions, 1 deletions
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
logoutput => true,
unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
require => File['/etc/network/ipv4firewall_up.rules'];
'default_ipv6_firewall':
command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
require => File['/etc/network/ipv6firewall_up.rules'];
}
}
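Review bot: On both execs the added `subscribe => File[...]` sits next to a `require` on the same file; `subscribe` already orders the exec after that file, so the two `require` lines are now redundant and could be dropped. No `refreshonly` is visible on either exec, so when a rules file changes and the `unless` check fails, the restore will probably run twice in that Puppet run: once on normal evaluation and once on the refresh. As far as I know the `unless` guard also suppresses the refresh, so an edited rules file is not re-applied while shorewall or shorewall6 reports running; if that is intended, a comment such as `# re-apply fallback rules on file change; skipped while shorewall6 is up` would record it. The exec declaration and any resource defaults start above this hunk, so `refreshonly` or a provider may already be set there.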