From eedcaed32bb0eaefda6025b7be548e826757bb12 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 3 Aug 2022 12:32:41 +0200
Subject: [PATCH] Separate ipv4 and ipv6 default policies.
---
 defaults/main.yml | 4 ++--
 templates/iptables-rules.v6.j2 | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index ec8dfa5..0809c2a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,8 @@
 ---
 iptables_persistent_enabled: True
-#iptables_default_policy: REJECT
+# Options: ACCEPT, REJECT, DROP
 iptables_default_policy: ACCEPT
+iptables6_default_policy: '{{ iptables_default_policy }}'
 iptables_log_untracked_traffic: False
 iptables_nat_enabled: False
 iptables_nat_specify_interfaces: True
@@ -13,7 +14,6 @@ iptables_forward_default_policy: '{{ iptables_default_policy }}'
 iptables_banned_default_policy: DROP
 iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
 iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False
 jgroups_cluster_enabled: False
diff --git a/templates/iptables-rules.v6.j2 b/templates/iptables-rules.v6.j2
index f9cab76..fd8b875 100644
--- a/templates/iptables-rules.v6.j2
+++ b/templates/iptables-rules.v6.j2
@@ -5,11 +5,11 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-{% if iptables_default_policy == 'REJECT' %}
+{% if iptables6_default_policy == 'REJECT' %}
 -A INPUT -j REJECT --reject-with icmp6-addr-unreachable
 -A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
 {% else %}
--A INPUT -j {{ iptables_default_policy }}
--A FORWARD -j {{ iptables_default_policy }}
+-A INPUT -j {{ iptables6_default_policy }}
+-A FORWARD -j {{ iptables6_default_policy }}
 {% endif %}
 COMMIT
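Review bot: The new `iptables6_default_policy` line carries no comment of its own, and the `# Options: ACCEPT, REJECT, DROP` note added just above it reads as applying only to the IPv4 variable. Because the IPv6 value inherits from `iptables_default_policy`, an operator who hardens IPv4 in host vars gets the same policy on IPv6, but one who sets `iptables6_default_policy` explicitly can leave the two address families with different exposure without noticing. I would add directly above the new line: `# IPv6 default policy; follows iptables_default_policy unless overridden. Same options as above; keep both families in step when hardening.` The hunk ends at line 8 of the defaults file, so I cannot see whether the variable is documented elsewhere in the role.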
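Review bot: The `{% else %}` branch still pastes `iptables6_default_policy` verbatim as an ip6tables target, and only the exact string `REJECT` takes the IPv6-safe `--reject-with icmp6-addr-unreachable` path. A value written in the style the same defaults file uses for other policies (`'REJECT --reject-with icmp-host-prohibited'`, an IPv4-only reject type) or a plain typo fails the `==` comparison, falls through to the else branch and yields a ruleset ip6tables-restore will not load, so the host is left with whatever IPv6 rules were active before, possibly none. I would validate the value before rendering, for example a task `- ansible.builtin.assert: { that: iptables6_default_policy in ['ACCEPT', 'REJECT', 'DROP'] }`, or in the template replace the else with `{% elif iptables6_default_policy in ['ACCEPT', 'DROP'] %}` and fail on anything else. How the rendered file is applied is outside this hunk, so the failure mode is inferred from the template alone.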