From 0d08f15f412c381c9c9a13c8ae64f7802590bdb8 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 9 Jan 2023 19:05:00 -0800
Subject: [PATCH] ip6tables: allow dhcp6d from aws

While we actually use SLAAC in aws, there's a dhcp6d sending out the router advertisements, so without that the instance doesn't get an ipv6 ip and just doesn't work. With this it does.

Signed-off-by: Kevin Fenzi
---
 roles/base/templates/iptables/ip6tables | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables
index a1b9e3053c..987eed331a 100644
--- a/roles/base/templates/iptables/ip6tables
+++ b/roles/base/templates/iptables/ip6tables
@@ -14,9 +14,11 @@
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow dhcp6d from aws
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 --sport 547 -j ACCEPT
+
 # if the blocked_ips is defined - drop them
 {% if blocked_ip_v6 is defined %}
 {% for ip in blocked_ip_v6 %}
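Review bot: The new ACCEPT rule matches only on the port pair and a link-local destination, so any host on the link can deliver DHCPv6 "server" traffic to the instance; since a legitimate DHCPv6 server or relay answers from its own link-local address, tightening it to `-A INPUT -s fe80::/10 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j ACCEPT` narrows the exposure at no functional cost. The rule is also placed above the `blocked_ip_v6` DROP loop that follows it in the hunk, so a blocked address is exempted for this port pair — if that is not intended, insert it after the loop instead. The commit message attributes the breakage to router advertisements, which are ICMPv6 (type 134) rather than UDP 547/546; if the RA/ND ICMPv6 types are not already accepted elsewhere in this template (outside the hunk), this rule alone will not admit them. A comment stating why conntrack does not cover this case (the client's Solicit goes to the multicast group ff02::1:2, so the unicast reply never matches ESTABLISHED) would spare the next reader from "cleaning up" the rule.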