Consider the following code:
firewall::service { 'cloudlb-haproxy-wiki-replicas':
    proto    => 'tcp',
    port     => [3306],
    src_sets => ['CLOUD_NETWORKS'],
    drange   => ['192.0.2.11', '192.0.2.12', '192.0.2.13', '192.0.2.14',
                 '192.0.2.15', '192.0.2.16', '192.0.2.17', '192.0.2.18',
                 '192.0.2.21', '192.0.2.22', '192.0.2.23', '192.0.2.24',
                 '192.0.2.25', '192.0.2.26', '192.0.2.27', '192.0.2.28'],
}
This seems to generate the following nftables config:
# Managed by puppet
#
ip saddr @CLOUD_NETWORKS_ipv4 ip daddr { 192.0.2.11, 192.0.2.12, 192.0.2.13, 192.0.2.14, 192.0.2.15, 192.0.2.16, 192.0.2.17, 192.0.2.18, 192.0.2.21, 192.0.2.22, 192.0.2.23, 192.0.2.24, 192.0.2.25, 192.0.2.26, 192.0.2.27, 192.0.2.28 } tcp dport { 3306 } accept
ip6 saddr @CLOUD_NETWORKS_ipv6 tcp dport { 3306 } accept
The IPv4 rule looks correct. However, the IPv6 rule should not be there: because drange contains only IPv4 addresses, the generated ip6 rule carries no daddr restriction at all and is incorrectly allowing IPv6 traffic to all addresses on port 3306.
Spotted via https://puppet-compiler.wmflabs.org/output/973761/434/
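To make the failure mode concrete, here is an added example (not Wikimedia's Puppet module or its nftables template, and the rendering logic is a hypothetical reimplementation) that does two things: renders a firewall::service per address family, emitting an ip6 rule only when drange is empty or actually contains IPv6 addresses, and audits rendered nftables text for the asymmetry seen above, where the IPv4 rule restricts daddr but its IPv6 sibling does not. The sample nftables text is constructed and abridged from the output quoted in this task.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple


def split_by_family(addrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Sort host addresses or prefixes into IPv4 and IPv6 lists."""
    v4: List[str] = []
    v6: List[str] = []
    for a in addrs:
        version = ipaddress.ip_network(a, strict=False).version
        (v4 if version == 4 else v6).append(a)
    return v4, v6


def render_service(name: str, proto: str, ports: List[int],
                   src_sets: List[str], drange: List[str]) -> List[str]:
    """Hypothetical per-family rendering of a firewall::service.

    A rule for a family is emitted only when drange is empty (no destination
    restriction intended) or when drange contains addresses of that family.
    A drange that is IPv4-only therefore yields no ip6 rule at all, instead of
    an ip6 rule that silently drops the daddr constraint.
    """
    v4_dst, v6_dst = split_by_family(drange)
    portset = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [f"# {name}"]
    for s in src_sets:
        for family, kw, dst in (("ipv4", "ip", v4_dst), ("ipv6", "ip6", v6_dst)):
            if drange and not dst:
                continue  # destinations were given, none of this family: no rule
            rule = f"{kw} saddr @{s}_{family}"
            if dst:
                rule += f" {kw} daddr {{ {', '.join(dst)} }}"
            rule += f" {proto} dport {portset} accept"
            lines.append(rule)
    return lines


# Matches the accept-rule shape seen in the generated config above.
RULE_RE = re.compile(
    r"^(?P<fam>ip6?) saddr @(?P<set>\S+?)_ipv[46]"
    r"(?P<daddr> ip6? daddr \{[^}]*\})?"
    r" (?P<proto>\w+) dport (?P<ports>\{[^}]*\}) accept$"
)


def find_asymmetric_rules(nft_text: str) -> List[Tuple[str, str, str]]:
    """Return (set, proto, ports) groups where exactly one of the IPv4/IPv6
    sibling rules restricts daddr; the unrestricted sibling is over-permissive."""
    seen: Dict[Tuple[str, str, str], Dict[str, bool]] = {}
    for line in nft_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        key = (m["set"], m["proto"], m["ports"])
        seen.setdefault(key, {})[m["fam"]] = m["daddr"] is not None
    return [k for k, fams in seen.items()
            if len(fams) == 2 and fams["ip"] != fams["ip6"]]


# Constructed sample, abridged from the nftables output quoted in this task.
PAGE_OUTPUT = """# Managed by puppet
#
ip saddr @CLOUD_NETWORKS_ipv4 ip daddr { 192.0.2.11, 192.0.2.12 } tcp dport { 3306 } accept
ip6 saddr @CLOUD_NETWORKS_ipv6 tcp dport { 3306 } accept
"""

if __name__ == "__main__":
    print("flagged:", find_asymmetric_rules(PAGE_OUTPUT))
    fixed = render_service("cloudlb-haproxy-wiki-replicas", "tcp", [3306],
                           ["CLOUD_NETWORKS"], ["192.0.2.11", "192.0.2.12"])
    print("\n".join(fixed))
    print("flagged after fix:", find_asymmetric_rules("\n".join(fixed)))
```

Running find_asymmetric_rules over the quoted output flags the CLOUD_NETWORKS/tcp/3306 pair, while the per-family renderer produces only the IPv4 rule for an IPv4-only drange and passes the same audit; with a mixed drange it emits both rules, each carrying its own family's daddr set.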