Masquerading: NOT persist ephemeral firewall rules

Puppet class tripleo::firewall makes an effort to not
persist ephemeral firewall rules created by neutron and
ironic-inspector. In instack-undercloud the rules are
persisted anyway because we run iptables-save when
configuring masquerading.

This changes the masquerading to also filter the rules,
similar to what we do in tripleo::firewall.

Additionally, filtering of the Ironic Inspector iptables
pxe_filter rules is implemented.

Closes-Bug: #1765700
Change-Id: I0cebfe4177981958c6e1a3b4b772f0a365f79e39
Harald Jensås 2018-04-22 13:12:01 +02:00
parent 0498f5a64e
commit e49688be98
1 changed files with 33 additions and 0 deletions
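The filtering the commit message describes (strip neutron and ironic-inspector pxe_filter rules from the persisted iptables-save file, but keep the rules tripleo::firewall manages, which all carry an explicit `-m comment --comment`) can be checked on a dump offline. The script below is an added example and is not code from the commit or from instack-undercloud; the iptables-save dump, the MAC address and the comment strings in it are constructed, and the `filter_ephemeral` function is an assumed name. It uses sed's `b` (branch to end of script) rather than `p` to keep the commented lines, so every kept line is written exactly once.

```shell
#!/bin/sh
# Added example, not part of the commit: filter an iptables-save dump so that
# ephemeral chains/rules created by neutron and by ironic-inspector's
# pxe_filter 'iptables' driver are not persisted, while rules that carry an
# explicit "-m comment --comment" (the ones tripleo::firewall manages) stay.

# Constructed sample of an iptables-save dump (not captured from a real host).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:ironic-inspector - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m comment --comment "137 ironic-inspector dhcp" -j ACCEPT
-A FORWARD -j neutron-filter-top
-A INPUT -j ironic-inspector
-A ironic-inspector -m mac --mac-source DE:AD:BE:EF:00:01 -j DROP
-A ironic-inspector -j DROP
COMMIT'

# filter_ephemeral reads a dump on stdin and writes the filtered dump to stdout.
# Order matters: neutron lines go first, then commented lines branch past the
# ironic-inspector delete, so a commented rule mentioning ironic-inspector
# survives and an uncommented one (chain header, jump, pxe_filter rule) is dropped.
filter_ephemeral() {
    sed -e '/neutron-/d' \
        -e '/-m comment --comment/b' \
        -e '/ironic-inspector/d'
}

# count_matches prints how many lines of the filtered sample contain $1
# (prints 0 rather than failing when nothing matches).
count_matches() {
    printf '%s\n' "$SAMPLE_DUMP" | filter_ephemeral | grep -c -- "$1" || true
}

# filtered_line_count prints the number of lines left after filtering.
filtered_line_count() {
    printf '%s\n' "$SAMPLE_DUMP" | filter_ephemeral | wc -l | tr -d ' '
}

# Run with --demo to print the filtered dump.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | filter_ephemeral
fi
```

On the constructed dump the filter drops the two ephemeral chain headers, the neutron jump, the jump into the ironic-inspector chain and both pxe_filter rules, and keeps the ssh rule and the commented DHCP rule once each; had the kept-line command been `p` instead of `b`, the ssh rule would appear twice in the output.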


@ -6,3 +6,36 @@ RULES_SCRIPT=/var/opt/undercloud-stack/masquerade
. $RULES_SCRIPT
iptables-save > /etc/sysconfig/iptables
# We are specifically running the following commands after the
# iptables rules to ensure the persisted file does not contain any
# ephemeral neutron rules. Neutron assumes the iptables rules are not
# persisted so it may cause an issue if the rule is loaded on boot
# (or via iptables restart). If an operator needs to reload iptables
# for any reason, they may need to manually reload the appropriate
# neutron agent to restore these iptables rules.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
if /bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables
then
/bin/sed -i /neutron-/d /etc/sysconfig/iptables
fi
if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables
then
/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables
fi
# Do not persist ephemeral firewall rules managed by ironic-inspector
# pxe_filter 'iptables' driver.
# https://bugs.launchpad.net/tripleo/+bug/1765700
if /bin/test -f /etc/sysconfig/iptables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector
then
/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables
fi
if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector
then
/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
fi
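Review bot: the two `/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d"` commands duplicate every rule that carries `-m comment --comment` but does not mention ironic-inspector. Without `-n`, the `p` command prints the matching line and sed's automatic output prints it again, so after this script runs /etc/sysconfig/iptables (and ip6tables) holds two copies of each commented tripleo::firewall rule, and iptables-restore will load them as duplicate rules on boot or on `iptables restart`. Replace `p` with a branch, `"/-m comment --comment/b;/ironic-inspector/d"`, so commented lines skip the delete and are emitted exactly once; the `grep -v "\-m comment \--comment" ... | grep -q ironic-inspector` guard above each call is correct and can stay.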