From da31c6e5baaf4abf01a6c2232a0dbac2513f0e06 Mon Sep 17 00:00:00 2001
From: Alex Schultz <aschultz@redhat.com>
Date: Sun, 18 Feb 2018 11:07:22 -0700
Subject: [PATCH] Ensure FORWARD is ACCEPT by default

Newer versions of docker have switched to updating the FORWARD chain to
be DROP by default. This causes issues with the deployment. Update the
FORWARD chains to be ACCEPT by default.

Depends-On: Ib75f97748540b9162d76c9c189d3ca7e082b3784
Closes-Bug: #1750194

Change-Id: I93be7138e6a61cf3aadf19f53097d67469befc17
---
 .../puppet-stack-config.yaml.template               | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/elements/puppet-stack-config/puppet-stack-config.yaml.template b/elements/puppet-stack-config/puppet-stack-config.yaml.template
index bf2041b16..3e053a46a 100644
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@@ -894,6 +894,19 @@ nova::notify_on_state_change: 'vm_state'
 
 # Firewall
 tripleo::firewall::manage_firewall: true
+# Docker switches FORWARD to DROP by default which causes issues on the
+# undercloud. We are already included a REJECT rule in so switch these back
+# to ACCEPT.
+# https://bugs.launchpad.net/tripleo/+bug/1750194
+tripleo::firewall::firewall_chains:
+  'FORWARD:filter:IPv4':
+     ensure: present
+     policy: accept
+     purge: false
+  'FORWARD:filter:IPv6':
+     ensure: present
+     policy: accept
+     purge: false
 tripleo::firewall::firewall_rules:
   '105 ntp':
     dport: 123