Masquerading: NOT persist ephemeral firewall rules
Puppet class tripleo::firewall makes an effort to not persist ephemeral firewall rules created by neutron and ironic-inspector. In instack-undercloud the rules are persisted anyway because we run iptables-save when configuring masquerading. This changes the masquerading to also filter the rules, similar to what we do in tripleo::firewall. Additionally, filtering of the Ironic Inspector iptables pxe_filter rules is implemented.

Closes-Bug: #1765700
Change-Id: I0cebfe4177981958c6e1a3b4b772f0a365f79e39
parent 0498f5a64e
commit e49688be98
@@ -6,3 +6,36 @@ RULES_SCRIPT=/var/opt/undercloud-stack/masquerade
 . $RULES_SCRIPT
 
 iptables-save > /etc/sysconfig/iptables
+
+
+# We are specifically running the following commands after the
+# iptables rules to ensure the persisted file does not contain any
+# ephemeral neutron rules. Neutron assumes the iptables rules are not
+# persisted so it may cause an issue if the rule is loaded on boot
+# (or via iptables restart). If an operator needs to reload iptables
+# for any reason, they may need to manually reload the appropriate
+# neutron agent to restore these iptables rules.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+if /bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables
+then
+/bin/sed -i /neutron-/d /etc/sysconfig/iptables
+fi
+
+if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables
+then
+/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables
+fi
+
+
+# Do not persist ephemeral firewall rules managed by ironic-inspector
+# pxe_filter 'iptables' driver.
+# https://bugs.launchpad.net/tripleo/+bug/1765700
+if /bin/test -f /etc/sysconfig/iptables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector
+then
+/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables
+fi
+
+if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector
+then
+/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
+fi
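Review bot: the two ironic-inspector sed commands at the end of the hunk, `/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables` and its ip6tables twin, duplicate every persisted rule that carries `-m comment --comment` but does not mention ironic-inspector: `p` prints the matching line explicitly, and because sed runs without `-n` the same line is printed again at the end of the cycle, so only lines that then hit `/ironic-inspector/d` escape the second copy. Since the `grep -v ... | grep -q ironic-inspector` guard fires exactly when the ephemeral pxe_filter rules are present, the saved file ends up with every tripleo::firewall rule twice on a normal undercloud. Branch past the delete instead of printing, e.g. `"/-m comment --comment/b;/ironic-inspector/d"` (or `/-m comment --comment/!{/ironic-inspector/d}`), so commented rules are emitted once and untouched. The neutron block above has no such comment exemption: `/bin/sed -i /neutron-/d` also drops any tripleo-managed rule whose comment happens to contain `neutron-`, so applying the same exemption there would make the two filters consistent.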