Masquerading: NOT persist ephemeral firewall rules
Puppet class tripleo::firewall makes an effort to not persist ephemeral firewall rules created by neutron and ironic-inspector. In instack-undercloud the rules are persisted anyway because we run iptables-save when configuring masquerading. This changes the masquerading to also filter the rules, similar to what we do in tripleo::firewall. Additionally, filtering of the Ironic Inspector iptables pxe_filter rules is implemented. Closes-Bug: #1765700 Change-Id: I0cebfe4177981958c6e1a3b4b772f0a365f79e39
This commit is contained in:
parent
0498f5a64e
commit
e49688be98
@ -6,3 +6,36 @@ RULES_SCRIPT=/var/opt/undercloud-stack/masquerade
. $RULES_SCRIPT

iptables-save > /etc/sysconfig/iptables


# We are specifically running the following commands after the
# iptables rules to ensure the persisted file does not contain any
# ephemeral neutron rules. Neutron assumes the iptables rules are not
# persisted so it may cause an issue if the rule is loaded on boot
# (or via iptables restart). If an operator needs to reload iptables
# for any reason, they may need to manually reload the appropriate
# neutron agent to restore these iptables rules.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
if /bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables
then
/bin/sed -i /neutron-/d /etc/sysconfig/iptables
fi

if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables
then
/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables
fi


# Do not persist ephemeral firewall rules managed by ironic-inspector
# pxe_filter 'iptables' driver.
# https://bugs.launchpad.net/tripleo/+bug/1765700
if /bin/test -f /etc/sysconfig/iptables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector
then
/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables
fi

if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector
then
/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
fi

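Review bot: the sed expression in the two ironic-inspector blocks, `/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d"`, does not exempt commented rules the way the `grep -v "\-m comment \--comment"` guard in front of it does. sed's `p` prints the matching line and then carries on to the next command, so with `-i` and no `-n` every persisted rule carrying `-m comment --comment` is written twice (once by `p`, once by the normal end-of-cycle print), and a commented rule that also mentions ironic-inspector survives only because the following `d` suppresses the end-of-cycle print. The command that skips the rest of the script for a matched line is `b`, i.e. `/bin/sed -i "/-m comment --comment/b;/ironic-inspector/d" /etc/sysconfig/iptables`, and the same for the ip6tables block. As written, duplicated rules would be loaded twice by iptables-restore on boot and grow again on every later run of this script, so it is worth diffing /etc/sysconfig/iptables against `iptables-save` output after running it. Also note the neutron blocks delete every line matching `neutron-` with no exemption for commented tripleo::firewall rules, so the two filters behave differently; if that asymmetry is intended, a short comment saying why would save the next reader the question.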