From 7133a73e244d66b21e285f1a93a009f716129d9f Mon Sep 17 00:00:00 2001
From: Antoni Segura Puimedon
Date: Thu, 5 Jul 2018 00:58:04 +0200
Subject: [PATCH] devstack: Set and clean iptables

We were only setting API LB member iptables in gates. This patch makes them available in development devstack scenarios and adds cleanup of kuryr devstack set iptables.

Change-Id: I8ebfe20aabd8d94062490063325806cee0d08436
Signed-off-by: Antoni Segura Puimedon
---
 devstack/lib/kuryr_kubernetes | 26 +++++++++++++++++++++++---
 devstack/plugin.sh | 2 ++
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes
index 8f4c3c57d..b722d69e5 100644
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@@ -80,8 +80,14 @@ function ovs_bind_for_kubelet() {
 done
 sudo ip route add "$service_subnet_cidr" via "$pod_subnet_gw" dev "$ifname"
 if [ -n "$port_number" ]; then
- # Ignore the error if openstack-INPUT chain doesn't exist.
- sudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || true
+ # if openstack-INPUT chain doesn't exist we create it in INPUT (for
+ # local development envs since openstack-INPUT is usually only in gates)
+ sudo iptables -I openstack-INPUT 1 \ -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport $port_number -j ACCEPT || \ sudo iptables -I INPUT 1 \ -p tcp -m conntrack --ctstate NEW \ -m tcp --dport "$port_number" \ -m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
 fi
 }
@@ -1170,7 +1176,7 @@ except-interface=lo
 EOF
 #Open port 53 so pods can reach the DNS server
- sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -I INPUT 1 -p udp -m udp --dport 53 -m comment --comment "kuryr-devstack: Access to OpenShift API" -j ACCEPT
 dnsmasq_binary="$(command -v dnsmasq)"
 cmd="${dnsmasq_binary} -k -C ${openshift_dnsmasq_conf_path}"
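Review bot: The openstack-INPUT rule on the first `+ sudo iptables` line carries no `-m comment --comment "kuryr-devstack: ..."` tag, and openstack-INPUT is not among the chains the new cleanup_kuryr_devstack_iptables scans, so on gates this ACCEPT for the API port is never removed at unstack; tag it like the INPUT fallback and include that chain in the cleanup. The comment above it says the chain is created in INPUT, which the code does not do — it only falls back to inserting into INPUT — so `# openstack-INPUT normally exists only in gates; fall back to INPUT for local dev envs` describes the behaviour. Because `||` also fires when the first insert fails for any other reason, and `-I` is unconditional, re-running stack.sh stacks duplicate rules; guarding the fallback with `sudo iptables -C INPUT ... || sudo iptables -I INPUT ...` keeps it idempotent. `$port_number` is quoted in the fallback but not in the first rule. ovs_bind_for_kubelet starts outside the hunk.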
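Review bot: The comment attached to the UDP 53 rule reads `kuryr-devstack: Access to OpenShift API`, copied from the API rule in ovs_bind_for_kubelet, while the line above it says the rule opens DNS for pods; a mislabelled rule makes an `iptables -L` audit misleading. Keep the `kuryr-devstack:` prefix the cleanup matches on but describe the rule: `-m comment --comment "kuryr-devstack: DNS for pods" -j ACCEPT`. The enclosing function starts and ends outside the hunk.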
@@ -1220,3 +1226,17 @@ function run_openshift_dns {
 run_process openshift-dns "sudo $command"
 fi
 }
+
+# cleanup_kuryr_devstack_iptables
+# Description: Fins all the iptables rules we set and deletes them
+function cleanup_kuryr_devstack_iptables {
+ local chains
+
+ chains=( INPUT FORWARD OUTPUT )
+ for chain in ${chains[@]}; do
+ sudo iptables -n -L "$chain" -v --line-numbers | \
+ awk -v chain="$chain" \
+ '/kuryr-devstack/ {print "sudo iptables -D " chain " " $1}' | \
+ tac | bash /dev/stdin
+ done
+}
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 61f4d6e26..40231e000 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -911,6 +911,8 @@ if [[ "$1" == "unstack" ]]; then
 if is_service_enabled legacy_etcd; then
 stop_container etcd
 fi
+
+ cleanup_kuryr_devstack_iptables
 fi
 if [[ "$1" == "clean" ]]; then
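Review bot: cleanup_kuryr_devstack_iptables builds shell commands from iptables listing output (`{print "sudo iptables -D " chain " " $1}`) and executes them with `tac | bash /dev/stdin`; only the rule number is needed from the listing, so read the numbers into the shell and call `sudo iptables -D "$chain" "$num"` directly rather than executing generated text. `${chains[@]}` is unquoted (ShellCheck SC2068) and `chain` is not declared `local`, so it leaks into the caller's scope. The header comment has a typo (`Fins` for `Finds`) and should state the contract: rules are matched on the `kuryr-devstack` text in their comment and deleted highest-number-first so one deletion does not renumber the rules still pending. openstack-INPUT, which ovs_bind_for_kubelet inserts into on gates, is not in the chain list, so that rule survives unstack.
```shell
function cleanup_kuryr_devstack_iptables {
    local chain num
    local -a chains nums

    chains=( INPUT FORWARD OUTPUT )
    for chain in "${chains[@]}"; do
        # Collect the matching rule numbers, highest first, so deleting
        # one rule does not renumber the ones still to be deleted.
        mapfile -t nums < <(sudo iptables -n -L "$chain" -v --line-numbers \
            | awk '/kuryr-devstack/ {print $1}' | sort -rn)
        for num in "${nums[@]}"; do
            sudo iptables -D "$chain" "$num"
        done
    done
}
```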