diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters index 0a81f9ddb48..3960a786f78 100644 --- a/etc/neutron/rootwrap.d/iptables-firewall.filters +++ b/etc/neutron/rootwrap.d/iptables-firewall.filters @@ -20,8 +20,5 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root iptables: CommandFilter, iptables, root ip6tables: CommandFilter, ip6tables, root -# neutron/agent/linux/iptables_firewall.py -sysctl: CommandFilter, sysctl, root - # neutron/agent/linux/ip_conntrack.py conntrack: CommandFilter, conntrack, root diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index f68ebc5403d..daa400d23d7 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -19,17 +19,15 @@ import netaddr from neutron_lib import constants from oslo_config import cfg from oslo_log import log as logging -from oslo_log import versionutils from oslo_utils import netutils import six -from neutron._i18n import _, _LI, _LW +from neutron._i18n import _LI from neutron.agent import firewall from neutron.agent.linux import ip_conntrack from neutron.agent.linux import ipset_manager from neutron.agent.linux import iptables_comments as ic from neutron.agent.linux import iptables_manager -from neutron.agent.linux import utils from neutron.common import constants as n_const from neutron.common import ipv6_utils from neutron.common import utils as c_utils @@ -85,52 +83,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver): lambda: collections.defaultdict(list)) self.pre_sg_members = None self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset - self._enabled_netfilter_for_bridges = False self.updated_rule_sg_ids = set() self.updated_sg_members = set() self.devices_with_updated_sg_members = collections.defaultdict(list) - def _enable_netfilter_for_bridges(self): - # we only need to set these values once, but it has to be when - # we create a bridge; before that the bridge module might not - # be loaded and the proc values aren't there. - if self._enabled_netfilter_for_bridges: - return - else: - self._enabled_netfilter_for_bridges = True - - # These proc values ensure that netfilter is enabled on - # bridges; essential for enforcing security groups rules with - # OVS Hybrid. Distributions can differ on whether this is - # enabled by default or not (Ubuntu - yes, Redhat - no, for - # example). - LOG.debug("Enabling netfilter for bridges") - try: - entries = utils.execute( - ['sysctl', '-N', 'net.bridge'], run_as_root=True, - log_fail_as_error=False).splitlines() - except utils.ProcessExecutionError: - LOG.info(_LI("Process is probably running in namespace or " - "kernel module br_netfilter is not loaded. " - "Please ensure that netfilter options for bridge " - "are enabled to provide working security groups.")) - return - - for proto in ('ip', 'ip6'): - knob = 'net.bridge.bridge-nf-call-%stables' % proto - if knob not in entries: - raise SystemExit( - _("sysctl value %s not present on this system.") % knob) - enabled = utils.execute(['sysctl', '-b', knob]) - if enabled != '1': - versionutils.report_deprecated_feature( - LOG, - _LW('Bridge firewalling is disabled; enabling to make ' - 'iptables firewall work. This may not work in future ' - 'releases.')) - utils.execute( - ['sysctl', '-w', '%s=1' % knob], run_as_root=True) - @property def ports(self): return dict(self.filtered_ports, **self.unfiltered_ports) @@ -196,7 +152,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def prepare_port_filter(self, port): LOG.debug("Preparing device (%s) filter", port['device']) self._set_ports(port) - self._enable_netfilter_for_bridges() # each security group has it own chains self._setup_chains() return self.iptables.apply()