From c1dfb53bf1db1fe65ba6a8ef64a0b30151ee5c03 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka
Date: Sat, 11 Feb 2017 12:50:04 +0000
Subject: [PATCH] iptables: stop 'fixing' kernel sysctl bridge firewalling knobs

Those are different on different kernel versions, and have reasonable default values on all newer kernel versions, including RHEL. We nevertheless made devstack to set those in the past; now I propose to clean the code from neutron tree and leave it up to deployment tools to fix in an unlikely case the system has broken default values. Now that iptables firewall code does not trigger sysctl, we can also remove this filter from the corresponding rootwrap .filters file. DocImpact make sure deployment docs mention the expected sysctl knob values.

Change-Id: Iabf61021c90b0536be274463d48fb5a572ecc023
Related-Bug: #1622914
---
 .../rootwrap.d/iptables-firewall.filters | 3 --
 neutron/agent/linux/iptables_firewall.py | 47 +------
 2 files changed, 1 insertion(+), 49 deletions(-)

diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
index 0a81f9ddb48..3960a786f78 100644
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -20,8 +20,5 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
 
-# neutron/agent/linux/iptables_firewall.py
-sysctl: CommandFilter, sysctl, root
-
 # neutron/agent/linux/ip_conntrack.py
 conntrack: CommandFilter, conntrack, root
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index f68ebc5403d..daa400d23d7 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -19,17 +19,15 @@ import netaddr
 from neutron_lib import constants
 from oslo_config import cfg
 from oslo_log import log as logging
-from oslo_log import versionutils
 from oslo_utils import netutils
 import six
 
-from neutron._i18n import _, _LI, _LW
+from neutron._i18n import _LI
 from neutron.agent import firewall
 from neutron.agent.linux import ip_conntrack
 from neutron.agent.linux import ipset_manager
 from neutron.agent.linux import iptables_comments as ic
 from neutron.agent.linux import iptables_manager
-from neutron.agent.linux import utils
 from neutron.common import constants as n_const
 from neutron.common import ipv6_utils
 from neutron.common import utils as c_utils
@@ -85,52 +83,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
             lambda: collections.defaultdict(list))
         self.pre_sg_members = None
         self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
-        self._enabled_netfilter_for_bridges = False
         self.updated_rule_sg_ids = set()
         self.updated_sg_members = set()
         self.devices_with_updated_sg_members = collections.defaultdict(list)
 
-    def _enable_netfilter_for_bridges(self):
-        # we only need to set these values once, but it has to be when
-        # we create a bridge; before that the bridge module might not
-        # be loaded and the proc values aren't there.
-        if self._enabled_netfilter_for_bridges:
-            return
-        else:
-            self._enabled_netfilter_for_bridges = True
-
-        # These proc values ensure that netfilter is enabled on
-        # bridges; essential for enforcing security groups rules with
-        # OVS Hybrid. Distributions can differ on whether this is
-        # enabled by default or not (Ubuntu - yes, Redhat - no, for
-        # example).
-        LOG.debug("Enabling netfilter for bridges")
-        try:
-            entries = utils.execute(
-                ['sysctl', '-N', 'net.bridge'], run_as_root=True,
-                log_fail_as_error=False).splitlines()
-        except utils.ProcessExecutionError:
-            LOG.info(_LI("Process is probably running in namespace or "
-                         "kernel module br_netfilter is not loaded. "
-                         "Please ensure that netfilter options for bridge "
-                         "are enabled to provide working security groups."))
-            return
-
-        for proto in ('ip', 'ip6'):
-            knob = 'net.bridge.bridge-nf-call-%stables' % proto
-            if knob not in entries:
-                raise SystemExit(
-                    _("sysctl value %s not present on this system.") % knob)
-            enabled = utils.execute(['sysctl', '-b', knob])
-            if enabled != '1':
-                versionutils.report_deprecated_feature(
-                    LOG,
-                    _LW('Bridge firewalling is disabled; enabling to make '
-                        'iptables firewall work. This may not work in future '
-                        'releases.'))
-                utils.execute(
-                    ['sysctl', '-w', '%s=1' % knob], run_as_root=True)
-
     @property
     def ports(self):
         return dict(self.filtered_ports, **self.unfiltered_ports)
@@ -196,7 +152,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
     def prepare_port_filter(self, port):
         LOG.debug("Preparing device (%s) filter", port['device'])
         self._set_ports(port)
-        self._enable_netfilter_for_bridges()
         # each security group has it own chains
         self._setup_chains()
         return self.iptables.apply()
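Review bot: With the `self._enable_netfilter_for_bridges()` call dropped, `prepare_port_filter` now installs the security-group chains with no runtime check that `net.bridge.bridge-nf-call-iptables` and `-ip6tables` are 1, so on a host where br_netfilter is unloaded or the knob is 0 the rules are programmed but, as the removed comment notes for the OVS hybrid case, never consulted for bridged traffic — the agent fails open silently and the only remaining guard is the DocImpact note. The removed code read the knob without root (`utils.execute(['sysctl', '-b', knob])`), so a read-only check that merely logs needs neither the deleted rootwrap `sysctl` filter nor any write to the kernel; I would keep that much, warning rather than raising, since the removed `ProcessExecutionError` handler shows the read can fail inside a namespace or when the module is not loaded. The sketch below needs the `neutron.agent.linux.utils` import this commit removes and a `self._checked_bridge_netfilter = False` in `__init__`, neither of which is in this hunk. The rest of the class sits outside the hunk.

```python
    def _warn_if_bridge_netfilter_disabled(self):
        """Log once if bridged traffic will bypass iptables.

        Read-only: nothing is written via sysctl and no root is needed,
        so no rootwrap filter is required; fixing the knob is left to
        deployment tooling as the commit intends.
        """
        if self._checked_bridge_netfilter:
            return
        self._checked_bridge_netfilter = True
        for proto in ('ip', 'ip6'):
            knob = 'net.bridge.bridge-nf-call-%stables' % proto
            try:
                enabled = utils.execute(['sysctl', '-b', knob],
                                        log_fail_as_error=False)
            except utils.ProcessExecutionError:
                # br_netfilter not loaded, or running inside a namespace
                LOG.warning("Cannot read %s; security groups are not "
                            "enforced on bridged traffic unless it is 1.",
                            knob)
                continue
            if enabled.strip() != '1':
                LOG.warning("%s is %s, not 1; security group rules will be "
                            "installed but not enforced on bridged traffic.",
                            knob, enabled.strip())

    def prepare_port_filter(self, port):
        LOG.debug("Preparing device (%s) filter", port['device'])
        self._set_ports(port)
        self._warn_if_bridge_netfilter_disabled()
        # … unchanged: chain setup and iptables.apply() …
```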