Switch default firewall engine
Switching the FirewallEngine to nftables instead of puppet has some consequences regarding security: the new tripleo_nftables acts on the chain policy instead of relying on a final drop rule. `iptables' cli cannot see nftables content we inject, since we're using the "inet" family. Therefore, please use the `nft' CLI from now on. Doc has been updated accordingly.

Depends-On: https://review.opendev.org/c/openstack/tripleo-puppet-elements/+/853224
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/853252
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/853934
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/856487
Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/857096
Depends-On: https://review.opendev.org/c/openstack/tripleo-quickstart/+/857128
Change-Id: I8124da3e53afbb410dfe6fe020ab5eead72a349a
This commit is contained in: parent 6d8fe0aba5, commit 9cdf72876b
@ -34,7 +34,7 @@ parameters:
tags:
- role_specific
FirewallEngine:
default: 'iptables'
default: 'nftables'
description: Set the actual firewall engine. Can be "iptables" or "nftables"
type: string
constraints:
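Review bot: the default flips from 'iptables' to 'nftables', but the description on the same parameter still only says 'Can be "iptables" or "nftables"' and gives no hint that the two engines behave differently; since the commit message itself states that the nftables engine enforces via chain policy rather than a final drop rule and that the `iptables` CLI cannot show the injected "inet" ruleset, that operational difference belongs in the parameter description so operators who keep the default know to inspect the firewall with `nft list ruleset`. Suggest: description: Set the actual firewall engine. Can be "iptables" or "nftables" (default). With "nftables", rules are only visible via the nft CLI. Also worth confirming that the constraints block below still lists both values as allowed so the old value keeps validating for existing deployments.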
@ -0,0 +1,11 @@
---
security:
- |
Switching the FirewallEngine to nftables instead of puppet has some
consequences regarding security: the new tripleo_nftables acts on the
chain policy instead of relying on a final drop rule.
other:
- |
iptables cli cannot see nftables content we inject, since we're
using the "inet" family. Therefore, please use the "nft" CLI from
now on. Doc has been updated accordingly.
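Review bot: the security note says the engine switches "to nftables instead of puppet", but the parameter being changed in the other hunk takes the values "iptables" and "nftables", so "puppet" names the old implementation rather than the old value; stating it as "to nftables instead of the puppet-managed iptables engine" would match the parameter. The note should also spell out what "acts on the chain policy instead of relying on a final drop rule" means for an operator upgrading with the default: the chain's policy is now what drops unmatched traffic, so the visible rule list will no longer end in an explicit drop, and anyone verifying the firewall must use `nft list ruleset`, as the "other" entry says. Moving the `iptables`-cannot-see-rules statement into the security section (or cross-referencing it) would keep the upgrade-relevant facts together rather than split across two sections.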