From 766e9fba5c2933af89f0c1b94bab9a417d558f95 Mon Sep 17 00:00:00 2001
From: Samuel Cassiba
Date: Mon, 25 Jun 2018 06:08:27 -0700
Subject: [PATCH] Stop iptables from being enabled by force

This change enables convergence in containers by removing iptables in a workaround as a result of upstream[1] efforts[2].

[1] https://review.rdoproject.org/r/9702
[2] https://review.rdoproject.org/r/9703

Change-Id: I8793cb8d1ee376d45e7521b8ff9434c704e05497
---
 files/default/neutron-enable-bridge-firewall.sh | 7 +++++++
 recipes/default.rb | 9 +++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 files/default/neutron-enable-bridge-firewall.sh

diff --git a/files/default/neutron-enable-bridge-firewall.sh b/files/default/neutron-enable-bridge-firewall.sh
new file mode 100644
index 00000000..a6741152
--- /dev/null
+++ b/files/default/neutron-enable-bridge-firewall.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# this script is intentionally reduced to an exit call to eliminate the
+# automatic invocation of iptables.
+# lp: https://bugs.launchpad.net/neutron/+bug/1622914
+# bz: https://bugzilla.redhat.com/show_bug.cgi?id=1421022
+exit 0
diff --git a/recipes/default.rb b/recipes/default.rb
index ab36fd66..3c8137aa 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -73,6 +73,15 @@ template '/etc/neutron/rootwrap.conf' do
 )
 end
 
+cookbook_file '/usr/bin/neutron-enable-bridge-firewall.sh' do
+ source 'neutron-enable-bridge-firewall.sh'
+ owner 'root'
+ group 'wheel'
+ mode '0755'
+ action :create
+ only_if { node['platform_family'] == 'redhat' }
+end
+
 if node['openstack']['mq']['service_type'] == 'rabbit'
 node.default['openstack']['network']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'network'
 end
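Review bot: The header comment in the new script does not say that the file is written by the cookbook over a path in /usr/bin, so someone who finds a bare `exit 0` there has to follow two bug links to learn why. I would add `# Managed by Chef (recipes/default.rb); overrides the packaged script on redhat-family nodes.` above the existing comment, plus one line stating that any bridge firewall setup the original script performed now has to be provided elsewhere. What the packaged script did is not visible in this patch, so that second line should be confirmed against the package before it is written as fact.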
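Review bot: The guard on the new `cookbook_file` resource is only `node['platform_family'] == 'redhat'`, so the no-op script is installed on every redhat-family node, while the commit message motivates it with convergence in containers. If hosts outside containers rely on the packaged script to prepare bridge filtering for security groups (not visible here), they silently lose that step, so consider gating the resource on an opt-in attribute or a container check as well. Separately, `group 'wheel'` is unusual for a root-owned file in /usr/bin; `group 'root'` would keep the administrative group out of the file's ownership.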