Enable bridge firewalling if iptables are used

With the plan [1] to stop enabling it by Neutron iptables firewall
driver itself, deployment tools should catch up and enable the firewall
themselves.

This is needed for distributions that decided to disable the kernel
firewall by default (upstream kernel has it enabled). This is also
needed for distributions that ship newer kernels but don't load the
br_netfilter module before starting nova-network or Neutron iptables
firewall driver. In the latter case, firewall may not work, depending on
the order of operations executed by the driver.

To isolate devstack setups from the difference in distribution
kernel configuration and version, the following steps are done:

- we load bridge kernel module, and br_netfilter if present, to get
  access to sysctl knobs controlling the firewall;
- once knobs are available, we unconditionally set them to 1, to make
  sure the firewall is in effect.

More details at:
http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

[1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Related-Bug: #1622914

functions

@@ -646,6 +646,24 @@ function set_mtu {
 }
 
 
+# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
+function enable_kernel_bridge_firewall {
+    # Load bridge module. This module provides access to firewall for bridged
+    # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to
+    # enable/disable bridge firewalling
+    sudo modprobe bridge
+    # For newer kernels (3.18+), those sysctl settings are split into a separate
+    # kernel module (br_netfilter). Load it too, if present.
+    sudo modprobe br_netfilter 2>> /dev/null || :
+    # Enable bridge firewalling in case it's disabled in kernel (upstream
+    # default is enabled, but some distributions may decide to change it).
+    # This is at least needed for RHEL 7.2 and earlier releases.
+    for proto in arp ip ip6; do
+        sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+    done
+}
+
+
 # Restore xtrace
 $_XTRACE_FUNCTIONS
 

lib/neutron

@@ -182,6 +182,8 @@ function configure_neutron_new {
             iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
             iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
         fi
+
+        enable_kernel_bridge_firewall
     fi
 
     # DHCP Agent

lib/neutron_plugins/linuxbridge_agent

@@ -69,6 +69,7 @@ function neutron_plugin_configure_plugin_agent {
     fi
     if [[ "$Q_USE_SECGROUP" == "True" ]]; then
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
+        enable_kernel_bridge_firewall
     else
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
     fi

lib/neutron_plugins/ovs_base

@@ -84,6 +84,7 @@ function _neutron_ovs_base_configure_debug_command {
 function _neutron_ovs_base_configure_firewall_driver {
     if [[ "$Q_USE_SECGROUP" == "True" ]]; then
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+        enable_kernel_bridge_firewall
     else
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
     fi

lib/nova

@@ -866,9 +866,13 @@ function start_nova_rest {
     run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
     run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
     run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
-
     run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
+
+    if is_service_enabled n-net; then
+        enable_kernel_bridge_firewall
+    fi
     run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
+
     run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
     run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"