openstack/devstack
Code Issues Proposed changes
Files
b3a210f643989603d192b32a40b2001664f8ed73
devstack/lib/neutron_plugins
History
Ihar Hrachyshka b3a210f643 Enable bridge firewalling if iptables are used 
With the plan [1] to stop enabling it by Neutron iptables firewall
driver itself, deployment tools should catch up and enable the firewall
themselves.

This is needed for distributions that decided to disable the kernel
firewall by default (upstream kernel has it enabled). This is also
needed for distributions that ship newer kernels but don't load the
br_netfilter module before starting nova-network or Neutron iptables
firewall driver. In the latter case, firewall may not work, depending on
the order of operations executed by the driver.

To isolate devstack setups from the difference in distribution
kernel configuration and version, the following steps are done:

- we load bridge kernel module, and br_netfilter if present, to get
  access to sysctl knobs controlling the firewall;
- once knobs are available, we unconditionally set them to 1, to make
  sure the firewall is in effect.

More details at:
http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

[1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Related-Bug: #1622914
2016-09-29 04:26:56 +00:00
..
services
Merge "Make the Neutron l3 plugin use the subnetpools"
2016-09-26 15:01:16 +00:00
bigswitch_floodlight
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
brocade
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
cisco
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
embrane
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
linuxbridge_agent
Enable bridge firewalling if iptables are used
2016-09-29 04:26:56 +00:00
ml2
Fixes for linux bridge and Q_USE_PROVIDER_NET
2016-08-05 20:15:39 -07:00
nuage
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
openvswitch
Namespace XTRACE commands
2015-11-27 15:36:04 +11:00
openvswitch_agent
Merge "Remove stale config l3|dhcp_agent_manager options"
2016-08-17 14:02:44 +00:00
ovs_base
Enable bridge firewalling if iptables are used
2016-09-29 04:26:56 +00:00
README.md
Remove NOVA_VIF_DRIVER variable
2015-08-25 13:40:25 -07:00

README.md

Neutron plugin specific files

Neutron plugins require plugin specific behavior. The files under the directory, lib/neutron_plugins/, will be used when their service is enabled. Each plugin has lib/neutron_plugins/$Q_PLUGIN and define the following functions. Plugin specific configuration variables should be in this file.

  • filename: $Q_PLUGIN
    • The corresponding file name MUST be the same to plugin name $Q_PLUGIN. Plugin specific configuration variables should be in this file.

functions

lib/neutron-legacy calls the following functions when the $Q_PLUGIN is enabled

  • neutron_plugin_create_nova_conf : optionally set options in nova_conf
  • neutron_plugin_install_agent_packages : install packages that is specific to plugin agent e.g. install_package bridge-utils
  • neutron_plugin_configure_common : set plugin-specific variables, Q_PLUGIN_CONF_PATH, Q_PLUGIN_CONF_FILENAME, Q_PLUGIN_CLASS
  • neutron_plugin_configure_debug_command
  • neutron_plugin_configure_dhcp_agent
  • neutron_plugin_configure_l3_agent
  • neutron_plugin_configure_plugin_agent
  • neutron_plugin_configure_service
  • neutron_plugin_setup_interface_driver
  • has_neutron_plugin_security_group: return 0 if the plugin support neutron security group otherwise return 1
  • neutron_plugin_check_adv_test_requirements: return 0 if requirements are satisfied otherwise return 1