From e49688be9844b9ae32e14747ad95a07be0fa142c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?=
Date: Sun, 22 Apr 2018 13:12:01 +0200
Subject: [PATCH] Masqeurading: NOT persist ephemeral firewall rules

Puppet class tripleo::firewall makes an effort to not persist ephemeral firewall rules created by neutron and ironic-inspector. In instack-undercloud the rules are persisted anyway because we run iptables-save when configuring masquerading. This changes the masquerading to also filter the rules, similar to what we do in tripleo::firewall. Additionally filtering of the Ironic Inspector iptables pxe_filter rules are implemented.

Closes-Bug: #1765700
Change-Id: I0cebfe4177981958c6e1a3b4b772f0a365f79e39
---
 .../post-configure.d/80-seedstack-masquerade | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade b/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
index 3036831d3..4e49b23ab 100755
--- a/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
+++ b/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
@@ -6,3 +6,36 @@ RULES_SCRIPT=/var/opt/undercloud-stack/masquerade
 . $RULES_SCRIPT
 iptables-save > /etc/sysconfig/iptables
+
+
+# We are specifically running the following commands after the
+# iptables rules to ensure the persisted file does not contain any
+# ephemeral neutron rules. Neutron assumes the iptables rules are not
+# persisted so it may cause an issue if the rule is loaded on boot
+# (or via iptables restart). If an operator needs to reload iptables
+# for any reason, they may need to manually reload the appropriate
+# neutron agent to restore these iptables rules.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+if /bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables
+then
+ /bin/sed -i /neutron-/d /etc/sysconfig/iptables
+fi
+
+if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables
+then
+ /bin/sed -i /neutron-/d /etc/sysconfig/ip6tables
+fi
+
+
+# Do not persist ephemeral firewall rules managed by ironic-inspector
+# pxe_filter 'iptables' driver.
+# https://bugs.launchpad.net/tripleo/+bug/1765700
+if /bin/test -f /etc/sysconfig/iptables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector
+then
+ /bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables
+fi
+
+if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector
+then
+ /bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
+fi
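Review bot: The `p` in `/bin/sed -i "/-m comment --comment/p;/ironic-inspector/d"` duplicates every commented rule line instead of protecting it: `p` prints the pattern space but does not end the cycle, so a line that carries a comment and is not an ironic-inspector rule is emitted by `p` and again by sed's end-of-cycle auto-print, leaving two copies in /etc/sysconfig/iptables (the ip6tables branch later in the hunk has the same line). Only lines matching both patterns come out once, because `d` then suppresses the auto-print. The intended "skip commented rules, drop uncommented ironic-inspector rules" needs `b`, which branches to the end of the script: `/bin/sed -i "/-m comment --comment/b;/ironic-inspector/d" /etc/sysconfig/iptables`, and likewise for /etc/sysconfig/ip6tables. Since the persisted file is what gets restored on boot or on an iptables restart, the duplicated entries would presumably be inserted into the live ruleset as well, so this is worth a test against a saved ruleset that contains a commented non-inspector rule.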