Merge "Allow UDP traffic from host when SG=namespace"
commit
81d8d7ed59
|
@ -280,6 +280,7 @@ function configure_neutron_defaults {
|
||||||
local router_id
|
local router_id
|
||||||
local ext_svc_net_id
|
local ext_svc_net_id
|
||||||
local ext_svc_subnet_id
|
local ext_svc_subnet_id
|
||||||
|
local prot
|
||||||
|
|
||||||
# If a subnetpool is not passed, we get the one created in devstack's
|
# If a subnetpool is not passed, we get the one created in devstack's
|
||||||
# Neutron module
|
# Neutron module
|
||||||
|
@ -409,21 +410,24 @@ function configure_neutron_defaults {
|
||||||
--os-region "$REGION_NAME" \
|
--os-region "$REGION_NAME" \
|
||||||
security group create --project "$project_id" \
|
security group create --project "$project_id" \
|
||||||
allow_from_default -f value -c id)
|
allow_from_default -f value -c id)
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
|
||||||
security group rule create --project "$project_id" \
|
for prot in icmp tcp udp ;
|
||||||
--description "allow traffic from default namespace" \
|
do
|
||||||
--remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol tcp \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
"$allow_default_sg_id"
|
security group rule create --project "$project_id" \
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
--description "allow traffic from default namespace" \
|
||||||
security group rule create --project "$project_id" \
|
--remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol "$prot" \
|
||||||
--description "allow icmp traffic from default namespace" \
|
"$allow_default_sg_id"
|
||||||
--remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol icmp \
|
|
||||||
"$allow_default_sg_id"
|
if [ "$prot" != "icmp" ] ; then
|
||||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||||
security group rule create --project "$project_id" \
|
security group rule create --project "$project_id" \
|
||||||
--description "allow traffic from namespaces at default namespace" \
|
--description "allow traffic from namespaces at default namespace" \
|
||||||
--remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol tcp \
|
--remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol "$prot" \
|
||||||
"$allow_namespace_sg_id"
|
"$allow_namespace_sg_id"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
# NOTE(ltomasbo): Some tempest test are using FIP and depends on icmp
|
# NOTE(ltomasbo): Some tempest test are using FIP and depends on icmp
|
||||||
# traffic being allowed to the pods. To enable these tests we permit
|
# traffic being allowed to the pods. To enable these tests we permit
|
||||||
# icmp traffic from everywhere on the default namespace. Note tcp
|
# icmp traffic from everywhere on the default namespace. Note tcp
|
||||||
|
|
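Review bot: The rules created inside `for prot in icmp tcp udp` carry no port range, so after this change every UDP port (as already every TCP port) is open between `$allow_namespace_sg_id` and `$allow_default_sg_id` in both directions; if the UDP need is narrower than that (the commit title does not say), a `--dst-port` range on the udp rules would keep the grant minimal. The shared description `"allow traffic from default namespace"` also no longer names the protocol, which the old icmp rule's description did; `--description "allow $prot traffic from default namespace" \` would keep the rules distinguishable when the security groups are audited. A one-line comment above `if [ "$prot" != "icmp" ]` explaining why icmp is deliberately left out of the reverse-direction rule would help the next reader. configure_neutron_defaults starts and ends outside the visible hunks.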