From 89a129a5555d7a35ec1b2d218e0b148c0281b2ee Mon Sep 17 00:00:00 2001
From: Goutham Pacha Ravi
Date: Wed, 27 May 2020 10:25:21 -0700
Subject: [PATCH] [devstack] Allow cephfs daemon port access
If the cephfs protocol is enabled, clients need to access the ceph daemons. We also don't need to enable access to NFS ports when not using NFS.
Change-Id: I077d12785f94c940716f0e479d43dbb29ddc3c3c
Signed-off-by: Goutham Pacha Ravi
(cherry picked from commit 341b5777b2350cf07d06327e998394f3795cb283)
(cherry picked from commit 5d1c30676e8deb906eddc59852a9b1b60d3ee7d6)
(cherry picked from commit 51b918a86a6481b181f562d8f5b31ab99bf62572)
(cherry picked from commit b983eda9037a8ad3389d44d91bf817468841b23f)
(cherry picked from commit 58f1f2107345940ab3e174072c11a21885feab35)
---
 devstack/plugin.sh | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index b49bebd8a5..b01a9dc1db 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -963,20 +963,29 @@ function install_libraries {
 function allow_host_ports_for_share_mounting {
- TCP_PORTS=(2049 111 32803 892 875 662)
- UDP_PORTS=(111 32769 892 875 662)
- for ipcmd in iptables ip6tables; do
- # (aovchinnikov): extra rules are needed to allow instances talk to
- # host.
- sudo $ipcmd -N manila-nfs
- sudo $ipcmd -I INPUT 1 -j manila-nfs
- for port in ${TCP_PORTS[*]}; do
- sudo $ipcmd -A manila-nfs -m tcp -p tcp --dport $port -j ACCEPT
+ if [[ $MANILA_ENABLED_SHARE_PROTOCOLS =~ NFS ]]; then
+ # 111 and 2049 are for rpcbind and NFS
+ # Other ports are for NFSv3 statd, mountd and lockd daemons
+ MANILA_TCP_PORTS=(2049 111 32803 892 875 662)
+ MANILA_UDP_PORTS=(111 32769 892 875 662)
+ fi
+ if [[ $MANILA_ENABLED_SHARE_PROTOCOLS =~ CEPHFS ]]; then
+ # clients need access to the ceph daemons
+ MANILA_TCP_PORTS=(${MANILA_TCP_PORTS[*]} 6789 6800:7300)
+ fi
+
+ if [[ -v MANILA_TCP_PORTS || -v MANILA_UDP_PORTS ]]; then
+ for ipcmd in iptables ip6tables; do
+ sudo $ipcmd -N manila-storage
+ sudo $ipcmd -I INPUT 1 -j manila-storage
+ for port in ${MANILA_TCP_PORTS[*]}; do
+ sudo $ipcmd -A manila-storage -m tcp -p tcp --dport $port -j ACCEPT
+ done
+ for port in ${MANILA_UDP_PORTS[*]}; do
+ sudo $ipcmd -A manila-storage -m udp -p udp --dport $port -j ACCEPT
+ done
 done
- for port in ${UDP_PORTS[*]}; do
- sudo $ipcmd -A manila-nfs -m udp -p udp --dport $port -j ACCEPT
- done
- done
+ fi
 }
 function setup_ipv6 {
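Review bot: `MANILA_TCP_PORTS` and `MANILA_UDP_PORTS` are never initialised inside `allow_host_ports_for_share_mounting`, so values already in those globals (an exported variable, a local.conf setting, or an earlier call) become ACCEPT rules, and the CEPHFS branch appends to whatever is there. Unless something outside this hunk reads them, start the function with `local -a MANILA_TCP_PORTS=() MANILA_UDP_PORTS=()` and gate the loop on `(( ${#MANILA_TCP_PORTS[@]} + ${#MANILA_UDP_PORTS[@]} > 0 ))`, which also drops the reliance on `[[ -v ]]` (bash 4.2+). The `manila-storage` rules carry no source match and the chain is inserted at INPUT position 1 for both iptables and ip6tables, so port 6789 and the whole 6800:7300 range are accepted from every network the host is attached to. A source match limited to the instance networks, or at least a comment such as `# test hosts only: accepts from any source`, would make that exposure explicit. `-N manila-storage` followed by `-I INPUT 1` is also not idempotent, so a second run would hit the existing chain and, if it continued, add a duplicate jump.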