openstack/neutron
Code Issues Proposed changes

Support rootwrap sysctl and conntrack commands for non-l3 nodes

Browse Source 
Iptables-firewall use commands sysctl and conntrack.
These are missed out in the plugins resulting in (No filter matched) errors in
non-l3 nodes. L3 nodes do not have this problem as l3.filters rootwraps these
commands.

Closes-bug: #1528641

Change-Id: I1167544a41f2ea91781ae2bb7aa208e25fec1524
This commit is contained in:
rossella 2015-12-22 19:14:15 +00:00 committed by Carl Baldwin
parent 38fa3ce848
commit 0d5d014955
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
etc/neutron/rootwrap.d/iptables-firewall.filters
View File

@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_manager.py
# "sysctl", "-w", ...
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root