Merge "Add debug option to verify iptables rules"
This commit is contained in:
commit
730da40778
@ -64,6 +64,12 @@ IPTABLES_OPTS = [
|
||||
"generated iptables rules that describe each rule's "
|
||||
"purpose. System must support the iptables comments "
|
||||
"module for addition of comments.")),
|
||||
cfg.BoolOpt('debug_iptables_rules', default=False,
|
||||
help=_("Duplicate every iptables difference calculation to "
|
||||
"ensure the format being generated matches the format "
|
||||
"of iptables-save. This option should not be turned "
|
||||
"on for production systems because it imposes a "
|
||||
"performance penalty.")),
|
||||
]
|
||||
|
||||
PROCESS_MONITOR_OPTS = [
|
||||
|
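Review bot: The help text for `debug_iptables_rules` describes the cost of the option but not its outcome: when the second difference calculation is not empty the agent logs the diff at ERROR and raises IpTablesApplyException, which is what an operator enabling it needs to know. I would extend the help string with a sentence such as `"If the rules do not converge, the diff is logged and IpTablesApplyException is raised."`. The IPTABLES_OPTS list begins above the hunk.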
@ -412,6 +412,9 @@ class IptablesManager(object):
|
||||
finally:
|
||||
try:
|
||||
self.defer_apply_off()
|
||||
except n_exc.IpTablesApplyException:
|
||||
# already in the format we want, just reraise
|
||||
raise
|
||||
except Exception:
|
||||
msg = _('Failure applying iptables rules')
|
||||
LOG.exception(msg)
|
||||
@ -436,7 +439,16 @@ class IptablesManager(object):
|
||||
lock_name += '-' + self.namespace
|
||||
|
||||
with lockutils.lock(lock_name, utils.SYNCHRONIZED_PREFIX, True):
|
||||
return self._apply_synchronized()
|
||||
first = self._apply_synchronized()
|
||||
if not cfg.CONF.AGENT.debug_iptables_rules:
|
||||
return first
|
||||
second = self._apply_synchronized()
|
||||
if second:
|
||||
msg = (_("IPTables Rules did not converge. Diff: %s") %
|
||||
'\n'.join(second))
|
||||
LOG.error(msg)
|
||||
raise n_exc.IpTablesApplyException(msg)
|
||||
return first
|
||||
|
||||
def get_rules_for_table(self, table):
|
||||
"""Runs iptables-save on a table and returns the results."""
|
||||
|
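Review bot: The convergence check at `if second:` relies on `_apply_synchronized()` returning an empty (falsy) value when the generated rules already match what iptables-save reports, and nothing in the hunk states that contract, so a reader has to look elsewhere to see why a second pass is expected to be empty. I would add a comment above the second call, `# Rules were just applied, so a second pass must yield an empty diff; a non-empty one means the generated format differs from iptables-save output.`. Both passes run under the lock taken on the line above, which is what makes the comparison meaningful and is worth stating in the same comment. When `first` is already empty the second pass is redundant, though skipping it would narrow the check the option's help text promises, so I would leave it. The enclosing method starts above the hunk.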
@ -54,6 +54,7 @@ case $VENV in
|
||||
start_new_ovs
|
||||
fi
|
||||
|
||||
load_conf_hook iptables_verify
|
||||
# Make the workspace owned by the stack user
|
||||
sudo chown -R $STACK_USER:$STACK_USER $BASE
|
||||
;;
|
||||
@ -66,6 +67,9 @@ case $VENV in
|
||||
load_rc_hook qos
|
||||
load_rc_hook trunk
|
||||
load_conf_hook osprofiler
|
||||
if [[ "$VENV" =~ "dsvm-scenario" ]]; then
|
||||
load_conf_hook iptables_verify
|
||||
fi
|
||||
if [[ "$VENV" =~ "pecan" ]]; then
|
||||
load_conf_hook pecan
|
||||
fi
|
||||
|
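--- /dev/null
+++ b/neutron/tests/contrib/hooks/iptables_verify
@@ -0,0 +1,4 @@
+[[post-config|/etc/neutron/neutron.conf]]
+
+[AGENT]
+debug_iptables_rules=True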