From 46245c015403c5770d2bd9b6d08f52f89fd6aa40 Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Thu, 7 Mar 2024 14:00:21 -0500 Subject: [PATCH] Add note on iptables cleanup after OVS firewall migration Add an item to the instructions on iptables to OVS firewall migration that the admin should clean up any stale iptables rules after completion. It is out of scope of our documents on how exactly an administrator might do that. Closes-bug: #1864374 Change-Id: Ie1bf6b82e57a00f61640a131a29d897a9cde4629 --- doc/source/contributor/internals/openvswitch_firewall.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/source/contributor/internals/openvswitch_firewall.rst b/doc/source/contributor/internals/openvswitch_firewall.rst index 8db8ee0837e..e98c10bc096 100644 --- a/doc/source/contributor/internals/openvswitch_firewall.rst +++ b/doc/source/contributor/internals/openvswitch_firewall.rst @@ -587,6 +587,14 @@ use the OVS firewall, and instances from other nodes can be live-migrated to it. Once the first node is evacuated, its firewall driver can be then be switched to the OVS driver. +4) Once migration is complete, stale iptables rules should be cleaned-up on +all nodes where the firewall driver was changed. They can be found by +searching for the string 'neutron', for example: + +.. code-block:: bash + + sudo iptables -S | grep neutron + .. note:: During upgrading to openvswitch firewall, the security rules
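Review bot: the suggested check in the new step 4 is incomplete in two ways. First, `iptables -S` with no `-t` lists only the filter table, so the reader should be told to repeat the search for any other table the old driver populated (e.g. `sudo iptables -t raw -S | grep neutron`), and the IPv6 side needs the same treatment with `ip6tables`, otherwise rules are left behind despite the step having been "completed". Second, the text says the rules "can be found" by grepping for 'neutron' but says nothing about verifying a match before deleting it; since the admin is about to remove rules from a production host, add a sentence that each matched chain should be confirmed to belong to the retired iptables firewall driver before removal, with deletion itself left to the administrator as the commit message intends. Minor style point in the same added lines: "cleaned-up" should be "cleaned up" (no hyphen when used as a verb), matching the "cleanup" noun form used in the subject line.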