iptables: stop 'fixing' kernel sysctl bridge firewalling knobs

Those are different on different kernel versions, and have reasonable default values on all newer kernel versions, including RHEL. We nevertheless made devstack to set those in the past; now I propose to clean the code from neutron tree and leave it up to deployment tools to fix in an unlikely case the system has broken default values. Now that iptables firewall code does not trigger sysctl, we can also remove this filter from the corresponding rootwrap .filters file. DocImpact make sure deployment docs mention the expected sysctl knob values. Change-Id: Iabf61021c90b0536be274463d48fb5a572ecc023 Related-Bug: #1622914
2017-02-11 12:50:04 +00:00 · 2017-02-11 12:50:04 +00:00 · c1dfb53bf1
parent 715e9c81fc
commit c1dfb53bf1
2 changed files with 1 additions and 49 deletions
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@ -20,8 +20,5 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root

-# neutron/agent/linux/iptables_firewall.py
-sysctl: CommandFilter, sysctl, root
-
 # neutron/agent/linux/ip_conntrack.py
 conntrack: CommandFilter, conntrack, root
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -19,17 +19,15 @@ import netaddr
 from neutron_lib import constants
 from oslo_config import cfg
 from oslo_log import log as logging
-from oslo_log import versionutils
 from oslo_utils import netutils
 import six

-from neutron._i18n import _, _LI, _LW
+from neutron._i18n import _LI
 from neutron.agent import firewall
 from neutron.agent.linux import ip_conntrack
 from neutron.agent.linux import ipset_manager
 from neutron.agent.linux import iptables_comments as ic
 from neutron.agent.linux import iptables_manager
-from neutron.agent.linux import utils
 from neutron.common import constants as n_const
 from neutron.common import ipv6_utils
 from neutron.common import utils as c_utils
@ -85,52 +83,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
            lambda: collections.defaultdict(list))
        self.pre_sg_members = None
        self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
-        self._enabled_netfilter_for_bridges = False
        self.updated_rule_sg_ids = set()
        self.updated_sg_members = set()
        self.devices_with_updated_sg_members = collections.defaultdict(list)

-    def _enable_netfilter_for_bridges(self):
-        # we only need to set these values once, but it has to be when
-        # we create a bridge; before that the bridge module might not
-        # be loaded and the proc values aren't there.
-        if self._enabled_netfilter_for_bridges:
-            return
-        else:
-            self._enabled_netfilter_for_bridges = True
-
-        # These proc values ensure that netfilter is enabled on
-        # bridges; essential for enforcing security groups rules with
-        # OVS Hybrid.  Distributions can differ on whether this is
-        # enabled by default or not (Ubuntu - yes, Redhat - no, for
-        # example).
-        LOG.debug("Enabling netfilter for bridges")
-        try:
-            entries = utils.execute(
-                ['sysctl', '-N', 'net.bridge'], run_as_root=True,
-                log_fail_as_error=False).splitlines()
-        except utils.ProcessExecutionError:
-            LOG.info(_LI("Process is probably running in namespace or "
-                         "kernel module br_netfilter is not loaded. "
-                         "Please ensure that netfilter options for bridge "
-                         "are enabled to provide working security groups."))
-            return
-
-        for proto in ('ip', 'ip6'):
-            knob = 'net.bridge.bridge-nf-call-%stables' % proto
-            if knob not in entries:
-                raise SystemExit(
-                    _("sysctl value %s not present on this system.") % knob)
-            enabled = utils.execute(['sysctl', '-b', knob])
-            if enabled != '1':
-                versionutils.report_deprecated_feature(
-                    LOG,
-                    _LW('Bridge firewalling is disabled; enabling to make '
-                        'iptables firewall work. This may not work in future '
-                        'releases.'))
-                utils.execute(
-                    ['sysctl', '-w', '%s=1' % knob], run_as_root=True)
-
    @property
    def ports(self):
        return dict(self.filtered_ports, **self.unfiltered_ports)
@ -196,7 +152,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
    def prepare_port_filter(self, port):
        LOG.debug("Preparing device (%s) filter", port['device'])
        self._set_ports(port)
-        self._enable_netfilter_for_bridges()
        # each security group has it own chains
        self._setup_chains()
        return self.iptables.apply()