From bb5013920ac658c99d9ae2ab7f81847b274aa177 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Mon, 5 Mar 2018 11:06:52 -0700
Subject: [PATCH] Reload iptables instead of restart
Due to bz#1520534, restarting iptables may cause unrelated kernel modules to be unloaded. In order to not trigger this condition we should reload iptables from the configuration rather than restart the whole process.
Change-Id: Ifc625eb51f6cc2a0a4cf4f83ac7a4978db641d75
Closes-Bug: #1752441
Closes-Bug: #1753492
---
manifests/firewall.pp | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index beaf7c1ad..3b55fecf8 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -136,25 +136,28 @@ class tripleo::firewall(
 # want them to be consistent so we have to ensure that they're not stored
 # into sysconfig.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
- # Also, we need to restart IPtables after the cleanup to make sure rules aren't persistent
+ # Also, we need to reload IPtables after the cleanup to make sure rules aren't persistent
 # anymore.
+ # NOTE(aschultz): this needs to be a reload and not a restart due to
+ # BZ#1520534 where iptables my unload modules (like openvswitch) when it
+ # restarts.
 exec { 'nonpersistent_v4_rules_cleanup':
 command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
 onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
- notify => Exec['restart_iptables'],
+ notify => Exec['reload_iptables'],
 }
- exec { 'restart_iptables':
- command => 'sudo service iptables restart',
+ exec { 'reload_iptables':
+ command => 'systemctl reload iptables',
 path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
 refreshonly => true,
 }
 exec { 'nonpersistent_v6_rules_cleanup':
 command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
 onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
- notify => Exec['restart_ip6tables'],
+ notify => Exec['reload_ip6tables'],
 }
- exec { 'restart_ip6tables':
- command => 'sudo service ip6tables restart',
+ exec { 'reload_ip6tables':
+ command => 'systemctl reload ip6tables',
 path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
 refreshonly => true,
 }
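Review bot: The new `reload_iptables` and `reload_ip6tables` execs are triggered on every agent run rather than only when neutron rules were actually removed, because the `onlyif` of both cleanup execs uses `/bin/grep -v neutron-`, which succeeds whenever the sysconfig file has any non-neutron line (it always does), so the sed runs and notifies the reload each time; if the intent is "only when neutron rules are present", the guard should be `/bin/grep neutron- /etc/sysconfig/iptables` (same for ip6tables), which limits how often the live ruleset is flushed and re-applied. Separately, `systemctl reload iptables` is not equivalent to the old `service iptables restart` when the unit is not running: systemd refuses to reload an inactive unit, so the refreshonly exec would fail the run; guarding the reload with `onlyif => 'systemctl is-active iptables'` (and the ip6tables counterpart) would keep the same behaviour on hosts where the service is stopped. The new NOTE comment has a typo, `iptables my unload modules` should read `iptables may unload modules`. The enclosing `class tripleo::firewall` begins and ends outside this hunk.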