656c1aba3d
This patch introduces a new role (tripleo_nftables) as well as a new tripleo_firewall_engine parameter, allowing to switch from iptables to nftables. All of tripleo rules are pushed in the "inet" family, in a dedicated chains therein. It allows to avoid rule duplication between IPv6 and IPv4, while ensuring we don't break the compatibility layer for iptables-nft - that tool is checking only the "ip" family, while ip6tables-nft is checking the "ip6" one. This means some changes are needed in the doc, when it comes to listing the existing rules. Also, please note some tools such as neutron are still heavily using the iptables family, as well as some part of podman apparently. Change-Id: Ia43b58f304d8ef41b80820c3c98696650eb362e1 |
||
|---|---|---|
| .. | ||
| defaults | ||
| files | ||
| meta | ||
| molecule/default | ||
| tasks | ||
| templates | ||