Replace iptables by nftables

We can directly use nftables from now on. But the examples need to get
the depends-on merged, especially due to the custom chains.

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/841414
Change-Id: I5d61e6e36a8c0de9edee149a2ba9a42a3f0d2b10
This commit is contained in:
Cédric Jeanneret 2022-05-24 16:44:18 +02:00 committed by Cedric Jeanneret
parent 8208c61d62
commit c7422008c5
2 changed files with 10 additions and 7 deletions


@ -151,7 +151,7 @@ deployment when needed. For example, for Zabbix monitoring system.
action: accept
Rules can also be used to restrict access. The number used at definition of a
rule will determine where the iptables rule will be inserted. For example,
rule will determine where the nftables rule will be inserted. For example,
rabbitmq rule number is 109 by default. If you want to restrain it, you could
do.
@ -177,13 +177,13 @@ do.
In this example, 098 and 099 are arbitrarily numbers that are smaller than the
default rabbitmq rule number. To know the number of a rule, inspect the active
iptables rules on an appropriate node (controller, in case of rabbitmq)
nftables rules on an appropriate node (controller, in case of rabbitmq)
.. code-block:: shell
iptables-save
nft list chain inet filter TRIPLEO_INPUT
[...]
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
tcp dport { 4369, 5672, 25672-25683 } ct state new counter packets 0 bytes 0 accept comment "109 rabbitmq"
Alternatively it's possible to get the information in tripleo service in the
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
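Review bot: the sample `nft list chain` output does not match the iptables line it replaces: the old rule listed ports `4369,5672,25672`, while the new line shows `{ 4369, 5672, 25672-25683 }`. If the range is what the new nftables rule actually installs, fine, but the document should then not present the two as equivalent; if it is not, the example output should be corrected so that a reader inspecting a controller sees what the page shows. It would also help to state that the `TRIPLEO_INPUT` chain only exists once the Depends-On change is merged, since the command fails with an unknown chain error otherwise.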


@ -38,7 +38,7 @@ the following procedure:
On all the controller nodes, drop connections to the database port via the VIP by running::
MYSQLIP=$(grep -A1 'listen mysql' /var/lib/config-data/haproxy/etc/haproxy/haproxy.cfg | grep bind | awk '{print $2}' | awk -F":" '{print $1}')
sudo /sbin/iptables -I INPUT -d $MYSQLIP -p tcp --dport 3306 -j DROP
sudo nft add rule inet filter TRIPLEO_INPUT tcp dport 3306 ip daddr $MYSQLIP drop
This will isolate all the MySQL traffic to the nodes.
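Review bot: `nft add rule` appends to the end of the chain, whereas the replaced `iptables -I INPUT` inserted at the top. If `TRIPLEO_INPUT` already carries an accept rule for the MySQL port (the preceding hunk shows such per-service accept rules with `ct state new`), the appended `drop` is never reached and the database is not isolated. Use `sudo nft insert rule inet filter TRIPLEO_INPUT tcp dport 3306 ip daddr $MYSQLIP drop` to keep the original first-match semantics. Adding a `comment "..."` to the rule here would also make it easy to find again in the removal step.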
@ -118,9 +118,12 @@ Test clustercheck on each controller node via xinetd.d::
# curl overcloud-controller-1:9200
# curl overcloud-controller-2:9200
Remove the iptables rule from each node for the services to restore access to the database::
Remove the firewall rule from each node for the services to restore access to the database::
sudo /sbin/iptables -D INPUT -d $MYSQLIP -p tcp --dport 3306 -j DROP
sudo nft -a list chain inet filter TRIPLEO_INPUT | grep mysql
[...]
tcp dport 3306 ip daddr $MYSQLIP drop # handle 499
sudo nft delete rule inet filter TRIPLEO_INPUT handle 499
Filesystem restore
------------------
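Review bot: the lookup `nft -a list chain inet filter TRIPLEO_INPUT | grep mysql` will not find the rule added earlier in this change, because that rule contains no `mysql` string (nft lists the literal IP address, not `$MYSQLIP`, and the rule has no comment). Worse, if the chain contains the default service accept rule with a `mysql` comment, the grep returns that rule's handle and `nft delete rule ... handle <n>` removes the wrong rule, opening or breaking access instead of restoring it. Either grep for `'dport 3306'` and the `drop` verb, or give the temporary rule a distinctive comment in the add step and grep for that. The handle `499` should also be called out as an example value that differs per node.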