Replace iptables by nftables

We can directly use nftables from now on. But the examples need to get the depends-on merged, especially due to the custom chains. Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/841414 Change-Id: I5d61e6e36a8c0de9edee149a2ba9a42a3f0d2b10
2022-05-24 16:44:18 +02:00 · 2022-05-24 16:44:18 +02:00 · c7422008c5
commit c7422008c5
parent 8208c61d62
2 changed files with 10 additions and 7 deletions
--- a/deploy-guide/source/features/security_hardening.rst
+++ b/deploy-guide/source/features/security_hardening.rst
@ -151,7 +151,7 @@ deployment when needed. For example, for Zabbix monitoring system.
          action: accept

 Rules can also be used to restrict access. The number used at definition of a
-rule will determine where the iptables rule will be inserted. For example,
+rule will determine where the nftables rule will be inserted. For example,
 rabbitmq rule number is 109 by default. If you want to restrain it, you could
 do.

@ -177,13 +177,13 @@ do.

 In this example, 098 and 099 are arbitrarily numbers that are smaller than the
 default rabbitmq rule number. To know the number of a rule, inspect the active
-iptables rules on an appropriate node (controller, in case of rabbitmq)
+nftables rules on an appropriate node (controller, in case of rabbitmq)

 .. code-block:: shell

-    iptables-save
+    nft list chain inet filter TRIPLEO_INPUT
    [...]
-    -A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
+    tcp dport { 4369, 5672, 25672-25683 } ct state new counter packets 0 bytes 0 accept comment "109 rabbitmq"

 Alternatively it's possible to get the information in tripleo service in the
 definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
--- a/deploy-guide/source/post_deployment/backup_and_restore/04_overcloud_restore.rst
+++ b/deploy-guide/source/post_deployment/backup_and_restore/04_overcloud_restore.rst
@ -38,7 +38,7 @@ the following procedure:
 On all the controller nodes, drop connections to the database port via the VIP by running::

  MYSQLIP=$(grep -A1 'listen mysql' /var/lib/config-data/haproxy/etc/haproxy/haproxy.cfg | grep bind | awk '{print $2}' | awk -F":" '{print $1}')
-  sudo /sbin/iptables -I INPUT -d $MYSQLIP -p tcp --dport 3306 -j DROP
+  sudo nft add rule inet filter TRIPLEO_INPUT tcp dport 3306 ip daddr $MYSQLIP drop

 This will isolate all the MySQL traffic to the nodes.

@ -118,9 +118,12 @@ Test clustercheck on each controller node via xinetd.d::
  # curl overcloud-controller-1:9200
  # curl overcloud-controller-2:9200

-Remove the iptables rule from each node for the services to restore access to the database::
+Remove the firewall rule from each node for the services to restore access to the database::

-  sudo /sbin/iptables -D INPUT -d $MYSQLIP -p tcp --dport 3306 -j DROP
+  sudo nft -a list chain inet filter TRIPLEO_INPUT | grep mysql
+  [...]
+  tcp dport 3306 ip daddr $MYSQLIP drop # handle 499
+  sudo nft delete rule inet filter TRIPLEO_INPUT handle 499

 Filesystem restore
 ------------------