Add some notes and example for vxlan support

With the nftables switch, we may need to add some custom rules in order to make it work properly. Those rules aren't really needed for iptables engine, but they won't hurt nor break things. Change-Id: Id660262fe2879d773a0af1c508856b5083db6c37
2022-08-02 13:50:36 +02:00 · 2022-08-02 13:50:36 +02:00 · d0f073ca95
parent c866d680f3
commit d0f073ca95
1 changed files with 27 additions and 0 deletions
--- a/deploy-guide/source/features/security_hardening.rst
+++ b/deploy-guide/source/features/security_hardening.rst
@ -201,6 +201,33 @@ definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
 Additional information regarding the the available interface options, the role,
 some of the implementation details can be reviewed `here <https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo_firewall.html>`_.

+VXLAN and nftables
+~~~~~~~~~~~~~~~~~~
+
+In order to properly get VXLAN support, you have to add a couple of rules to
+the Undercloud firewall. This is especially true for a lab environment, or on
+the upstream CI infrastructure. Here's an example of the custom rules for
+the CI, feel free to adapt them. Note that the network is the one used on the
+eth0 interface, aka "public" one of the Undercloud.
+
+.. code-block:: yaml
+
+  parameter_defaults:
+    ExtraFirewallRules:
+      '020 Allow VXLan from CI infra network':
+        proto: "udp"
+        dport: 4789
+        source: "PUBLIC_NETWORK_CIDR"
+        state: []
+      '021 Allow OTV for vxlan from CI infra network':
+        proto: "udp"
+        dport: 8472
+        source: "PUBLIC_NETWORK_CIDR"
+        state: []
+
+.. note:: The ``state: []`` is mandatory in order to not only catch the NEW
+          connection (default with the nftables and iptables modules).
+
 AIDE - Intrusion Detection
 --------------------------