From 108b8469f6e237b462ec03022e76d4fbd88afab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 22 May 2019 11:16:53 +0200
Subject: [PATCH] Initialize ip(6)tables "raw" table With RHEL8, we apparently hit an issue where the "raw" table doesn't exist. While this is worked around during the deploy, we need to ensure this table does exist upon reboot. This patch creates 2 systemd unit in order to ensure this table is present in both iptables and ip6tables. They are to be launched before the ip(6)tables.service in order to allow the standard rules to be loaded at boot time. Those units will probably be removed once we have an updated iptables package. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1673609 Change-Id: I5334ac3e8080700d77e7a1de3330fdad76bc633f (cherry picked from commit e97d4dcfd245a1e50bd6aaad4d45679898936aa2)
---
.../tripleo-firewall-baremetal-puppet.yaml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+)
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
index 63bb1852dc..9733e08d24 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@@ -55,6 +55,53 @@ outputs:
 step_config: |
 include ::tripleo::firewall
+ deploy_steps_tasks:
+ - when: step|int == 0
+ block:
+ - name: create iptables service
+ copy:
+ dest: /etc/systemd/system/tripleo-iptables.service
+ content: |
+ [Unit]
+ Description=Initialize iptables
+ Before=iptables.service
+ AssertPathExists=/etc/sysconfig/iptables
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/sbin/iptables -t raw -nL
+ Environment=BOOTUP=serial
+ Environment=CONSOLETYPE=serial
+ StandardOutput=syslog
+ StandardError=syslog
+ [Install]
+ WantedBy=basic.target
+ - name: enable tripleo-iptables service
+ service:
+ enabled: yes
+ name: tripleo-iptables.service
+ - name: create ip6tables service
+ copy:
+ dest: /etc/systemd/system/tripleo-ip6tables.service
+ content: |
+ [Unit]
+ Description=Initialize ip6tables
+ Before=ip6tables.service
+ AssertPathExists=/etc/sysconfig/ip6tables
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/sbin/ip6tables -t raw -nL
+ Environment=BOOTUP=serial
+ Environment=CONSOLETYPE=serial
+ StandardOutput=syslog
+ StandardError=syslog
+ [Install]
+ WantedBy=basic.target
+ - name: enable tripleo-ip6tables service
+ service:
+ enabled: yes
+ name: tripleo-ip6tables.service
 upgrade_tasks:
 - when: step|int == 3
 block:
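Review bot: Both `copy` tasks write unit files into /etc/systemd/system without setting ownership or permissions, so the resulting mode falls back to the umask on the target host; because systemd runs these units as root on every boot, pin them with `owner: root`, `group: root`, `mode: '0644'` on the `create iptables service` and `create ip6tables service` tasks. The units are tied to ip(6)tables.service only by `Before=`, which is an ordering constraint, so a failing `ExecStart` would not stop the firewall service from attempting its rule load; how a failed load is surfaced is not visible in this hunk and is worth confirming, since the host could otherwise come up without its ruleset. A comment above the block, for example `# Workaround for rhbz#1673609: create the "raw" table before ip(6)tables.service; remove once iptables is fixed`, would keep the removal condition from the commit message next to the code. Writing `enabled: true` instead of `enabled: yes` avoids the YAML 1.1 truthy ambiguity. The enclosing `outputs:` mapping starts before this hunk and continues after it.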