Set bridge-nf-call-* values to 1
Although the kernel default is 1, some distros override the defaults via sysctl.conf. Loading br_netfilter manually will show values of 1, but then doing a 'sysctl network restart' will set the values to 0--so go ahead and override these values.

Co-Author: Luke Short <ekultails@gmail.com>
Depends-On: Ia28f2fdef34e739801c51828c99e9e6598dd2efb
Change-Id: I53dec308d359b27e62ed44e91a8eaae38d945a4f
Closes-Bug: #1843259
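The failure mode the commit message describes (values read as 1 right after loading br_netfilter, then reset to 0 when the distro's sysctl.conf is re-applied) is easy to miss because the keys silently disappear from /proc/sys when the module is not loaded. The following POSIX shell check is an added example, not part of this tripleo change: it distinguishes "key missing (br_netfilter not loaded)" from "key present but drifted to 0", reads live values from /proc/sys when invoked with `--live`, and otherwise runs against a constructed sample listing so it works offline. The function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the tripleo-heat-templates change): verify that the
# three bridge-nf-call sysctls are present and set to 1.

# $1: a listing in `sysctl -a` format ("key = value" per line).
# Prints one line per key and returns 1 on any MISSING or DRIFT finding.
check_bridge_nf_values() {
  listing=$1
  rc=0
  for key in net.bridge.bridge-nf-call-arptables \
             net.bridge.bridge-nf-call-iptables \
             net.bridge.bridge-nf-call-ip6tables; do
    val=$(printf '%s\n' "$listing" | awk -v k="$key" '$1 == k { print $3 }')
    if [ -z "$val" ]; then
      # The key is absent from /proc/sys until br_netfilter is loaded.
      echo "MISSING $key (br_netfilter not loaded?)"
      rc=1
    elif [ "$val" != "1" ]; then
      # Present but reset, typically by a distro sysctl.conf re-apply.
      echo "DRIFT   $key = $val (expected 1)"
      rc=1
    else
      echo "OK      $key = 1"
    fi
  done
  return $rc
}

# Emit the live values in `sysctl -a` format; empty output when the
# br_netfilter keys do not exist on this host.
live_listing() {
  for f in /proc/sys/net/bridge/bridge-nf-call-*; do
    [ -r "$f" ] || continue
    printf 'net.bridge.%s = %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Constructed sample: what a host looks like after sysctl.conf reset two of
# the three keys to 0 (the situation the commit message describes).
SAMPLE_RESET='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 1'

# Constructed sample: the state this change enforces.
SAMPLE_OK='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1'

# Usage: sh check_bridge_nf.sh --live   (checks the running host)
case "${1:-}" in
  --live) check_bridge_nf_values "$(live_listing)" ;;
esac
```

Run it with `--live` on a compute node before and after a network service restart; a DRIFT line on any of the three keys reproduces the bug this change fixes, and a MISSING line means the keys cannot be set at all because br_netfilter has not been loaded yet.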
This commit is contained in:
parent 9a09779db4
commit 3d722dbc81
@ -72,6 +72,18 @@ parameters:
default: 1024
description: Configures sysctl fs.inotify.max_user_instances key
type: number
BridgeNfCallArpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
type: number
BridgeNfCallIpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
type: number
BridgeNfCallIp6Tables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
type: number
ExtraKernelModules:
default: {}
description: Hash of extra Kernel modules to load.
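Review bot: the three new BridgeNfCall* parameters are declared as `type: number` with no constraint, but the underlying sysctls are boolean toggles; an operator passing 2 or -1 would be accepted by the template and only fail (or be misread) at sysctl time. Suggest adding `constraints: - allowed_values: [0, 1]` to each of the three parameters so invalid input is rejected at stack validation, and noting in the description that 1 is required for security groups, as the release note says.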
@ -126,6 +138,7 @@ outputs:
- 'localhost'
kernel_modules:
map_merge:
- br_netfilter: {}
- nf_conntrack: {}
- {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
kernel_packages: {get_attr: [RoleParametersValue, value, extra_kernel_packages]}
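Review bot: the net.bridge.* keys only exist in /proc/sys once br_netfilter is loaded, so the order matters: if the sysctl settings added later in this commit are applied before this module list is loaded, setting them fails with "No such file or directory" and the values stay at whatever the distro leaves them. Please confirm the module load runs before the sysctl step, and document why nf_conntrack is being added here alongside br_netfilter, since the commit message and release note mention only br_netfilter.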
@ -203,6 +216,12 @@ outputs:
value: {get_param: NeighbourGcThreshold2}
net.ipv4.neigh.default.gc_thresh3:
value: {get_param: NeighbourGcThreshold3}
net.bridge.bridge-nf-call-arptables:
value: {get_param: BridgeNfCallArpTables}
net.bridge.bridge-nf-call-iptables:
value: {get_param: BridgeNfCallIpTables}
net.bridge.bridge-nf-call-ip6tables:
value: {get_param: BridgeNfCallIp6Tables}
# set inotify value for neutron/dnsmasq scale
fs.inotify.max_user_instances:
value: {get_param: InotifyIntancesMax}
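Review bot: the neighbouring inotify entry carries a comment explaining its purpose, but the three new net.bridge.bridge-nf-call-* entries have none; add a one-line comment such as "# must be 1 for security groups; keys exist only once br_netfilter is loaded" so the next person tuning this file does not set them back to 0 to "disable" bridge filtering. Also note the pre-existing `InotifyIntancesMax` misspelling in the context line; not introduced here, but worth a follow-up.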
@ -72,6 +72,18 @@ parameters:
default: 1024
description: Configures sysctl fs.inotify.max_user_instances key
type: number
BridgeNfCallArpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-arptables key
type: number
BridgeNfCallIpTables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-iptables key
type: number
BridgeNfCallIp6Tables:
default: 1
description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
type: number
ExtraKernelModules:
default: {}
description: Hash of extra Kernel modules to load.
@ -149,6 +161,12 @@ outputs:
value: {get_param: NeighbourGcThreshold2}
net.ipv4.neigh.default.gc_thresh3:
value: {get_param: NeighbourGcThreshold3}
net.bridge.bridge-nf-call-arptables:
value: {get_param: BridgeNfCallArpTables}
net.bridge.bridge-nf-call-iptables:
value: {get_param: BridgeNfCallIpTables}
net.bridge.bridge-nf-call-ip6tables:
value: {get_param: BridgeNfCallIp6Tables}
fs.inotify.max_user_instances:
value: {get_param: InotifyIntancesMax}
- {get_attr: [RoleParametersValue, value, extra_sysctl_settings]}
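Review bot: the trailing context line shows that `extra_sysctl_settings` from RoleParametersValue is merged after these defaults, so a role-level override can silently set any of the three bridge-nf-call keys back to 0 and break security group filtering without anything in the template objecting. That is probably intended flexibility, but it should be spelled out in the parameter descriptions or release note; unlike this file, the first file's diff also adds br_netfilter and nf_conntrack to kernel_modules, so please confirm this second file already loads br_netfilter or the new keys will not be settable here.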
releasenotes/notes/fix-bridge-nf-call-defaults.rst (normal file, 6 lines)
@ -0,0 +1,6 @@
---
fixes:
- |
Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
may not be applied due to br_netfilter not being loaded. These values must
be 1 for security groups to work.
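Review bot: the phrase "distro defaults that may not be applied due to br_netfilter not being loaded" inverts the cause described in the commit message, where the distro's sysctl.conf value of 0 is what gets applied once the module is loaded and the network service restarts. Suggest wording along the lines of "Sets the bridge-nf-call-* sysctls to 1 explicitly, so that a distro sysctl.conf setting them to 0 no longer takes effect after br_netfilter is loaded and the network service is restarted; these values must be 1 for security groups to work."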