From 8e3c4f572891717e1ce9b997e5ab35bb602a544b Mon Sep 17 00:00:00 2001
From: yatinkarel
Date: Fri, 10 Jul 2020 20:12:45 +0530
Subject: [PATCH] Revert "Prevent nftables to interfere with tripleo firewall"

This reverts commit d44df735e9675f4bb55dd56091217abc776bd4cd.

Revert "Do not fail if /usr/sbin/nft is not present"

This reverts commit aa019cdd5d84b6678395c18ff536b804a8b10005.

The nftables rules are not enabled now after [1] so reverting the original changes which are not needed.

[1] https://git.centos.org/rpms/nftables/c/3730f48

Related-Bug: #1870095
Related-Bug: #1869166
Change-Id: I3923ea24c640941961624326cf3abe1012020771
---
 .../tripleo-firewall-baremetal-ansible.yaml | 35 ++++---------------
 1 file changed, 7 insertions(+), 28 deletions(-)

diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
index c0f52b3227..834029186f 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@@ -62,39 +62,18 @@ outputs:
 dport: 22
 - {get_param: ExtraFirewallRules}
 host_prep_tasks:
- list_concat:
- - - name: Prevent Nftables to set up any rules
- copy:
- dest: /etc/sysconfig/nftables.conf
- content: |
- # This file has been explicitely emptied and disabled by TripleO
- # so that nftables and iptables do not race each other
- register: nftablesconf
- - when: nftablesconf is changed
- block:
- - name: Flush Nftables rules when nftables.conf changed
- shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
- - name: Restart iptables to restore firewall after flushing nftables
- systemd:
- state: reloaded
- name: "{{item}}"
- loop:
- - iptables.service
- - - ip6tables.service
- - if:
+ - if:
 - no_ctlplane
- -
- - name: Ensure ctlplane subnet is set
- fail:
+ - name: Failure - ctlplane subnet is unset
+ fail:
 msg: |
 No CIDRs found in the ctlplane network tags.
 Please refer to the documentation in order to set the correct network tags in DeployedServerPortMap.
- -
- - name: Notice - ctlplane subnet is set
- debug:
- msg: |
- CIDRs found in the ctlplane network tags.
+ - name: Notice - ctlplane subnet is set
+ debug:
+ msg: |
+ CIDRs found in the ctlplane network tags.
 deploy_steps_tasks:
 - when:
 - (step|int) == 0
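Review bot: The restored `host_prep_tasks` block at the top of the hunk leaves no trace in the template of why the nftables handling was dropped, so a reader has only git history to learn that the TripleO firewall now assumes nftables rules are not enabled on the host. A short comment above the new `- if:` would keep the rationale from the commit message next to the code, e.g. `# Firewall is iptables-based; the nftables package no longer enables its rules, so no nftables cleanup is done here.` Note also that nodes deployed while the reverted tasks were in place still carry the emptied `/etc/sysconfig/nftables.conf` written by the removed copy task, and this revert does not restore it; that is presumably acceptable, but stating it in the commit message would save the next person a check. The `host_prep_tasks` list is fully contained in the hunk, while the enclosing `role_data` value continues outside it.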