Allow all packet state for selected ironic services

With nftables, we drop all types of connection that don't have any "accept" rule. This is a change compared to the current iptables, where we drop only the NEW ones. We detected some of the ironic connections as SYN and/or ACK only, and they were dropped. We can see such drops in the hackmd set to track the nftables switch[1]. [1] https://hackmd.io/F0W2gYw_SiaiWkowjFU9cw Change-Id: I97e24d6eab8944193c7ce458ec2e45d9e37571cb
2022-08-03 09:36:20 +02:00 · 2022-08-03 09:36:20 +02:00 · 8044148451
commit 8044148451
parent 09e8ccac77
2 changed files with 3 additions and 0 deletions
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@ -164,10 +164,12 @@ outputs:
        '100 ironic_haproxy_frontend':
          dport:
            - 6385
+          state: []
      firewall_ssl_frontend_rules:
        '100 ironic_haproxy_frontend_ssl':
          dport:
            - 13385
+          state: []
      keystone_resources:
        ironic:
          endpoints:
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@ -401,6 +401,7 @@ outputs:
          proto: udp
        '135 ironic conductor HTTP':
          dport: {get_param: IronicIPXEPort}
+          state: []
      monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
      config_settings:
        map_merge: