Revert "Prevent nftables to interfere with tripleo firewall"

This reverts commit d44df735e9. Revert "Do not fail if /usr/sbin/nft is not present" This reverts commit aa019cdd5d. The nftables rules are not enabled now after [1] so reverting the original changes which are not needed. [1] https://git.centos.org/rpms/nftables/c/3730f48 Related-Bug: #1870095 Related-Bug: #1869166 Change-Id: I3923ea24c640941961624326cf3abe1012020771 (cherry picked from commit 8e3c4f5728)
2020-07-10 20:12:45 +05:30 · 2020-07-10 20:12:45 +05:30 · 9c861fcfc4
commit 9c861fcfc4
parent 3b6874daa9
1 changed files with 7 additions and 28 deletions
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
@ -62,39 +62,18 @@ outputs:
                    dport: 22
          - {get_param: ExtraFirewallRules}
      host_prep_tasks:
-        list_concat:
-          - - name: Prevent Nftables to set up any rules
-              copy:
-                dest: /etc/sysconfig/nftables.conf
-                content: |
-                  # This file has been explicitely emptied and disabled by TripleO
-                  # so that nftables and iptables do not race each other
-              register: nftablesconf
-            - when: nftablesconf is changed
-              block:
-                - name: Flush Nftables rules when nftables.conf changed
-                  shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
-                - name: Restart iptables to restore firewall after flushing nftables
-                  systemd:
-                    state: reloaded
-                    name: "{{item}}"
-                  loop:
-                     - iptables.service
-                     - ip6tables.service
-          - if:
+        - if:
            - no_ctlplane
-            - -
-                name: Ensure ctlplane subnet is set
-                fail:
+            - name: Failure - ctlplane subnet is unset
+              fail:
                msg: |
                  No CIDRs found in the ctlplane network tags.
                  Please refer to the documentation in order to
                  set the correct network tags in DeployedServerPortMap.
-            - -
-                name: Notice - ctlplane subnet is set
-                debug:
-                  msg: |
-                    CIDRs found in the ctlplane network tags.
+            - name: Notice - ctlplane subnet is set
+              debug:
+                msg: |
+                  CIDRs found in the ctlplane network tags.
      deploy_steps_tasks:
        - when:
            - (step|int) == 0