Merge "Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"" into stable/train
commit
a8c4160ec5
@ -68,28 +68,9 @@ outputs:
|
|||||||
include ::tripleo::firewall
|
include ::tripleo::firewall
|
||||||
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
list_concat:
|
if:
|
||||||
- - name: Prevent Nftables to set up any rules
|
|
||||||
copy:
|
|
||||||
dest: /etc/sysconfig/nftables.conf
|
|
||||||
content: |
|
|
||||||
# This file has been explicitely emptied and disabled by TripleO
|
|
||||||
# so that nftables and iptables do not race each other
|
|
||||||
register: nftablesconf
|
|
||||||
- when: nftablesconf is changed
|
|
||||||
block:
|
|
||||||
- name: Flush Nftables rules when nftables.conf changed
|
|
||||||
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
|
|
||||||
- name: Restart iptables to restore firewall after flushing nftables
|
|
||||||
systemd:
|
|
||||||
state: reloaded
|
|
||||||
name: "{{item}}"
|
|
||||||
loop:
|
|
||||||
- iptables.service
|
|
||||||
- ip6tables.service
|
|
||||||
- if:
|
|
||||||
- no_ctlplane
|
- no_ctlplane
|
||||||
- -
|
-
|
||||||
name: Ensure ctlplane subnet is set
|
name: Ensure ctlplane subnet is set
|
||||||
fail:
|
fail:
|
||||||
msg: |
|
msg: |
|
||||||
|
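Review bot: After this revert nothing under `host_prep_tasks` keeps nftables from loading rules alongside the iptables rules applied by `include ::tripleo::firewall`, which is the race the removed `nftables.conf` comment described, and the new side carries no note about it. Hosts that already ran the removed tasks presumably keep the emptied `/etc/sysconfig/nftables.conf`, while newly deployed hosts will not get it, so firewall state can differ between nodes of the same release. If the safeguard now lives elsewhere, which is not visible in this hunk, a comment above `host_prep_tasks` would record that, e.g. `# nftables is not disabled here; see <reference to replacement change>`. The `fail` task's `msg` body continues outside the hunk.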