diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
index 393c8c1dbd..502845f33f 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@@ -68,16 +68,35 @@ outputs:
include ::tripleo::firewall
host_prep_tasks:
- if:
- - no_ctlplane
- - - name: Ensure ctlplane subnet is set
- fail:
- msg: |
- No CIDRs found in the ctlplane network tags.
- Please refer to the documentation in order to
- set the correct network tags in DeployedServerPortMap.
- - null
+ list_concat:
+ - - name: Prevent Nftables to set up any rules
+ copy:
+ dest: /etc/sysconfig/nftables.conf
+ content: |
+ # This file has been explicitely emptied and disabled by TripleO
+ # so that nftables and iptables do not race each other
+ register: nftablesconf
+ - when: nftablesconf is changed
+ block:
+ - name: Flush Nftables rules when nftables.conf changed
+ command: /usr/sbin/nft flush ruleset
+ - name: Restart iptables to restore firewall after flushing nftables
+ systemd:
+ state: reloaded
+ name: "{{item}}"
+ loop:
+ - iptables.service
+ - ip6tables.service
+ - if:
+ - no_ctlplane
+ - -
+ name: Ensure ctlplane subnet is set
+ fail:
+ msg: |
+ No CIDRs found in the ctlplane network tags.
+ Please refer to the documentation in order to
+ set the correct network tags in DeployedServerPortMap.
+ - null
deploy_steps_tasks:
- when: step|int == 0