Modify existing notes related to the firewall

Change-Id: I73daef9e040ad4dc42287ea97b06cb56fd5b5041
Takashi Kajinami 2022-10-06 15:27:00 +09:00 committed by Cedric Jeanneret
parent 0074098f0e
commit f14174d353
3 changed files with 13 additions and 16 deletions

@ -1,8 +0,0 @@
---
other:
- |
Cleanup iptables related resources in the firewall configuration. Also
remove the now useless FirewallEngine parameter - nftables is the only
supported engine within TripleO. Note that some applications may still
rely on iptables, such as Neutron - but the rules aren't managed from
within TripleO itself.
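Review bot: the parameter removal recorded here (`remove the now useless FirewallEngine parameter - nftables is the only supported engine`) disappears from the release notes entirely, because the rewritten note in the third file only says that TripleO now configures the firewall with nftables. Keep one sentence about the removed parameter, ideally under the `upgrade:` section of the surviving note, so operators who still set `FirewallEngine` in their environment files learn that it no longer has any effect. Also note that deleting a reno note file removes it from the rendered notes of the series it was published in, so if this note already shipped, adding a new note is safer than erasing this one.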

@ -1,5 +0,0 @@
---
features:
- |
Add a new parameter "FirewallEngine" in order to chose what firewall
engine we want to use. Values can be iptables (default), or nftables.
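Review bot: same concern as for the first file: if this `features` note was already published for an earlier release, deleting it rewrites the historical notes instead of documenting the change. Its `iptables (default)` wording is also the only record that iptables used to be the default engine, which the `upgrade:` section of the third file could state explicitly when it says all rules are now implemented by nftables.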

@ -1,9 +1,19 @@
---
security:
- |
Switching the FirewallEngine to nftables instead of puppet has some
consequences regarding security: the new tripleo_nftables acts on the
chain policy instead of relying on a final drop rule.
TripleO is now configuring the firewall using nftables instead of iptables.
- |
The firewall layout is now a bit different, since all of the TripleO managed rules are in
dedicated chains, such as TRIPLEO_INPUT. Jumps are added in the original chains.
- |
The INPUT chain has now a "drop" policy, meaning we do not need the final "drop" rule
like we had while using iptables. This means any packet that don't match a rule will be
dropped. This also mean rule ordering is less important.
upgrade:
- |
All firewall rules are implemented by nftables instead of iptables. This means we don't
need to edit anything anymore on the generated iptables/ip6tables files, and keep only the
cleaning of service and files in the upgrade tasks.
other:
- |
iptables cli cannot see nftables content we inject, since we're
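Review bot: the added `security:` lines need grammar fixes before they are published: `The INPUT chain has now a "drop" policy` should read `The INPUT chain now has a "drop" policy`, `any packet that don't match a rule` should read `any packet that doesn't match a rule`, and `This also mean rule ordering is less important` should read `This also means ...`. The ordering claim itself should be narrowed: a `drop` chain policy only removes the need for a trailing catch-all rule; within `TRIPLEO_INPUT`, the relative order of accept and reject/drop rules that match the same traffic still decides which one wins, so say that rather than `ordering is less important`. The `upgrade:` text (`we don't need to edit anything anymore on the generated iptables/ip6tables files`) reads as a developer note rather than an operator-facing one; state what the operator will observe, namely that the iptables service and its generated files are cleaned up by the upgrade tasks.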