Modify existing notes related to the firewall
Change-Id: I73daef9e040ad4dc42287ea97b06cb56fd5b5041
This commit is contained in:
parent
0074098f0e
commit
f14174d353
@ -1,8 +0,0 @@
---
other:
- |
Cleanup iptables related resources in the firewall configuration. Also
remove the now useless FirewallEngine parameter - nftables is the only
supported engine within TripleO. Note that some applications may still
rely on iptables, such as Neutron - but the rules aren't managed from
within TripleO itself.
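Review bot: deleting this note drops two user-facing facts that the surviving security note in this commit does not visibly carry: that the FirewallEngine parameter is removed ("remove the now useless FirewallEngine parameter - nftables is the only supported engine"), and that Neutron's iptables rules remain outside TripleO's management. Fold both into the consolidated note, for example an `upgrade:` entry stating that FirewallEngine no longer exists and that any remaining iptables rules (Neutron's, notably) are not touched by TripleO, so operators know why `iptables -L` output differs from what TripleO configures.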
@ -1,5 +0,0 @@
---
features:
- |
Add a new parameter "FirewallEngine" in order to chose what firewall
engine we want to use. Values can be iptables (default), or nftables.
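Review bot: if this features note has already shipped in a released version, removing it hides the fact that "FirewallEngine" (iptables default, nftables optional) ever existed, and readers of older release notes lose the pointer; the usual way to record the change is to leave the original note in place and add a removal/deprecation entry saying the parameter is gone and nftables is now the only engine. Delete it only if the parameter was never released.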
@ -1,9 +1,19 @@
---
security:
- |
Switching the FirewallEngine to nftables instead of puppet has some
consequences regarding security: the new tripleo_nftables acts on the
chain policy instead of relying on a final drop rule.
TripleO is now configuring the firewall using nftables instead of iptables.
- |
The firewall layout is now a bit different, since all of the TripleO managed rules are in
dedicated chains, such as TRIPLEO_INPUT. Jumps are added in the original chains.
- |
The INPUT chain has now a "drop" policy, meaning we do not need the final "drop" rule
like we had while using iptables. This means any packet that don't match a rule will be
dropped. This also mean rule ordering is less important.
upgrade:
- |
All firewall rules are implemented by nftables instead of iptables. This means we don't
need to edit anything anymore on the generated iptables/ip6tables files, and keep only the
cleaning of service and files in the upgrade tasks.
other:
- |
iptables cli cannot see nftables content we inject, since we're
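Review bot: the new `security:` text overstates the effect of the drop policy where it says "This also mean rule ordering is less important": with a default-drop INPUT chain only the final catch-all drop rule becomes unnecessary, while ordering still decides the outcome wherever an accept and a reject/drop rule match the same packet, and the jumps "added in the original chains" must precede any pre-existing rule that would accept or drop first. Say that ordering matters less only for the final drop, and fix the grammar in the same paragraph: `The INPUT chain now has a "drop" policy`, `any packet that doesn't match a rule will be dropped`, `This also means`.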