From 187d8cc0436149b65efdd6ba778efd03ec3c367f Mon Sep 17 00:00:00 2001
From: Terry Wilson
Date: Mon, 30 Sep 2019 13:00:49 -0500
Subject: [PATCH] Set bridge-nf-call-* values to 1

Although the kernel default is 1, some distros override the defaults via sysctl.conf. Loading br_netfilter manually will show values of 1, but then doing a 'sysctl network restart' will set the values to 0--so go ahead and override these values.

Co-Author: Luke Short
Change-Id: I53dec308d359b27e62ed44e91a8eaae38d945a4f
Closes-Bug: #1843259
(cherry picked from commit 3d722dbc810b0f9521ce1cfc461789bdfe20e36d)
---
 puppet/services/kernel.yaml | 19 +++++++++++++++++++
 .../notes/fix-bridge-nf-call-defaults.rst | 6 ++++++
 2 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/fix-bridge-nf-call-defaults.rst

diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 07c0f89bdf..aaaf3fe08f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -72,6 +72,18 @@ parameters:
 default: 1024
 description: Configures sysctl fs.inotify.max_user_instances key
 type: number
+ BridgeNfCallArpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-arptables key
+ type: number
+ BridgeNfCallIpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-iptables key
+ type: number
+ BridgeNfCallIp6Tables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
+ type: number
 ExtraKernelModules:
 default: {}
 description: Hash of extra Kernel modules to load.
@@ -126,6 +138,7 @@ outputs:
 - 'localhost'
 kernel_modules:
 map_merge:
+ - br_netfilter: {}
 - nf_conntrack: {}
 nf_conntrack_proto_sctp: {}
 - {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
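Review bot: The three new BridgeNfCall* parameters in the `@@ -72` hunk are declared as `type: number` with no constraint, although these sysctls are boolean switches where anything other than 0 or 1 is not meaningful, so a mistyped override would only be noticed once sysctl runs on the node. Adding `constraints: [{allowed_values: [0, 1]}]` to each of the three parameters catches that at stack validation time. The descriptions could also carry the consequence the release note states, e.g. `description: Configures sysctl net.bridge.bridge-nf-call-iptables key. Must be 1 for iptables-based security groups to filter bridged traffic.` The `parameters` section continues outside the hunk.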
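Review bot: The `net.bridge.bridge-nf-call-*` keys written in the `@@ -204` hunk only exist once `br_netfilter` is loaded, and nothing in the `@@ -126` hunk orders the module load before the sysctl write; if the profile that consumes `kernel_modules` and the sysctl settings applies sysctl first, the keys would be missing and the values would stay at whatever the distro sets. That ordering is not visible from this diff, so it is worth confirming in the consuming puppet code, or recording the dependency in a comment such as `# br_netfilter must be loaded before the net.bridge.* sysctls below can be set`. As a smaller point of style, `br_netfilter` is added as its own `map_merge` element while the existing nf_conntrack modules share one mapping; folding it into that mapping keeps the list uniform. The `outputs` block continues outside the hunk.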
@@ -204,6 +217,12 @@ outputs:
 value: {get_param: NeighbourGcThreshold2}
 net.ipv4.neigh.default.gc_thresh3:
 value: {get_param: NeighbourGcThreshold3}
+ net.bridge.bridge-nf-call-arptables:
+ value: {get_param: BridgeNfCallArpTables}
+ net.bridge.bridge-nf-call-iptables:
+ value: {get_param: BridgeNfCallIpTables}
+ net.bridge.bridge-nf-call-ip6tables:
+ value: {get_param: BridgeNfCallIp6Tables}
 # set inotify value for neutron/dnsmasq scale
 fs.inotify.max_user_instances:
 value: {get_param: InotifyIntancesMax}
diff --git a/releasenotes/notes/fix-bridge-nf-call-defaults.rst b/releasenotes/notes/fix-bridge-nf-call-defaults.rst
new file mode 100644
index 0000000000..4543de0b39
--- /dev/null
+++ b/releasenotes/notes/fix-bridge-nf-call-defaults.rst
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
+ may not be applied due to br_netfilter not being loaded. These values must
+ be 1 for security groups to work.
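Review bot: The six new sysctl lines carry no comment, while the neighbouring `fs.inotify.max_user_instances` entry explains its purpose; since the release note says these values must be 1 for security groups to work, a value of 0 here means bridged guest traffic bypasses the iptables rules that implement them, which makes this a security control rather than a tuning knob and deserves saying next to the values. A comment in the existing style, `# bridge-nf-call-* must be 1 so iptables-based security groups filter bridged traffic`, above the first `net.bridge.` key would do. The enclosing output value starts and ends outside the hunk.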