Comment 14 for bug 1622914

OpenStack Infra (hudson-openstack) wrote : Related fix merged to devstack (master)

Reviewed: https://review.openstack.org/371504
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=b3a210f643989603d192b32a40b2001664f8ed73
Submitter: Jenkins
Branch: master

commit b3a210f643989603d192b32a40b2001664f8ed73
Author: Ihar Hrachyshka <email address hidden>
Date: Thu Sep 29 13:26:30 2016 +0000

    Enable bridge firewalling if iptables are used

    With the plan [1] to stop enabling it by Neutron iptables firewall
    driver itself, deployment tools should catch up and enable the firewall
    themselves.

    This is needed for distributions that decided to disable the kernel
    firewall by default (upstream kernel has it enabled). This is also
    needed for distributions that ship newer kernels but don't load the
    br_netfilter module before starting nova-network or Neutron iptables
    firewall driver. In the latter case, the firewall may not work, depending
    on the order of operations executed by the driver.

    To isolate devstack setups from the difference in distribution
    kernel configuration and version, the following steps are done:

    - we load bridge kernel module, and br_netfilter if present, to get
      access to sysctl knobs controlling the firewall;
    - once knobs are available, we unconditionally set them to 1, to make
      sure the firewall is in effect.

    More details at:
    http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

    [1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

    Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
    Related-Bug: #1622914
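The procedure the commit message lays out (load the bridge module and, where the kernel has split it out, br_netfilter, then turn the bridge netfilter sysctl knobs on and confirm they took effect) as an added shell example. This is not the devstack change itself or any devstack code; it assumes a Linux host with /proc/sys and root privileges for modprobe and the sysctl writes. The root-directory parameter on the functions is an assumption made so the knob handling can be exercised against a scratch directory without touching the running kernel.

```shell
# Added example (not devstack's own code): enable and verify the bridge
# netfilter hooks described in the commit message above.
# Assumes Linux, /proc/sys, and root privileges for modprobe and the writes.

# The three sysctl knobs documented on the libvirt wiki page linked above.
BRIDGE_NF_KNOBS="net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-arptables"

# Map a dotted sysctl key to its file under $root/proc/sys. The root is a
# parameter (assumption for this example) so the logic can be tested
# against a scratch directory instead of the live kernel.
knob_path() {
    root=${1%/}
    key=$2
    printf '%s/proc/sys/%s\n' "$root" "$(printf '%s' "$key" | tr . /)"
}

# Load the bridge module, and br_netfilter where the kernel ships it as a
# separate module; the knobs only appear in /proc/sys once these are loaded.
load_bridge_modules() {
    modprobe bridge
    modprobe br_netfilter 2>/dev/null || true
}

# Set every knob to 1. Returns 1 if any knob file is missing, which means
# the module is not loaded or the kernel was built without bridge netfilter.
bridge_firewall_enable() {
    root=${1:-/}
    missing=0
    for key in $BRIDGE_NF_KNOBS; do
        path=$(knob_path "$root" "$key")
        if [ -f "$path" ]; then
            echo 1 > "$path"
        else
            echo "missing sysctl knob: $key" >&2
            missing=1
        fi
    done
    return $missing
}

# Report whether all knobs exist and read 1; usable as a post-deploy check
# that the bridge firewall is actually in effect, not merely configured.
bridge_firewall_check() {
    root=${1:-/}
    failed=0
    for key in $BRIDGE_NF_KNOBS; do
        path=$(knob_path "$root" "$key")
        if [ -f "$path" ] && [ "$(cat "$path")" = "1" ]; then
            echo "$key = 1"
        else
            echo "$key NOT enabled" >&2
            failed=1
        fi
    done
    return $failed
}

# Usage on a real host (as root):
#   load_bridge_modules && bridge_firewall_enable && bridge_firewall_check
```

The check function is the part worth keeping around after deployment: a host where br_netfilter was loaded after the firewall driver started, or where a distribution sysctl.conf resets the knobs to 0, will pass the enable step at install time and still fail this check later.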