Comment 20 for bug 1622914

OpenStack Infra (hudson-openstack) wrote : Related fix merged to devstack (stable/newton)

Reviewed: https://review.openstack.org/399142
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=88dbdefc7ed0a074c473cf9eeaff31a1f8390ca4
Submitter: Jenkins
Branch: stable/newton

commit 88dbdefc7ed0a074c473cf9eeaff31a1f8390ca4
Author: Ihar Hrachyshka <email address hidden>
Date: Thu Sep 29 13:26:30 2016 +0000

    Enable bridge firewalling if iptables are used

    With the plan [1] to stop enabling it by Neutron iptables firewall
    driver itself, deployment tools should catch up and enable the firewall
    themselves.

    This is needed for distributions that decided to disable the kernel
    firewall by default (upstream kernel has it enabled). This is also
    needed for distributions that ship newer kernels but don't load the
    br_netfilter module before starting nova-network or Neutron iptables
    firewall driver. In the latter case, firewall may not work, depending on
    the order of operations executed by the driver.

    To isolate devstack setups from the difference in distribution
    kernel configuration and version, the following steps are done:

    - we load bridge kernel module, and br_netfilter if present, to get
      access to sysctl knobs controlling the firewall;
    - once knobs are available, we unconditionally set them to 1, to make
      sure the firewall is in effect.

    More details at:
    http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

    [1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

    Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
    Related-Bug: #1622914
    (cherry picked from commit b3a210f643989603d192b32a40b2001664f8ed73)
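The two steps the commit describes (load `bridge` and, where present, `br_netfilter`; then force the `net.bridge.bridge-nf-call-*` knobs to 1) plus a verification check, as an added POSIX shell example that is not devstack's own code. It assumes a Linux host with `modprobe`, `modinfo` and `sysctl`; the check function takes a sysctl root directory so it can be run against a constructed tree without root.

```shell
#!/bin/sh
# Added example: enable bridge firewalling as the commit message describes,
# then verify that each knob actually reads 1 (missing knobs mean the
# netfilter bridge hooks are not loaded, so iptables rules would be bypassed).

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
KNOBS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# Step 1: load the bridge module, and br_netfilter on kernels that split it
# out; older kernels expose the knobs from the bridge module itself.
load_bridge_modules() {
    modprobe bridge || return 1
    if modinfo br_netfilter >/dev/null 2>&1; then
        modprobe br_netfilter || return 1
    fi
}

# Step 2: unconditionally set every knob to 1 so the firewall is in effect
# regardless of the distribution's default.
enable_bridge_firewall() {
    for knob in $KNOBS; do
        sysctl -w "net.bridge.$knob=1" >/dev/null || return 1
    done
}

# Returns 0 only if all knobs exist under the given sysctl root and read 1.
bridge_firewall_enabled() {
    root=${1:-$SYSCTL_ROOT}
    for knob in $KNOBS; do
        f="$root/net/bridge/$knob"
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
        [ "$(cat "$f")" = "1" ] || { echo "disabled: $f" >&2; return 1; }
    done
    return 0
}

# Constructed sysctl tree (all knobs set to $1, default 1) for an offline
# demonstration of the check; prints the directory path.
make_fake_sysctl() {
    d=$(mktemp -d) && mkdir -p "$d/net/bridge" || return 1
    for knob in $KNOBS; do echo "${1:-1}" > "$d/net/bridge/$knob"; done
    echo "$d"
}

# Usage on a real host (needs root): sh enable_bridge_fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
    load_bridge_modules && enable_bridge_firewall && bridge_firewall_enabled
fi
```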