2018-04-20 12:52:33 |
Harald Jensås |
description |
In https://review.openstack.org/523944 we switch the ironic inspector filter driver from iptables to dnsmasq.
The old iptables driver created a firewall chain, and will in most cases configure a REJECT rule[1] to block any introspection unless the operator starts introspection of nodes.
On the upgraded undercloud we have these left-over rules still there:
357 183K ironic-inspector udp -- br-ctlplane any anywhere anywhere udp dpt:bootps
Chain ironic-inspector (1 references)
pkts bytes target prot opt in out source destination
357 183K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
[1] https://github.com/openstack/ironic-inspector/blob/master/ironic_inspector/pxe_filter/iptables.py#L186 |
|
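A check for the left-over state described in the report, as an added example that is not part of the original report or of ironic-inspector. The function names `find_stale` and `sample_ruleset` are hypothetical, and the ruleset is a constructed sample in `iptables-save` format modelled on the listing above (bootps is UDP port 67).

```shell
#!/bin/sh
# Added example: list what remains of the old pxe_filter iptables chain.
# Live use (as root): iptables-save -t filter | find_stale ironic-inspector

# Constructed sample in iptables-save format, modelled on the listing above.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:ironic-inspector - [0:0]
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j ironic-inspector
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A ironic-inspector -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# find_stale CHAIN: reads iptables-save text on stdin and prints
#   chain <name>        the chain is still declared
#   jump <parent> ...   a rule in another chain still jumps to it
#   rule ...            a rule still present inside the chain
#   blocking yes        the chain contains a REJECT or DROP target
find_stale() {
  awk -v chain="$1" '
    $1 == (":" chain) { print "chain " chain; next }
    $1 == "-A" && $2 == chain {
      print "rule " $0
      for (i = 3; i < NF; i++)
        if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) blocking = 1
      next
    }
    $1 == "-A" {
      for (i = 3; i < NF; i++)
        if (($i == "-j" || $i == "-g") && $(i + 1) == chain) print "jump " $2 " " $0
    }
    END { if (blocking) print "blocking yes" }
  '
}

sample_ruleset | find_stale ironic-inspector
```

Empty output means nothing of the chain is left; a `jump` line together with `blocking yes` is the state shown in the report.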