Undercloud is persisting iptables rules in two places.
- First in puppet class tripleo::firewall
- Then in /usr/libexec/os-refresh-config/post-configure.d/80-seedstack-masquerade
In tripleo::firewall there is code to ensure neutron firewall rules are not persisted.
But ... the neutron rules are then persisted when 80-seedstack-masquerade is executed making the tripleo::firewall's attempts to filter these useless on the undercloud.
Since the Ironic Inspector rules are ephemeral as well, it would make sense to filter these as well.
a) Implement filtering of ironic-inspector pxe_filter rules in tripleo::firewall:
Patch: https://review.openstack.org/563461
b) Implement similar filtering in ``80-seedstack-masquerade`` to make sure neutron and ironic-inspector pxe_filter iptables rules are not persisted.
Patch: https://review.openstack.org/563467
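The kind of filtering proposed in (a) and (b), as an added example that is not the code from either patch: a filter that drops ephemeral chains, and any rules that jump to them, from `iptables-save` output before it is written to disk. The chain-name patterns `neutron-` and `ironic-inspector`, the function names and the sample ruleset are assumptions made for this example.

```shell
#!/bin/sh
# Assumed patterns (not taken from the bug report): neutron agent chains
# start with "neutron-", the pxe_filter chain contains "ironic-inspector".
EPHEMERAL_RE='(neutron-|ironic-inspector)'

# Reads iptables-save output on stdin and writes it to stdout without
# ephemeral chain declarations, rules inside those chains, or rules in
# other chains that jump (-j) or goto (-g) into them.
filter_ephemeral_rules() {
    awk -v re="$EPHEMERAL_RE" '
        /^[*#]/ || /^COMMIT$/ { print; next }      # table header, comment, COMMIT
        /^:/ { if (substr($1, 2) ~ re) next; print; next }
        /^-A / {
            if ($2 ~ re) next                      # rule lives in an ephemeral chain
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) ~ re) next
            print; next
        }
        { print }
    '
}

# Constructed sample ruleset, not captured from a real undercloud.
sample_ruleset() {
    cat <<'EOF'
# Constructed sample
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ironic-inspector - [0:0]
:neutron-openvswi-INPUT - [0:0]
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j ironic-inspector
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A ironic-inspector -m mac --mac-source 52:54:00:aa:bb:cc -j DROP
-A ironic-inspector -j ACCEPT
-A neutron-openvswi-INPUT -j ACCEPT
COMMIT
EOF
}

# In a persistence script the filter would sit between iptables-save and
# the write to the rules file; here it runs on the constructed sample.
sample_ruleset | filter_ephemeral_rules
```

Dropping the jump rules along with the chains matters: a persisted `-j` into a chain that no longer exists makes the saved ruleset fail to restore.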