@@ -646,6 +646,24 @@ function set_mtu { |
646 | 646 |
} |
647 | 647 |
|
648 | 648 |
|
649 |
+# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling |
|
650 |
+function enable_kernel_bridge_firewall { |
|
651 |
+ # Load bridge module. This module provides access to firewall for bridged |
|
652 |
+ # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to |
|
653 |
+ # enable/disable bridge firewalling |
|
654 |
+ sudo modprobe bridge |
|
655 |
+ # For newer kernels (3.18+), those sysctl settings are split into a separate |
|
656 |
+ # kernel module (br_netfilter). Load it too, if present. |
|
657 |
+ sudo modprobe br_netfilter 2>> /dev/null || : |
|
658 |
+ # Enable bridge firewalling in case it's disabled in kernel (upstream |
|
659 |
+ # default is enabled, but some distributions may decide to change it). |
|
660 |
+ # This is at least needed for RHEL 7.2 and earlier releases. |
|
661 |
+ for proto in arp ip ip6; do |
|
662 |
+ sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1 |
|
663 |
+ done |
|
664 |
+} |
|
665 |
+ |
|
666 |
+ |
|
649 | 667 |
# Restore xtrace |
650 | 668 |
$_XTRACE_FUNCTIONS |
651 | 669 |
|
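Review bot: None of the privileged commands in the new `enable_kernel_bridge_firewall` has its status checked and the function has no explicit return, so unless the caller runs under `set -o errexit` (not visible in these hunks) a failed `sudo modprobe bridge`, or a `sysctl -w` that errors because the `net.bridge.*` keys are absent on a 3.18+ kernel where `br_netfilter` could not be loaded, leaves the iptables security-group driver configured while bridged frames bypass the host firewall — a silent fail-open rather than a visible setup error. I would make the sysctl loop fail loudly, e.g. `sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1 || die $LINENO "could not enable bridge firewalling for ${proto}"`, and keep masking only the br_netfilter modprobe as the code already does. The `2>> /dev/null` on that modprobe appends to /dev/null; the conventional `2>/dev/null` reads better. The header comment could also say that this is a runtime-only setting, e.g. `# Runtime setting only (sysctl -w); it is not persisted across reboots.`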
@@ -69,6 +69,7 @@ function neutron_plugin_configure_plugin_agent { |
69 | 69 |
fi |
70 | 70 |
if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
71 | 71 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |
72 |
+ enable_kernel_bridge_firewall |
|
72 | 73 |
else |
73 | 74 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver |
74 | 75 |
fi |
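Review bot: The `enable_kernel_bridge_firewall` call is placed in a configure-phase function, so the module load and runtime-only `sysctl -w` it performs happen at configure time rather than when the agent is started; the same placement is used in `_neutron_ovs_base_configure_firewall_driver` in the next hunk. That works for a single stack.sh run, but a one-line comment at each call site would tell the reader why a kernel knob is toggled from a config function and why it is tied to `Q_USE_SECGROUP`, e.g. `# iptables security groups only filter bridged frames when bridge-nf is enabled`. Both enclosing functions begin outside their hunks.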
@@ -84,6 +84,7 @@ function _neutron_ovs_base_configure_debug_command { |
84 | 84 |
function _neutron_ovs_base_configure_firewall_driver { |
85 | 85 |
if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
86 | 86 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver |
87 |
+ enable_kernel_bridge_firewall |
|
87 | 88 |
else |
88 | 89 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver |
89 | 90 |
fi |
@@ -864,9 +864,13 @@ function start_nova_rest { |
864 | 864 |
run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf" |
865 | 865 |
run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf" |
866 | 866 |
run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf" |
867 |
- |
|
868 | 867 |
run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf" |
868 |
+ |
|
869 |
+ if is_service_enabled n-net; then |
|
870 |
+ enable_kernel_bridge_firewall |
|
871 |
+ fi |
|
869 | 872 |
run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf" |
873 |
+ |
|
870 | 874 |
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf" |
871 | 875 |
run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf" |
872 | 876 |
|
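Review bot: This call site is gated only on `n-net` being enabled, whereas the two neutron call sites gate the same call on `Q_USE_SECGROUP == "True"`; if nova-network is deployed with a noop firewall driver, bridge-nf-call-*tables is still switched on host-wide, making every bridged frame traverse the host iptables chains (with a small throughput cost) for no security-group benefit. If devstack exposes an equivalent knob for nova-network's firewall driver it should be checked here as well; otherwise a comment making the assumption explicit would turn the asymmetry into a deliberate choice, e.g. `# nova-network enforces security groups via iptables, so bridged frames must hit netfilter`. The blank line moved from before `n-crt` to after it is whitespace only. The enclosing start_nova_rest continues outside the hunk.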