Browse code
Merge "Enable bridge firewalling if iptables are used"
Jenkins authored on 2016/10/18 20:23:54Showing 5 changed files
| ... | ... |
@@ -646,6 +646,24 @@ function set_mtu {
|
| 646 | 646 |
} |
| 647 | 647 |
|
| 648 | 648 |
|
| 649 |
+# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling |
|
| 650 |
+function enable_kernel_bridge_firewall {
|
|
| 651 |
+ # Load bridge module. This module provides access to firewall for bridged |
|
| 652 |
+ # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to |
|
| 653 |
+ # enable/disable bridge firewalling |
|
| 654 |
+ sudo modprobe bridge |
|
| 655 |
+ # For newer kernels (3.18+), those sysctl settings are split into a separate |
|
| 656 |
+ # kernel module (br_netfilter). Load it too, if present. |
|
| 657 |
+ sudo modprobe br_netfilter 2>> /dev/null || : |
|
| 658 |
+ # Enable bridge firewalling in case it's disabled in kernel (upstream |
|
| 659 |
+ # default is enabled, but some distributions may decide to change it). |
|
| 660 |
+ # This is at least needed for RHEL 7.2 and earlier releases. |
|
| 661 |
+ for proto in arp ip ip6; do |
|
| 662 |
+ sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
|
|
| 663 |
+ done |
|
| 664 |
+} |
|
| 665 |
+ |
|
| 666 |
+ |
|
| 649 | 667 |
# Restore xtrace |
| 650 | 668 |
$_XTRACE_FUNCTIONS |
| 651 | 669 |
|
| ... | ... |
@@ -69,6 +69,7 @@ function neutron_plugin_configure_plugin_agent {
|
| 69 | 69 |
fi |
| 70 | 70 |
if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
| 71 | 71 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |
| 72 |
+ enable_kernel_bridge_firewall |
|
| 72 | 73 |
else |
| 73 | 74 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver |
| 74 | 75 |
fi |
| ... | ... |
@@ -84,6 +84,7 @@ function _neutron_ovs_base_configure_debug_command {
|
| 84 | 84 |
function _neutron_ovs_base_configure_firewall_driver {
|
| 85 | 85 |
if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
| 86 | 86 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver |
| 87 |
+ enable_kernel_bridge_firewall |
|
| 87 | 88 |
else |
| 88 | 89 |
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver |
| 89 | 90 |
fi |
| ... | ... |
@@ -864,9 +864,13 @@ function start_nova_rest {
|
| 864 | 864 |
run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf" |
| 865 | 865 |
run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf" |
| 866 | 866 |
run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf" |
| 867 |
- |
|
| 868 | 867 |
run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf" |
| 868 |
+ |
|
| 869 |
+ if is_service_enabled n-net; then |
|
| 870 |
+ enable_kernel_bridge_firewall |
|
| 871 |
+ fi |
|
| 869 | 872 |
run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf" |
| 873 |
+ |
|
| 870 | 874 |
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf" |
| 871 | 875 |
run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf" |
| 872 | 876 |
|