GitList

Browse code

Enable bridge firewalling if iptables are used

With the plan [1] to stop enabling it by Neutron iptables firewall
driver itself, deployment tools should catch up and enable the firewall
themselves.

This is needed for distributions that decided to disable the kernel
firewall by default (upstream kernel has it enabled). This is also
needed for distributions that ship newer kernels but don't load the
br_netfilter module before starting nova-network or Neutron iptables
firewall driver. In the latter case, firewall may not work, depending on
the order of operations executed by the driver.

To isolate devstack setups from the difference in distribution
kernel configuration and version, the following steps are done:

- we load bridge kernel module, and br_netfilter if present, to get
access to sysctl knobs controlling the firewall;
- once knobs are available, we unconditionally set them to 1, to make
sure the firewall is in effect.

More details at:
http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

[1] I9137ea017624ac92a05f73863b77f9ee4681bbe7

Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd
Related-Bug: #1622914

Ihar Hrachyshka authored on 2016/09/29 22:26:30
Showing 5 changed files

functions index 5856578..6a0ac67 100644
lib/neutron index 5370392..9e9eb2d 100644
lib/neutron_plugins/linuxbridge_agent index 7d59e13..d0de2f5 100644
lib/neutron_plugins/ovs_base index f6d10ea..3cd6c85 100644
lib/nova index 334cba6..d321b73 100644

functions

History View file @ b3a210f

@@ -646,6 +646,24 @@ function set_mtu {
+                     }
                     +# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
                     +function enable_kernel_bridge_firewall {
                     +    # Load bridge module. This module provides access to firewall for bridged
                     +    # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to
                     +    # enable/disable bridge firewalling
                     +    sudo modprobe bridge
                     +    # For newer kernels (3.18+), those sysctl settings are split into a separate
                     +    # kernel module (br_netfilter). Load it too, if present.
                     +    sudo modprobe br_netfilter 2>> /dev/null || :
                     +    # Enable bridge firewalling in case it's disabled in kernel (upstream
                     +    # default is enabled, but some distributions may decide to change it).
                     +    # This is at least needed for RHEL 7.2 and earlier releases.
                     +    for proto in arp ip ip6; do
                     +        sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
                     +    done
                     +}
+                    +
+                    +
                      # Restore xtrace
                      $_XTRACE_FUNCTIONS

lib/neutron

History View file @ b3a210f

@@ -182,6 +182,8 @@ function configure_neutron_new {
                                  iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
                                  iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
                              fi
+                    +
                     +        enable_kernel_bridge_firewall
                          fi
                          # DHCP Agent

lib/neutron_plugins/linuxbridge_agent

History View file @ b3a210f

@@ -69,6 +69,7 @@ function neutron_plugin_configure_plugin_agent {
                          fi
                          if [[ "$Q_USE_SECGROUP" == "True" ]]; then
                              iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
                     +        enable_kernel_bridge_firewall
                          else
                              iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
                          fi

lib/neutron_plugins/ovs_base

History View file @ b3a210f

@@ -84,6 +84,7 @@ function _neutron_ovs_base_configure_debug_command {
                      function _neutron_ovs_base_configure_firewall_driver {
                          if [[ "$Q_USE_SECGROUP" == "True" ]]; then
                              iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
                     +        enable_kernel_bridge_firewall
                          else
                              iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
                          fi

lib/nova

History View file @ b3a210f

@@ -866,9 +866,13 @@ function start_nova_rest {
                          run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
                          run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
                          run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
+                    -
                          run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
+                    +
                     +    if is_service_enabled n-net; then
                     +        enable_kernel_bridge_firewall
                     +    fi
                          run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
+                    +
                          run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
                          run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"