Merge "Enable bridge firewalling if iptables are used"
This commit is contained in:
commit
093d815d9f
18
functions
18
functions
@ -646,6 +646,24 @@ function set_mtu {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
|
||||||
|
function enable_kernel_bridge_firewall {
|
||||||
|
# Load bridge module. This module provides access to firewall for bridged
|
||||||
|
# frames; and also on older kernels (pre-3.18) it provides sysctl knobs to
|
||||||
|
# enable/disable bridge firewalling
|
||||||
|
sudo modprobe bridge
|
||||||
|
# For newer kernels (3.18+), those sysctl settings are split into a separate
|
||||||
|
# kernel module (br_netfilter). Load it too, if present.
|
||||||
|
sudo modprobe br_netfilter 2>> /dev/null || :
|
||||||
|
# Enable bridge firewalling in case it's disabled in kernel (upstream
|
||||||
|
# default is enabled, but some distributions may decide to change it).
|
||||||
|
# This is at least needed for RHEL 7.2 and earlier releases.
|
||||||
|
for proto in arp ip ip6; do
|
||||||
|
sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Restore xtrace
|
# Restore xtrace
|
||||||
$_XTRACE_FUNCTIONS
|
$_XTRACE_FUNCTIONS
|
||||||
|
|
||||||
|
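Review bot: The exit status of `sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1` is never checked, so when the knobs are missing (on a 3.18+ kernel the function's own comment says they live in `br_netfilter`, whose modprobe on the line above is deliberately allowed to fail) the loop presumably prints an error and setup carries on with the iptables firewall driver configured but bridged frames never reaching it. That is a silent loss of security-group enforcement, so failing loudly is preferable, e.g. `sudo sysctl -w "net.bridge.bridge-nf-call-${proto}tables=1" || die $LINENO "cannot enable bridge firewalling for ${proto}"` (assuming the repository's `die` helper is in scope here; otherwise `return 1`). Minor: `2>> /dev/null` appends to /dev/null, which works but `2>/dev/null` is the conventional form. The header comment should also state the failure contract, since every call site in this commit invokes the function without checking its result.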
@ -182,6 +182,8 @@ function configure_neutron_new {
|
|||||||
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
|
iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
|
||||||
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
|
iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
enable_kernel_bridge_firewall
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# DHCP Agent
|
# DHCP Agent
|
||||||
|
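Review bot: The added `enable_kernel_bridge_firewall` call in configure_neutron_new sits in a block whose opening `if` is outside the hunk, so it is not visible whether this site is gated on the iptables/hybrid firewall driver the way the two other neutron call sites in this commit are (both are inside `if [[ "$Q_USE_SECGROUP" == "True" ]]`); if that block also covers a noop-driver configuration, the bridge-nf sysctls get enabled where nothing filters bridged frames. A one-line comment at the call site naming the condition would make the intent checkable, e.g. `# iptables_hybrid filters bridged frames, so the bridge-nf sysctls must be on`. The enclosing function starts outside the hunk.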
@ -69,6 +69,7 @@ function neutron_plugin_configure_plugin_agent {
|
|||||||
fi
|
fi
|
||||||
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
|
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
|
||||||
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
||||||
|
enable_kernel_bridge_firewall
|
||||||
else
|
else
|
||||||
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
|
||||||
fi
|
fi
|
||||||
|
@ -84,6 +84,7 @@ function _neutron_ovs_base_configure_debug_command {
|
|||||||
function _neutron_ovs_base_configure_firewall_driver {
|
function _neutron_ovs_base_configure_firewall_driver {
|
||||||
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
|
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
|
||||||
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
||||||
|
enable_kernel_bridge_firewall
|
||||||
else
|
else
|
||||||
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
|
||||||
fi
|
fi
|
||||||
|
6
lib/nova
6
lib/nova
@ -864,9 +864,13 @@ function start_nova_rest {
|
|||||||
run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
|
run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
|
||||||
run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
|
run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
|
||||||
run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
|
run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
|
||||||
|
|
||||||
run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
|
run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
|
||||||
|
|
||||||
|
if is_service_enabled n-net; then
|
||||||
|
enable_kernel_bridge_firewall
|
||||||
|
fi
|
||||||
run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
|
run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
|
||||||
|
|
||||||
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
|
run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
|
||||||
run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"
|
run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"
|
||||||
|
|
||||||
|