Log the IPTables rules if "debug_iptables_rules"

If the configuration flag "debug_iptables_rules" is enabled, the
IPTables rules applied will be logged.

Similar to [1], when the IPTables firewall is enabled, it checks the
status of the following sysctl knobs:

* net.bridge.bridge-nf-call-arptables
* net.bridge.bridge-nf-call-ip6tables
* net.bridge.bridge-nf-call-iptables

In this case, the firewall is not enabling them but just checking the
status and logging it, to make easier the debugging process.

[1] https://review.opendev.org/#/c/371523/

Change-Id: I2ec953228d1d45e1d4c493c0b261901e6dbec0f7
Related-Bug: #1843259

etc/neutron/rootwrap.d/iptables-firewall.filters

@@ -20,5 +20,8 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
 
+# neutron/agent/linux/iptables_firewall.py
+sysctl: CommandFilter, sysctl, root
+
 # neutron/agent/linux/ip_conntrack.py
 conntrack: CommandFilter, conntrack, root

neutron/agent/linux/iptables_firewall.py

@@ -30,6 +30,7 @@ from neutron.agent.linux import ip_conntrack
 from neutron.agent.linux import ipset_manager
 from neutron.agent.linux import iptables_comments as ic
 from neutron.agent.linux import iptables_manager
+from neutron.agent.linux import utils as a_utils
 from neutron.common import _constants as const
 from neutron.common import ipv6_utils
 from neutron.common import utils as c_utils
@@ -94,6 +95,36 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         self.updated_sg_members = set()
         self.devices_with_updated_sg_members = collections.defaultdict(list)
         self._iptables_protocol_name_map = {}
+        self._check_netfilter_for_bridges()
+
+    @staticmethod
+    def _check_netfilter_for_bridges():
+        """Check if br_netfilter is loaded and the needed flags for IPtables"""
+        log_warning = False
+        if not a_utils.execute(
+                ['sysctl', '-N', 'net.bridge'], run_as_root=True,
+                log_fail_as_error=False, check_exit_code=False):
+            LOG.warning('Kernel module br_netfilter is not loaded.')
+            log_warning = True
+        if not log_warning:
+            for proto in ('arp', 'ip', 'ip6'):
+                key = 'net.bridge.bridge-nf-call-%stables' % proto
+                enabled = a_utils.execute(
+                    ['sysctl', '-b', key], run_as_root=True,
+                    log_fail_as_error=False, check_exit_code=False)
+                if enabled == '1':
+                    status = 'enabled'
+                    log_method = LOG.debug
+                else:
+                    status = 'disabled'
+                    log_method = LOG.warning
+                    log_warning = True
+                log_method('Key %(key)s is %(status)s',
+                           {'key': key, 'status': status})
+
+        if log_warning:
+            LOG.warning('Please ensure that netfilter options for bridge are '
+                        'enabled to provide working security groups.')
 
     @property
     def ports(self):

neutron/agent/linux/iptables_manager.py

@@ -464,6 +464,7 @@ class IptablesManager(object):
             first = self._apply_synchronized()
             if not cfg.CONF.AGENT.debug_iptables_rules:
                 return first
+            LOG.debug('List of IPTables Rules applied: %s', '\n'.join(first))
             second = self._apply_synchronized()
             if second:
                 msg = (_("IPTables Rules did not converge. Diff: %s") %

neutron/tests/unit/agent/linux/test_iptables_firewall.py

@@ -94,6 +94,7 @@ class BaseIptablesFirewallTestCase(base.BaseTestCase):
         self.iptables_inst.get_rules_for_table.return_value = (
             RAW_TABLE_OUTPUT.splitlines())
         self.firewall = iptables_firewall.IptablesFirewallDriver()
+        self.utils_exec.reset_mock()
         self.firewall.iptables = self.iptables_inst
         # don't mess with sysctl knobs in unit tests
         self.firewall._enabled_netfilter_for_bridges = True