openstack/neutron
Code Issues Proposed changes

Merge "iptables: stop 'fixing' kernel sysctl bridge firewalling knobs"

Browse Source
This commit is contained in:
Jenkins 2017-03-15 02:45:53 +00:00 committed by Gerrit Code Review
commit b29339f28f
2 changed files with 1 additions and 49 deletions
etc/neutron/rootwrap.d
iptables-firewall.filters
neutron/agent/linux
iptables_firewall.py

3
etc/neutron/rootwrap.d/iptables-firewall.filters

@ -20,8 +20,5 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root

47
neutron/agent/linux/iptables_firewall.py

@ -19,17 +19,15 @@ import netaddr
from neutron_lib import constants
from oslo_config import cfg
from oslo_log import log as logging
from oslo_log import versionutils
from oslo_utils import netutils
import six
from neutron._i18n import _, _LI, _LW
from neutron._i18n import _LI
from neutron.agent import firewall
from neutron.agent.linux import ip_conntrack
from neutron.agent.linux import ipset_manager
from neutron.agent.linux import iptables_comments as ic
from neutron.agent.linux import iptables_manager
from neutron.agent.linux import utils
from neutron.common import constants as n_const
from neutron.common import ipv6_utils
from neutron.common import utils as c_utils
@ -85,52 +83,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
lambda: collections.defaultdict(list))
self.pre_sg_members = None
self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
self._enabled_netfilter_for_bridges = False
self.updated_rule_sg_ids = set()
self.updated_sg_members = set()
self.devices_with_updated_sg_members = collections.defaultdict(list)
def _enable_netfilter_for_bridges(self):
# we only need to set these values once, but it has to be when
# we create a bridge; before that the bridge module might not
# be loaded and the proc values aren't there.
if self._enabled_netfilter_for_bridges:
return
else:
self._enabled_netfilter_for_bridges = True
# These proc values ensure that netfilter is enabled on
# bridges; essential for enforcing security groups rules with
# OVS Hybrid. Distributions can differ on whether this is
# enabled by default or not (Ubuntu - yes, Redhat - no, for
# example).
LOG.debug("Enabling netfilter for bridges")
try:
entries = utils.execute(
['sysctl', '-N', 'net.bridge'], run_as_root=True,
log_fail_as_error=False).splitlines()
except utils.ProcessExecutionError:
LOG.info(_LI("Process is probably running in namespace or "
"kernel module br_netfilter is not loaded. "
"Please ensure that netfilter options for bridge "
"are enabled to provide working security groups."))
return
for proto in ('ip', 'ip6'):
knob = 'net.bridge.bridge-nf-call-%stables' % proto
if knob not in entries:
raise SystemExit(
_("sysctl value %s not present on this system.") % knob)
enabled = utils.execute(['sysctl', '-b', knob])
if enabled != '1':
versionutils.report_deprecated_feature(
LOG,
_LW('Bridge firewalling is disabled; enabling to make '
'iptables firewall work. This may not work in future '
'releases.'))
utils.execute(
['sysctl', '-w', '%s=1' % knob], run_as_root=True)
@property
def ports(self):
return dict(self.filtered_ports, **self.unfiltered_ports)
@ -196,7 +152,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
def prepare_port_filter(self, port):
LOG.debug("Preparing device (%s) filter", port['device'])
self._set_ports(port)
self._enable_netfilter_for_bridges()
# each security group has it own chains
self._setup_chains()
return self.iptables.apply()