From 0d5d0149550345272d7cd04aa92e489777561e58 Mon Sep 17 00:00:00 2001
From: rossella
Date: Tue, 22 Dec 2015 19:14:15 +0000
Subject: [PATCH] Support rootwrap sysctl and conntrack commands for non-l3 nodes
Iptables-firewall use commands sysctl and conntrack. These are missed out in the plugins resulting in (No filter matched) errors in non-l3 nodes. L3 nodes do not have this problem as l3.filters rootwraps these commands.
Closes-bug: #1528641
Change-Id: I1167544a41f2ea91781ae2bb7aa208e25fec1524
---
 etc/neutron/rootwrap.d/iptables-firewall.filters | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
index b8a6ab5b3ba..29c78dae3f0 100644
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 # "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+# "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
\ No newline at end of file
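Review bot: `sysctl: CommandFilter, sysctl, root` and `conntrack: CommandFilter, conntrack, root` hand the agent unrestricted root execution of both binaries, so any argument list reaches them through rootwrap, including sysctl writes to keys that have nothing to do with the firewall. The hunk's own comment already fixes the call shape as `"sysctl", "-w", ...`, so a `RegExpFilter` pinning the `-w` form and the specific key names that iptables_manager.py writes (not visible in this patch) would bound the privilege to what the firewall needs; the same reasoning applies to the conntrack deletion arguments used by ip_conntrack.py. If the l3.filters entries the commit message refers to are also plain CommandFilters, mirroring them is a defensible consistency choice, but where the argument set is known the tighter filter should be preferred and the reason recorded in the comment. Separately, the new final line is written without a trailing newline (`\ No newline at end of file`), which the next edit to this file will needlessly churn.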