Merge "Enable bridge firewalling if iptables are used"
diff --git a/functions b/functions
index 5856578..6a0ac67 100644
--- a/functions
+++ b/functions
@@ -646,6 +646,24 @@
 }
 
 
+# enable_kernel_bridge_firewall - Enable kernel support for bridge firewalling
+function enable_kernel_bridge_firewall {
+    # Load bridge module. This module provides access to firewall for bridged
+    # frames; and also on older kernels (pre-3.18) it provides sysctl knobs to
+    # enable/disable bridge firewalling
+    sudo modprobe bridge
+    # For newer kernels (3.18+), those sysctl settings are split into a separate
+    # kernel module (br_netfilter). Load it too, if present.
+    sudo modprobe br_netfilter 2>> /dev/null || :
+    # Enable bridge firewalling in case it's disabled in kernel (upstream
+    # default is enabled, but some distributions may decide to change it).
+    # This is at least needed for RHEL 7.2 and earlier releases.
+    for proto in arp ip ip6; do
+        sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+    done
+}
+
+
 # Restore xtrace
 $_XTRACE_FUNCTIONS
 
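Review bot: The sysctl loop at the end of enable_kernel_bridge_firewall has no error handling, while the br_netfilter modprobe just above it is deliberately best-effort (`|| :`); on a 3.18+ kernel where that module is missing the `net.bridge.bridge-nf-call-*` keys do not exist, and `sysctl -w` fails without any message saying why. That matters because the whole point of the function is that security-group iptables rules are applied to bridged frames — if the knob silently stays at 0 the rules are bypassed, and whether the failure aborts the run depends on the caller's errexit setting, which is not visible here. I would fail loudly in the loop: `sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1 || { echo "Could not enable bridge firewalling for ${proto}" >&2; return 1; }`. Separately, `2>> /dev/null` on the modprobe line appends to the null device; `2> /dev/null` is the conventional form and does the same thing.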
diff --git a/lib/neutron b/lib/neutron
index 5370392..9e9eb2d 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -182,6 +182,8 @@
             iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid
             iniset $NEUTRON_CORE_PLUGIN_CONF ovs local_ip $HOST_IP
         fi
+
+        enable_kernel_bridge_firewall
     fi
 
     # DHCP Agent
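Review bot: The new `enable_kernel_bridge_firewall` call sits after the inner `fi`, so it runs on every path through the enclosing outer branch rather than only when the iptables_hybrid settings two lines above are applied; the linuxbridge_agent and ovs_base hunks of this same change gate the call on `Q_USE_SECGROUP == "True"`. Unless the outer condition (which starts outside this hunk) already implies security groups are in use, moving the call inside the inner block would keep the three call sites consistent and avoid flipping a host-wide netfilter setting when no firewall driver needs it. The enclosing function starts and ends outside the hunk. Unrelated to this change, the context line `iniset $NEUTRON_CORE_PLUGIN_CONF securitygroup iptables_hybrid` appears to pass no option name — presumably `firewall_driver` was intended — but that is pre-existing.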
diff --git a/lib/neutron_plugins/linuxbridge_agent b/lib/neutron_plugins/linuxbridge_agent
index 7d59e13..d0de2f5 100644
--- a/lib/neutron_plugins/linuxbridge_agent
+++ b/lib/neutron_plugins/linuxbridge_agent
@@ -69,6 +69,7 @@
     fi
     if [[ "$Q_USE_SECGROUP" == "True" ]]; then
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
+        enable_kernel_bridge_firewall
     else
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
     fi
diff --git a/lib/neutron_plugins/ovs_base b/lib/neutron_plugins/ovs_base
index f6d10ea..3cd6c85 100644
--- a/lib/neutron_plugins/ovs_base
+++ b/lib/neutron_plugins/ovs_base
@@ -84,6 +84,7 @@
 function _neutron_ovs_base_configure_firewall_driver {
     if [[ "$Q_USE_SECGROUP" == "True" ]]; then
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+        enable_kernel_bridge_firewall
     else
         iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
     fi
diff --git a/lib/nova b/lib/nova
index 3e9857a..f38fb8b 100644
--- a/lib/nova
+++ b/lib/nova
@@ -864,9 +864,13 @@
     run_process n-cond "$NOVA_BIN_DIR/nova-conductor --config-file $compute_cell_conf"
     run_process n-cell-region "$NOVA_BIN_DIR/nova-cells --config-file $api_cell_conf"
     run_process n-cell-child "$NOVA_BIN_DIR/nova-cells --config-file $compute_cell_conf"
-
     run_process n-crt "$NOVA_BIN_DIR/nova-cert --config-file $api_cell_conf"
+
+    if is_service_enabled n-net; then
+        enable_kernel_bridge_firewall
+    fi
     run_process n-net "$NOVA_BIN_DIR/nova-network --config-file $compute_cell_conf"
+
     run_process n-sch "$NOVA_BIN_DIR/nova-scheduler --config-file $compute_cell_conf"
     run_process n-api-meta "$NOVA_BIN_DIR/nova-api-metadata --config-file $compute_cell_conf"
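Review bot: The guard before the new call keys only on the n-net service being enabled; it does not look at which firewall driver nova is configured with, so the knobs are flipped even when a no-op driver is in use, unlike the neutron call sites in this change, which gate on `Q_USE_SECGROUP`. Worth a comment here too, because `bridge-nf-call-*tables=1` is a host-wide change: every bridge on the machine, not just nova-network's, starts sending bridged frames through the host iptables/ip6tables/arptables chains, which can surprise other bridged workloads on a shared dev host. Something like `# Host-wide: all bridged traffic now traverses the host netfilter chains` above the `if` would make that visible to the next reader. The enclosing function starts and ends outside the hunk.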