Do not apply firewall rules for bridges
Do not apply firewall rules to transit traffic on bridges, so that Linux
bridges can be used when connecting Ironic VMs.
Related-Prod: PRODX-3456
Change-Id: I52fcc245ea7f043015c57feea940f63d38a12d5a
diff --git a/de/heat-templates/scripts/instance_boot.sh b/de/heat-templates/scripts/instance_boot.sh
index b55a006..977fe9d 100644
--- a/de/heat-templates/scripts/instance_boot.sh
+++ b/de/heat-templates/scripts/instance_boot.sh
@@ -333,6 +333,17 @@
sysctl -p /etc/sysctl.d/100-contrackd.conf
}
+# NOTE(vsaienko): disable calling iptables when sending packets via bridge.
+function disable_iptables_for_bridges {
+ cat << EOF > /etc/sysctl.d/101-bridge-nf-call-iptables.conf
+net.bridge.bridge-nf-call-ip6tables=0
+net.bridge.bridge-nf-call-iptables=0
+net.bridge.bridge-nf-call-arptables=0
+EOF
+
+ sysctl -p /etc/sysctl.d/101-bridge-nf-call-iptables.conf
+}
+
function network_config {
PUBLIC_NODE_IP_ADDRESS=${PUBLIC_INTERFACE_IP:-$(ip addr show dev ${PUBLIC_INTERFACE} | grep -Po 'inet \K[\d.]+' | egrep -v "127.0.|172.17")}
PUBLIC_NODE_IP_NETMASK=${PUBLIC_INTERFACE_NETMASK:-$(ip addr show dev ${PUBLIC_INTERFACE} | grep -Po 'inet \K[\d.]+\/[\d]+' | egrep -v "127.0.|172.17" | cut -d'/' -f2)}
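Review bot: `sysctl -p /etc/sysctl.d/101-bridge-nf-call-iptables.conf` exits non-zero when the `br_netfilter` module is not loaded, because the `net.bridge.bridge-nf-call-*` keys only exist in /proc/sys while it is; whether that aborts the boot script depends on a `set -e` outside this hunk, and on a host where the module is loaded later the keys return to their default of 1 until the next boot-time sysctl pass. The NOTE should also record the trade-off, since with these set to 0 traffic switched through any Linux bridge on the host is no longer evaluated by iptables, so host filtering that relied on that hook stops applying to bridged east-west traffic — for example `# NOTE(vsaienko): disable calling iptables when sending packets via bridge. Bridged traffic then bypasses host iptables entirely; needs br_netfilter loaded, otherwise sysctl -p fails.`. I would guard the apply with `[[ -d /proc/sys/net/bridge ]] && sysctl -p /etc/sysctl.d/101-bridge-nf-call-iptables.conf` or an explicit `modprobe br_netfilter` beforehand so the failure mode is deliberate rather than dependent on module load order. The hunks at the ucp, master, worker and spare arms (the four following hunks) apply this to every node role, not only hosts that bridge Ironic VMs, which neither the comment nor the description explains.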
@@ -469,6 +480,7 @@
set_node_labels
collect_ceph_metadata
configure_contrack
+ disable_iptables_for_bridges
;;
master)
prepare_metadata_files
@@ -487,6 +499,7 @@
set_node_labels
collect_ceph_metadata
configure_contrack
+ disable_iptables_for_bridges
;;
worker)
prepare_metadata_files
@@ -505,6 +518,7 @@
set_node_labels
collect_ceph_metadata
configure_contrack
+ disable_iptables_for_bridges
;;
spare)
prepare_metadata_files
@@ -518,6 +532,7 @@
download_bundles
workaround_default_forward_policy
configure_contrack
+ disable_iptables_for_bridges
;;
*)
echo "Usage: $0 {ucp|master|worker}"