Set bridge-nf-call-* values to 1

Although the kernel default is 1, some distros override the defaults
via sysctl.conf. Loading br_netfilter manually will show values of
1, but then doing a 'sysctl network restart' will set the values to
0--so go ahead and override these values.

Co-Author: Luke Short <[email protected]>
Depends-On: Ia28f2fdef34e739801c51828c99e9e6598dd2efb
Change-Id: I53dec308d359b27e62ed44e91a8eaae38d945a4f
Closes-Bug: #1843259

deployment/deprecated/kernel/kernel-baremetal-puppet.yaml

@@ -72,6 +72,18 @@ parameters:
     default: 1024
     description: Configures sysctl fs.inotify.max_user_instances key
     type: number
+  BridgeNfCallArpTables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-arptables key
+    type: number
+  BridgeNfCallIpTables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-iptables key
+    type: number
+  BridgeNfCallIp6Tables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
+    type: number
   ExtraKernelModules:
     default: {}
     description: Hash of extra Kernel modules to load.
@@ -126,6 +138,7 @@ outputs:
           - 'localhost'
         kernel_modules:
           map_merge:
+            - br_netfilter: {}
             - nf_conntrack: {}
             - {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
         kernel_packages: {get_attr: [RoleParametersValue, value, extra_kernel_packages]}
@@ -203,6 +216,12 @@ outputs:
                 value: {get_param: NeighbourGcThreshold2}
               net.ipv4.neigh.default.gc_thresh3:
                 value: {get_param: NeighbourGcThreshold3}
+              net.bridge.bridge-nf-call-arptables:
+                value: {get_param: BridgeNfCallArpTables}
+              net.bridge.bridge-nf-call-iptables:
+                value: {get_param: BridgeNfCallIpTables}
+              net.bridge.bridge-nf-call-ip6tables:
+                value: {get_param: BridgeNfCallIp6Tables}
               # set inotify value for neutron/dnsmasq scale
               fs.inotify.max_user_instances:
                 value: {get_param: InotifyIntancesMax}

deployment/kernel/kernel-baremetal-ansible.yaml

@@ -72,6 +72,18 @@ parameters:
     default: 1024
     description: Configures sysctl fs.inotify.max_user_instances key
     type: number
+  BridgeNfCallArpTables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-arptables key
+    type: number
+  BridgeNfCallIpTables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-iptables key
+    type: number
+  BridgeNfCallIp6Tables:
+    default: 1
+    description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
+    type: number
   ExtraKernelModules:
     default: {}
     description: Hash of extra Kernel modules to load.
@@ -149,6 +161,12 @@ outputs:
                 value: {get_param: NeighbourGcThreshold2}
               net.ipv4.neigh.default.gc_thresh3:
                 value: {get_param: NeighbourGcThreshold3}
+              net.bridge.bridge-nf-call-arptables:
+                value: {get_param: BridgeNfCallArpTables}
+              net.bridge.bridge-nf-call-iptables:
+                value: {get_param: BridgeNfCallIpTables}
+              net.bridge.bridge-nf-call-ip6tables:
+                value: {get_param: BridgeNfCallIp6Tables}
               fs.inotify.max_user_instances:
                 value: {get_param: InotifyIntancesMax}
             - {get_attr: [RoleParametersValue, value, extra_sysctl_settings]}

releasenotes/notes/fix-bridge-nf-call-defaults.rst

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
+    may not be applied due to br_netfilter not being loaded. These values must
+    be 1 for security groups to work.