From 3d722dbc810b0f9521ce1cfc461789bdfe20e36d Mon Sep 17 00:00:00 2001
From: Terry Wilson
Date: Mon, 30 Sep 2019 13:00:49 -0500
Subject: [PATCH] Set bridge-nf-call-* values to 1

Although the kernel default is 1, some distros override the defaults via sysctl.conf. Loading br_netfilter manually will show values of 1, but then doing a 'sysctl network restart' will set the values to 0--so go ahead and override these values.

Co-Author: Luke Short
Depends-On: Ia28f2fdef34e739801c51828c99e9e6598dd2efb
Change-Id: I53dec308d359b27e62ed44e91a8eaae38d945a4f
Closes-Bug: #1843259
---
 .../kernel/kernel-baremetal-puppet.yaml | 19 +++++++++++++++++++
 .../kernel/kernel-baremetal-ansible.yaml | 18 ++++++++++++++++++
 .../notes/fix-bridge-nf-call-defaults.rst | 6 ++++++
 3 files changed, 43 insertions(+)
 create mode 100644 releasenotes/notes/fix-bridge-nf-call-defaults.rst

diff --git a/deployment/deprecated/kernel/kernel-baremetal-puppet.yaml b/deployment/deprecated/kernel/kernel-baremetal-puppet.yaml
index 7901ca9064..7415dc8b99 100644
--- a/deployment/deprecated/kernel/kernel-baremetal-puppet.yaml
+++ b/deployment/deprecated/kernel/kernel-baremetal-puppet.yaml
@@ -72,6 +72,18 @@ parameters:
 default: 1024
 description: Configures sysctl fs.inotify.max_user_instances key
 type: number
+ BridgeNfCallArpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-arptables key
+ type: number
+ BridgeNfCallIpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-iptables key
+ type: number
+ BridgeNfCallIp6Tables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
+ type: number
 ExtraKernelModules:
 default: {}
 description: Hash of extra Kernel modules to load.
@@ -126,6 +138,7 @@ outputs:
 - 'localhost'
 kernel_modules:
 map_merge:
+ - br_netfilter: {}
 - nf_conntrack: {}
 - {get_attr: [RoleParametersValue, value, extra_kernel_modules]}
 kernel_packages: {get_attr: [RoleParametersValue, value, extra_kernel_packages]}
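Review bot: The three parameter descriptions added in the `@@ -72,6 +72,18 @@` hunk state only which sysctl key each one configures, while the release note in this same patch says these values must be 1 for security groups to work; an operator reading the parameter alone cannot tell that overriding it to 0 switches off security-group filtering for bridged traffic. Suggest `description: Configures sysctl net.bridge.bridge-nf-call-iptables key. Must remain 1 for security groups to be enforced on bridged traffic.` and the equivalent wording for the arptables and ip6tables parameters. Since the sysctl is effectively a 0/1 switch, `type: number` could also carry `constraints: - allowed_values: [0, 1]` so a bad value is rejected at stack validation rather than when the sysctl is written on the host. The identical parameter hunk in kernel-baremetal-ansible.yaml has the same gap.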
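Review bot: The `net.bridge.bridge-nf-call-*` keys written in this file's `@@ -203,6 +216,12 @@` hunk exist only while br_netfilter is loaded, so the `- br_netfilter: {}` entry added in the `@@ -126,6 +138,7 @@` hunk is load-bearing for that sysctl hunk, yet nothing in the diff shows that module loading runs before the sysctl settings are applied (the consumer of `kernel_modules` and of the sysctl map is outside both hunks). If that ordering is guaranteed elsewhere, a comment on the new line would save the next reader the lookup, e.g. `# br_netfilter must be loaded before the net.bridge.* sysctl keys below exist`; if it is not guaranteed, the sysctl write would presumably fail or be skipped on a host where the module was not already loaded. This template also lives under deployment/deprecated/, so the fix needs to be confirmed on the non-deprecated path as well.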
@@ -203,6 +216,12 @@ outputs:
 value: {get_param: NeighbourGcThreshold2}
 net.ipv4.neigh.default.gc_thresh3:
 value: {get_param: NeighbourGcThreshold3}
+ net.bridge.bridge-nf-call-arptables:
+ value: {get_param: BridgeNfCallArpTables}
+ net.bridge.bridge-nf-call-iptables:
+ value: {get_param: BridgeNfCallIpTables}
+ net.bridge.bridge-nf-call-ip6tables:
+ value: {get_param: BridgeNfCallIp6Tables}
 # set inotify value for neutron/dnsmasq scale
 fs.inotify.max_user_instances:
 value: {get_param: InotifyIntancesMax}
diff --git a/deployment/kernel/kernel-baremetal-ansible.yaml b/deployment/kernel/kernel-baremetal-ansible.yaml
index 3b981d2f07..841367ff00 100644
--- a/deployment/kernel/kernel-baremetal-ansible.yaml
+++ b/deployment/kernel/kernel-baremetal-ansible.yaml
@@ -72,6 +72,18 @@ parameters:
 default: 1024
 description: Configures sysctl fs.inotify.max_user_instances key
 type: number
+ BridgeNfCallArpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-arptables key
+ type: number
+ BridgeNfCallIpTables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-iptables key
+ type: number
+ BridgeNfCallIp6Tables:
+ default: 1
+ description: Configures sysctl net.bridge.bridge-nf-call-ip6tables key
+ type: number
 ExtraKernelModules:
 default: {}
 description: Hash of extra Kernel modules to load.
@@ -149,6 +161,12 @@ outputs:
 value: {get_param: NeighbourGcThreshold2}
 net.ipv4.neigh.default.gc_thresh3:
 value: {get_param: NeighbourGcThreshold3}
+ net.bridge.bridge-nf-call-arptables:
+ value: {get_param: BridgeNfCallArpTables}
+ net.bridge.bridge-nf-call-iptables:
+ value: {get_param: BridgeNfCallIpTables}
+ net.bridge.bridge-nf-call-ip6tables:
+ value: {get_param: BridgeNfCallIp6Tables}
 fs.inotify.max_user_instances:
 value: {get_param: InotifyIntancesMax}
 - {get_attr: [RoleParametersValue, value, extra_sysctl_settings]}
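Review bot: The ansible template's `@@ -149,6 +161,12 @@` hunk writes `net.bridge.bridge-nf-call-arptables`, `-iptables` and `-ip6tables`, but per the diffstat (18 insertions here, all accounted for by the parameter and sysctl hunks, versus 19 in the puppet template) this file receives no `- br_netfilter: {}` entry in its `kernel_modules` map_merge, and that section is not touched by the diff. Those keys are only present once br_netfilter is loaded, so on a host where the module is not already loaded the write would presumably fail or be skipped and enforcement of security groups on bridged traffic would stay at whatever the distro's sysctl.conf left it — the situation the release note says this patch fixes. Unless the module load is guaranteed by the Depends-On change, the ansible template's `kernel_modules` map_merge (outside this hunk) should get the same `- br_netfilter: {}` line the puppet template gains. The puppet sysctl hunk `@@ -203,6 +216,12 @@` has the same module dependency, satisfied in that file by its kernel_modules change.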
diff --git a/releasenotes/notes/fix-bridge-nf-call-defaults.rst b/releasenotes/notes/fix-bridge-nf-call-defaults.rst
new file mode 100644
index 0000000000..4543de0b39
--- /dev/null
+++ b/releasenotes/notes/fix-bridge-nf-call-defaults.rst
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Sets the bridge-nf-call-* values to 1, overriding any distro defaults that
+ may not be applied due to br_netfilter not being loaded. These values must
+ be 1 for security groups to work.