review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
Ensure netfilter is enabled for bridges
author Ian Wienand <iwienand@redhat.com>
Thu, 7 May 2015 04:59:38 +0000 (14:59 +1000)
committer Ian Wienand <iwienand@redhat.com>
Fri, 29 May 2015 11:09:27 +0000 (21:09 +1000)
commit 359b7c971a88f6dff64e8e4d558210a880f3ee0f
tree dd7b52f8bbcaaa6c88f9322f680514d93a430ffd
parent 4e34dded69d9661719dde12e52875ad427998016
Ensure netfilter is enabled for bridges

Since security-groups use iptables rules on Linux bridges, we need to
ensure that netfilter is enabled for bridges.  Unfortunately, there
seems to be a long history of distributions having differing defaults
for this, best described in [1].

It seems at the moment everyone has to discover this for themselves;
packstack found it in Ia8c86dcb31810a8d6b133a161388604fde9bead4, then
fuel found the same thing in I8582c24706c3a7253e00569eef275f116d765bca
and then finally someone else hit it and put it into documentation
with I4ed3cec03a1b3a7d56dfe18394154ec1b2db6791.  I just spent a long
time figuring it out too when deploying with devstack.

Rather than having yet another fix in devstack, I don't see why
neutron shouldn't be ensuring the setting is correct when it starts up
-- without these settings enabled, security-groups are silently
broken.  This does that, and modifies test-cases to check we make the
calls.

[1] http://wiki.libvirt.org/page/Net.bridge-nf-call_and_sysctl.conf

Change-Id: If2d316eb8c422dc1e4f34b17a50b93dd72993a99
neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/test_securitygroups_rpc.py
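
An added example, not code from this commit or from neutron: a read-only check that reports whether bridge netfilter is enabled on a host, including the case where the sysctl entries are absent. It assumes the setting the message refers to is the kernel's three net.bridge.bridge-nf-call-* sysctls (not spelled out on this page); the function names and the `proc_sys` parameter are hypothetical.

```python
import os
import tempfile

# Assumed keys: the kernel sysctls that pass bridged frames through
# arptables / iptables / ip6tables (names are not given on the page).
BRIDGE_NF_KEYS = (
    "bridge-nf-call-arptables",
    "bridge-nf-call-iptables",
    "bridge-nf-call-ip6tables",
)


def check_bridge_netfilter(proc_sys="/proc/sys"):
    """Return {key: 'enabled' | 'disabled' | 'missing'} for each sysctl.

    'missing' means the file could not be read; on kernels that ship
    bridge netfilter as a separate module (br_netfilter) this usually
    means the module is not loaded, so nothing is filtered either.
    """
    states = {}
    for key in BRIDGE_NF_KEYS:
        path = os.path.join(proc_sys, "net", "bridge", key)
        try:
            with open(path) as fh:
                value = fh.read().strip()
        except OSError:
            states[key] = "missing"
            continue
        states[key] = "enabled" if value == "1" else "disabled"
    return states


def bridge_netfilter_ready(states):
    """True only when every key is present and set to 1."""
    return all(state == "enabled" for state in states.values())


def make_constructed_tree(values):
    """Build a fake /proc/sys tree (constructed sample input) for offline runs."""
    root = tempfile.mkdtemp()
    bridge_dir = os.path.join(root, "net", "bridge")
    os.makedirs(bridge_dir)
    for key, value in values.items():
        with open(os.path.join(bridge_dir, key), "w") as fh:
            fh.write(value + "\n")
    return root


if __name__ == "__main__":
    for key, state in check_bridge_netfilter().items():
        print(f"net.bridge.{key}: {state}")
```

Treat a "missing" result the same as "disabled" when alerting: in both cases iptables rules on the bridge are not applied to bridged traffic.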