]> review.fuel-infra Code Review - openstack-build/neutron-build.git/commitdiff
Code Review / openstack-build / neutron-build.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 38fa3ce)
Support rootwrap sysctl and conntrack commands for non-l3 nodes
authorrossella <rsblendido@suse.com>
Tue, 22 Dec 2015 19:14:15 +0000 (19:14 +0000)
committerCarl Baldwin <carl@ecbaldwin.net>
Mon, 4 Jan 2016 20:05:10 +0000 (20:05 +0000)
Iptables-firewall use commands sysctl and conntrack.
These are missed out in the plugins resulting in (No filter matched) errors in
non-l3 nodes. L3 nodes do not have this problem as l3.filters rootwraps these
commands.

Closes-bug: #1528641

Change-Id: I1167544a41f2ea91781ae2bb7aa208e25fec1524

etc/neutron/rootwrap.d/iptables-firewall.filters patch | blob | history

diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
index b8a6ab5b3babc4303c4a0b1aec772799f3ea798f..29c78dae3f0bbc38566645d52f2a3bc0757ba0c6 100644 (file)
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 #   "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+#   "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
\ No newline at end of file