From: rossella
Date: Tue, 22 Dec 2015 19:14:15 +0000 (+0000)
Subject: Support rootwrap sysctl and conntrack commands for non-l3 nodes
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=0d5d0149550345272d7cd04aa92e489777561e58;p=openstack-build%2Fneutron-build.git

Support rootwrap sysctl and conntrack commands for non-l3 nodes

Iptables-firewall use commands sysctl and conntrack. These are missed out in the plugins resulting in (No filter matched) errors in non-l3 nodes. L3 nodes do not have this problem as l3.filters rootwraps these commands.

Closes-bug: #1528641
Change-Id: I1167544a41f2ea91781ae2bb7aa208e25fec1524
---

diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
index b8a6ab5b3..29c78dae3 100644
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ b/etc/neutron/rootwrap.d/iptables-firewall.filters
@@ -19,3 +19,10 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
 # "iptables", "-A", ...
 iptables: CommandFilter, iptables, root
 ip6tables: CommandFilter, ip6tables, root
+
+# neutron/agent/linux/iptables_manager.py
+# "sysctl", "-w", ...
+sysctl: CommandFilter, sysctl, root
+
+# neutron/agent/linux/ip_conntrack.py
+conntrack: CommandFilter, conntrack, root
\ No newline at end of file
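Review bot: The added `sysctl: CommandFilter, sysctl, root` entry matches on the command name only, so the agent's unprivileged user may run sysctl as root with any arguments, not just the `-w` form the comment above it documents. Rootwrap filters are the privilege boundary for the agent, so on non-l3 nodes this grants write access to every kernel parameter where only the keys the firewall driver sets are needed. Consider constraining the arguments with a RegExpFilter, for example `sysctl: RegExpFilter, sysctl, root, sysctl, -w, <ALLOWED_KEY_REGEX>=.*`, where the placeholder stands for the keys the driver actually writes. The same reasoning applies to `conntrack: CommandFilter, conntrack, root`, which permits every conntrack operation rather than only those issued by ip_conntrack.py; that entry also has no comment showing the expected argument form, and the file ends without a trailing newline.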