authorCoprDistGit <infra@openeuler.org>2023-11-14 08:12:23 +0000
committerCoprDistGit <infra@openeuler.org>2023-11-14 08:12:23 +0000
commit320466728eb40d55eebd4b9d2075e9abe8bc9006 (patch)
tree918add67146f450fd1e1eaf042f54ee88e2dd09c /neutron-enable-bridge-firewall.sh
parentd424ec7beffffc4fa627ceae058272e7be1b3002 (diff)
automatic import of openstack-neutronopeneuler22.03_LTS_SP2
Diffstat (limited to 'neutron-enable-bridge-firewall.sh')
-rwxr-xr-xneutron-enable-bridge-firewall.sh19
1 files changed, 19 insertions, 0 deletions
diff --git a/neutron-enable-bridge-firewall.sh b/neutron-enable-bridge-firewall.sh
new file mode 100755
index 0000000..ae7a141
--- /dev/null
+++ b/neutron-enable-bridge-firewall.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is triggered on every ovs/linuxbridge agent start. Its intent is
+# to make sure the firewall for bridged traffic is enabled before we start an
+# agent that may atttempt to set firewall rules on a bridge (a common thing for
+# linuxbridge and ovs/hybrid backend setup).
+
+# before enabling the firewall, load the relevant module
+/usr/sbin/modprobe bridge
+
+# on newer kernels (3.18+), sysctl knobs are split into a separate module;
+# attempt to load it, but don't fail if it's missing (f.e. when running against
+# an older kernel version)
+/usr/sbin/modprobe br_netfilter 2>> /dev/null || :
+
+# now enable the firewall in case it's disabled (f.e. rhel 7.2 and earlier)
+for proto in ip ip6; do
+ /usr/sbin/sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+done
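Review bot: The `sysctl -w` calls in the final loop are unchecked, and only the last iteration's status becomes the script's exit status, so a failure to set `bridge-nf-call-iptables` is masked whenever the `ip6` write succeeds. Together with `modprobe br_netfilter 2>> /dev/null || :`, this means that on a 3.18+ kernel where the module cannot be loaded, the keys will be absent and the bridge firewall stays off. How the agent unit treats this script's exit status is not visible here, but if it is ignored, the agent would start with its iptables rules not applied to bridged traffic. Fail closed inside the loop with `/usr/sbin/sysctl -w net.bridge.bridge-nf-call-${proto}tables=1 || exit 1`, and check `/usr/sbin/modprobe bridge || exit 1` in the same way. I would also add a comment above the `br_netfilter` line: `# a missing module is only acceptable on pre-3.18 kernels; the sysctl writes below are what detect the failure`.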