From 320466728eb40d55eebd4b9d2075e9abe8bc9006 Mon Sep 17 00:00:00 2001
From: CoprDistGit
Date: Tue, 14 Nov 2023 08:12:23 +0000
Subject: automatic import of openstack-neutron
---
neutron-enable-bridge-firewall.sh | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100755 neutron-enable-bridge-firewall.sh
(limited to 'neutron-enable-bridge-firewall.sh')
diff --git a/neutron-enable-bridge-firewall.sh b/neutron-enable-bridge-firewall.sh
new file mode 100755
index 0000000..ae7a141
--- /dev/null
+++ b/neutron-enable-bridge-firewall.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This script is triggered on every ovs/linuxbridge agent start. Its intent is
+# to make sure the firewall for bridged traffic is enabled before we start an
+# agent that may atttempt to set firewall rules on a bridge (a common thing for
+# linuxbridge and ovs/hybrid backend setup).
+
+# before enabling the firewall, load the relevant module
+/usr/sbin/modprobe bridge
+
+# on newer kernels (3.18+), sysctl knobs are split into a separate module;
+# attempt to load it, but don't fail if it's missing (f.e. when running against
+# an older kernel version)
+/usr/sbin/modprobe br_netfilter 2>> /dev/null || :
+
+# now enable the firewall in case it's disabled (f.e. rhel 7.2 and earlier)
+for proto in ip ip6; do
+ /usr/sbin/sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
+done
--
cgit v1.2.3
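Review bot: The script reports only the exit status of the last `sysctl -w` (the `ip6` iteration), so a failed `modprobe bridge` or a failed write of `net.bridge.bridge-nf-call-iptables` goes unnoticed and the script still exits 0. The agent could then start with bridged IPv4 traffic not passing through iptables, which means the filtering this script exists to guarantee is silently absent. I would make the loop body fail closed with `/usr/sbin/sysctl -w "net.bridge.bridge-nf-call-${proto}tables=1" || exit 1`, leaving the deliberate `|| :` on the `br_netfilter` load as it is. Whether the calling unit treats a non-zero exit as fatal is not visible in this patch and should be confirmed there. A short comment above the loop saying that a failure here must block agent start would record the intent.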