From 8c246943788e53c097005e29dafb0d0dd83b1cf9 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 29 Jan 2015 14:00:54 -0800
Subject: [PATCH] Expand ranges on iptables rules for floating IPs

We have a small set of iptables rules on our single use slaves that enable ironic and heat functionality. We are shifting the floating IP range from 172.24.4.0/24 to 172.24.5.0/24 and placing an overlapping range of 172.24.4.0/23 to give compute nodes routes to the floating IPs in multinode situations. To accmodate these changes expand the existing rules to cover 172.24.4.0/23 instead of just 172.24.4.0/24.

Change-Id: I0b28c3607747c3939912ce4664627910f431dba6
---
 .../openstack_project/manifests/single_use_slave.pp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/openstack_project/manifests/single_use_slave.pp b/modules/openstack_project/manifests/single_use_slave.pp
index 6e70691bd6..3cbc54bee8 100644
--- a/modules/openstack_project/manifests/single_use_slave.pp
+++ b/modules/openstack_project/manifests/single_use_slave.pp
@@ -30,13 +30,13 @@ class openstack_project::single_use_slave (
 [
 # Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
 # the ironic API from the neutron public net
- '-p udp --dport 69 -s 172.24.4.0/24 -j ACCEPT',
- '-p tcp --dport 6385 -s 172.24.4.0/24 -j ACCEPT',
+ '-p udp --dport 69 -s 172.24.4.0/23 -j ACCEPT',
+ '-p tcp --dport 6385 -s 172.24.4.0/23 -j ACCEPT',
 # Ports 8000, 8003, 8004 from the devstack neutron public net to allow
 # nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
- '-p tcp --dport 8000 -s 172.24.4.0/24 -j ACCEPT',
- '-p tcp --dport 8003 -s 172.24.4.0/24 -j ACCEPT',
- '-p tcp --dport 8004 -s 172.24.4.0/24 -j ACCEPT',
+ '-p tcp --dport 8000 -s 172.24.4.0/23 -j ACCEPT',
+ '-p tcp --dport 8003 -s 172.24.4.0/23 -j ACCEPT',
+ '-p tcp --dport 8004 -s 172.24.4.0/23 -j ACCEPT',
 '-m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "',
 ],
 }
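Review bot: The new `172.24.4.0/23` is pasted into five separate rule strings in this hunk, so the next range shift (the description already describes moving floating IPs from 172.24.4.0/24 to 172.24.5.0/24) means editing five lines again; hoisting it once, e.g. `$floating_net = '172.24.4.0/23'` ahead of the array and `"-p udp --dport 69 -s ${floating_net} -j ACCEPT"` in each rule (double quotes so Puppet interpolates), keeps the five ACCEPTs in step. The two comments above the rules still say only "from the neutron public net"; since the /23 now spans both the old and the new floating ranges, a comment such as `# 172.24.4.0/23 covers the old (172.24.4.0/24) and new (172.24.5.0/24) floating ranges` would record why the accepted source set was widened. Widening `-s` also means any host later placed in the vacated 172.24.4.0/24 is trusted for TFTP (69), the ironic API (6385) and the heat APIs (8000/8003/8004) on these slaves; if that is acceptable it is worth saying so in the comment, and if not, the rules could name the two /24s explicitly instead of the supernet. The enclosing class, and the parameter whose default this array appears to be, start before the hunk.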