Expand ranges on iptables rules for floating IPs

We have a small set of iptables rules on our single use slaves that enable ironic and heat functionality. We are shifting the floating IP range from 172.24.4.0/24 to 172.24.5.0/24 and placing an overlapping range of 172.24.4.0/23 to give compute nodes routes to the floating IPs in multinode situations. To accmodate these changes expand the existing rules to cover 172.24.4.0/23 instead of just 172.24.4.0/24. Change-Id: I0b28c3607747c3939912ce4664627910f431dba6
2015-01-29 14:00:54 -08:00 · 2015-01-29 14:00:54 -08:00 · 8c24694378
commit 8c24694378
parent 4ab5d57d5b
1 changed files with 5 additions and 5 deletions
--- a/modules/openstack_project/manifests/single_use_slave.pp
+++ b/modules/openstack_project/manifests/single_use_slave.pp
@ -30,13 +30,13 @@ class openstack_project::single_use_slave (
      [
        # Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
        # the ironic API from the neutron public net
-        '-p udp --dport 69 -s 172.24.4.0/24 -j ACCEPT',
-        '-p tcp --dport 6385 -s 172.24.4.0/24 -j ACCEPT',
+        '-p udp --dport 69 -s 172.24.4.0/23 -j ACCEPT',
+        '-p tcp --dport 6385 -s 172.24.4.0/23 -j ACCEPT',
        # Ports 8000, 8003, 8004 from the devstack neutron public net to allow
        # nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
-        '-p tcp --dport 8000 -s 172.24.4.0/24 -j ACCEPT',
-        '-p tcp --dport 8003 -s 172.24.4.0/24 -j ACCEPT',
-        '-p tcp --dport 8004 -s 172.24.4.0/24 -j ACCEPT',
+        '-p tcp --dport 8000 -s 172.24.4.0/23 -j ACCEPT',
+        '-p tcp --dport 8003 -s 172.24.4.0/23 -j ACCEPT',
+        '-p tcp --dport 8004 -s 172.24.4.0/23 -j ACCEPT',
        '-m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "',
      ],
  }