From 264866ca2bf6e493692be3fc183fb059931c93d8 Mon Sep 17 00:00:00 2001
From: Doug Szumski <doug@stackhpc.com>
Date: Fri, 20 Jul 2018 16:31:30 +0100
Subject: [PATCH] Support setting rp_filter mode

Enables setting rp_filter mode on Neutron L3 agent and Nova compute
hosts whilst maintaining the default that it is disabled.

Closes-Bug: #1782799
Change-Id: I93e53bad9727beb786b00bd7fcd6d78785c619c2
---
 ansible/roles/neutron/defaults/main.yml | 2 ++
 ansible/roles/neutron/tasks/config.yml  | 4 ++--
 ansible/roles/nova/defaults/main.yml    | 1 +
 ansible/roles/nova/tasks/config.yml     | 4 ++--
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index 4418b6698e..5e946bd5f5 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -242,6 +242,8 @@ neutron_logging_debug: "{{ openstack_logging_debug }}"
 
 openstack_neutron_auth: "{{ openstack_auth }}"
 
+neutron_l3_agent_host_rp_filter_mode: 0
+
 ####################
 # Extension drivers
 ####################
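Review bot: The new `neutron_l3_agent_host_rp_filter_mode: 0` default has no comment saying what the values mean, and the same applies to `nova_compute_host_rp_filter_mode: 0` in ansible/roles/nova/defaults/main.yml. This variable controls the kernel's reverse-path source-address check, so an operator should be able to see from the defaults file that 0 leaves spoofed-source filtering off. I would add above it: `# rp_filter mode written to net.ipv4.conf.{all,default}: 0 = no source validation, 1 = strict, 2 = loose`. A second comment line could note that the kernel applies the higher of the `all` and per-interface values, so a non-zero mode affects every interface on the host.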
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 983a55ed90..f5b3153552 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -6,8 +6,8 @@
   sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
   with_items:
     - { name: "net.ipv4.ip_forward", value: 1}
-    - { name: "net.ipv4.conf.all.rp_filter", value: 0}
-    - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
+    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ neutron_l3_agent_host_rp_filter_mode }}"}
   when:
     - set_sysctl | bool
     - (neutron_l3_agent.enabled | bool and neutron_l3_agent.host_in_groups | bool)
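Review bot: The two templated items here and the matching pair in ansible/roles/nova/tasks/config.yml write the same host-wide keys, `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter`, from two independent variables. On a host that satisfies both `when` conditions (L3 agent enabled and a member of `compute`), the effective mode would be whichever role ran last, and the play would flip it on every run if the two values differ. Either drive both tasks from one shared variable, or document next to each default that the two must agree on hosts that carry both roles. Nothing visible restricts the value to 0, 1 or 2, so a check before the sysctl task would catch a mistyped override; the task's first lines are outside this hunk.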
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index 689c1bef8a..dffa7f4d85 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -277,6 +277,7 @@ nova_logging_debug: "{{ openstack_logging_debug }}"
 openstack_nova_auth: "{{ openstack_auth }}"
 openstack_placement_auth: "{{ openstack_auth }}"
 
+nova_compute_host_rp_filter_mode: 0
 
 nova_libvirt_port: "16509"
 nova_ssh_port: "8022"
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index d3199e7f7c..3b87f0af87 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -5,8 +5,8 @@
   with_items:
     - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
     - { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
-    - { name: "net.ipv4.conf.all.rp_filter", value: 0}
-    - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+    - { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
+    - { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter mode }}"}
   when:
     - set_sysctl | bool
     - inventory_hostname in groups['compute']
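Review bot: The second added item references `{{ nova_compute_host_rp_filter mode }}` with a space where the underscore before `mode` should be. That is not a valid Jinja2 expression, so templating this item should fail when the task runs on a compute host with `set_sysctl` enabled. The line should read `- { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}`. Because the `all` item precedes it in the loop, a failed run can leave `all` updated and `default` unchanged, which is worth re-checking on any host where this was applied. The task's header lines are outside the hunk.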