From efd90dd2f9f3a4a0dd8ec2155ba72852db20bb19 Mon Sep 17 00:00:00 2001
From: David Moreau-Simard
Date: Tue, 31 Oct 2017 14:14:55 -0400
Subject: [PATCH] Authorize the multi-node-bridge network in iptables if there's one
This allows packets to flow freely between things that bind IPs on the network bridge.
Change-Id: Iaacdca31b27b7033ec08499bcea7061b9d3ec279
---
 roles/multi-node-bridge/README.rst | 7 +++++++
 roles/multi-node-bridge/defaults/main.yaml | 1 +
 roles/multi-node-bridge/tasks/common.yaml | 14 ++++++++++++++
 3 files changed, 22 insertions(+)
diff --git a/roles/multi-node-bridge/README.rst b/roles/multi-node-bridge/README.rst
index 5d3bbeb6f..fe6266f8b 100644
--- a/roles/multi-node-bridge/README.rst
+++ b/roles/multi-node-bridge/README.rst
@@ -48,6 +48,13 @@ inventory in order to work:
 Whether or not to configure an IP address on the bridge interface.
+.. zuul:rolevar:: bridge_authorize_internal_traffic
+ :default: false
+
+ When ``bridge_configure_address`` is ``true``, whether or not to set up
+ firewall rules in order to allow traffic to flow freely within the bridge
+ subnet (``bridge_address_prefix``.0/``bridge_address_subnet``).
+ .. zuul:rolevar:: bridge_address_prefix + :default: 172.24.4
diff --git a/roles/multi-node-bridge/defaults/main.yaml b/roles/multi-node-bridge/defaults/main.yaml
index 9458b50eb..dc93e7b81 100644
--- a/roles/multi-node-bridge/defaults/main.yaml
+++ b/roles/multi-node-bridge/defaults/main.yaml
@@ -2,6 +2,7 @@
 bridge_vni_offset: 1000000
 bridge_mtu: 1450
 bridge_name: br-infra
+bridge_authorize_internal_traffic: false
 bridge_configure_address: true
 bridge_address_prefix: 172.24.4
 bridge_address_offset: 1
diff --git a/roles/multi-node-bridge/tasks/common.yaml b/roles/multi-node-bridge/tasks/common.yaml
index 671fe6407..2cc66e18a 100644
--- a/roles/multi-node-bridge/tasks/common.yaml
+++ b/roles/multi-node-bridge/tasks/common.yaml
@@ -38,3 +38,17 @@
 name: "rdo-release"
 state: absent
 when: rdo_repos | changed
+
+- name: Authorize the multi-node-bridge network
+ become: yes
+ iptables:
+ state: present
+ action: insert
+ chain: INPUT
+ ip_version: ipv4
+ source: "{{ bridge_address_prefix }}.0/{{ bridge_address_subnet }}"
+ destination: "{{ bridge_address_prefix }}.0/{{ bridge_address_subnet }}"
+ jump: ACCEPT
+ when:
+ - bridge_configure_address | bool
+ - bridge_authorize_internal_traffic | bool
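Review bot: The ACCEPT rule inserted at the head of INPUT matches only on source and destination addresses, so a packet carrying a source address inside the bridge subnet is accepted whichever interface it arrived on; since the role already knows the bridge interface (`bridge_name` in defaults), adding `in_interface: "{{ bridge_name }}"` to the `iptables:` block keeps the authorization scoped to traffic that actually traverses the bridge. `become: yes` should be written `become: true` (yamllint truthy, and the file's other booleans are lowercase). The Ansible iptables module changes the running ruleset only and does not persist it across a reboot, which is presumably fine for a throwaway CI node but deserves a one-line comment above the task so nobody expects it to survive. `bridge_address_subnet` is referenced here and in the README but is not added in this patch's defaults hunk, so it presumably already exists in the role; worth confirming it is always defined when `bridge_configure_address` is true.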