zuul/zuul-jobs
Code Issues Proposed changes

Authorize the multi-node-bridge network in iptables if there's one

Browse Source 
This allows packets to flow freely between things that bind IPs on the
network bridge.

Change-Id: Iaacdca31b27b7033ec08499bcea7061b9d3ec279
This commit is contained in:
David Moreau-Simard 2017-10-31 14:14:55 -04:00
parent 180fa799be
commit efd90dd2f9
No known key found for this signature in database
GPG Key ID: 33A07694CBB71ECC
3 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
roles/multi-node-bridge/README.rst
View File

@ -48,6 +48,13 @@ inventory in order to work:
Whether or not to configure an IP address on the bridge interface. Whether or not to configure an IP address on the bridge interface.
.. zuul:rolevar:: bridge_authorize_internal_traffic
:default: false
When ``bridge_configure_address`` is ``true``, whether or not to set up
firewall rules in order to allow traffic to flow freely within the bridge
subnet (``bridge_address_prefix``.0/``bridge_address_subnet``).
.. zuul:rolevar:: bridge_address_prefix .. zuul:rolevar:: bridge_address_prefix
:default: 172.24.4 :default: 172.24.4

1
roles/multi-node-bridge/defaults/main.yaml
View File

@ -2,6 +2,7 @@ bridge_vni_offset: 1000000
bridge_mtu: 1450 bridge_mtu: 1450
bridge_name: br-infra bridge_name: br-infra
bridge_authorize_internal_traffic: false
bridge_configure_address: true bridge_configure_address: true
bridge_address_prefix: 172.24.4 bridge_address_prefix: 172.24.4
bridge_address_offset: 1 bridge_address_offset: 1

14
roles/multi-node-bridge/tasks/common.yaml
View File

@ -38,3 +38,17 @@
name: "rdo-release" name: "rdo-release"
state: absent state: absent
when: rdo_repos | changed when: rdo_repos | changed
- name: Authorize the multi-node-bridge network
become: yes
iptables:
state: present
action: insert
chain: INPUT
ip_version: ipv4
source: "{{ bridge_address_prefix }}.0/{{ bridge_address_subnet }}"
destination: "{{ bridge_address_prefix }}.0/{{ bridge_address_subnet }}"
jump: ACCEPT
when:
- bridge_configure_address | bool
- bridge_authorize_internal_traffic | bool