From 20fd60cea18930f3520068f5bdb16419c5934d0b Mon Sep 17 00:00:00 2001
From: Arnau Verdaguer
Date: Fri, 13 Dec 2024 09:41:31 +0100
Subject: [PATCH] Change iptables to nftables

On 17.1.4 iptables was changed for nftables.
---
tests/roles/ovn_adoption/tasks/main.yaml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/roles/ovn_adoption/tasks/main.yaml b/tests/roles/ovn_adoption/tasks/main.yaml
index 3792bfe78..477f0db08 100644
--- a/tests/roles/ovn_adoption/tasks/main.yaml
+++ b/tests/roles/ovn_adoption/tasks/main.yaml
@@ -151,22 +151,22 @@ $CONTROLLER3_SSH sudo systemctl stop tripleo_ovn_cluster_northd.service
 # If ovn_adoption is done using scenario A (different networks between podified
-# and tripleo deployments) in order to be able to dump OVN database an iptable
+# and tripleo deployments) in order to be able to dump OVN database a nftable
 # filter allowing traffic from podified network is needed. Adding the rules
 # no matter the scenario to simplify logic and on a non-scenario-A environment
 # this rule shouldn't harm.
-- name: Add iptables rule to allow podified internalapi trafic to controllers
+- name: Add nftables rule to allow podified internalapi trafic to controllers
 ansible.builtin.shell: |
 {{ shell_header }}
 {{ oc_header }}
 {{ ovn_copy_shell_vars }}
- $CONTROLLER1_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
- $CONTROLLER1_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
- $CONTROLLER2_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
- $CONTROLLER2_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
- $CONTROLLER3_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
- $CONTROLLER3_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
+ $CONTROLLER1_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
+ $CONTROLLER1_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept
+ $CONTROLLER2_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
+ $CONTROLLER2_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept
+ $CONTROLLER3_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
+ $CONTROLLER3_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept
 - name: dump OVN databases using tcp connection
 no_log: "{{ use_no_log }}"
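Review bot: The six new rules are appended with `nft add rule inet filter INPUT …`, whereas the `iptables -I INPUT` lines they replace inserted at the head of the chain, so on a controller whose INPUT chain ends in a drop or reject rule the OVN DB ports 6641/6642 would still be unreachable from 172.17.1.0/24; `nft insert rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept` (and likewise for the other five lines) preserves the original precedence. The rewrite also drops the `'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4'` rule comment the iptables version carried; nft accepts a trailing `comment "121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4"` on each rule, which keeps the rules identifiable in `nft list ruleset` and during cleanup. The `inet filter` table and `INPUT` chain are assumed to exist with exactly those names on the 17.1.4 controllers — `nft add rule` fails rather than creating them if they do not, so this is worth confirming against the deployed ruleset. Like the iptables version, the task is not idempotent and re-runs append duplicate rules, which a preceding `nft list chain inet filter INPUT` check could avoid.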