Change iptables to nftables on ovn adoption #764

Open
wants to merge 1 commit into
base: main
16 changes: 8 additions & 8 deletions tests/roles/ovn_adoption/tasks/main.yaml
Expand Up @@ -151,22 +151,22 @@
$CONTROLLER3_SSH sudo systemctl stop tripleo_ovn_cluster_northd.service

# If ovn_adoption is done using scenario A (different networks between podified
# and tripleo deployments) in order to be able to dump OVN database an iptable
# and tripleo deployments) in order to be able to dump OVN database a nftable
# filter allowing traffic from podified network is needed. Adding the rules
# no matter the scenario to simplify logic and on a non-scenario-A environment
# this rule shouldn't harm.
- name: Add iptables rule to allow podified internalapi trafic to controllers
- name: Add nftables rule to allow podified internalapi trafic to controllers
ansible.builtin.shell: |
{{ shell_header }}
{{ oc_header }}
{{ ovn_copy_shell_vars }}

$CONTROLLER1_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER1_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER2_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER2_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER3_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER3_SSH sudo iptables -I INPUT -s 172.17.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment \'121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4\' -j ACCEPT
$CONTROLLER1_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
$CONTROLLER1_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept
$CONTROLLER2_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
$CONTROLLER2_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept
$CONTROLLER3_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept
$CONTROLLER3_SSH sudo nft add rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6642 ct state new counter accept

- name: dump OVN databases using tcp connection
no_log: "{{ use_no_log }}"
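Review bot: `iptables -I INPUT` inserted the rule at the head of the chain, but `nft add rule inet filter INPUT ...` appends it at the tail, so on a controller whose INPUT chain ends in a drop or reject rule the new accept rules are never reached and the OVN DB dump over TCP still fails. Use `nft insert rule inet filter INPUT ip saddr 172.17.1.0/24 tcp dport 6641 ct state new counter accept` (and the 6642 variant) to keep the original insert-at-top semantics. The commands also assume a table `inet filter` with a chain named `INPUT` already exists on each controller; `nft` errors out otherwise, so it is worth checking with `nft list chain inet filter INPUT` on the target nodes before relying on this. Two smaller points: the `comment '121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4'` the iptables rules carried was dropped, and nft accepts a trailing `comment "121 OVN DB server and cluster ports for 172.17.1.0/24 ipv4"` so the rules stay identifiable in `nft list ruleset`; and the task name still reads `trafic`, while the comment above it should say `an nftables filter` rather than `a nftable`.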