Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhos-17.1.6
Affects Version/s: rhos-17.1.z
Component/s: tripleo-ansible
Labels:
None

Story Points:
4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs Approval:
?
Fixed in Build:
tripleo-ansible-3.3.1-17.1.20250228030959.8debef3.el9ost
Regression:
None
Release Note Text:

Hide
.Default policy ensures nftables reload at the end of deployment

Before this update, iptables default tables were added to nftables to ensure backwards compatibility. However, there was a default ALLOW INPUT rule instead of a default DROP rule, and nftables were not reloaded at the end of the deployment. With this update, the correct rules are applied to ensure that nftables are reloaded at the end of the deployment.

Show
.Default policy ensures nftables reload at the end of deployment Before this update, iptables default tables were added to nftables to ensure backwards compatibility. However, there was a default ALLOW INPUT rule instead of a default DROP rule, and nftables were not reloaded at the end of the deployment. With this update, the correct rules are applied to ensure that nftables are reloaded at the end of the deployment.
Release Note Type:
Bug Fix
Release Note Status:
Done
Git Pull Request:
https://gitlab.cee.redhat.com/eng/openstack/tripleo-ansible/-/merge_requests/2
Intelligence Requested:
Market:
Errata Link:
https://errata.engineering.redhat.com/advisory/148328

Sprint:
EDPM Sprint 1
sprint_count:
1
Severity:
Critical

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

To Reproduce Steps to reproduce the behavior: check nftables rules on any overcloud node

Expected behavior chains with firewall rules should either have a rule at the end to drop all traffic that wasn't matched by allow rules or should have a drop policy

Bug impact: firewall doesn't work anymore after update to RHOSP 17.1.4 and above

Known workaround: to manually add a drop rule

Additional context

at first we dropped a separate drop rule and merged it with log rule here https://gitlab.cee.redhat.com/eng/openstack/tripleo-ansible/-/commit/512a543b1e600b2df4d860424548cf82f71e503a
then we made logging rule optional to limit output to serial console https://gitlab.cee.redhat.com/eng/openstack/tripleo-ansible/-/commit/a3f4b4063eb7a8cf1b69319b21dd6a34dde527c3

IMO we need to return a separate drop rule and keep logging rule optional

links to

RHBA-2025:148328 Red Hat OpenStack Platform 17.1 bug fix and enhancement advisory

Assignee:: David Rosenfeld

Reporter:: Alex Stupnikov

Team:: rhos-dfg-df

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/02/13 8:28 PM

Updated:: 2025/09/13 5:11 PM

Resolved:: 2025/05/07 4:00 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty