- Bug
- Resolution: Done-Errata
- Major
- rhos-17.1.z
- tripleo-ansible-3.3.1-17.1.20250228030959.8debef3.el9ost
- Bug Fix
- Done
- EDPM Sprint 1
- Critical

To Reproduce
Steps to reproduce the behavior: check nftables rules on any overcloud node

Expected behavior
Chains with firewall rules should either have a rule at the end to drop all traffic that wasn't matched by allow rules or should have a drop policy

Bug impact: firewall doesn't work anymore after update to RHOSP 17.1.4 and above

Known workaround: to manually add a drop rule

Additional context
- at first we dropped a separate drop rule and merged it with log rule here https://gitlab.cee.redhat.com/eng/openstack/tripleo-ansible/-/commit/512a543b1e600b2df4d860424548cf82f71e503a
- then we made logging rule optional to limit output to serial console https://gitlab.cee.redhat.com/eng/openstack/tripleo-ansible/-/commit/a3f4b4063eb7a8cf1b69319b21dd6a34dde527c3
IMO we need to return a separate drop rule and keep logging rule optional
- links to: RHBA-2025:148328 Red Hat OpenStack Platform 17.1 bug fix and enhancement advisory
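
One way to automate the check from the reproduction step, as an added example that is not part of the original report or of tripleo-ansible: it reads the JSON form of a ruleset (as printed by `nft -j list ruleset`) and reports every chain that contains allow rules but has neither a drop policy nor an unconditional drop as its last rule. The chain names and the sample ruleset are constructed for illustration, and treating only `counter` and `log` as non-filtering statements is an assumption of this sketch.

```python
import json

PASSIVE = {"counter", "log"}  # assumed: statements that neither filter packets nor end evaluation

def _kinds(expr):
    """Statement names of one rule, e.g. ['match', 'accept']."""
    return [next(iter(stmt)) for stmt in expr]

def chains_without_default_drop(ruleset_json):
    """Chains with allow rules that lack both a drop policy and a final unconditional drop."""
    policy, rules = {}, {}
    for item in json.loads(ruleset_json)["nftables"]:
        if "chain" in item:
            c = item["chain"]
            policy[(c["family"], c["table"], c["name"])] = c.get("policy")
        elif "rule" in item:  # rules are listed in evaluation order
            r = item["rule"]
            key = (r["family"], r["table"], r["chain"])
            rules.setdefault(key, []).append(_kinds(r.get("expr", [])))
    flagged = []
    for key, chain_rules in rules.items():
        has_allow = any("accept" in kinds for kinds in chain_rules)
        last = chain_rules[-1]
        ends_in_drop = "drop" in last and all(k in PASSIVE or k == "drop" for k in last)
        if has_allow and policy.get(key) != "drop" and not ends_in_drop:
            flagged.append(key)
    return flagged

# Constructed sample ruleset (not taken from a real overcloud node).
def _chain(name, policy):
    return {"chain": {"family": "inet", "table": "filter", "name": name,
                      "type": "filter", "hook": "input", "prio": 0, "policy": policy}}

def _rule(chain, *stmts):
    return {"rule": {"family": "inet", "table": "filter", "chain": chain, "expr": list(stmts)}}

ALLOW_SSH = ({"match": {"op": "==", "right": 22,
                        "left": {"payload": {"protocol": "tcp", "field": "dport"}}}},
             {"accept": None})
SAMPLE = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "filter"}},
    _chain("ALLOW_ONLY", "accept"), _chain("DROP_RULE", "accept"), _chain("DROP_POLICY", "drop"),
    _rule("ALLOW_ONLY", *ALLOW_SSH),   # the reported state: nothing after the allow rules
    _rule("DROP_RULE", *ALLOW_SSH),
    _rule("DROP_RULE", {"log": {"prefix": "DROPPING: "}}, {"drop": None}),
    _rule("DROP_POLICY", *ALLOW_SSH),
]})

if __name__ == "__main__":
    for family, table, chain in chains_without_default_drop(SAMPLE):
        print(f"{family} {table} {chain}: unmatched traffic is not dropped")
```

The check does not follow `jump` targets, so a chain whose final drop lives in another chain needs to be reviewed by hand.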