Bug
Resolution: Done
Major
rhos-18.0 FR 2 (Mar 2025)
8
openstack-ansible-ee-container-1.0.8-1
2025Q1
Important
To Reproduce
Steps to reproduce the behavior:
- Create the OpenStackDataPlaneDeployment and observe that the default policy for the INPUT chain is set to drop:
[cloud-admin@edpm-compute-1 ~]$ sudo nft list chain inet filter "INPUT"
table inet filter {
chain INPUT {
type filter hook input priority filter; policy drop;
jump EDPM_INPUT
jump EDPM_INPUT
jump EDPM_INPUT
jump EDPM_INPUT
}
}
- Run a subsequent deployment and observe that the policy is now changed to `accept`:
[cloud-admin@edpm-compute-1 ~]$ sudo nft list chain inet filter "INPUT"
table inet filter {
chain INPUT {
type filter hook input priority filter; policy accept;
jump EDPM_INPUT
jump EDPM_INPUT
jump EDPM_INPUT
jump EDPM_INPUT
}
}
Expected behavior
- Default policy should remain "drop" at the completion of each deployment
Bug impact
- The INPUT chain defaults to accepting all traffic, which is undesirable.
Known workaround
- Reload the nftables service on EDPM nodes to restore the default drop policy
[cloud-admin@edpm-compute-1 ~]$ sudo systemctl reload nftables
[cloud-admin@edpm-compute-1 ~]$ sudo nft list chain inet filter "INPUT"
table inet filter {
chain INPUT {
type filter hook input priority filter; policy drop;
jump EDPM_INPUT
}
}
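As an added post-deployment check (not part of this report or of edpm-ansible), the following POSIX shell script parses `nft list chain inet filter INPUT` output and fails when the INPUT default policy is not `drop`; it also counts the `jump EDPM_INPUT` entries, which the captured output above shows repeated once per deployment. The `--live` flag and the function names are assumptions; the chain is assumed to live in table `inet filter` as in the output above.

```shell
#!/bin/sh
# Added example: verify the INPUT chain default policy after an
# OpenStackDataPlaneDeployment. Not code from the bug report or edpm-ansible.

# Print the default policy ("drop" or "accept") from `nft list chain` output on stdin.
# The chain header line looks like:
#   type filter hook input priority filter; policy drop;
nft_input_policy() {
    sed -n 's/.*policy \([a-z]*\);.*/\1/p' | head -n 1
}

# Count the `jump EDPM_INPUT` rules in the listing on stdin. The report's
# output shows one extra jump per deployment, so the count records how many
# times the rules have been re-applied. `|| true` keeps grep's exit status 1
# (no matches) from aborting callers running under `set -e`.
nft_edpm_jump_count() {
    grep -c 'jump EDPM_INPUT' || true
}

# Read a chain listing from stdin; return 0 when the policy is "drop",
# 1 otherwise, and print a one-line verdict either way.
check_input_policy() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | nft_input_policy)
    jumps=$(printf '%s\n' "$listing" | nft_edpm_jump_count)
    if [ "$policy" = "drop" ]; then
        echo "OK: INPUT policy is drop (jump EDPM_INPUT x$jumps)"
        return 0
    fi
    echo "FAIL: INPUT policy is '${policy:-unknown}', expected drop (jump EDPM_INPUT x$jumps)"
    return 1
}

# Live mode (assumed flag): check the node's current ruleset when run with --live.
if [ "${1:-}" = "--live" ]; then
    sudo nft list chain inet filter INPUT | check_input_policy
fi
```

Run it as `sh check_input_policy.sh --live` on an EDPM node after each deployment; a non-zero exit means the drop policy was lost and the nftables reload workaround is needed.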
Additional context
This happens because we always load the iptables compatibility rules; this step runs unconditionally: https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nftables/tasks/configure.yml#L40-L55
But the custom nftables rules are only loaded some of the time: https://github.com/openstack-k8s-operators/edpm-ansible/blob/main/roles/edpm_nftables/tasks/run.yml#L39
Our options are:
- Conditionally run the iptables.nft compatibility step; or,
- Always run the loading of the custom rules