Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhos-18.0.8
Affects Version/s: rhos-18.0 FR 2 (Mar 2025)
Component/s: edpm-ansible
Labels:
None

Story Points:
4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs Approval:
?
Fixed in Build:
openstack-ansible-ee-container-1.0.10-3
Regression:
None
Release Note Text:

Hide
.Default policy ensures nftables reload at the end of deployment

Before this update, iptables default tables were added to nftables to ensure backwards compatibility. However, there was a default ALLOW INPUT rule instead of a default DROP rule, and nftables were not reloaded at the end of the deployment. With this update, the correct rules are applied to ensure that nftables are reloaded at the end of the deployment.

Show
.Default policy ensures nftables reload at the end of deployment Before this update, iptables default tables were added to nftables to ensure backwards compatibility. However, there was a default ALLOW INPUT rule instead of a default DROP rule, and nftables were not reloaded at the end of the deployment. With this update, the correct rules are applied to ensure that nftables are reloaded at the end of the deployment.
Release Note Type:
Bug Fix
Release Note Status:
Done
Intelligence Requested:
Market:
Errata Link:
https://errata.engineering.redhat.com/advisory/148724
Target Version:

rhos-18.0.8

Sprint:
EDPM Sprint 1
sprint_count:
1
Planning Target:

2025Q2
Severity:
Important

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Since nftables switch, input policy is ACCEPT instead of DROP up until nftables service is reloaded or server is rebooted.

This is the difference between nft list ruleset before and after restarting nftables.

@@ -1,6 +1,6 @@
 table inet filter {
        chain INPUT {
-               type filter hook input priority filter; policy accept;
+               type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
         }

RHOSP17.1.4

clones

OSPRH-15158 Since nftables switch, input policy is ACCEPT instead of DROP up until nftables services is reloaded or server is rebooted

Closed

links to

KCS

openstack-k8s-operators/edpm-ansible#927: Nftables reload

RHBA-2025:148724 Release of containers for RHOSO OpenStack EDPM images

mentioned on

Merge request - Remove all readale permissions for rndc key related files

Assignee:: Brendan Shephard (Inactive)

Reporter:: Dave Hill

Team:: rhos-dfg-df

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/04/06 3:02 AM

Updated:: 2025/09/13 5:12 AM

Resolved:: 2025/05/21 5:41 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty