nftables policy is set to accept

Solution In Progress

Issue

  • After upgrading to OSP17.1, the compute nodes now use nftables instead of iptables, but on some of the servers the policy of the INPUT chain is set to accept instead of drop.

  • The file "/etc/nftables/iptables.nft" sets the policy to "accept", while the file "/etc/nftables/tripleo-rules.nft" sets it to "drop".

  • Both files look the same on all servers, but the active nft policy differs: on some of them the INPUT policy is "accept":

[root@overcloud-test-compute-1 ~]# grep -A 2 "table inet filter" /etc/nftables/iptables.nft
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
[root@overcloud-test-compute-1 ~]#
[root@overcloud-test-compute-1 ~]# grep policy /etc/nftables/tripleo-rules.nft
add chain inet filter INPUT { policy drop; }

  • The configuration is identical on all the controllers and computes:
$ ansible -i inventory.yaml -m shell -a 'md5sum /etc/nftables/iptables.nft /etc/nftables/tripleo-rules.nft' -b overcloud
overcloud-test-computeamd-0 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
e5a51473dd1462a1e91c387d6a1f30e1  /etc/nftables/tripleo-rules.nft
overcloud-test-compute-3 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
e5a51473dd1462a1e91c387d6a1f30e1  /etc/nftables/tripleo-rules.nft
overcloud-test-compute-1 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
e5a51473dd1462a1e91c387d6a1f30e1  /etc/nftables/tripleo-rules.nft
overcloud-test-compute-0 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
e5a51473dd1462a1e91c387d6a1f30e1  /etc/nftables/tripleo-rules.nft
overcloud-test-compute-2 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
e5a51473dd1462a1e91c387d6a1f30e1  /etc/nftables/tripleo-rules.nft
overcloud-test-controller-1 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
f8e7028101dc004d48df959bd40881ce  /etc/nftables/tripleo-rules.nft
overcloud-test-controller-0 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
f8e7028101dc004d48df959bd40881ce  /etc/nftables/tripleo-rules.nft
overcloud-test-controller-2 | CHANGED | rc=0 >>
ad1095d99e0a016baf7c971079fb001b  /etc/nftables/iptables.nft
f8e7028101dc004d48df959bd40881ce  /etc/nftables/tripleo-rules.nft

  • This is the active configuration:
$ ansible -i inventory.yaml -m shell -a 'nft list chain inet filter INPUT' -b overcloud
overcloud-test-compute-3 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-computeamd-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-compute-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-compute-1 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-compute-2 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-controller-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-controller-1 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-controller-2 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}

  • Both computes have been freshly installed ("overcloud node provision") after the upgrade to OSP17.

  • In another system that we have with OSP17 we see the same behaviour, but there it is two controllers that have "accept" as the INPUT policy (note the hostnames contain "dev" instead of "test"):

$ ansible -i inventory.yaml -m shell -a 'nft list chain inet filter INPUT' -b overcloud
overcloud-dev002-controller-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump TRIPLEO_INPUT
        }
}
overcloud-dev002-controller-1 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump TRIPLEO_INPUT
        }
}
overcloud-dev002-compute-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-dev002-controller-2 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-dev002-compute-1 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
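An added check, not part of this solution, that parses the output of the ansible command shown above and flags every host whose active INPUT policy is not drop (hosts where the command failed are reported as unknown rather than silently skipped); the sample output is constructed to match the shape of the listings on this page:

```shell
#!/bin/sh
# Added audit helper (not part of the Red Hat solution): read the output of
#   ansible -i inventory.yaml -m shell -a 'nft list chain inet filter INPUT' -b overcloud
# on stdin and print "<host> <policy>" for every host whose active INPUT
# base-chain policy is not "drop". A host that reports no INPUT chain at all
# (e.g. rc!=0) is printed as "<host> unknown" so it is not silently skipped.
nft_input_policy_audit() {
    awk '
        function flush() { if (host != "" && !seen) print host, "unknown" }
        # ansible ad-hoc per-host header: "<host> | CHANGED | rc=0 >>"
        /^[^ ]+ [|] (CHANGED|SUCCESS|FAILED) [|] rc=[0-9]+ >>/ {
            flush(); host = $1; seen = 0; next
        }
        # the base-chain line carries the policy, e.g. "...; policy accept;"
        /type filter hook input/ {
            seen = 1
            if (match($0, /policy [a-z]+;/)) {
                pol = substr($0, RSTART + 7, RLENGTH - 8)
                if (pol != "drop") print host, pol
            }
        }
        END { flush() }
    '
}

# Constructed sample in the shape of the listings above: one compliant host,
# one with "accept", and one where the command failed.
SAMPLE='overcloud-test-compute-3 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy drop;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-computeamd-0 | CHANGED | rc=0 >>
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump TRIPLEO_INPUT
        }
}
overcloud-test-compute-9 | FAILED | rc=1 >>
Error: No such file or directory'

printf '%s\n' "$SAMPLE" | nft_input_policy_audit
```

Pipe the real ansible output into nft_input_policy_audit to get the same per-host report for a live overcloud.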

Environment

  • Red Hat OpenStack Platform 17.1 (RHOSP)
