Add a role to configure masquerading on hypervisor #1880
Thanks for the PR! ❤️
a2a31f5 to e0007fa
e0007fa to 0d22ed0
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/23a2b39b84ed44ff8dd3d0d3542afb37 ❌ openstack-k8s-operators-content-provider FAILURE in 4m 51s
0d22ed0 to 47bc92e
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/fc6f59ddd2c7410b9493686f54212bf2 ❌ openstack-k8s-operators-content-provider FAILURE in 4m 58s
47bc92e to 7bd7e0c
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/a896b29f12934b60b71f28726db441f2 ❌ openstack-k8s-operators-content-provider FAILURE in 4m 42s
7bd7e0c to 7ccf82c
7ccf82c to 6ddcc60
6ddcc60 to 2235736
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/ce0ffd98617a48fe99633761841312d4 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 48m 21s
recheck
/approve though I really don't like having two ways to manage the firewall :(.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjeanner The full list of commands accepted by this bot can be found here. The pull request process is described here
Using *nat* type networks in libvirt causes firewall rules to be inserted by libvirt - these rules block traffic between libvirt networks. In some scenarios this is not desired, we want traffic between internal networks and still enable NAT (masquerading) of the traffic going to the external (internet/intranet).

This role's task is to insert these firewall rules to masquerade traffic where the `src` is a libvirt network and the `dst` is external (internet/intranet).

Also enable it in the reproducer.

For example:

```yaml
cifmw_masquerade_networks: true
cifmw_masquerade_external_source_ranges:
  - "{{ cifmw_networking_definition.networks.ironic.network }}"
  - "{{ cifmw_networking_definition.networks.ctlplane.network }}"
```
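An added example, not code from this pull request: one way to express the rule the commit message describes, masquerading only when the source is a listed libvirt range and the destination lies outside all of them, so traffic between the internal networks is left un-NATed. Using nftables, the function name, the table name and the sample ranges are all assumptions; the role's actual rules are not shown on this page.

```python
import ipaddress


def build_masquerade_ruleset(source_ranges, table="masquerade_example"):
    """Return nftables ruleset text: NAT traffic leaving the given internal
    ranges for external destinations, leave inter-range traffic untouched."""
    if not source_ranges:
        raise ValueError("at least one source range is required")
    # strict=True rejects host addresses such as 192.168.122.1/24, so a
    # mistyped entry is reported instead of being silently normalised.
    nets = [ipaddress.ip_network(r, strict=True) for r in source_ranges]
    if any(n.version != 4 for n in nets):
        raise ValueError("this example handles IPv4 ranges only")
    # Merge overlapping or adjacent ranges so the set holds disjoint intervals.
    internal = ", ".join(str(n) for n in ipaddress.collapse_addresses(nets))
    return "\n".join([
        f"table ip {table} {{",
        "    chain postrouting {",
        "        type nat hook postrouting priority srcnat; policy accept;",
        "        # src is internal, dst is not internal: masquerade",
        f"        ip saddr {{ {internal} }} ip daddr != {{ {internal} }} masquerade",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample ranges standing in for the ironic and ctlplane networks.
    print(build_masquerade_ruleset(["172.20.1.0/24", "192.168.122.0/24"]))
```

The `ip daddr !=` match on the same set is what keeps internal-to-internal traffic out of the NAT path; without it every packet from those ranges would be rewritten to the hypervisor's address.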
2235736 to 181224e
Moving this to draft - after reading https://discussion.fedoraproject.org/t/f41-change-proposal-libvirt-virtual-network-nftables-self-contained/120329, I think there may be a way to do this with firewalld.
Closing this, superseded by #1928 which is using firewalld.
As a pull request owner and reviewers, I checked that: