Bypass iptables for bridged traffic by default

User can disable this, but in most cases they will want to bypass the iptables configuration for bridged devices.
2024-11-09 01:36:48 +00:00 · 2012-07-31 02:40:59 -06:00 · 2012-07-31 02:40:59 -06:00 · 789fadbaa1
commit 789fadbaa1
parent 4c81dc6c7a
2 changed files with 19 additions and 2 deletions
--- a/salt/modules/rh_ip.py
+++ b/salt/modules/rh_ip.py
@ -540,6 +540,24 @@ def _parse_settings_eth(opts, iface_type, enabled, iface):

    if iface_type == 'bridge':
        result['devtype'] = 'Bridge'
+        bypassiptables = True
+        valid = _CONFIG_TRUE + _CONFIG_FALSE
+        for opt in ['bypassiptables']:
+            if opt in opts:
+                if opts[opt] in _CONFIG_TRUE:
+                    bypassiptables = True
+                elif opts[opt] in _CONFIG_FALSE:
+                    bypassiptables = False
+                else:
+                    _raise_error_iface(iface, opts[opt], valid)
+        if bypassiptables:
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-ip6tables = 0')
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-iptables = 0')
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-arptables = 0')
+        else:
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-ip6tables = 1')
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-iptables = 1')
+            __salt__['sysctl.persist']('net.bridge.bridge-nf-call-arptables = 1')
    else:
        if 'bridge' in opts:
            result['bridge'] = opts['bridge']
@ -741,8 +759,6 @@ def build_interface(iface, iface_type, enabled, settings):

    if iface_type == 'bridge':
        __salt__['pkg.install']('bridge-utils')
-        msg = 'Add to firewall: -A RH-Firewall-1-INPUT -i {0} -j ACCEPT'.format(iface)
-        log.warning(msg)

    if iface_type in ['eth', 'bond', 'bridge', 'slave', 'vlan']:
        opts = _parse_settings_eth(settings, iface_type, enabled, iface)
--- a/salt/states/network.py
+++ b/salt/states/network.py
@ -128,6 +128,7 @@ supported. This module will therefore only work on RH/CentOS/Fedora.
        - proto: dhcp
        - bridge: br0
        - delay: 0
+        - bypassiptables: True
        - use:
          - network: eth4
        - require: