From e3f80e4113c12807e6ca89be3dd6ec0f96850d52 Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Mon, 16 Mar 2026 13:39:16 +0000
Subject: [PATCH 1/7] Install iptables-nft explicitly

We installed this package in previous releases, so to prevent a mixture of legacy and nftables firewall rules, we should explitly install the iptables-nft package.

Closes-Bug: #2144562
Change-Id: I2bba43407a10edb283d8605d579667cb8d8e3126
Signed-off-by: Will Szumski
---
 docker/neutron/neutron-base/Dockerfile.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 1224a2b495..91dcf61f27 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
+ # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+ # to migrate to some other firewall driver as we cannot rely on this
+ # package forever, see: https://access.redhat.com/solutions/6739041
 {% set neutron_base_packages = [
 'conntrack-tools',
 'dnsmasq',
@@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'iproute-tc',
 'ipset',
 'iptables',
+ 'iptables-nft',
 'iputils',
 'keepalived',
 'net-tools',

From 1e5d736fcf9816549efbd4fa9bc24dedfe7c897d Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Wed, 18 Mar 2026 17:56:16 +0000
Subject: [PATCH 2/7] Revert "Install iptables-nft explicitly"

This reverts commit e3f80e4113c12807e6ca89be3dd6ec0f96850d52.
---
 docker/neutron/neutron-base/Dockerfile.j2 | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 91dcf61f27..1224a2b495 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
@@ -12,9 +12,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} - # FIXME(wszumski): iptables-nft is deprecated. We need to advise users - # to migrate to some other firewall driver as we cannot rely on this - # package forever, see: https://access.redhat.com/solutions/6739041 {% set neutron_base_packages = [ 'conntrack-tools', 'dnsmasq', @@ -24,7 +21,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iproute-tc', 'ipset', 'iptables', - 'iptables-nft', 'iputils', 'keepalived', 'net-tools', From d9f9242a420f158282344044734560434a79cf55 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 16 Mar 2026 13:39:16 +0000 Subject: [PATCH 3/7] Install iptables-nft in Rocky 9 containers There was a regression in 2025.1 where we switched back to using iptables-legacy. Explicitly installing iptables-nft restores the old behaviour. Closes-Bug: #2144562 Change-Id: I2bba43407a10edb283d8605d579667cb8d8e3126 Signed-off-by: Will Szumski --- docker/base/Dockerfile.j2 | 6 +-- docker/neutron/neutron-base/Dockerfile.j2 | 20 +++++++++- ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 +++++++++++++++++++ 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 8eb5dbf9ab..0d3900f8f1 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -160,7 +160,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ {% set base_centos_yum_repos_to_disable = [ 'centos-ceph-squid', 'centos-nfv-openvswitch', - 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -170,7 +169,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ 'centos-ceph-reef', 'centos-nfv-openvswitch', 'centos-opstools', - 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', 
@@ -194,8 +192,8 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen {% block base_redhat_binary_versionlock %}{% endblock %} -{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} -{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} +{# NOTE(mnasiadka): In EL10 we install dumb-init from epel. In EL9 we install iptables-legacy. #} +{% if base_package_type == 'rpm' %} RUN dnf config-manager --enable epel {% endif %} diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2 index 1224a2b495..117b4f03f8 100644 --- a/docker/neutron/neutron-base/Dockerfile.j2 +++ b/docker/neutron/neutron-base/Dockerfile.j2 @@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} + # FIXME(wszumski): iptables-nft is deprecated. We need to advise users + # to migrate to some other firewall driver as we cannot rely on this + # package forever, see: https://access.redhat.com/solutions/6739041 {% set neutron_base_packages = [ 'conntrack-tools', 'dnsmasq', @@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iproute-tc', 'ipset', 'iptables', + 'iptables-nft', 'iputils', 'keepalived', 'net-tools', @@ -33,9 +37,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-openvswitch3.5' ] %} {% else %} + # NOTE(wszumski): iptables-legacy lets us check and clear out legacy + # iptables rules due to LP#2144562 {% set neutron_base_packages = neutron_base_packages + [ 'openvswitch', - 'python3-openvswitch' + 'python3-openvswitch', + 'iptables-legacy', ] %} {% endif %} 
@@ -64,6 +71,17 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.install_packages(neutron_base_packages | customizable("packages")) }} +{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %} +# NOTE(wszumski): Without this iptables-legacy is selected as default. This +# increases the priority from 10 to 200. +RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \ + --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \ + --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \ + --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \ + --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \ + --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save +{% endif %} + ADD neutron-base-archive /neutron-base-source ADD plugins-archive / diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml new file mode 100644 index 0000000000..d6bf64da0f --- /dev/null +++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml 
@@ -0,0 +1,37 @@ +upgrade: + - | + On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy + iptables rules if you installed or upgraded before this release. You can + check by running ``iptables-legacy-save`` inside of the + ``neutron_openvswitch_agent`` container and looking for neutron rules. + + After upgrading you will need to clear out the old iptables rules to + prevent conflicts:: + + iptables-legacy -P INPUT ACCEPT + iptables-legacy -P FORWARD ACCEPT + iptables-legacy -P OUTPUT ACCEPT + iptables-legacy -t nat -F + iptables-legacy -t nat -X + iptables-legacy -t mangle -F + iptables-legacy -t mangle -X + iptables-legacy -t raw -F + iptables-legacy -t raw -X + iptables-legacy -t filter -F + iptables-legacy -t filter -X + iptables-legacy -F + iptables-legacy -X + + If you are updating to this release or newer, no action is required. + + For more information, please see + `LP#2144562 `__. + +fixes: + - | + Fixes an issue where firewall rules were being implemented via legacy + iptables rules. This differed from the behaviour in previous releases, + where iptables-nft was used to create these as nftables rules. On upgrade, + this could lead to mixture of iptables and nftables rules based on whether + the VM was booted before or after the upgrade. For more information, please + see `LP#2144562 `__. From e074dcc53756d27a30dacc972e4d85a785127f21 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 19 Mar 2026 11:32:13 +0000 Subject: [PATCH 4/7] Revert "Install iptables-nft in Rocky 9 containers" This reverts commit d9f9242a420f158282344044734560434a79cf55. --- docker/base/Dockerfile.j2 | 6 ++- docker/neutron/neutron-base/Dockerfile.j2 | 20 +--------- ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 ------------------- 3 files changed, 5 insertions(+), 58 deletions(-) delete mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml 
diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 0d3900f8f1..8eb5dbf9ab 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -160,6 +160,7 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ {% set base_centos_yum_repos_to_disable = [ 'centos-ceph-squid', 'centos-nfv-openvswitch', + 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -169,6 +170,7 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ 'centos-ceph-reef', 'centos-nfv-openvswitch', 'centos-opstools', + 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -192,8 +194,8 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen {% block base_redhat_binary_versionlock %}{% endblock %} -{# NOTE(mnasiadka): In EL10 we install dumb-init from epel. In EL9 we install iptables-legacy. #} -{% if base_package_type == 'rpm' %} +{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} +{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} RUN dnf config-manager --enable epel {% endif %} diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2 index 117b4f03f8..1224a2b495 100644 --- a/docker/neutron/neutron-base/Dockerfile.j2 +++ b/docker/neutron/neutron-base/Dockerfile.j2 @@ -12,9 +12,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} - # FIXME(wszumski): iptables-nft is deprecated. We need to advise users - # to migrate to some other firewall driver as we cannot rely on this - # package forever, see: https://access.redhat.com/solutions/6739041 {% set neutron_base_packages = [ 'conntrack-tools', 'dnsmasq', @@ -24,7 +21,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iproute-tc', 'ipset', 'iptables', - 'iptables-nft', 'iputils', 'keepalived', 'net-tools', 
@@ -37,12 +33,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-openvswitch3.5' ] %} {% else %} - # NOTE(wszumski): iptables-legacy lets us check and clear out legacy - # iptables rules due to LP#2144562 {% set neutron_base_packages = neutron_base_packages + [ 'openvswitch', - 'python3-openvswitch', - 'iptables-legacy', + 'python3-openvswitch' ] %} {% endif %} @@ -71,17 +64,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.install_packages(neutron_base_packages | customizable("packages")) }} -{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %} -# NOTE(wszumski): Without this iptables-legacy is selected as default. This -# increases the priority from 10 to 200. -RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \ - --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \ - --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \ - --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \ - --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \ - --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save -{% endif %} - ADD neutron-base-archive /neutron-base-source ADD plugins-archive / diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml deleted file mode 100644 index d6bf64da0f..0000000000 --- a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -upgrade: - - | - On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy - iptables rules if you installed or upgraded before this release. You can - check by running ``iptables-legacy-save`` inside of the - ``neutron_openvswitch_agent`` container and looking for neutron rules. - - After upgrading you will need to clear out the old iptables rules to - prevent conflicts:: - - iptables-legacy -P INPUT ACCEPT - iptables-legacy -P FORWARD ACCEPT - iptables-legacy -P OUTPUT ACCEPT - iptables-legacy -t nat -F - iptables-legacy -t nat -X - iptables-legacy -t mangle -F - iptables-legacy -t mangle -X - iptables-legacy -t raw -F - iptables-legacy -t raw -X - iptables-legacy -t filter -F - iptables-legacy -t filter -X - iptables-legacy -F - iptables-legacy -X - - If you are updating to this release or newer, no action is required. - - For more information, please see - `LP#2144562 `__. - -fixes: - - | - Fixes an issue where firewall rules were being implemented via legacy - iptables rules. This differed from the behaviour in previous releases, - where iptables-nft was used to create these as nftables rules. On upgrade, - this could lead to mixture of iptables and nftables rules based on whether - the VM was booted before or after the upgrade. For more information, please - see `LP#2144562 `__. From 7d37ca6a9e74605cc584ff76c559017c35a31bdb Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 16 Mar 2026 13:39:16 +0000 Subject: [PATCH 5/7] Install iptables-nft in Rocky 9 containers There was a regression in 2025.1 where we switched back to using iptables-legacy. Explicitly installing iptables-nft restores the old behaviour. Closes-Bug: #2144562 Change-Id: I2bba43407a10edb283d8605d579667cb8d8e3126 
Signed-off-by: Will Szumski --- docker/base/Dockerfile.j2 | 9 +---- docker/neutron/neutron-base/Dockerfile.j2 | 21 ++++++++++- ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 +++++++++++++++++++ 3 files changed, 59 insertions(+), 8 deletions(-) create mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index 8eb5dbf9ab..dcb945bd13 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -131,12 +131,14 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ ] %} {% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} + {# NOTE(wszumski): In EL9 we install iptables-legacy from epel #} {% set base_centos_yum_repo_packages = [ 'centos-release-ceph-squid', 'centos-release-nfv-openvswitch', 'epel-release', ] %} {% else %} + {# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} {% set base_centos_yum_repo_packages = [ 'centos-release-ceph-reef', 'centos-release-nfv-openvswitch', @@ -160,7 +162,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ {% set base_centos_yum_repos_to_disable = [ 'centos-ceph-squid', 'centos-nfv-openvswitch', - 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -170,7 +171,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ 'centos-ceph-reef', 'centos-nfv-openvswitch', 'centos-opstools', - 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -194,11 +194,6 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen {% block base_redhat_binary_versionlock %}{% endblock %} -{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} -{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} -RUN dnf config-manager --enable epel -{% endif %} - {# NOTE(hrw): CentOS Stream 9 has curl-minimal, Rocky Linux 9 has curl so we do not install any #} {% set base_centos_packages = [ 'ca-certificates', 
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2 index 1224a2b495..1c942d9a17 100644 --- a/docker/neutron/neutron-base/Dockerfile.j2 +++ b/docker/neutron/neutron-base/Dockerfile.j2 @@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} + # FIXME(wszumski): iptables-nft is deprecated. We need to advise users + # to migrate to some other firewall driver as we cannot rely on this + # package forever, see: https://access.redhat.com/solutions/6739041 {% set neutron_base_packages = [ 'conntrack-tools', 'dnsmasq', @@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iproute-tc', 'ipset', 'iptables', + 'iptables-nft', 'iputils', 'keepalived', 'net-tools', @@ -33,9 +37,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-openvswitch3.5' ] %} {% else %} + # NOTE(wszumski): iptables-legacy lets us check and clear out legacy + # iptables rules due to LP#2144562 {% set neutron_base_packages = neutron_base_packages + [ 'openvswitch', - 'python3-openvswitch' + 'python3-openvswitch', + 'iptables-legacy', ] %} {% endif %} 
@@ -64,6 +71,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.install_packages(neutron_base_packages | customizable("packages")) }} +{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %} +# NOTE(wszumski): Without this iptables-legacy is selected as default. This +# increases the priority from 10 to 200. +RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \ + --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \ + --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \ + --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \ + --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \ + --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \ + && update-alternatives --auto iptables +{% endif %} + ADD neutron-base-archive /neutron-base-source ADD plugins-archive / diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml new file mode 100644 index 0000000000..d6bf64da0f --- /dev/null +++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml 
@@ -0,0 +1,37 @@ +upgrade: + - | + On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy + iptables rules if you installed or upgraded before this release. You can + check by running ``iptables-legacy-save`` inside of the + ``neutron_openvswitch_agent`` container and looking for neutron rules. + + After upgrading you will need to clear out the old iptables rules to + prevent conflicts:: + + iptables-legacy -P INPUT ACCEPT + iptables-legacy -P FORWARD ACCEPT + iptables-legacy -P OUTPUT ACCEPT + iptables-legacy -t nat -F + iptables-legacy -t nat -X + iptables-legacy -t mangle -F + iptables-legacy -t mangle -X + iptables-legacy -t raw -F + iptables-legacy -t raw -X + iptables-legacy -t filter -F + iptables-legacy -t filter -X + iptables-legacy -F + iptables-legacy -X + + If you are updating to this release or newer, no action is required. + + For more information, please see + `LP#2144562 `__. + +fixes: + - | + Fixes an issue where firewall rules were being implemented via legacy + iptables rules. This differed from the behaviour in previous releases, + where iptables-nft was used to create these as nftables rules. On upgrade, + this could lead to mixture of iptables and nftables rules based on whether + the VM was booted before or after the upgrade. For more information, please + see `LP#2144562 `__. From c7aea952d7a989d4cb48109e63eaa7f31f18c463 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 20 Mar 2026 09:55:14 +0000 Subject: [PATCH 6/7] Revert "Install iptables-nft in Rocky 9 containers" This reverts commit 7d37ca6a9e74605cc584ff76c559017c35a31bdb. --- docker/base/Dockerfile.j2 | 9 ++++- docker/neutron/neutron-base/Dockerfile.j2 | 21 +---------- ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 ------------------- 3 files changed, 8 insertions(+), 59 deletions(-) delete mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml 
diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2 index dcb945bd13..8eb5dbf9ab 100644 --- a/docker/base/Dockerfile.j2 +++ b/docker/base/Dockerfile.j2 @@ -131,14 +131,12 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ ] %} {% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} - {# NOTE(wszumski): In EL9 we install iptables-legacy from epel #} {% set base_centos_yum_repo_packages = [ 'centos-release-ceph-squid', 'centos-release-nfv-openvswitch', 'epel-release', ] %} {% else %} - {# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} {% set base_centos_yum_repo_packages = [ 'centos-release-ceph-reef', 'centos-release-nfv-openvswitch', @@ -162,6 +160,7 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ {% set base_centos_yum_repos_to_disable = [ 'centos-ceph-squid', 'centos-nfv-openvswitch', + 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -171,6 +170,7 @@ RUN rm -f /etc/rpm/macros.image-language-conf \ 'centos-ceph-reef', 'centos-nfv-openvswitch', 'centos-opstools', + 'epel', 'influxdb', 'opensearch-2.x', 'opensearch-dashboards-2.x', @@ -194,6 +194,11 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen {% block base_redhat_binary_versionlock %}{% endblock %} +{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #} +{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %} +RUN dnf config-manager --enable epel +{% endif %} + {# NOTE(hrw): CentOS Stream 9 has curl-minimal, Rocky Linux 9 has curl so we do not install any #} {% set base_centos_packages = [ 'ca-certificates', diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2 index 1c942d9a17..1224a2b495 100644 --- a/docker/neutron/neutron-base/Dockerfile.j2 +++ b/docker/neutron/neutron-base/Dockerfile.j2 
@@ -12,9 +12,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% if base_package_type == 'rpm' %} - # FIXME(wszumski): iptables-nft is deprecated. We need to advise users - # to migrate to some other firewall driver as we cannot rely on this - # package forever, see: https://access.redhat.com/solutions/6739041 {% set neutron_base_packages = [ 'conntrack-tools', 'dnsmasq', @@ -24,7 +21,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'iproute-tc', 'ipset', 'iptables', - 'iptables-nft', 'iputils', 'keepalived', 'net-tools', @@ -37,12 +33,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build 'python3-openvswitch3.5' ] %} {% else %} - # NOTE(wszumski): iptables-legacy lets us check and clear out legacy - # iptables rules due to LP#2144562 {% set neutron_base_packages = neutron_base_packages + [ 'openvswitch', - 'python3-openvswitch', - 'iptables-legacy', + 'python3-openvswitch' ] %} {% endif %} 
@@ -71,18 +64,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {{ macros.install_packages(neutron_base_packages | customizable("packages")) }} -{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %} -# NOTE(wszumski): Without this iptables-legacy is selected as default. This -# increases the priority from 10 to 200. -RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \ - --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \ - --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \ - --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \ - --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \ - --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \ - && update-alternatives --auto iptables -{% endif %} - ADD neutron-base-archive /neutron-base-source ADD plugins-archive / diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml deleted file mode 100644 index d6bf64da0f..0000000000 --- a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -upgrade: - - | - On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy - iptables rules if you installed or upgraded before this release. You can - check by running ``iptables-legacy-save`` inside of the - ``neutron_openvswitch_agent`` container and looking for neutron rules. - - After upgrading you will need to clear out the old iptables rules to - prevent conflicts:: - - iptables-legacy -P INPUT ACCEPT - iptables-legacy -P FORWARD ACCEPT - iptables-legacy -P OUTPUT ACCEPT - iptables-legacy -t nat -F - iptables-legacy -t nat -X - iptables-legacy -t mangle -F - iptables-legacy -t mangle -X - iptables-legacy -t raw -F - iptables-legacy -t raw -X - iptables-legacy -t filter -F - iptables-legacy -t filter -X - iptables-legacy -F - iptables-legacy -X - - If you are updating to this release or newer, no action is required. - - For more information, please see - `LP#2144562 `__. - -fixes: - - | - Fixes an issue where firewall rules were being implemented via legacy - iptables rules. This differed from the behaviour in previous releases, - where iptables-nft was used to create these as nftables rules. On upgrade, - this could lead to mixture of iptables and nftables rules based on whether - the VM was booted before or after the upgrade. For more information, please - see `LP#2144562 `__. From c3b0e5d582b766bf6171b0dd50db23c035757087 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 16 Mar 2026 13:39:16 +0000 Subject: [PATCH 7/7] Install iptables-nft in Rocky 9 containers There was a regression in 2025.1 where we switched back to using iptables-legacy. Explicitly installing iptables-nft restores the old behaviour. Closes-Bug: #2144562 Change-Id: I2bba43407a10edb283d8605d579667cb8d8e3126 
Signed-off-by: Will Szumski
(cherry picked from commit 6e77e8a6828a43277a6c24e8565912b0a7782242)
---
 docker/base/Dockerfile.j2 | 6 +--
 docker/neutron/neutron-base/Dockerfile.j2 | 21 ++++++++++-
 ...missing-iptables-nft-fd71eeee04c9345e.yaml | 37 +++++++++++++++++++
 3 files changed, 59 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml

diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index 8eb5dbf9ab..0d3900f8f1 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -160,7 +160,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
 {% set base_centos_yum_repos_to_disable = [
 'centos-ceph-squid',
 'centos-nfv-openvswitch',
- 'epel',
 'influxdb',
 'opensearch-2.x',
 'opensearch-dashboards-2.x',
@@ -170,7 +169,6 @@ RUN rm -f /etc/rpm/macros.image-language-conf \
 'centos-ceph-reef',
 'centos-nfv-openvswitch',
 'centos-opstools',
- 'epel',
 'influxdb',
 'opensearch-2.x',
 'opensearch-dashboards-2.x',
@@ -194,8 +192,8 @@ RUN {{ macros.install_packages(base_centos_yum_repo_packages | customizable("cen
 {% block base_redhat_binary_versionlock %}{% endblock %}
-{# NOTE(mnasiadka): In EL10 we install dumb-init from epel #}
-{% if base_distro_tag.startswith('10') or base_distro_tag.startswith('stream10') %}
+{# NOTE(mnasiadka): In EL10 we install dumb-init from epel. In EL9 we install iptables-legacy. #}
+{% if base_package_type == 'rpm' %}
 RUN dnf config-manager --enable epel
 {% endif %}
diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2
index 1224a2b495..1c942d9a17 100644
--- a/docker/neutron/neutron-base/Dockerfile.j2
+++ b/docker/neutron/neutron-base/Dockerfile.j2
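Review bot: Replacing the EL10-only guard with `{% if base_package_type == 'rpm' %}` around `RUN dnf config-manager --enable epel` leaves EPEL enabled in the base layer of every RPM image, although the comment names only two packages that need it (dumb-init on EL10, iptables-legacy on EL9, the latter installed by neutron-base). With a community repository enabled image-wide, any later `dnf install` in a derived image can resolve a package from EPEL rather than from the distribution, which is the exposure the `'epel'` entries in `base_centos_yum_repos_to_disable` removed by the two preceding hunks used to close; restricting it, e.g. `RUN dnf config-manager --save --setopt=epel.includepkgs=dumb-init,iptables-legacy epel` after the enable (adjust the list if more EPEL packages are needed), or enabling it only in the image that installs iptables-legacy, keeps the previous scope. The comment also still speaks of EL9 and EL10 while the condition now matches every rpm-based tag; `{# NOTE: EPEL is enabled on all RPM images; dumb-init (EL10) and iptables-legacy (EL9) are installed from it #}` would describe the code as written. The same hunks appear in patches 3 and 5, which patches 4 and 6 revert.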
@@ -12,6 +12,9 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% if base_package_type == 'rpm' %}
+ # FIXME(wszumski): iptables-nft is deprecated. We need to advise users
+ # to migrate to some other firewall driver as we cannot rely on this
+ # package forever, see: https://access.redhat.com/solutions/6739041
 {% set neutron_base_packages = [
 'conntrack-tools',
 'dnsmasq',
@@ -21,6 +24,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'iproute-tc',
 'ipset',
 'iptables',
+ 'iptables-nft',
 'iputils',
 'keepalived',
 'net-tools',
@@ -33,9 +37,12 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 'python3-openvswitch3.5'
 ] %}
 {% else %}
+ # NOTE(wszumski): iptables-legacy lets us check and clear out legacy
+ # iptables rules due to LP#2144562
 {% set neutron_base_packages = neutron_base_packages + [
 'openvswitch',
- 'python3-openvswitch'
+ 'python3-openvswitch',
+ 'iptables-legacy',
 ] %}
 {% endif %}
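Review bot: `'iptables-legacy'` is appended after `'python3-openvswitch'` in the `{% else %}` branch, which breaks the alphabetical order both package lists otherwise keep (the first hunk slots `'iptables-nft'` between `'iptables'` and `'iputils'`); placing it before `'openvswitch'` keeps the two lists consistent. The `# FIXME(wszumski)` and `# NOTE(wszumski)` lines are plain `#` lines inside Jinja blocks, so they are emitted into the rendered Dockerfile, whereas docker/base/Dockerfile.j2 in this series writes maintainer notes as `{# ... #}`; the Jinja form keeps them out of the generated file. The `{% if %}`/`{% else %}` blocks these hunks edit open and close outside the hunk. These hunks also appear in patches 3 and 5, which patches 4 and 6 revert.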
@@ -64,6 +71,18 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {{ macros.install_packages(neutron_base_packages | customizable("packages")) }}
+{% if base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9') %}
+# NOTE(wszumski): Without this iptables-legacy is selected as default. This
+# increases the priority from 10 to 200.
+RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 200 \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save \
+ && update-alternatives --auto iptables
+{% endif %}
+
 ADD neutron-base-archive /neutron-base-source
 ADD plugins-archive /
diff --git a/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
new file mode 100644
index 0000000000..d6bf64da0f
--- /dev/null
+++ b/releasenotes/notes/fixes-missing-iptables-nft-fd71eeee04c9345e.yaml
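Review bot: The `RUN update-alternatives --install ... 200` line re-registers the iptables master link with six slaves but nothing checks the outcome, so an image where the legacy backend still wins (a later package re-registering at a higher priority, or a different set of slave links on the distribution's side) would build successfully and ship exactly the state LP#2144562 describes. Ending the command with `&& update-alternatives --auto iptables \` followed by `&& iptables --version | grep -q nf_tables` turns that into a build failure, and `update-alternatives --display iptables` in the built image shows whether the package registered slave links that this explicit list drops; I cannot confirm the package's slave set from the hunk. The guard `base_distro_tag.startswith('9') or base_distro_tag.startswith('stream9')` keys on the tag while the rest of the series gates on `base_package_type == 'rpm'`; a comment such as `# EL9 only: the nft backend is not the default there` would record why, if that is the reason. This hunk also appears in patches 3 and 5 (patch 3 without the `--auto` call), which patches 4 and 6 revert.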
@@ -0,0 +1,37 @@ +upgrade: + - | + On Rocky9 on CentOS Stream 9 based installations, VMs may be using legacy + iptables rules if you installed or upgraded before this release. You can + check by running ``iptables-legacy-save`` inside of the + ``neutron_openvswitch_agent`` container and looking for neutron rules. + + After upgrading you will need to clear out the old iptables rules to + prevent conflicts:: + + iptables-legacy -P INPUT ACCEPT + iptables-legacy -P FORWARD ACCEPT + iptables-legacy -P OUTPUT ACCEPT + iptables-legacy -t nat -F + iptables-legacy -t nat -X + iptables-legacy -t mangle -F + iptables-legacy -t mangle -X + iptables-legacy -t raw -F + iptables-legacy -t raw -X + iptables-legacy -t filter -F + iptables-legacy -t filter -X + iptables-legacy -F + iptables-legacy -X + + If you are updating to this release or newer, no action is required. + + For more information, please see + `LP#2144562 `__. + +fixes: + - | + Fixes an issue where firewall rules were being implemented via legacy + iptables rules. This differed from the behaviour in previous releases, + where iptables-nft was used to create these as nftables rules. On upgrade, + this could lead to mixture of iptables and nftables rules based on whether + the VM was booted before or after the upgrade. For more information, please + see `LP#2144562 `__.