iptables: don't enable arptables firewall

Ihar Hrachyshka · Ihar Hrachyshka · commit 3f771b7bcb04 · 2016-12-17T04:14:42.000Z
Neutron doesn't use any arptables based firewall rules. This should somewhat optimize kernel packet processing performance. I think the setting came from: http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf but does not apply to the way we use iptables. Change-Id: I41796c76172f5243e4f9c4902363abb1f19d0d12 Closes-Bug: #1651765
diff --git a/functions b/functions
@@ -658,7 +658,7 @@ function enable_kernel_bridge_firewall {
     # Enable bridge firewalling in case it's disabled in kernel (upstream
     # default is enabled, but some distributions may decide to change it).
     # This is at least needed for RHEL 7.2 and earlier releases.
-    for proto in arp ip ip6; do
+    for proto in ip ip6; do
         sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1
     done
 }

Original file line number	Diff line number	Diff line change
`@@ -658,7 +658,7 @@ function enable_kernel_bridge_firewall {`
`658`	`658`	`# Enable bridge firewalling in case it's disabled in kernel (upstream`
`659`	`659`	`# default is enabled, but some distributions may decide to change it).`
`660`	`660`	`# This is at least needed for RHEL 7.2 and earlier releases.`
`661`		`- for proto in arp ip ip6; do`
	`661`	`+ for proto in ip ip6; do`
`662`	`662`	`sudo sysctl -w net.bridge.bridge-nf-call-${proto}tables=1`
`663`	`663`	`done`
`664`	`664`	`}`