From 7322d60610764f728ce58d4e8a39a6c54c652643 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Thu, 6 Oct 2016 11:18:14 -0400
Subject: Enable firewalling by default on compute nodes

- Move VXLAN and VRRP rules from Neutron Server to the right services.
- Enable Firewall by default on Compute nodes.

Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
---
 puppet/services/neutron-ovs-agent.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'puppet/services/neutron-ovs-agent.yaml')

diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index cbe65638..cca0deee 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -117,5 +117,11 @@ outputs:
             # internal_api_subnet - > IP/CIDR
             neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
             neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+            tripleo.neutron_ovs_agent.firewall_rules:
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '136 neutron gre networks':
+                proto: 'gre'
       step_config: |
         include ::tripleo::profile::base::neutron::ovs
-- 
cgit 1.2.3-korg