The 'iptables' module needs to have a 'less strict' setting

Description

Systems running large substacks, such as Kubernetes, need to directly manipulate large parts of the iptables rule sets.

Additionally, restarting the entirety of iptables may take upwards of a minute for large rulesets.

To this end, we need to come up with a 'less strict' setting for the iptables module that will do the following:

  • Ignore all rules that are not explicitly managed by SIMP (SIMP-managed rules are the ones carrying 'SIMP:' comments)

  • Purge all SIMP rules and re-add them at the bottom of the affected chains, taking care to apply all rules in an atomic fashion wherever possible so that users are not accidentally locked out of their systems.

This should allow for 'near instant' application of the SIMP managed rulesets while leaving room for the container management tools to run wild.
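The following is an added illustration of the 'less strict' merge described above, written here for this ticket and not code from the SIMP iptables module (which is a Puppet module). It works on text in the format `iptables-save` emits: the sample dump, the managed rule list and the `SIMP:` comment convention are all constructed assumptions.

```python
import re

# Constructed `iptables-save` output: a kube-proxy chain plus two rules that an
# earlier SIMP run laid down (recognised by their "SIMP:" comment).
SAMPLE_DUMP = """*filter
:INPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SIMP: ssh" -j ACCEPT
-A INPUT -m comment --comment "SIMP: drop the rest" -j DROP
-A INPUT -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# The rules SIMP manages now (constructed); note the newly added https rule.
SIMP_RULES = {'filter': [
    '-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SIMP: ssh" -j ACCEPT',
    '-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "SIMP: https" -j ACCEPT',
    '-A INPUT -m comment --comment "SIMP: drop the rest" -j DROP']}
SIMP_TAG = re.compile(r'--comment\s+"?SIMP:')   # marks a SIMP-managed rule

def merge_simp_rules(saved, simp_rules):
    """Keep every non-SIMP rule verbatim, purge old SIMP rules, and append
    simp_rules[table] just before COMMIT (the bottom of each affected chain)."""
    out, table, buf = [], None, []
    for line in saved.splitlines():
        if line.startswith('*'):                       # '*filter': a table begins
            table, buf = line[1:], [line]
        elif line == 'COMMIT' and table is not None:   # table ends: rebuild it
            out.extend(_rebuild_table(buf, simp_rules.get(table, [])))
            out.append(line)
            table = None
        else:                                          # buffer in-table lines
            (buf if table is not None else out).append(line)
    return '\n'.join(out) + '\n'

def _rebuild_table(lines, simp_rules):
    header, rules, declared = [lines[0]], [], set()
    for line in lines[1:]:
        if line.startswith(':'):                       # ':CHAIN policy [p:b]'
            declared.add(line[1:].split()[0])
            header.append(line)
        elif line.startswith('-A') and SIMP_TAG.search(line):
            continue                                   # purge the stale SIMP rule
        else:
            rules.append(line)                         # foreign rule: untouched
    for chain in sorted({r.split()[1] for r in simp_rules} - declared):
        header.append(f':{chain} - [0:0]')             # declare chains SIMP needs
    return header + rules + list(simp_rules)
```

Feeding the result to `iptables-restore` replaces each table in a single commit, which is what keeps the host from sitting half-configured between the purge and the re-add; `iptables-restore --test` parses the text without committing it.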

Acceptance Criteria

None

Activity

Trevor Vaughan
December 31, 2019, 6:01 PM

This has been accomplished through the integration with firewalld.

Labels

None

Epic Link

None

Story Points

None

Components

Affects versions

Priority

Medium