adding local connections for zebra/frr to the individual services. I can't believe I have not yet noticed this. seems like-frr reload is however relying on this

2019-05-01 04:37:44 +00:00 · 2019-05-01 04:37:44 +00:00 · 313ea1085f
parent 05bc412860
commit 313ea1085f
2 changed files with 5 additions and 1 deletions
--- a/debian/postinst
+++ b/debian/postinst
@ -418,7 +418,7 @@ case "$1" in
        systemctl enable strongswan || true       ## in case we kick-start or done have it enabled for some reason
        systemctl enable firewall
        systemctl restart firewall
-        systemctl reload frr
+        ## systemctl reload frr  ## still too dangerous? failed heavy on last attempt

    ## END services section

--- a/files/firewall
+++ b/files/firewall
@ -23,6 +23,10 @@ case $1 in
        iptables -A INPUT                                                   -p udp   --dport   4500 --sport 4500                     -j ACCEPT   -m comment --comment "ipsec"
        iptables -A INPUT                                                   -p icmp                                                  -j ACCEPT   -m comment --comment "allow pings"

+       ## frr local service connections
+        iptables -A INPUT -i lo                           -m multiport      -p tcp   --sports  2600:2618                             -j ACCEPT   -m comment --comment "local ceph osd traffic"
+        iptables -A INPUT -i lo                           -m multiport      -p tcp   --dports  2600:2618                             -j ACCEPT   -m comment --comment "local ceph osd traffic"
+
       ## local ceph osd services
        iptables -A INPUT -i lo                           -m multiport      -p tcp   --sports  6800:7300                             -j ACCEPT   -m comment --comment "local ceph osd traffic"
        iptables -A INPUT -i lo                           -m multiport      -p tcp   --dports  6800:7300                             -j ACCEPT   -m comment --comment "local ceph osd traffic"