stackhpc · jovial · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
@@ -0,0 +1,52 @@
+---
+
+# This playbook flushes iptables-legacy rules in the neutron_openvswitch_agent
+# container on overcloud hosts.  It is intended to be used in scenarios where
+# neutron_openvswitch_agent was updated to a version without iptables-nft.
+
+# NOTE(wszumski): Also had to run a rabbitmq reset after flushing. Potentially
+# we could do a more targetted restart of containers.
+
+- name: Flushes legacy iptables rules on ML2/OVS deployments
+  hosts: overcloud
+  gather_facts: false
+  become: true
+  tasks:
+    - name: Gather service facts
+      ansible.builtin.service_facts:
+
+    - name: End play for hosts without openvswitch agent
+      ansible.builtin.meta: end_host
+      when: "'kolla-neutron_openvswitch_agent-container.service' not in ansible_facts.services"
+
+    - name: Check if neutron legacy iptables rules exist
+      ansible.builtin.shell: |
+        set -euo pipefail
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy-save | grep neutron
+      register: save_result
+      failed_when: false
+      args:
+        executable: /bin/bash
+
+    - name: End play for hosts where legacy-iptables is not in use by neutron
+      ansible.builtin.meta: end_host
+      when: save_result.rc != 0
+
+    - name: Flush iptables-legacy in neutron_openvswitch_agent container
+      ansible.builtin.shell: |
+        set -euo pipefail
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P INPUT ACCEPT
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P FORWARD ACCEPT
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -P OUTPUT ACCEPT
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -F
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t nat -X
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -F
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t mangle -X
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -F
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t raw -X
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -F
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -t filter -X
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -F
+        {{ container_engine }} exec -u root neutron_openvswitch_agent iptables-legacy -X
+      args:
+        executable: /bin/bash
@@ -27,8 +27,8 @@ kolla_image_tags:
     rocky-9: 2025.1-rocky-9-20260413T112937
     ubuntu-noble: 2025.1-ubuntu-noble-20260413T112937
   neutron:
-    rocky-9: 2025.1-rocky-9-20260403T083425
-    ubuntu-noble: 2025.1-ubuntu-noble-20260403T083425
+    rocky-9: 2025.1-rocky-9-20260409T132248
+    ubuntu-noble: 2025.1-ubuntu-noble-20260409T132248
   nova:
     rocky-9: 2025.1-rocky-9-20260226T161930
     ubuntu-noble: 2025.1-ubuntu-noble-20260220T102812

@@ -0,0 +1,27 @@
+---
+fixes:
+  - |
+    Fixed an issue where Neutron security group rules were being created as
+    legacy iptables rules instead of nftables rules. The expected behaviour is
+    that these rules are created using the iptables-nft compatibility package,
+    matching the behaviour introduced in the ``2024.1`` release.
+
+upgrade:
+  - |
+    In ML2/OVS deployments, Neutron security group rules will now be installed
+    in nftables to align with the behaviour from the ``2024.1`` release. If you
+    are running a ``2025.1`` release older than this one, please run the
+    following commands **after upgrading the Neutron containers** to avoid
+    conflicts between iptables-legacy and iptables-nft rules (this operation
+    will cause downtime)::
+
+        kayobe playbook run \
+          $KAYOBE_CONFIG_PATH/ansible/fixes/flush-iptables-legacy.yml \
+          $KAYOBE_CONFIG_PATH/ansible/fixes/rabbitmq-reset.yml
+
+    You can check if Neutron has installed legacy iptables rules by running::
+
+        iptables-save-legacy | grep neutron
+
+    If you are upgrading directly to this release or a newer one, no action is
+    required.