[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node

Chris Lalancette clalance at redhat.com
Mon Aug 11 13:17:00 UTC 2008


    Duh.  We can't reject everything on the FORWARD chain, since we are basically
    forwarding all packets through from the guests.  Remove the rule from the
    chain completely; we might be able to do better later, but at least things
    work this way.
    
    Signed-off-by: Chris Lalancette <clalance at redhat.com>

diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
index 37e2f43..a91a0c1 100644
--- a/ovirt-host-creator/common-post.ks
+++ b/ovirt-host-creator/common-post.ks
@@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 49152 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
 EOF
 
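Review bot: Deleting `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` leaves the FORWARD chain with no rules at all, so forwarding on the managed node is now decided only by the chain's default policy, which is declared above the visible context of this hunk. If that policy is ACCEPT, the node will forward any packet between any interfaces, not only guest traffic. Consider keeping the REJECT as the final rule and placing a narrower accept ahead of it, for example `-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT`, assuming the guests are attached through a bridge. If the open chain stays as an interim step, a comment in the heredoc explaining why FORWARD is left empty would keep the rule from being re-added by mistake.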



