[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node
Steve Linabery
slinabery at redhat.com
Mon Aug 11 14:47:03 UTC 2008
On Mon, Aug 11, 2008 at 03:17:00PM +0200, Chris Lalancette wrote:
> Duh. We can't reject everything on the FORWARD chain, since we are basically
> forwarding all packets through from the guests. Remove the rule from the
> chain completely; we might be able to do better later, but at least things
> work this way.
>
> Signed-off-by: Chris Lalancette <clalance at redhat.com>
>
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 37e2f43..a91a0c1 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
> -A INPUT -p tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp --dport 49152 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> --A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> EOF
>
>
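Review bot: Dropping `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` outright leaves the FORWARD chain with no rules in this block, so every forwarded packet, not only guest traffic, is handled by the chain's default policy, which is declared above the lines shown here. If the aim is just to let bridged guest packets through, consider keeping the REJECT and placing an accept for bridged traffic ahead of it, for example `-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT`. Whichever way it goes, a comment in common-post.ks recording why FORWARD is left open would help, since the commit message already describes this as a stopgap.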
ACK. Not sure what the better solution is, but I agree that we need to let the guests' packets through :)