[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node

Mark McLoughlin markmc at redhat.com
Mon Aug 11 14:47:24 UTC 2008

On Mon, 2008-08-11 at 15:17 +0200, Chris Lalancette wrote:
> Duh.  We can't reject everything on the FORWARD chain, since we are basically
>     forwarding all packets through from the guests.  Remove the rule from the
>     chain completely; we might be able to do better later, but at least things
>     work this way.
>     Signed-off-by: Chris Lalancette <clalance at redhat.com>
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 37e2f43..a91a0c1 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
>  -A INPUT -p tcp --dport 22 -j ACCEPT
>  -A INPUT -p tcp --dport 49152 -j ACCEPT
>  -A INPUT -j REJECT --reject-with icmp-host-prohibited
> --A FORWARD -j REJECT --reject-with icmp-host-prohibited

I'd like the default rule in Fedora to be:

  -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-admin-prohibited



That should work here too.


More information about the ovirt-devel mailing list