[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node
Mark McLoughlin
markmc at redhat.com
Mon Aug 11 14:47:24 UTC 2008
On Mon, 2008-08-11 at 15:17 +0200, Chris Lalancette wrote:
> Duh. We can't reject everything on the FORWARD chain, since we are basically
> forwarding all packets through from the guests. Remove the rule from the
> chain completely; we might be able to do better later, but at least things
> work this way.
>
> Signed-off-by: Chris Lalancette <clalance at redhat.com>
>
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 37e2f43..a91a0c1 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
> -A INPUT -p tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp --dport 49152 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> --A FORWARD -j REJECT --reject-with icmp-host-prohibited
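Review bot: Deleting the FORWARD rule outright leaves that chain governed solely by its default policy, which is set outside this hunk, so the generated /etc/sysconfig/iptables should keep an explicit catch-all rather than none. The rule can be narrowed instead of removed: matching with `-m physdev ! --physdev-is-bridged` lets the guests' bridged frames through while routed forwarding is still rejected, which addresses the problem stated in the commit message without opening the chain entirely.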
I'd like the default rule in Fedora to be:
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-admin-prohibited
see:
https://bugzilla.redhat.com/221828
That should work here too.
Cheers,
Mark.