Bug 1393703

Summary: Iptables rules can be added after terminal DROP or REJECT rule
Product: Red Hat OpenStack
Reporter: Leonid Natapov <lnatapov>
Component: opstools-ansible
Assignee: Martin Magr <mmagr>
Status: CLOSED WONTFIX
QA Contact: Leonid Natapov <lnatapov>
Severity: high
Docs Contact:
Priority: unspecified
Version: 10.0 (Newton)
CC: fdinitto, mmagr, oblaut
Target Milestone: ---
Keywords: Tracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-24 09:35:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Leonid Natapov 2016-11-10 08:07:25 UTC
If the target server already has a firewall configured, it may have an existing DROP or REJECT rule in place, as in:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

In this case, if we append additional rules they will effectively be no-ops. This is mostly RHEL's fault, because the iptables service support doesn't really provide a way to do this cleanly, but we should try to figure out a way around it.
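
The ordering problem the report describes can be checked and avoided from a plain `iptables -S <chain>` listing: find the first catch-all DROP/REJECT rule, report any rules that sit behind it (those are the no-ops), and insert new rules with `-I <chain> <pos>` at that position instead of appending with `-A`. The script below is an added example written for this page; it is not part of opstools-ansible or the bug report. `SAMPLE_RULES` is a constructed listing in `iptables -S INPUT` format (on a real host you would pipe the live `iptables -S INPUT` output in instead), and the function names `first_terminal_rule`, `unreachable_rules` and `insert_cmd` are this example's own. `insert_cmd` only prints the command it would run.

```shell
#!/bin/sh
# Added example, not code from the bug report or from opstools-ansible.
# Works on the text format of `iptables -S <chain>` so it can run without
# root and without touching a live firewall.

# Constructed sample listing (not from the page). The last rule was appended
# after the catch-all REJECT and therefore never matches any packet.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 9100 -j ACCEPT'

# first_terminal_rule CHAIN < listing
# Prints the 1-based rule number of the first catch-all DROP/REJECT rule in
# CHAIN, or 0 if the chain has none. `iptables -S` prints match options
# before "-j", so a rule whose third field is already "-j" has no match
# options at all and terminates evaluation for every packet.
first_terminal_rule() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      if (!pos && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) pos = n
    }
    END { print pos + 0 }'
}

# unreachable_rules CHAIN < listing
# Prints every rule of CHAIN that comes after the catch-all rule; these are
# the appended rules the report calls no-ops. Prints nothing if all reachable.
unreachable_rules() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      if (pos) print
      else if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) pos = 1
    }'
}

# insert_cmd CHAIN RULESPEC... < listing
# Prints the iptables command that places RULESPEC in front of the catch-all
# rule (or appends when there is none). Nothing is executed.
insert_cmd() {
  chain=$1
  shift
  pos=$(first_terminal_rule "$chain")
  if [ "$pos" -gt 0 ]; then
    printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
  else
    printf 'iptables -A %s %s\n' "$chain" "$*"
  fi
}

# Demonstration on the constructed listing: show the dead rule, then the
# command that would have placed it correctly.
printf '%s\n' "$SAMPLE_RULES" | unreachable_rules INPUT
printf '%s\n' "$SAMPLE_RULES" | insert_cmd INPUT -p tcp --dport 9100 -j ACCEPT
```

Rule numbers are only valid for the listing they were computed from, so compute the position and run the insert in the same step rather than caching it; any rule added or removed in between shifts the numbers. Checking `unreachable_rules` against the running chain is also a cheap way to detect that an automation tool has appended behind the terminal rule.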

Comment 2 Martin Magr 2020-09-24 09:35:00 UTC
Project is deprecated.