Bug 1416748

Summary: punch iptables holes on OVN hosts during installation
Product: [oVirt] ovirt-engine Reporter: Mor <mkalfon>
Component: BLL.NetworkAssignee: Marcin Mirecki <mmirecki>
Status: CLOSED CURRENTRELEASE QA Contact: Meni Yakove <myakove>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.1.0CC: aloughla, atragler, bugs, danken, fleitner, mmirecki, nusiddiq, ovs-qe, rbryant, ylavi
Target Milestone: ovirt-4.1.1Flags: rule-engine: ovirt-4.1+
Target Release: 4.1.1.2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
For OVN central to work properly with firewalld enabled, ports must be opened up in firewalld. The fix will add the firewalld service: ovirt-provider-ovn-central.xml to /etc/firewalld/services This service must be added manually to the active firewalld service: firewall-cmd --zone=<zone to add service to> --add-service=ovirt-provider-ovn-central --permanent firewall-cmd --reload Note that if OVN-central is installed on a different host than the provider, the firewall service must be copied to that host and firewalld-cmd be run there. This is an interim solution until OVN ships the firewall scripts itself.
Story Points: ---
Clone Of: 1390938 Environment:
Last Closed: 2017-04-21 09:49:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1390938    
Bug Blocks: 1366899, 1411730    

Comment 1 Mor 2017-02-19 12:55:29 UTC
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2223 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp -m udp --dport 6081 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --dport 6081 -j ACCEPT

Rules applied after host installation, verified on version: Red Hat Virtualization Manager Version: 4.1.1.2-0.1.el7.