Description of problem:
RHEV docs suggest that users enable ICMP on hosts: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5-Beta/html/Installation_Guide/Virtualization_Host_Firewall_Requirements1.html but the IPTablesConfig key that contains the iptables configuration actually deployed on hosts is missing the icmp bit:

# engine-config -g IPTablesConfig | grep "icmp.*ACCEPT"
#

IMO the automatic configuration should match the default and if there is a security concern, only the problematic icmp types should be disabled (redirects) or somehow limited (so that v6 router advertisements are accepted only from legitimate routers)

Version-Release number of selected component (if applicable):
ever since "Configure host firewall" was introduced 3.5 / vt9

How reproducible:
always

Steps to Reproduce:
1. check default IPTablesConfig key value
2.
3.

Actual results:
icmp is not allowed at all

Expected results:
icmp should be allowed

Additional info:
this bug can lead to inefficient operation such as oVirt bug 1028669.
Hi Alon, I noticed you removed this in [65c096c98767bf3469820e135e7b1666d36f7f78], what was the reasoning and shouldn't this be reflected in the documentation as well?
(In reply to Lior Vernia from comment #1)
> Hi Alon, I noticed you removed this in
> [65c096c98767bf3469820e135e7b1666d36f7f78], what was the reasoning and
> shouldn't this be reflected in the documentation as well?

what was removed?
this is since:

commit 0b40c5a39fd8058c5deafd1ace8aa24937261868
Author: Selvasundaram <sesubram>
Date:   Fri Sep 7 18:02:50 2012 +0530

    engine: Firewall configuration modified to support virt and gluster iptable rules.

    - Added a place holder to support additional iptable rules for supported services (e.g. virt, gluster etc.,) in Generic iptables config.
    - virt and gluster iptables rules are added in config.

    Change-Id: I5a5958e870d3315316a59e1038101b2511bf8815
    Signed-off-by: Selvasundaram <sesubram>

not that I mind if we fix it... notice the evil change between the fn_db_update_config_value and the fn_db_add_config_value, this is the config subsystem mess we have of storing defaults in database.
ok, vt13.7

engine=# select option_value from vdc_options where option_name ilike 'IPTablesConfig';
 option_value
-------------------------------------------------------------------------------------------
 # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 # vdsm
 -A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
 # SSH
 -A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
 # snmp
 -A INPUT -p udp --dport 161 -j ACCEPT
 @CUSTOM_RULES@
 # Reject any other input traffic
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
 COMMIT
(1 row)

engine=# \q
-bash-4.1$ logout
[root@jb-rhevm35 ~]# iptables-save | grep icmp
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
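As an added example, not code from this bug or from the engine, here is a small Python audit of the IPTablesConfig template shown in comment #5: it expands the placeholders (the 54321/22 defaults are assumed), repeats the ordering-aware check comment #0 did with grep, and applies the narrower fix the reporter proposes, dropping only ICMP redirects instead of all ICMP. The template constants are constructed from the value above, and the redirect DROP rule is an assumption, not something the engine ships.

```python
import re

# Constructed sample modelled on the IPTablesConfig value shown in comment #5
# (placeholders left unexpanded, as the engine stores them).
TEMPLATE_WITH_ICMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The variant the reporter found in engine-config: same template, ICMP line missing.
TEMPLATE_WITHOUT_ICMP = TEMPLATE_WITH_ICMP.replace("-A INPUT -p icmp -j ACCEPT\n", "")

def render(template, vdsm_port=54321, ssh_port=22, custom_rules=""):
    """Expand the engine's placeholders (assumed default ports) into deployable rules."""
    return (template.replace("@VDSM_PORT@", str(vdsm_port))
                    .replace("@SSH_PORT@", str(ssh_port))
                    .replace("@CUSTOM_RULES@", custom_rules))

def icmp_accepted(rules):
    """True if an INPUT rule accepts ICMP before the catch-all REJECT is reached.
    Order matters: an ACCEPT placed after the REJECT would never be evaluated."""
    for line in rules.splitlines():
        if re.match(r"-A INPUT -p icmp\b.*-j ACCEPT$", line):
            return True
        if line.startswith("-A INPUT -j REJECT"):
            return False
    return False

def restrict_redirects(rules):
    """Keep ICMP reachable but drop redirects (type 5), the type the reporter flags,
    by inserting the DROP immediately before the blanket ICMP ACCEPT (assumed rule)."""
    out = []
    for line in rules.splitlines():
        if re.match(r"-A INPUT -p icmp -j ACCEPT$", line):
            out.append("-A INPUT -p icmp -m icmp --icmp-type redirect -j DROP")
        out.append(line)
    return "\n".join(out) + "\n"
```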
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.