Bug 1416748 - punch iptables holes on OVN hosts during installation
Summary: punch iptables holes on OVN hosts during installation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Network
Version: 4.1.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ovirt-4.1.1
: 4.1.1.2
Assignee: Marcin Mirecki
QA Contact: Meni Yakove
URL:
Whiteboard:
Depends On: 1390938
Blocks: 1366899 1411730
Reported: 2017-01-26 11:04 UTC by Mor
Modified: 2017-04-21 09:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
For OVN central to work properly with firewalld enabled, the ports it uses must be opened in firewalld. The fix adds the firewalld service definition ovirt-provider-ovn-central.xml to /etc/firewalld/services. This service must then be added manually to the active firewalld zone:

firewall-cmd --zone=<zone to add service to> --add-service=ovirt-provider-ovn-central --permanent
firewall-cmd --reload

Note that if OVN central is installed on a different host than the provider, the service file must be copied to that host and firewall-cmd run there. This is an interim solution until OVN ships the firewall scripts itself.
Clone Of: 1390938
Environment:
Last Closed: 2017-04-21 09:49:08 UTC
oVirt Team: Network
Embargoed:
rule-engine: ovirt-4.1+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 71578 0 master MERGED engine: open iptables holes on OVN hosts 2017-02-10 14:48:11 UTC
oVirt gerrit 72157 0 ovirt-engine-4.1 MERGED engine: open iptables holes on OVN hosts 2017-02-14 08:55:26 UTC
oVirt gerrit 72690 0 ovirt-4.1 MERGED open firewalld holes for OVN databases. 2017-02-22 09:35:01 UTC

Comment 1 Mor 2017-02-19 12:55:29 UTC
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2223 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp -m udp --dport 6081 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --dport 6081 -j ACCEPT

Rules applied after host installation, verified on version: Red Hat Virtualization Manager Version: 4.1.1.2-0.1.el7.

