Bug 1456558 - iptables support deprecation
Summary: iptables support deprecation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Core
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.2.0
: 4.2.0
Assignee: Ido Rosenzwig
QA Contact: samuel macko
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-29 15:03 UTC by Sandro Bonazzola
Modified: 2018-02-12 10:12 UTC

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
With this update, iptables has been deprecated in favor of firewalld. In Red Hat Virtualization 4.2 it is still possible to use iptables but iptables will not be supported in future releases.
Clone Of:
Environment:
Last Closed: 2018-02-12 10:12:08 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.2+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 79444 | 0 | 'None' | MERGED | packaging: setup: Add iptables deprecation message to the user | 2020-09-18 17:14:01 UTC

Description Sandro Bonazzola 2017-05-29 15:03:16 UTC
We are deprecating iptables in favor of firewalld.
It will still be possible to use iptables in 4.2 but we need to warn it won't be supported in future releases.

Comment 1 Yedidyah Bar David 2017-06-01 05:53:27 UTC
Please clarify whether we want to keep the current modular code that allows having different managers, or drop this intention. The latter doesn't have to mean actively changing lots of code, but it does change how we do future changes to the code, including current bug but definitely not limited to it.

Also please clarify if we want to keep full support for iptables in 4.2, or if it's ok to allow new additions to the firewall to work only with firewalld. This affects e.g. bug 1432354.

Also, whether we want to keep the current detailed instructions provided if the user does not want to, or cannot have (e.g. dev env) automatic firewall configuration. Please note that these are currently provided by all available providers - iptables, firewalld, and the always-available "human" (list of protocols/ports).

Last point, in particular, implies we might need to basically keep everything working as-is, and current bug can be as little as some notification to the user plus setting 'OVESETUP_CONFIG/validFirewallManagers' to be only 'firewalld' - perhaps only downstream - same way we set it to only 'iptables' in RHEL6 days - see bug 1023316.

Comment 2 Sandro Bonazzola 2017-06-14 14:08:55 UTC
In 4.2 we need to tell people iptables will be dropped but it still needs to work.
So I think we should keep current modular code, keeping full support for it, just warning we'll drop in next version.

Comment 3 samuel macko 2018-01-23 10:42:00 UTC
Verified in ovirt version 4.2.1.2-0.1.el7.

Info during upgrade/installation:
    --== NETWORK CONFIGURATION ==--

    ...
    NOTICE: iptables is deprecated and will be removed in future releases
    ...

Comment 4 Sandro Bonazzola 2018-02-12 10:12:08 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

