Bug 450397 - RHEL5.1: Firewall settings for multicast address poorly explained
Summary: RHEL5.1: Firewall settings for multicast address poorly explained
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: doc-Cluster_Administration
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Paul Kennedy
QA Contact: Content Services Development
URL:
Whiteboard:
Depends On:
Blocks: 458882 458884
 
Reported: 2008-06-07 14:47 UTC by Martin Waite
Modified: 2015-04-20 00:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-13 21:04:12 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Revised content in PDF and HTML printed to PDF. (202.63 KB, application/zip)
2008-08-12 21:01 UTC, Paul Kennedy

Description Martin Waite 2008-06-07 14:47:07 UTC
Description of problem:

Documentation of the iptables settings is incorrect for a cluster in RHEL 5.1.

Version-Release number of selected component (if applicable):

Cluster_Administration RHEL 5.1 (2008-01-10T14:58)

How reproducible:

Follow the instructions for building a cluster using the iptables settings in
chapter 2, and the luci instructions in chapter 3. The nodes will reboot, etc.,
but will not join.

Steps to Reproduce:
1.  Apply the iptables settings described in chapter 2, sections 2.1 and 2.2,
changing the IP address as appropriate for your nodes.
2.  Install and start ricci and luci as per chapter 3, section 2.
3.  Create and configure the cluster as per chapter 3, section 3.
  
Actual results:

We see the nodes reboot, etc., but the final join stage times out.

Expected results:

The cluster should start with all nodes joined.

Additional info:

The problem is with the firewall settings for the multicast socket.  The
document gives us:

iptables -A INPUT -i 10.10.10.200 -m multiport -m state --state NEW -p udp
-s 10.10.10.0/24 -d 10.10.10.0/24 --dports 5404,5405 -j ACCEPT

This cannot work: the multicast socket has to be in the range 224.0.0.0 to
239.255.255.255. The firewall needs to be set so that the destination is the
multicast address, with the source as the unicast IP address of the interface.

On my configuration, I used the command:

iptables -A INPUT -s 192.168.2.0/255.255.255.0 -d 224.0.0.0/4 -p udp -m
state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

By default, the cluster will be assigned a multicast address that is based on a
hash of the cluster name, and so will not be known in advance (hence the /4
setting on the destination).  Perhaps the example in the manual should use a
fixed multicast address and apply more specific firewalling to it.
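
Added example, not part of the report or of the Cluster Administration manual: a small Python model of the match fields the two rules above use (-s, -d, -p, --dports), run against constructed sample datagrams. It shows that the manual's rule, whose destination is the node subnet, matches node-to-node unicast but can never match the cluster's multicast join traffic, while the corrected rule with a 224.0.0.0/4 destination does. The packet addresses, and in particular 239.192.1.2 standing in for the address cman derives from the cluster name, are made-up values inside the ranges the report describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The IPv4 multicast range the report refers to: 224.0.0.0 - 239.255.255.255.
MULTICAST_NET = ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    """Fields of a datagram that the rules below look at."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Subset of an iptables ACCEPT rule: -s, -d, -p and --dports."""
    src_net: str
    dst_net: str
    proto: str
    dports: tuple

    def mismatches(self, pkt):
        """Names of the match fields that fail for pkt; an empty list means the rule matches."""
        failed = []
        if ip_address(pkt.src) not in ip_network(self.src_net, strict=False):
            failed.append("src")
        if ip_address(pkt.dst) not in ip_network(self.dst_net, strict=False):
            failed.append("dst")
        if pkt.proto != self.proto:
            failed.append("proto")
        if pkt.dport not in self.dports:
            failed.append("dport")
        return failed

    def matches(self, pkt):
        return not self.mismatches(pkt)


def is_multicast(addr):
    """True if addr lies in 224.0.0.0/4, the only destinations a multicast rule should name."""
    return ip_address(addr) in MULTICAST_NET


# Rule as printed in the manual: both source and destination are the node subnet.
MANUAL_RULE = Rule("10.10.10.0/24", "10.10.10.0/24", "udp", (5404, 5405))
# Corrected rule from the report: destination is any multicast address.
FIXED_RULE = Rule("10.10.10.0/24", "224.0.0.0/4", "udp", (5404, 5405))

# Constructed sample traffic (addresses are made up for this example).
MULTICAST_PKT = Packet("10.10.10.11", "239.192.1.2", "udp", 5405)  # cluster join traffic
UNICAST_PKT = Packet("10.10.10.11", "10.10.10.12", "udp", 5405)    # node-to-node unicast
SSH_PKT = Packet("10.10.10.11", "10.10.10.12", "tcp", 22)          # unrelated traffic


def report(rules, packets):
    """One verdict line per (rule, packet) pair, naming the fields that prevented a match."""
    lines = []
    for name, rule in rules.items():
        for pkt in packets:
            failed = rule.mismatches(pkt)
            verdict = "ACCEPT" if not failed else "no match on " + ", ".join(failed)
            lines.append(f"{name:<7} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict}")
    return lines


if __name__ == "__main__":
    for line in report({"manual": MANUAL_RULE, "fixed": FIXED_RULE},
                       [MULTICAST_PKT, UNICAST_PKT, SSH_PKT]):
        print(line)
```

The model ignores -i, -m state and rule order, which do not affect the point being made: for the multicast datagram the only field the manual's rule fails on is the destination, and that is exactly what the corrected rule changes.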

Comment 1 Paul Kennedy 2008-08-12 21:01:19 UTC
Created attachment 314141 [details]
Revised content in PDF and HTML printed to PDF.

Revised content in PDF and HTML printed to PDF is included.

Comment 2 Paul Kennedy 2008-08-12 21:03:32 UTC
Revised content is attached in both PDF and HTML output formats. Revised content has been reviewed and approved by subject matter expert. Fixed in 5.3 branch. Will merge with published versions.

Comment 3 Paul Kennedy 2008-08-13 21:04:12 UTC
Problem will be fixed in RHEL 5.3 and RHEL 5.2 versions.

