Description of problem:
After an AIO installation, these rules are missing:

# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

Version-Release number of selected component (if applicable):
si18

How reproducible:
100%

Steps to Reproduce:
1. install rhevm with a-i-o plugin
2. create VM & try to connect via SPICE
3.

Actual results:
[root@slot-7 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
41701   29M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 40903 packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
32774   17M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
 8043   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   11   660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
  663 39780 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769
  210 15670 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Expected results:
+ these:
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 5634:6166
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 49152:49216

Additional info:
Hello Pavel,

I used the following rules:
---
# guest consoles
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 49152:49216 -j ACCEPT
---
I think they should be better than what was proposed in comment#0.
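A verification check for the condition this bug describes, added here as an example and not the reporter's or oVirt's own code: it parses an `iptables -L -nv` listing and reports each expected console/migration ACCEPT rule as present, missing, or shadowed. The shadowed case goes slightly beyond the report: a rule that is present but appended after the chain's catch-all REJECT is never evaluated, which is why the rules belong inside RH-Firewall-1-INPUT ahead of that REJECT rather than appended to INPUT. Both listings are constructed, abridged from the one in the report.

```python
# Constructed sample shaped like the bug's `iptables -L -nv` output: the console
# rule was appended after the chain's catch-all REJECT (so it is never reached)
# and the migration rule is absent. Abridged to the rows that matter.
BROKEN_LISTING = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  210 15670 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 5634:6166
"""

# Same chain with the rules from the reply above placed before the REJECT (constructed).
FIXED_LISTING = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 5634:6166
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 49152:49216
  210 15670 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# (chain, protocol, port range) the AIO installer must open, as stated in the bug.
EXPECTED = [("RH-Firewall-1-INPUT", "tcp", "5634:6166"),    # guest consoles
            ("RH-Firewall-1-INPUT", "tcp", "49152:49216")]  # migration

def parse_chains(listing):
    """Map chain name -> ordered (target, prot, match-text) tuples from `iptables -L -nv`."""
    chains, cur = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
            chains[cur].append((f[2], f[3], f[9].strip() if len(f) > 9 else ""))
    return chains

def check_rules(listing, expected=EXPECTED):
    """Return {port_range: 'ok' | 'missing' | 'shadowed'} for each expected ACCEPT rule;
    'shadowed' means present but after a REJECT/DROP on all protocols, so never hit."""
    chains, verdict = parse_chains(listing), {}
    for chain, prot, ports in expected:
        verdict[ports], terminal_seen = "missing", False
        for target, rprot, match in chains.get(chain, []):
            if target == "ACCEPT" and rprot == prot and f"multiport dports {ports}" in match:
                verdict[ports] = "shadowed" if terminal_seen else "ok"
                break
            if target in ("REJECT", "DROP") and rprot == "all":
                terminal_seen = True
    return verdict
```

Run it against real output with `check_rules(subprocess.check_output(["iptables", "-L", "-nv"], text=True))`; the substring match also accepts rules that carry the `state NEW` prefix from the reply above.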
commit 11fe6de266b0fb6b64a1f40faa96a9c1edd74363
Author: Alon Bar-Lev <alonbl>
Date:   Fri Oct 5 01:48:24 2012 +0200

    packaging: open up firewall rules for console and migration in aio mode

    These ports are required for proper application use.

    Change-Id: Id2fb5346eaf8c800952df28657df701911586faa
    Signed-off-by: Alon Bar-Lev <alonbl>
    Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=857496

http://gerrit.ovirt.org/#/c/8374/

commit 6902899c8f0d6376b35e35e01e3f8b5161ec163c
Author: Alon Bar-Lev <alonbl>
Date:   Fri Oct 5 01:55:59 2012 +0200

    packaging: cleanup _configIptables

    1. use template file, do not search for comments.
    2. remove code duplications.
    3. handle files correctly.
    4. misc cleanups.

    Change-Id: Ic08891752b537ea04c56e8aef2040cc5e89cbea3
    Signed-off-by: Alon Bar-Lev <alonbl>

http://gerrit.ovirt.org/#/c/8373/
Merged upstream:
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=8358cd7f5e291344038efefea07f6b8121d6f4e5
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=7d473cd0ba5ff4f2a03274901e01d0ae7c781bdb
Merged downstream:
https://gerrit.eng.lab.tlv.redhat.com/gitweb?p=ovirt-engine.git;a=commit;h=ea85805b2d1366b0be7e826a9f550ab304310d73
https://gerrit.eng.lab.tlv.redhat.com/gitweb?p=ovirt-engine.git;a=commit;h=20ce060af60b1fdcf2685bd576765b817fb61319
ok - si24.2