Bug 893680 - Get rejected with an ICMP network prohibited message in IPTables after adding a new host to environment
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm
Version: 6.4
Hardware: x86_64 Linux
Priority: unspecified  Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Alon Bar-Lev
QA Contact: vvyazmin@redhat.com
Whiteboard: infra
Keywords: Regression
Depends On:
Blocks:
Reported: 2013-01-09 12:06 EST by vvyazmin@redhat.com
Modified: 2013-02-06 06:22 EST (History)
CC: 8 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-06 06:22:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Description vvyazmin@redhat.com 2013-01-09 12:06:07 EST
Description of problem:
Rejected with an ICMP network prohibited message in IPTables after adding a new host to environment

Version-Release number of selected component (if applicable):
RHEVM 3.2 - SF03 environment 

RHEVM: rhevm-3.2.0-4.el6ev.noarch
VDSM: vdsm-4.10.2-3.0.el6ev.x86_64
LIBVIRT: libvirt-0.10.2-13.el6.x86_64
QEMU & KVM: qemu-kvm-rhev-0.12.1.2-2.348.el6.x86_64
SANLOCK: sanlock-2.6-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add a new host to your environment (if needed, reinstall it)

Actual results:
In IPTables I get rejected with an ICMP network prohibited message

Expected results:
No need to reject the ICMP protocol right after installation of a new host.

Additional info:

[root@green-vdsb ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:16514 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports xprtld:6166 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 49152:49216 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


/var/log/ovirt-engine/engine.log

/var/log/vdsm/vdsm.log
Comment 2 vvyazmin@redhat.com 2013-01-10 03:12:40 EST
Regression - Yes

Test Blocker - No
Comment 4 Michal Skrivanek 2013-01-13 12:20:57 EST
this is infra

ACCEPT     all  --  anywhere             anywhere 
is that manual? doesn't make much sense to me...

Alon,related to bootstrap?
Comment 5 Alon Bar-Lev 2013-01-13 12:29:03 EST
(In reply to comment #4)
> this is infra
> 
> ACCEPT     all  --  anywhere             anywhere 
> is that manual? doesn't make much sense to me...
> 
> Alon,related to bootstrap?

Need the exact /etc/sysconfig/iptables of host.
Need the database configuration of IPTablesConfig, IPTablesConfigForVirt, IPTablesConfigForGluster.

Thanks!
Comment 6 vvyazmin@redhat.com 2013-01-14 03:02:45 EST
[root@green-vdsa ~]# cat /etc/sysconfig/iptables

# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT


# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT

# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT

# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT


# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT


-- DB Tables --

[root@kipi-rhevm ~]# echo " select * from vdc_options where option_name='IPTablesConfig'; " | psql -d engine -U postgres
Password for user postgres: 
 option_id |  option_name   |                                       option_value                                        | version 
-----------+----------------+-------------------------------------------------------------------------------------------+---------
       102 | IPTablesConfig |                                                                                           | general
                            : # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.   
                            : *filter                                                                                     
                            : :INPUT ACCEPT [0:0]                                                                         
                            : :FORWARD ACCEPT [0:0]                                                                       
                            : :OUTPUT ACCEPT [0:0]                                                                        
                            : -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                     
                            :                                                                                             
                            : -A INPUT -i lo -j ACCEPT                                                                    
                            : # vdsm                                                                                      
                            : -A INPUT -p tcp --dport 54321 -j ACCEPT                                                     
                            : # SSH                                                                                       
                            : -A INPUT -p tcp --dport 22 -j ACCEPT                                                        
                            : # snmp                                                                                      
                            : -A INPUT -p udp --dport 161 -j ACCEPT                                                       
                            :                                                                                             
                            : @CUSTOM_RULES@                                                                              
                            :                                                                                             
                            : # Reject any other input traffic                                                            
                            : -A INPUT -j REJECT --reject-with icmp-host-prohibited                                       
                            : -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited   
                            : COMMIT                                                                                      
                            :                                                                                             
(1 row)


[root@kipi-rhevm ~]# echo " select * from vdc_options where option_name='IPTablesConfigForVirt'; " | psql -d engine -U postgres
Password for user postgres: 
 option_id |      option_name      |                        option_value                         | version 
-----------+-----------------------+-------------------------------------------------------------+---------
       104 | IPTablesConfigForVirt |                                                             | general
                                   : # libvirt tls                                                 
                                   : -A INPUT -p tcp --dport 16514 -j ACCEPT                       
                                   :                                                               
                                   : # guest consoles                                              
                                   : -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT     
                                   :                                                               
                                   : # migration                                                   
                                   : -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT   
                                   :                                                               
(1 row)


[root@kipi-rhevm ~]# echo " select * from vdc_options where option_name='IPTablesConfigForGluster'; " | psql -d engine -U postgres
Password for user postgres: 
 option_id |       option_name        |                     option_value                      | version 
-----------+--------------------------+-------------------------------------------------------+---------
       103 | IPTablesConfigForGluster |                                                       | general
                                      : # glusterd                                              
                                      : -A INPUT -p tcp -m tcp --dport 24007 -j ACCEPT          
                                      :                                                         
                                      : # portmapper                                            
                                      : -A INPUT -p udp -m udp --dport 111   -j ACCEPT          
                                      : -A INPUT -p tcp -m tcp --dport 38465 -j ACCEPT          
                                      : -A INPUT -p tcp -m tcp --dport 38466 -j ACCEPT          
                                      :                                                         
                                      : # nfs                                                   
                                      : -A INPUT -p tcp -m tcp --dport 38467 -j ACCEPT          
                                      :                                                         
                                      : # status                                                
                                      : -A INPUT -p tcp -m tcp --dport 39543 -j ACCEPT          
                                      : -A INPUT -p tcp -m tcp --dport 55863 -j ACCEPT          
                                      :                                                         
                                      : # nlockmgr                                              
                                      : -A INPUT -p tcp -m tcp --dport 38468 -j ACCEPT          
                                      : -A INPUT -p udp -m udp --dport 963   -j ACCEPT          
                                      : -A INPUT -p tcp -m tcp --dport 965   -j ACCEPT          
                                      :                                                         
                                      : # ctdbd                                                 
                                      : -A INPUT -p tcp -m tcp --dport 4379  -j ACCEPT          
                                      :                                                         
                                      : # smbd                                                  
                                      : -A INPUT -p tcp -m tcp --dport 139   -j ACCEPT          
                                      : -A INPUT -p tcp -m tcp --dport 445   -j ACCEPT          
                                      :                                                         
                                      : # Ports for gluster volume bricks (default 100 ports)   
                                      : -A INPUT -p tcp -m tcp --dport 24009:24108 -j ACCEPT    
                                      :                                                         
(1 row)
Comment 7 Alon Bar-Lev 2013-01-14 03:53:31 EST
As you can see in /etc/sysconfig/iptables there is the exact content that is sent by the engine.

There must be some manual usage of iptables or some other component that configures iptables at that host.

If that host is fedora-18, make sure you have firewalld installed and disabled; this is what the host deploy process should do.
Comment 8 vvyazmin@redhat.com 2013-01-14 04:43:55 EST
(In reply to comment #7)
> As you can see in /etc/sysconfig/iptables there is the exact content that is
> sent by the engine.
> 
> There must be some manual usage of iptables or some other component that
> configures iptables at that host.
> 
> If that host is fedora-18 make sure you have firewalld installed and
> disabled, this what the host deploy process should do.



It's a clean and new installation of the whole environment
OS Hosts: RHEL 6.4

This rule was created with the installation of RHEVM
Comment 9 Alon Bar-Lev 2013-01-14 04:56:04 EST
Please execute:

# service iptables restart
# iptables -L

And see if you got anything different from what in /etc/sysconfig/iptables

If you do, please look for what is altering iptables on that system, or there is a bug in iptables (unlikely).

If you don't, please try to reproduce or understand which other component used iptables.

Thanks.
Comment 11 Alon Bar-Lev 2013-01-14 10:49:23 EST
Tested on designated host.

1. iptables -S provides the correct format.
2. Using nc to listen on ports not in the configuration, no external connections can be made.

So as far as I see, behavior has not changed since 3.1 and is correct; whatever is in the engine database is pushed correctly to the host.

Please describe what you think is incorrect.

Thanks,
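The check described in comments 9 and 11 (render the engine template from comment 6 with @CUSTOM_RULES@ filled in, then compare it with what the host is really running), as an added example; this is not vdsm's bootstrap code and was not posted in the bug. It assumes the live ruleset is taken from `iptables-save` rather than `iptables -L`: `-L` without `-v` omits the input interface, which is why the `-i lo` rule appears as `ACCEPT all -- anywhere anywhere` in comment 4 and looked like a manual accept-all. `iptables-save` and `iptables -S` also rewrite rules on the way out (an implicit `-m tcp`/`-m udp` is added, the state list is printed as `RELATED,ESTABLISHED` as seen in the `iptables -L` output of the description, and packet counters are appended to policy lines), so a plain `diff` against /etc/sysconfig/iptables reports false drift unless both sides are normalised first. The template and virt profile are the values from comment 6; the `iptables-save` output and the extra port-8080 rule in the drifted sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not vdsm's bootstrap code: render the engine's IPTablesConfig
# template (the @CUSTOM_RULES@ line is replaced by the profile rules) and compare
# it with the host's ruleset, normalised so that iptables-save's own rewrites
# (-m tcp/-m udp added, state list reordered, counters appended) are not drift.

# Constructed sample inputs, copied from the values shown in comment 6.  On a
# real engine they come from vdc_options; on a real host RUNNING is the output
# of `iptables-save` (constructed here).
TEMPLATE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT

@CUSTOM_RULES@

# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT'

VIRT_RULES='# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT'

RUNNING='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [3012:241560]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2871:310044]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same host after some other component (hypothetical) opened one more port.
DRIFTED=$(printf '%s\n' "$RUNNING" |
  awk '{ print } /--dport 161 / { print "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT" }')

# Replace the @CUSTOM_RULES@ line with the profile rules (virt here, gluster on
# a gluster host).  ENVIRON avoids awk's escape processing of -v values.
render_template() {  # $1 template text, $2 profile rules text
  printf '%s\n' "$1" | CUSTOM_RULES="$2" awk '
    NF == 1 && $1 == "@CUSTOM_RULES@" { print ENVIRON["CUSTOM_RULES"]; next } { print }'
}

# Canonical one-rule-per-line form; order is preserved because iptables order matters.
normalize_rules() {  # stdin: sysconfig or iptables-save text
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^\*/ || /^COMMIT/ { next }
    { gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
    /^:/ { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print; next }   # policy line, counters dropped
    {
      if ($0 ~ /-p tcp /) sub(/ -m tcp /, " ")             # implicit match module
      if ($0 ~ /-p udp /) sub(/ -m udp /, " ")
      if (match($0, /--state [A-Z,]+/)) {                  # state list is a set: sort it
        n = split(substr($0, RSTART + 8, RLENGTH - 8), st, ",")
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
          if (st[j] < st[i]) { t = st[i]; st[i] = st[j]; st[j] = t }
        s = st[1]; for (i = 2; i <= n; i++) s = s "," st[i]
        $0 = substr($0, 1, RSTART + 7) s substr($0, RSTART + RLENGTH)
      }
      print
    }'
}

# Exit 0 when the host matches the rendered template, 1 on drift; diff lines
# starting with ">" are rules present on the host but never sent by the engine.
rules_diff() {  # $1 expected text, $2 running text
  e=$(mktemp) && r=$(mktemp) || return 2
  printf '%s\n' "$1" | normalize_rules > "$e"
  printf '%s\n' "$2" | normalize_rules > "$r"
  if diff "$e" "$r"; then rc=0; else rc=1; fi
  rm -f "$e" "$r"
  return $rc
}

# ACCEPT rules with no match criterion at all.  `iptables -L` without -v hides
# the interface, so "-A INPUT -i lo -j ACCEPT" prints as "ACCEPT all anywhere
# anywhere" (comment 4); only a rule with no -i/-p/-s/-d/-m really accepts all.
unrestricted_accepts() {  # stdin: rule text
  normalize_rules | awk '$1 == "-A" && NF == 4 && $3 == "-j" && $4 == "ACCEPT"'
}

EXPECTED=$(render_template "$TEMPLATE" "$VIRT_RULES")
echo "== clean host:";   rules_diff "$EXPECTED" "$RUNNING" && echo "no drift"
echo "== drifted host:"; rules_diff "$EXPECTED" "$DRIFTED" || echo "drift: find what added the extra rule"
echo "== unrestricted ACCEPT rules (expect none):"; printf '%s\n' "$RUNNING" | unrestricted_accepts
```

On a real host the call is `rules_diff "$(render_template "$TEMPLATE" "$VIRT_RULES")" "$(iptables-save)"` with the two texts pulled from vdc_options; passing the IPTablesConfigForGluster value as the profile rules checks a gluster host the same way. Anything printed with a leading ">" is what comment 9 asks you to hunt for: a rule that something other than the engine put there.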
Comment 12 vvyazmin@redhat.com 2013-02-06 06:22:04 EST
Not a bug
