After having several bug reports of various netcf initialization failures related to this code, and an IRC discussion of the appropriateness of automatically tweaking firewall policy when examining interface configuration, we decided it was best to eliminate the code in netcf that modifies the iptables config to add this rule:
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT (see PATCH 2/2 for detailed reasons).

Note that, even with this code removed, there is still one other related problem - if there are no bridges defined on the system at boot time (in /etc/sysconfig/network-scripts/ifcfg-*), the setting of net.bridge.bridge-nf-call-iptables in sysctl.conf will not take effect, leaving the bridge module default setting of "1" in place. The result will be that (since the aforementioned iptables rule won't be added) traffic will not pass on any newly defined bridges until 1) the network service is restarted (or some other procedure that causes "sysctl -a -p" to be run), or 2) the system is rebooted. Fixing that is beyond the scope of netcf, though.

_______________________________________________
netcf-devel mailing list
https://fedorahosted.org/mailman/listinfo/netcf-devel
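The boot-ordering gap described above can be checked for from the admin side. The script below is an added example, not part of the netcf patch series or the netcf code base; it compares the value of net.bridge.bridge-nf-call-iptables configured in sysctl.conf with the live kernel value and reports whether "sysctl -p" needs re-running. The default paths and the function names (configured_brnf, live_brnf, check_brnf, report) are assumptions for a stock Linux host; both paths can be overridden through the environment.

```sh
#!/bin/sh
# Added example (not netcf code). If no bridge exists when sysctl.conf is
# applied at boot, the bridge module is not loaded yet, so the configured
# net.bridge.bridge-nf-call-iptables value is silently lost and the module
# default (1) applies to bridges created later: their frames then go through
# the iptables FORWARD chain. Paths below are assumed defaults.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
BRNF_PROC="${BRNF_PROC:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# configured_brnf CONF: print the value set in CONF (last one wins), or "unset".
configured_brnf() {
    val=$(sed -n 's/^[[:space:]]*net\.bridge\.bridge-nf-call-iptables[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
            "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# live_brnf PROCFILE: print the kernel's current value, or "absent" when the
# bridge module (and with it the sysctl) is not loaded at all.
live_brnf() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"; echo
    else
        echo absent
    fi
}

# check_brnf CONF PROCFILE: "ok", "stale" (configured value never applied),
# "absent" (no bridge module loaded) or "unset" (nothing configured).
check_brnf() {
    want=$(configured_brnf "$1")
    have=$(live_brnf "$2")
    if [ "$want" = unset ]; then echo unset
    elif [ "$have" = absent ]; then echo absent
    elif [ "$want" = "$have" ]; then echo ok
    else echo stale
    fi
}

# report: human-readable verdict against the real files; runs only with
# --check so the file can also be sourced for its functions.
report() {
    case "$(check_brnf "$SYSCTL_CONF" "$BRNF_PROC")" in
        stale)  echo "bridge-nf-call-iptables is $(live_brnf "$BRNF_PROC") but sysctl.conf sets $(configured_brnf "$SYSCTL_CONF"): run 'sysctl -p'" ;;
        absent) echo "bridge module not loaded; module default (1) will apply when the first bridge is created" ;;
        unset)  echo "net.bridge.bridge-nf-call-iptables is not set in $SYSCTL_CONF" ;;
        ok)     echo "bridge-nf-call-iptables matches sysctl.conf" ;;
    esac
}
if [ "${1:-}" = "--check" ]; then report; fi
```

Run it as `sh brnf-check.sh --check` after creating a new bridge; a "stale" verdict is exactly the state the mail describes, where the bridge module default is still in force.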
