> -Original Message-
> From: Marcus Sorensen [mailto:shadow...@gmail.com]
> Sent: Friday, September 14, 2012 9:43 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: iptables rules on hosts
>
> Yes, it seems RHEL/CentOS sets up the FORWARD chain to reject by
Yes, it seems RHEL/CentOS sets up the FORWARD chain to reject by
default. They also include net.bridge.bridge-nf-call-iptables = 0 in
the sysctl.conf by default.
If I'm reading this right, security_group.py only adds those rules on
the default_network_* calls. It looks like the default rules are o
On your system, is the default policy to reject everything? If that's the case,
then we should not set nf-bridge to 1. Btw, I think current KVM code always
trying to setup iptables rules for vms in basic zone, even security group is
disabled on the mgt server. We'd better fix it.
Sent from my i
Yes, it should be set to 0 if not using security groups, right? Unless I
didn't understand something and security_group.py is called to fix things
up even when you are not using security groups, but I didn't see that
behavior. I just got an empty FORWARD table that rejected all bridge
traffic due t
Security_group.py -> addfwframework will set bridge-nf-call-iptables to 1. It
should be called when agent starts.
Sent from my iPhone
On Sep 13, 2012, at 11:10 PM, "Marcus Sorensen" wrote:
> Now that I'm not running security groups (VPC), I was running into
> issues with iptables filtering bri
Now that I'm not running security groups (VPC), I was running into
issues with iptables filtering bridged traffic. I know the easy fixes
(iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT or
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables), but in
looking through the documentati