On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nico...@ecarnot.net> wrote:
> Hello,
>
> On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
> since years with engine-config --set IPTablesConfigSiteCustom="blah blah
> blah".
>
> On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain
> the correct custom rules I added, but when manually checking with iptables
> -L, I don't see my rules active.
>
> On my hosts, I see that the iptables services is stopped and disabled, and
> that the firewalld service is up and running.
>
> That explains why iptables customization has no effect.

Indeed. IIRC the type of firewall is now set per cluster or something
like that, not sure about the details - adding Ondra.

>
> In the engine setup, I see that
> /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains :
> OVESETUP_CONFIG/firewallManager=none:None
>
> I'm confused about this setting : when running engine-setup, I'm not sure to
> understand if answering yes to the question about the firewall will modify
> the engine, the hosts, or all of them?

Only the engine.

>
> Actually, I'd like my engine to stay with a disabled firewall, but my hosts
> with an active one.

So you should reply 'No' as you did in 'engine-setup', and handle
iptables/firewalld on the engine after it's set up (upgraded), I think
from the ui.

>
> Is it true to say that this is not an option and I have to answer yes,
> enable the firewall on the engine, allowing the
> OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or
> iptables), thus allowing the spread of this setup towards the hosts?

No, they are unrelated.

Best regards,
--
Didi