> -----Original Message-----
> From: Marcus Sorensen [mailto:[email protected]]
> Sent: Friday, September 14, 2012 9:43 AM
> To: [email protected]
> Subject: Re: iptables rules on hosts
>
> Yes, it seems RHEL/CentOS sets up the FORWARD chain to reject by
> default. They also include net.bridge.bridge-nf-call-iptables = 0 in
> the sysctl.conf by default.
>
> If I'm reading this right, security_group.py only adds those rules on
> the default_network_* calls. It looks like the default rules are only
> called when starting a vm if there's an isolation method that's of the
> ec2 scheme. Does this mean the isolation URI in the database will say
> 'ec2'? If so I don't see how this is being triggered. It's also
> called in 'handleVmMigrated', but that seems to check the VM to see if
> security groups are enabled.

Ec2 scheme means the basic zone. There is a bug: on the agent/resource side, in the start command, we need to check whether security group is enabled or not by checking isSecurityGroupEnabled in nicTO, instead of the isolation URI, because security group can be enabled or disabled in a basic zone. If isSecurityGroupEnabled is false, we should not set default iptables rules at all, or just explicitly turn off bridge_nf_call_iptables.

>
> On Fri, Sep 14, 2012 at 2:00 AM, Edison Su <[email protected]> wrote:
> > On your system, is the default policy to reject everything? If that's
> > the case, then we should not set nf-bridge to 1. Btw, I think current
> > KVM code always trying to setup iptables rules for vms in basic zone,
> > even security group is disabled on the mgt server. We'd better fix it.
> >
> > Sent from my iPhone
> >
> > On Sep 13, 2012, at 11:36 PM, "Marcus Sorensen" <[email protected]> wrote:
> >
> >> Yes, it should be set to 0 if not using security groups, right? Unless I
> >> didn't understand something and security_group.py is called to fix things
> >> up even when you are not using security groups, but I didn't see that
> >> behavior. I just got an empty FORWARD table that rejected all bridge
> >> traffic due to that setting being 1.
> >> On Sep 14, 2012 12:25 AM, "Edison Su" <[email protected]> wrote:
> >>
> >>> Security_group.py -> addfwframework will set bridge-nf-call-iptables to 1.
> >>> It should be called when agent starts.
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Sep 13, 2012, at 11:10 PM, "Marcus Sorensen" <[email protected]>
> >>> wrote:
> >>>
> >>>> Now that I'm not running security groups (VPC), I was running into
> >>>> issues with iptables filtering bridged traffic. I know the easy fixes
> >>>> (iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT or
> >>>> echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables), but in
> >>>> looking through the documentation and the code it doesn't seem like
> >>>> there's any provisions to help. Is there something in the advanced
> >>>> network code that should be doing this if security groups are
> >>>> disabled, or should it be in the install guide?
> >>>

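The failure mode discussed in this thread (bridge-nf-call-iptables set to 1 on a host whose FORWARD chain rejects everything, so bridged VM traffic is silently dropped) is easy to check for from the host. The following is an added example, not code from CloudStack or from anyone on the thread: it parses `iptables -S FORWARD` output, combines it with the bridge-nf-call-iptables value, and reports whether bridged frames would be filtered and whether that matches the zone's security-group setting. The sample chain contents are constructed to resemble a stock RHEL/CentOS FORWARD chain; the function names and the `advise` verdict strings are this example's own.

```python
"""Diagnose whether bridged VM traffic on a KVM host will be caught by the
FORWARD chain (added example; not CloudStack's security_group.py)."""
import re
import subprocess

SYSCTL_PATH = "/proc/sys/net/bridge/bridge-nf-call-iptables"

# Constructed sample resembling a stock RHEL/CentOS FORWARD chain:
# policy ACCEPT but a trailing catch-all REJECT, so nothing gets forwarded.
CENTOS_DEFAULT_FORWARD = (
    "-P FORWARD ACCEPT\n"
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n"
)

# Constructed sample after the "easy fix" from the thread has been applied.
BRIDGE_ACCEPT_FORWARD = (
    "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n"
) + CENTOS_DEFAULT_FORWARD


def parse_forward_chain(iptables_s_output):
    """Return (policy, [rule specs]) from `iptables -S FORWARD` text."""
    policy, rules = None, []
    for line in iptables_s_output.splitlines():
        line = line.strip()
        m = re.match(r"^-P FORWARD (\S+)$", line)
        if m:
            policy = m.group(1)
        elif line.startswith("-A FORWARD "):
            rules.append(line[len("-A FORWARD "):])
    return policy, rules


def _split_rule(rule):
    """Split 'matches -j TARGET [target options]' into (matches, target)."""
    if " -j " in rule:
        matches, _, target_part = rule.partition(" -j ")
        return matches.strip(), target_part.split()[0]
    if rule.startswith("-j "):
        return "", rule.split()[1]
    return rule, None


def bridged_traffic_blocked(bridge_nf_call_iptables, iptables_s_output):
    """True if frames crossing a Linux bridge would be rejected or dropped."""
    if int(bridge_nf_call_iptables) == 0:
        return False  # bridged frames never enter the FORWARD chain
    policy, rules = parse_forward_chain(iptables_s_output)
    for rule in rules:  # first matching terminal rule wins
        matches, target = _split_rule(rule)
        if target == "ACCEPT" and "--physdev-is-bridged" in matches:
            return False
        if target in ("REJECT", "DROP") and matches == "":
            return True  # catch-all reject/drop before any bridge accept
    return policy == "DROP"


def advise(security_groups_enabled, bridge_nf_call_iptables, iptables_s_output):
    """Compare host state with what the zone's security-group setting needs."""
    blocked = bridged_traffic_blocked(bridge_nf_call_iptables, iptables_s_output)
    if security_groups_enabled:
        if int(bridge_nf_call_iptables) == 0:
            return "sg-enabled-but-nf-call-off"  # security_group.py rules cannot apply
        return "sg-enabled-ok"
    if blocked:
        return "sg-disabled-bridge-blocked"  # set nf-call to 0 or accept bridged frames
    return "sg-disabled-ok"


def read_host_state():
    """Read the live values; returns (nf_call, forward_chain) or None off-host."""
    try:
        with open(SYSCTL_PATH) as f:
            nf_call = int(f.read().strip())
        out = subprocess.run(["iptables", "-S", "FORWARD"], check=True,
                             capture_output=True, text=True).stdout
        return nf_call, out
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    state = read_host_state()
    if state is None:
        print("not on a KVM host; using constructed sample chains")
        print(advise(False, 1, CENTOS_DEFAULT_FORWARD))
        print(advise(False, 1, BRIDGE_ACCEPT_FORWARD))
    else:
        print(advise(False, *state))
```

Run as root on the host it prints a verdict for a security-group-disabled zone; off-host it falls back to the constructed samples. The first rule in the chain that is either a catch-all REJECT/DROP or a `--physdev-is-bridged` ACCEPT decides the outcome, mirroring how iptables evaluates the chain top-down.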