From: Marcus Sorensen
To: cloudstack-dev@incubator.apache.org
Date: Fri, 14 Sep 2012 00:30:39 -0600
Subject: Re: iptables rules on hosts
In-Reply-To: <488A7BD3-461D-4CEA-9E3C-6F06173F80C3@citrix.com>

Yes, it should be set to 0 if not using security groups, right? Unless I didn't understand something and security_group.py is called to fix things up even when you are not using security groups, but I didn't see that behavior. I just got an empty FORWARD table that rejected all bridge traffic due to that setting being 1.

On Sep 14, 2012 12:25 AM, "Edison Su" wrote:
> Security_group.py -> addfwframework will set bridge-nf-call-iptables to 1.
> It should be called when agent starts.
>
> Sent from my iPhone
>
> On Sep 13, 2012, at 11:10 PM, "Marcus Sorensen" wrote:
>
> > Now that I'm not running security groups (VPC), I was running into
> > issues with iptables filtering bridged traffic. I know the easy fixes
> > (iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT or
> > echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables), but in
> > looking through the documentation and the code it doesn't seem like
> > there are any provisions to help. Is there something in the advanced
> > network code that should be doing this if security groups are
> > disabled, or should it be in the install guide?
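A host-side check for the situation the thread describes, added here as an example (it is not code from the thread or from CloudStack's security_group.py): given the value of bridge-nf-call-iptables and an iptables-save dump of the filter table, it reports whether bridged guest traffic will be dropped by the FORWARD chain. The function name and the sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# bridge_traffic_verdict <bridge-nf-call-iptables value> <iptables-save text>
# Prints one of: not-filtered, bypass-rule, filtered-by-FORWARD
bridge_traffic_verdict() {
    local nf_call="$1" dump="$2"
    # With the sysctl at 0 the bridge never hands frames to iptables, so the
    # FORWARD chain is irrelevant (the state expected without security groups).
    if [ "$nf_call" = "0" ]; then
        echo "not-filtered"
        return 0
    fi
    # Sysctl is 1: bridged frames traverse FORWARD. An explicit physdev ACCEPT
    # (the rule quoted in the original mail) short-circuits the chain.
    if printf '%s\n' "$dump" | grep -Eq -- '^-A FORWARD .*--physdev-is-bridged .*-j ACCEPT'; then
        echo "bypass-rule"
        return 0
    fi
    # Otherwise the chain policy and any catch-all DROP/REJECT rule decide;
    # this is the "empty FORWARD table rejecting bridge traffic" symptom.
    local policy
    policy=$(printf '%s\n' "$dump" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p')
    if [ "$policy" = "ACCEPT" ] && ! printf '%s\n' "$dump" | grep -Eq -- '^-A FORWARD .*-j (DROP|REJECT)'; then
        echo "not-filtered"
    else
        echo "filtered-by-FORWARD"
    fi
}

# Constructed dump: a distro-default filter table whose FORWARD chain ends in
# REJECT, so bridged frames are refused once the sysctl is 1.
SAMPLE_REJECT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed dump: the same table after inserting the physdev bypass rule.
SAMPLE_BYPASS='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

bridge_traffic_verdict 1 "$SAMPLE_REJECT"   # filtered-by-FORWARD
bridge_traffic_verdict 1 "$SAMPLE_BYPASS"   # bypass-rule
bridge_traffic_verdict 0 "$SAMPLE_REJECT"   # not-filtered
```

On a live host the two inputs come from `cat /proc/sys/net/bridge/bridge-nf-call-iptables` and `iptables-save -t filter`; the function itself needs no privileges, so the dump can be collected once and checked offline.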