incubator-cloudstack-dev mailing list archives

From Edison Su <Edison...@citrix.com>
Subject Re: iptables rules on hosts
Date Fri, 14 Sep 2012 08:00:33 GMT
On your system, is the default policy to reject everything? If that's the case, then we should
not set nf-bridge to 1. Btw, I think the current KVM code is always trying to set up iptables rules
for VMs in a basic zone, even when security group is disabled on the mgt server. We'd better fix
it.

Sent from my iPhone

On Sep 13, 2012, at 11:36 PM, "Marcus Sorensen" <shadowsor@gmail.com> wrote:

> Yes, it should be set to 0 if not using security groups, right? Unless I
> didn't understand something and security_group.py is called to fix things
> up even when you are not using security groups, but I didn't see that
> behavior. I just got an empty FORWARD table that rejected all bridge
> traffic due to that setting being 1.
> On Sep 14, 2012 12:25 AM, "Edison Su" <Edison.su@citrix.com> wrote:
> 
>> security_group.py -> addfwframework will set bridge-nf-call-iptables to 1.
>> It should be called when the agent starts.
>> 
>> Sent from my iPhone
>> 
>> On Sep 13, 2012, at 11:10 PM, "Marcus Sorensen" <shadowsor@gmail.com>
>> wrote:
>> 
>>> Now that I'm not running security groups (VPC), I was running into
>>> issues with iptables filtering bridged traffic. I know the easy fixes
>>> (iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT  or
>>> echo 1 >  /proc/sys/net/bridge/bridge-nf-call-iptables), but in
>>> looking through the documentation and the code, it doesn't seem like
>>> there are any provisions to help. Is there something in the advanced
>>> network code that should be doing this if security groups are
>>> disabled, or should it be in the install guide?
>> 
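As an added example (not code from the thread or from CloudStack), a small POSIX sh helper that classifies a KVM host's bridged-traffic state from the three facts the thread discusses: the bridge-nf-call-iptables sysctl, the FORWARD chain default policy, and whether the `--physdev-is-bridged` ACCEPT rule Marcus mentions is present. The function names and the constructed `iptables -S FORWARD` samples are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether bridged VM traffic on a
# KVM host will be filtered by the FORWARD chain, using the three facts discussed
# above. Function names and the sample rulesets are constructed for illustration.

NF_CALL_PATH=/proc/sys/net/bridge/bridge-nf-call-iptables

# Live sysctl value, or "absent" when the bridge module is not loaded.
read_nf_call() {
    if [ -r "$NF_CALL_PATH" ]; then cat "$NF_CALL_PATH"; else echo absent; fi
}

# Default policy of FORWARD, parsed from `iptables -S FORWARD` output on stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Exit 0 when the ruleset on stdin already accepts bridged frames explicitly
# (the "iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" fix).
has_physdev_accept() {
    awk '/--physdev-is-bridged/ && /-j ACCEPT/ { found = 1 } END { exit !found }'
}

# diagnose NF_CALL POLICY ACCEPT_RULE(yes|no): prints one line starting with ok: or broken:
diagnose() {
    nf_call=$1; policy=$2; accept_rule=$3
    if [ "$nf_call" != 1 ]; then
        echo "ok: bridge-nf-call-iptables=$nf_call, bridged frames skip iptables"
    elif [ "$accept_rule" = yes ]; then
        echo "ok: FORWARD accepts bridged frames via --physdev-is-bridged"
    elif [ "$policy" = ACCEPT ]; then
        echo "ok: FORWARD policy ACCEPT, bridged frames pass unless a rule drops them"
    else
        echo "broken: bridge-nf-call-iptables=1, FORWARD policy $policy, no bridge ACCEPT rule"
    fi
}

# check_ruleset NF_CALL: run the checks on a ruleset read from stdin.
check_ruleset() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | forward_policy)
    if printf '%s\n' "$rules" | has_physdev_accept; then accept=yes; else accept=no; fi
    diagnose "$1" "$policy" "$accept"
}

# Constructed samples: the empty FORWARD chain with a DROP policy Marcus describes,
# and the same chain after inserting the physdev ACCEPT rule.
SAMPLE_EMPTY='-P FORWARD DROP'
SAMPLE_FIXED='-P FORWARD DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'

if [ "${1:-}" = --live ] && command -v iptables >/dev/null 2>&1; then
    iptables -S FORWARD | check_ruleset "$(read_nf_call)"   # live host check
fi
```

Run with `--live` as root on the host to check the real sysctl and ruleset; without it the functions can be fed saved `iptables -S FORWARD` output, as in the two samples.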
