Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1416748 - punch iptables holes on OVN hosts during installation
Summary: punch iptables holes on OVN hosts during installation
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Network
Version: 4.1.0
Hardware: x86_64
OS: Linux
medium vote
Target Milestone: ovirt-4.1.1
Assignee: Marcin Mirecki
QA Contact: Meni Yakove
Depends On: 1390938
Blocks: 1366899
TreeView+ depends on / blocked
Reported: 2017-01-26 11:04 UTC by Mor
Modified: 2017-04-21 09:49 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
For OVN central to work properly with firewalld enabled, ports must be opened up in firewalld. The fix will add the firewalld service: ovirt-provider-ovn-central.xml to /etc/firewalld/services This service must be added manually to the active firewalld service: firewall-cmd --zone=<zone to add service to> --add-service=ovirt-provider-ovn-central --permanent firewall-cmd --reload Note that if OVN-central is installed on a different host than the provider, the firewall service must be copied to that host and firewalld-cmd be run there. This is an interim solution until OVN ships the firewall scripts itself.
Clone Of: 1390938
Last Closed: 2017-04-21 09:49:08 UTC
oVirt Team: Network
rule-engine: ovirt-4.1+

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
oVirt gerrit 71578 master MERGED engine: open iptables holes on OVN hosts 2017-02-10 14:48:11 UTC
oVirt gerrit 72157 ovirt-engine-4.1 MERGED engine: open iptables holes on OVN hosts 2017-02-14 08:55:26 UTC
oVirt gerrit 72690 ovirt-4.1 MERGED open firewalld holes for OVN databases. 2017-02-22 09:35:01 UTC

Comment 1 Mor 2017-02-19 12:55:29 UTC
iptables -S
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2223 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp -m udp --dport 6081 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p udp -m udp --dport 6081 -j ACCEPT

Rules applied after host installation, verified on version: Red Hat Virtualization Manager Version:

Note You need to log in before you can comment on or make changes to this bug.