[Engine-devel] Gluster IPTable configuration

David Jaša djasa at redhat.com
Fri Aug 31 08:57:11 UTC 2012


Alon Bar-Lev writes on Thu 30. 08. 2012 at 14:40 -0400:
> 
> ----- Original Message -----
> > From: "Andrew Cathrow" <acathrow at redhat.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: "Shireesh Anjal" <sanjal at redhat.com>, engine-devel at ovirt.org, "Selvasundaram" <sesubram at redhat.com>
> > Sent: Thursday, August 30, 2012 9:37:59 PM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > > To: "Selvasundaram" <sesubram at redhat.com>
> > > Cc: "Shireesh Anjal" <sanjal at redhat.com>, engine-devel at ovirt.org
> > > Sent: Thursday, August 30, 2012 2:35:16 PM
> > > Subject: Re: [Engine-devel] Gluster IPTable configuration
> > > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Selvasundaram" <sesubram at redhat.com>
> > > > To: engine-devel at ovirt.org
> > > > Cc: "Shireesh Anjal" <sanjal at redhat.com>
> > > > Sent: Thursday, August 30, 2012 4:30:16 PM
> > > > Subject: [Engine-devel] Gluster IPTable configuration
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > I want to add gluster specific IPTable configuration in addition
> > > > to
> > > > the ovirt IPTable configuration (if it is gluster node).
> > > > 
> > > > There are two approaches,
> > > > 1. Having one more gluster-specific IP table config in the db and
> > > > merging it with the ovirt IPTable config (merging, NOT appending)
> > > > [I have the patch engine: Gluster specific firewall
> > > > configurations
> > > > #7244]
> > > > 2. Having two different IP Table config (ovirt and ovirt+gluster)
> > > > and
> > > > use either one.
> > > > 
> > > > Please provide your suggestions or improvements on this.
> > > > 
> > > 
> > > Hello all,
> > > 
> > > The mentioned patch[1] adds hard-coded gluster code into the
> > > bootstrap code and manipulates the firewall configuration to be
> > > gluster specific. It hard-codes a search for "reject" and inserts
> > > before some other rules.
> > > 
> > > I believe this hard-coded approach is obsolete now that we have
> > > proper tools for templates.
> > > 
> > > A more robust solution would be defining generic profiles, each
> > > profile as a template, each template can refer to different
> > > profiles, and assign profile to a node.
> > > 
> > > This way the implementation is not gluster [or any] specific and
> > > can be reused for more setups, and the code is cleaner.
> > 
> > 
> > or create custom chains ?
> 
> Can you please elaborate what is custom chains? 
> Thanks!

# create an empty user-defined chain
iptables -N my_new_chain
iptables -A my_new_chain <rule_1>
iptables -A my_new_chain ...
iptables -A my_new_chain <rule_n>

# if this <rule> is matched, the packet goes through the rules in my_new_chain;
# if none of them match, it returns and continues with the next INPUT rule
iptables -A INPUT <rule> -j my_new_chain

David

> 
> > > 
> > > Example:
> > > 
> > > BASIC.PRE
> > >     :INPUT ACCEPT [0:0]
> > >     :FORWARD ACCEPT [0:0]
> > >     :OUTPUT ACCEPT [0:0]
> > > BASIC.IN
> > >     accept ...
> > >     accept ...
> > > BASIC.POST
> > >     reject ...
> > >     reject ...
> > > 
> > > BASIC
> > >     ${BASIC.PRE}
> > >     ${BASIC.IN}
> > >     ${BASIC.POST}
> > > 
> > > GLUSTER
> > >     ${BASIC.PRE}
> > >     ${BASIC.IN}
> > >     accept ...
> > >     ${BASIC.POST}
> > >     reject ...
> > > 
> > > Regards,
> > > Alon Bar-Lev
> > > 
> > > [1] http://gerrit.ovirt.org/#/c/7244/
> > > _______________________________________________
> > > Engine-devel mailing list
> > > Engine-devel at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > 

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
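The two ideas in this thread fit together: Alon's template fragments decide what goes where, and David's custom chain keeps the gluster rules out of the base profile. The script below is an added example, not oVirt engine code and not the patch under discussion. It renders a profile into iptables-restore input by composing BASIC.PRE / BASIC.IN / BASIC.POST fragments, puts the gluster rules in a GLUSTER chain that INPUT jumps to before the catch-all REJECT, and checks that ordering on the rendered text instead of searching a live ruleset for "reject". The function names, the profile names and the TCP port numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not oVirt engine code: render a firewall profile by
# composing template fragments (BASIC.PRE / BASIC.IN / BASIC.POST from
# Alon's sketch) into iptables-restore input, with the gluster rules kept
# in their own user-defined chain (David's custom-chain suggestion).
# The TCP port numbers below are assumptions for illustration only.

basic_pre() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
}

basic_in() {
  cat <<'EOF'
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

basic_post() {
  cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Chain declarations must precede rules in iptables-restore input, so the
# gluster fragment is split: the ":GLUSTER" declaration goes with BASIC.PRE,
# the rules go between BASIC.IN and BASIC.POST.
gluster_decl() {
  printf '%s\n' ':GLUSTER - [0:0]'
}

# Assumed ports, not taken from the thread. The explicit RETURN makes the
# fall-through to BASIC.POST's REJECT visible in the rendered ruleset.
gluster_rules() {
  cat <<'EOF'
-A GLUSTER -p tcp --dport 24007:24008 -j ACCEPT
-A GLUSTER -p tcp --dport 49152:49251 -j ACCEPT
-A GLUSTER -j RETURN
-A INPUT -j GLUSTER
EOF
}

# render_profile NAME: print the complete ruleset for a profile, or fail
# (non-zero exit, nothing on stdout) for a profile that does not exist.
render_profile() {
  case "$1" in
    basic)   basic_pre; basic_in; basic_post ;;
    gluster) basic_pre; gluster_decl; basic_in; gluster_rules; basic_post ;;
    *)       printf 'unknown profile: %s\n' "$1" >&2; return 1 ;;
  esac
}

# jump_before_reject NAME: the property the hard-coded "search for reject"
# approach was trying to guarantee, checked on the rendered text instead:
# the jump into the GLUSTER chain must come before INPUT's catch-all REJECT.
jump_before_reject() {
  out=$(render_profile "$1") || return 1
  jump=$(printf '%s\n' "$out" | grep -n -- '-A INPUT -j GLUSTER$' | cut -d: -f1)
  rej=$(printf '%s\n' "$out" | grep -n -- '-A INPUT -j REJECT' | cut -d: -f1)
  [ -n "$jump" ] && [ -n "$rej" ] && [ "$jump" -lt "$rej" ]
}

# Usage: sh profiles.sh gluster | iptables-restore   (the restore step needs root)
if [ $# -gt 0 ]; then
  render_profile "$1"
fi
```

Adding another node role means adding another fragment pair and one more case line; nothing in the base fragments has to know about gluster, which is the reuse Alon is after. Because the GLUSTER chain is its own object, it can also be flushed and refilled with `iptables -F GLUSTER` without touching the base rules.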