
Alon Bar-Lev wrote on Thu 30. 08. 2012 at 14:40 -0400:
----- Original Message -----
From: "Andrew Cathrow" <acathrow@redhat.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Shireesh Anjal" <sanjal@redhat.com>, engine-devel@ovirt.org, "Selvasundaram" <sesubram@redhat.com>
Sent: Thursday, August 30, 2012 9:37:59 PM
Subject: Re: [Engine-devel] Gluster IPTable configuration

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Selvasundaram" <sesubram@redhat.com>
Cc: "Shireesh Anjal" <sanjal@redhat.com>, engine-devel@ovirt.org
Sent: Thursday, August 30, 2012 2:35:16 PM
Subject: Re: [Engine-devel] Gluster IPTable configuration

----- Original Message -----
From: "Selvasundaram" <sesubram@redhat.com>
To: engine-devel@ovirt.org
Cc: "Shireesh Anjal" <sanjal@redhat.com>
Sent: Thursday, August 30, 2012 4:30:16 PM
Subject: [Engine-devel] Gluster IPTable configuration
Hi,
I want to add gluster specific IPTable configuration in addition to the ovirt IPTable configuration (if it is a gluster node).

There are two approaches:
1. Having one more gluster specific IP table config in db and merging it with the ovirt IPTable config (merging NOT appending) [I have the patch engine: Gluster specific firewall configurations #7244]
2. Having two different IP Table configs (ovirt and ovirt+gluster) and using either one.
Please provide your suggestions or improvements on this.
Hello all,
The mentioned patch[1] adds hard coded gluster code into the bootstrap code, manipulating the firewall configuration to be gluster specific. It hardcodes a search for "reject" and inserts before some other rules.
I believe this hardcode approach is obsolete now that we have proper tools for templates.
A more robust solution would be defining generic profiles, each profile as a template, each template can refer to different profiles, and assign profile to a node.
This way the implementation is not gluster [or any] specific and can be reused for more setups, and the code is cleaner.
or create custom chains?
Can you please elaborate on what custom chains are? Thanks!
iptables -N my_new_chain
iptables -A my_new_chain <rule_1>
iptables -A my_new_chain ...
iptables -A my_new_chain <rule_n>
# if this <rule> is matched, packet goes through rules in my_new_chain
iptables -A INPUT <rule> -j my_new_chain

David
Example:

BASIC.PRE
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

BASIC.IN
accept ...
accept ...

BASIC.POST
reject ...
reject ...

BASIC
${BASIC.PRE}
${BASIC.IN}
${BASIC.POST}

GLUSTER
${BASIC.PRE}
${BASIC.IN}
accept ...
${BASIC.POST}
reject ...
Regards, Alon Bar-Lev
[1] http://gerrit.ovirt.org/#/c/7244/

_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
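The two ideas raised in the thread, a profile built from reusable template fragments (Alon's BASIC.PRE / BASIC.IN / BASIC.POST sketch) and a user-defined chain holding the gluster rules (David's custom chain), combined in one worked example. This is added illustration code, not the patch under review and not oVirt engine code. The fragment names GLUSTER.CHAIN and GLUSTER.RULES, the reading of ${NAME} as plain textual substitution, the rules and port numbers, and iptables-restore as the output format are all assumptions made for the example. It also includes a sanity check a generator should run before loading rules, which catches the exact failure the "merge, not append" remark is about: a rule placed after the terminal REJECT is dead.

```python
"""Profile/template expansion for an iptables ruleset, with the
gluster-specific rules kept in a user-defined chain.

Added example: not the patch under review and not oVirt engine code.
Assumed (not from the thread): the fragment names GLUSTER.CHAIN and
GLUSTER.RULES, ${NAME} meaning textual substitution, the illustrative
rules and ports, and iptables-restore as the output format.
"""
import re
from typing import Dict, List, Tuple

# Constructed fragments following the BASIC.PRE / BASIC.IN / BASIC.POST split.
FRAGMENTS: Dict[str, str] = {
    "BASIC.PRE": "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]",
    "BASIC.IN": (
        "-A INPUT -i lo -j ACCEPT\n"
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
        "-A INPUT -p tcp --dport 22 -j ACCEPT"
    ),
    "BASIC.POST": (
        "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
        "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n"
        "COMMIT"
    ),
    # User-defined chain for gluster: it must be declared before any rule
    # refers to it, and INPUT gets a single jump into it.  Ports are illustrative.
    "GLUSTER.CHAIN": ":gluster - [0:0]",
    "GLUSTER.RULES": (
        "-A INPUT -j gluster\n"
        "-A gluster -p tcp --dport 24007 -j ACCEPT\n"
        "-A gluster -p tcp --dport 24009:24024 -j ACCEPT"
    ),
}

# Profiles are templates too; a template may refer to fragments or to profiles.
PROFILES: Dict[str, str] = {
    "BASIC": "${BASIC.PRE}\n${BASIC.IN}\n${BASIC.POST}",
    # Merge: the gluster parts are placed ahead of BASIC.POST, so the accepts
    # precede the terminal REJECT.
    "GLUSTER": "${BASIC.PRE}\n${GLUSTER.CHAIN}\n${BASIC.IN}\n${GLUSTER.RULES}\n${BASIC.POST}",
    # Append: what naive concatenation produces; kept only to exercise the check.
    "GLUSTER.APPENDED": "${BASIC}\n${GLUSTER.CHAIN}\n${GLUSTER.RULES}",
}

REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def expand(name: str, templates: Dict[str, str], stack: Tuple[str, ...] = ()) -> str:
    """Recursively substitute ${NAME} references.  A reference chain that
    loops back on itself is rejected instead of recursing forever."""
    if name in stack:
        raise ValueError("cyclic template reference: " + " -> ".join(stack + (name,)))
    if name not in templates:
        raise KeyError(f"unknown template {name!r}")
    return REF.sub(lambda m: expand(m.group(1), templates, stack + (name,)),
                   templates[name])


def render(profile: str) -> str:
    """Render a profile to iptables-restore input text."""
    return expand(profile, {**FRAGMENTS, **PROFILES}) + "\n"


BUILTIN_TARGETS = {"INPUT", "FORWARD", "OUTPUT", "ACCEPT", "DROP", "REJECT", "RETURN"}


def check_ruleset(text: str) -> List[str]:
    """Checks a generator should run before calling iptables-restore.
    Returns the problems found; an empty list means the ruleset is sane."""
    problems: List[str] = []
    declared = set()
    closed = set()      # chains whose unconditional REJECT/DROP was already appended
    committed = False
    for line in text.splitlines():
        if line == "COMMIT":
            committed = True
        elif line.startswith(":"):
            if committed:
                problems.append(f"chain declared after COMMIT: {line}")
            declared.add(line[1:].split()[0])
        elif line.startswith("-A "):
            parts = line.split()
            chain = parts[1]
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            if committed:
                problems.append(f"rule after COMMIT is never loaded: {line}")
            if chain in closed:
                problems.append(f"dead rule after terminal REJECT/DROP in {chain}: {line}")
            if target and target not in BUILTIN_TARGETS and target not in declared:
                problems.append(f"jump to undeclared chain {target!r}: {line}")
            if parts[2] == "-j" and target in {"REJECT", "DROP"}:
                closed.add(chain)
    return problems


if __name__ == "__main__":
    for name in ("BASIC", "GLUSTER", "GLUSTER.APPENDED"):
        rules = render(name)
        print(f"== {name} ==\n{rules}problems: {check_ruleset(rules) or 'none'}\n")
```

Rendering GLUSTER yields a ruleset where the chain declaration precedes every rule and the jump into the gluster chain sits before the INPUT REJECT, so the profile works without searching the base config for "reject". GLUSTER.APPENDED shows the other path: the same rules simply concatenated after BASIC land after COMMIT and after the terminal REJECT, and check_ruleset reports both problems.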