On Mon, Feb 26, 2018 at 2:49 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
On 26/02/2018 at 14:03, Yedidyah Bar David wrote:
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Hello,

On oVirt 4.2.1.7, I'm trying to set up custom iptables rules as I have been
doing for years with engine-config --set IPTablesConfigSiteCustom="blah blah
blah".

On my hosts, I can see that /etc/sysconfig/iptables does contain
the correct custom rules I added, but when manually checking with iptables
-L, I don't see my rules active.

On my hosts, I see that the iptables service is stopped and disabled, and
that the firewalld service is up and running.

That explains why iptables customization has no effect.

Indeed.

IIRC the type of firewall is now set per cluster or something like that, not
sure about the details - adding Ondra.

Per cluster, one can indeed choose the firewall type.
I suppose it translates on the hosts into the activation of the adequate service.
But how do we add custom rules in case of firewalld type?

On the hosts, I imagine that could translate into changes in:
/etc/firewalld/zones/public.xml

Please take a look at the RFE below, which introduces firewalld support for hosts, and at the blog post about the new possibilities to customize the host-deploy process (which can also be used for custom firewalld rules) in oVirt 4.2:

https://bugzilla.redhat.com/show_bug.cgi?id=995362
https://www.ovirt.org/blog/2017/12/host-deploy-customization/
 


--
Nicolas ECARNOT

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.