Hello All,

Thanks for the replies.

As far as I can tell with limited experience, Firewalld is supported both on engine-setup and
when adding a Centos7 host.
I made a first attempt to translate the resulting Firewalld rules to a Shorewall setup; this failed.
I will look into this further.
Greetings, J.

2015-11-01 10:20 GMT+01:00 Yedidyah Bar David <didi@redhat.com>:
On Fri, Oct 30, 2015 at 7:03 PM, Jiri Belka <jbelka@redhat.com> wrote:
>> From: "Johan Vermeulen" <jameslast29@gmail.com>
>> To: "users" <users@ovirt.org>
>> Sent: Wednesday, October 28, 2015 4:13:49 PM
>> Subject: [ovirt-users] Ovirt and Shorewall
>
>> Hello All,
>
>> I'm still experimenting with Ovirt-setup.
>> Because Centos/Rhel7 now have Firewalld, and because I still have some Centos6
>> machines with Iptables, I was kinda hoping to use Shorewall on both.
>
>> Is there any support/documentation for this in the Ovirt-world?
>
> On RHEL 7, ovirt 3.6 puts vdsm ("hypervisor" host) firewall rules
> as an XML file into the firewalld directory.
>
> It is open-source, check engine-setup source and maybe you can propose
> diffs for another fw frontend support.

engine-setup supports firewalld, and the code is designed to be
extensible so that we can add support for other firewall managers,
even with an external plugin packaged separately. Never tried this
myself, though.

engine-setup affects only the firewall on the machine running the engine
itself.

Support for the engine, so that it properly populates the firewall on
the hosts, is a different matter. There is [1] to track this for
firewalld.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=995362

Best,
--
Didi