[node-patches] Change in ovirt-node[master]: comment out firewalld sections until engine can support it
jboggs at redhat.com
jboggs at redhat.com
Thu Aug 8 21:02:27 UTC 2013
Joey Boggs has uploaded a new change for review.
Change subject: comment out firewalld sections until engine can support it
......................................................................
Comment out the firewalld sections until ovirt-engine supports firewalld.
Change-Id: I3ae2f336eddfd6daee0e22039fb761029126f940
Signed-off-by: Joey Boggs <jboggs at redhat.com>
---
M recipe/ovirt18-minimizer.ks
M recipe/ovirt19-post.ks
2 files changed, 71 insertions(+), 18 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/52/17852/1
diff --git a/recipe/ovirt18-minimizer.ks b/recipe/ovirt18-minimizer.ks
index 8b112da..8866255 100644
--- a/recipe/ovirt18-minimizer.ks
+++ b/recipe/ovirt18-minimizer.ks
@@ -34,3 +34,4 @@
droprpm xorg-x11-font-utils
droprpm man-db
droprpm zerofree
+droprpm firewalld
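Review bot: Dropping firewalld from the image leaves the host depending on the iptables and ip6tables init scripts to load the /etc/sysconfig rule files that the post recipe in this change now writes, and nothing in this recipe shows the package providing those scripts being kept. If the minimizer strips that package as well, the host would boot with no firewall at all, so a note next to this line would help the next maintainer, e.g. `# firewall is now /etc/sysconfig/iptables + ip6tables; keep the package that ships the iptables init scripts`. Which package that is on this base image cannot be confirmed from the recipe, so this is worth verifying in the build.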
diff --git a/recipe/ovirt19-post.ks b/recipe/ovirt19-post.ks
index f60d419..ab2ae18 100644
--- a/recipe/ovirt19-post.ks
+++ b/recipe/ovirt19-post.ks
@@ -30,27 +30,79 @@
echo "Configuring IPTables"
# here, we need to punch the appropriate holes in the firewall
-cat > /usr/lib/firewalld/services/ovirt.xml << \EOF
-<?xml version="1.0" encoding="utf-8"?>
-<service>
- <short>ovirt-node</short>
- <description>This service opens necessary ports for ovirt-node operations</description>
- <!-- libvirt tls -->
- <port protocol="tcp" port="16514"/>
- <!-- guest consoles -->
- <port protocol="tcp" port="5634-6166"/>
- <!-- migration -->
- <port protocol="tcp" port="49152-49216"/>
- <!-- snmp -->
- <port protocol="udp" port="161"/>
-</service>
-EOF
+# disabled until ovirt-engine supports firewalld
+
+#cat > /usr/lib/firewalld/services/ovirt.xml << \EOF
+#<?xml version="1.0" encoding="utf-8"?>
+#<service>
+# <short>ovirt-node</short>
+# <description>This service opens necessary ports for ovirt-node operations</description>
+# <!-- libvirt tls -->
+# <port protocol="tcp" port="16514"/>
+# <!-- guest consoles -->
+# <port protocol="tcp" port="5634-6166"/>
+# <!-- migration -->
+# <port protocol="tcp" port="49152-49216"/>
+# <!-- snmp -->
+# <port protocol="udp" port="161"/>
+#</service>
+#EOF
# enable required services
-firewall-offline-cmd -s ssh
-firewall-offline-cmd -s ovirt
-firewall-offline-cmd -s dhcpv6-client
+#firewall-offline-cmd -s ssh
+#firewall-offline-cmd -s ovirt
+#firewall-offline-cmd -s dhcpv6-client
+cat > /etc/sysconfig/iptables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+#vdsm
+-A INPUT -p tcp --dport 54321 -j ACCEPT
+# libvirt tls
+-A INPUT -p tcp --dport 16514 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+#
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+# unblock ipv6 dhcp response
+-A INPUT -p udp --dport 546 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
# Workaround for packages needing /etc/ovirt-node-image-release
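Review bot: The ip6tables rule set does not open the vdsm port or libvirt TLS that the iptables set opens (`--dport 54321` and `--dport 16514` appear only in the IPv4 file), so on a dual-stack host the engine and libvirt would be rejected over IPv6 while consoles, migration and SNMP are allowed; if IPv4-only management is intended, say so in a comment, otherwise add `-A INPUT -p tcp --dport 54321 -j ACCEPT` and `-A INPUT -p tcp --dport 16514 -j ACCEPT` to the ip6tables block. The comment `# configure IPv6 firewall, default is all ACCEPT` is misleading, since both files end with a REJECT rule that provides the default deny while only the chain policies are ACCEPT; suggest `# configure IPv6 firewall; chain policies stay ACCEPT, the trailing REJECT rule is the default deny`. These files are only applied if the iptables and ip6tables services load them at boot, and nothing in this hunk enables them while the firewalld calls are being commented out, so confirm they are enabled elsewhere in the post script.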
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3ae2f336eddfd6daee0e22039fb761029126f940
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Joey Boggs <jboggs at redhat.com>