[node-patches] Change in ovirt-node[master]: move iptables rules to firewalld service rhbz#894061

jboggs at redhat.com jboggs at redhat.com
Tue Feb 5 18:49:15 UTC 2013


Joey Boggs has uploaded a new change for review.

Change subject: move iptables rules to firewalld service rhbz#894061
......................................................................

move iptables rules to firewalld service rhbz#894061

Change-Id: Id23b9e83e3822066345594a03d693a59a27e7af5
Signed-off-by: Joey Boggs <jboggs at redhat.com>
---
M recipe/ovirt17-post.ks
1 file changed, 21 insertions(+), 49 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/60/11760/1

diff --git a/recipe/ovirt17-post.ks b/recipe/ovirt17-post.ks
index d0a2364..1719c46 100644
--- a/recipe/ovirt17-post.ks
+++ b/recipe/ovirt17-post.ks
@@ -30,56 +30,28 @@
 
 echo "Configuring IPTables"
 # here, we need to punch the appropriate holes in the firewall
-cat > /etc/sysconfig/iptables << \EOF
-# oVirt automatically generated firewall configuration
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-#vdsm
--A INPUT -p tcp --dport 54321 -j ACCEPT
-# libvirt tls
--A INPUT -p tcp --dport 16514 -j ACCEPT
-# SSH
--A INPUT -p tcp --dport 22 -j ACCEPT
-# guest consoles
--A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-# migration
--A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-# snmp
--A INPUT -p udp --dport 161 -j ACCEPT
-#
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-COMMIT
+cat > /usr/lib/firewalld/services/ovirt.xml << \EOF
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>ovirt-node</short>
+  <description>This option allo.</description>
+  <!-- vdsm -->
+  <port protocol="tcp" port="54321"/>
+  <!-- libvirt tls -->
+  <port protocol="tcp" port="16514"/>
+  <!-- guest consoles -->
+  <port protocol="tcp" port="5634-6166"/>
+  <!-- migration -->
+  <port protocol="tcp" port="49152-49216"/>
+  <!-- snmp -->
+  <port protocol="udp" port="161"/>
+</service>
 EOF
-# configure IPv6 firewall, default is all ACCEPT
-cat > /etc/sysconfig/ip6tables << \EOF
-# oVirt automatically generated firewall configuration
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-# SSH
--A INPUT -p tcp --dport 22 -j ACCEPT
-# guest consoles
--A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-# migration
--A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-# snmp
--A INPUT -p udp --dport 161 -j ACCEPT
-# unblock ipv6 dhcp response
--A INPUT -p udp --dport 546 -j ACCEPT
--A INPUT -j REJECT --reject-with icmp6-adm-prohibited
--A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
-COMMIT
-EOF
+
+# enable required services
+firewall-offline-cmd -s ssh
+firewall-offline-cmd -s ovirt
+firewall-offline-cmd -s dhcpv6-client
 
 python -m compileall /usr/share/virt-manager
 
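Review bot: The `<description>` element written on the new side (`This option allo.`) is truncated placeholder text and will be shown by firewalld as the service's description; replace it with something like `<description>Ports required by oVirt Node: vdsm, libvirt TLS, guest consoles, VM migration and SNMP.</description>`. The removed iptables/ip6tables configuration also carried a `FORWARD` rule rejecting traffic that is not bridged (`-m physdev ! --physdev-is-bridged -j REJECT`), and nothing in the new service definition or the three `firewall-offline-cmd -s` calls appears to reproduce that restriction — worth confirming the zone's forwarding behaviour matches the old policy, or noting in the commit message that the rule is intentionally dropped. The context line `echo "Configuring IPTables"` kept above the hunk is now misleading and could read `echo "Configuring firewalld"`. The ICMP, loopback and DHCPv6 (`dhcpv6-client`) allowances from the old rule set look covered by firewalld's defaults plus the added service, but the SNMP/udp 161 opening remains in the new service, so the exposed surface is otherwise unchanged.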


--
To view, visit http://gerrit.ovirt.org/11760

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id23b9e83e3822066345594a03d693a59a27e7af5
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Joey Boggs <jboggs at redhat.com>


