Yes, it seems RHEL/CentOS sets up the FORWARD chain to reject by default. They also include net.bridge.bridge-nf-call-iptables = 0 in the sysctl.conf by default.
If I'm reading this right, security_group.py only adds those rules on the default_network_* calls. It looks like the default rules are only called when starting a vm if there's an isolation method that's of the ec2 scheme. Does this mean the isolation URI in the database will say 'ec2'? If so I don't see how this is being triggered. It's also called in 'handleVmMigrated', but that seems to check the VM to see if security groups are enabled. On Fri, Sep 14, 2012 at 2:00 AM, Edison Su <[email protected]> wrote: > On your system, is the default policy to reject everything? If that's the > case, then we should not set nf-bridge to 1. Btw, I think current KVM code > always trying to setup iptables rules for vms in basic zone, even security > group is disabled on the mgt server. We'd better fix it. > > Sent from my iPhone > > On Sep 13, 2012, at 11:36 PM, "Marcus Sorensen" <[email protected]> wrote: > >> Yes, it should be set to 0 if not using security groups, right? Unless I >> didn't understand something and security_group.py is called to fix things >> up even when you are not using security groups, but I didn't see that >> behavior. I just got an empty FORWARD table that rejected all bridge >> traffic due to that setting being 1. >> On Sep 14, 2012 12:25 AM, "Edison Su" <[email protected]> wrote: >> >>> Security_group.py -> addfwframework will set bridge-nf-call-iptables to 1. >>> It should be called when agent starts. >>> >>> Sent from my iPhone >>> >>> On Sep 13, 2012, at 11:10 PM, "Marcus Sorensen" <[email protected]> >>> wrote: >>> >>>> Now that I'm not running security groups (VPC), I was running into >>>> issues with iptables filtering bridged traffic. I know the easy fixes >>>> (iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT or >>>> echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables), but in >>>> looking through the documentation and the code it doesn't seem like >>>> there's any provisions to help. Is there something in the advanced >>>> network code that should be doing this if security groups are >>>> disabled, or should it be in the install guide? >>>
