It should be noted that my tests use a single IP per VM.
I believe NUX mentioned using multiple IPs.
When SG in advanced zone is enabled, only one NIC can be assigned per VM.
/Ove
On 03/14/2014 02:41 PM, Ove Ewerlid wrote:
> On 03/14/2014 01:57 PM, Nux! wrote:
>> On 14.03.2014 12:06, Nux! wrote:
>>> It looks like the traffic doesn't go in the right chains, all traffic
>>> is accepted as FORWARD is set to ACCEPT.
>>> There are zero packets going through BF-breth0-109.
>>> Here's outputs from:
>>> iptables-save: http://paste.fedoraproject.org/85337/47982321/raw/
>>> ebtables-save: http://paste.fedoraproject.org/85338/79831713/raw/
>>> ipset -L: http://paste.fedoraproject.org/85339/79832613/raw/
>>> I will install 4.2.1 as that one was working and try to compare the
>>> outputs.
>> Ok, reinstalled with 4.2.1 and this one works as expected, all ingress
>> is blocked unless stated otherwise. Here's the same outputs as earlier:
>> iptables http://paste.fedoraproject.org/85350/1356139/raw/
>> ebtables http://paste.fedoraproject.org/85351/80136613/raw/
>> ipset -L http://paste.fedoraproject.org/85352/13948013/raw/
>> Kindly look into this, it breaks a major feature.
>> Lucian
> I can confirm this observation.
> The test was to install ACS42 and ACS43 in the same environment:
> - OEL65 (Oracle's variant of CentOS v65)
> - KVM hypervisor
> - Advanced with 3 shared networks (3 VLANs)
> - ACS421; official KVM system VM template
> - ACS43; latest 64 bit KVM system VM template
> - 24 hypervisors; 144 Gbyte RAM / 24 cores / 4 TB local disk
> SG works as expected in ACS42.
> In ACS43, the iptables forward chain on hypervisors is empty and in
> policy ACCEPT, hence all traffic goes through.
> The same set of automated install scripts were used in both cases so the
> installs are virtually identical.
> /Ove
> --
> Ove Ewerlid
> System Administrator / Architect / SDN- & Automation- & Linux-hacker
> Mobile: +46706662363 (dedicated work mobile)
> Country: Sweden, timezone: Middle European Time (MET or GMT+1)
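The symptom reported in this thread (an empty FORWARD chain with policy ACCEPT, and a BF-* bridge chain that sees zero packets) is something a host check can catch from a plain `iptables-save -c` dump before anyone relies on security groups. The script below is an added example written for this thread; it is not CloudStack's own code. It assumes the CloudStack convention that per-bridge chains are named with a `BF-` prefix and are jumped to from FORWARD; the two dumps embedded in it are constructed to resemble the broken 4.3 host and the working 4.2.1 host described above, not the pasted outputs.

```python
"""Detect the security-group failure mode from the thread: FORWARD empty with
policy ACCEPT, or BF-* bridge chains that FORWARD never jumps to (or whose
jump rule has counted zero packets).  Example code, not CloudStack's own;
both sample dumps below are constructed."""
import re
from dataclasses import dataclass, field

# Rule line as written by `iptables-save -c`: optional "[pkts:bytes]" prefix,
# then "-A <chain> <match/target text>".
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")


@dataclass
class Chain:
    policy: str                                  # ACCEPT/DROP/..., or "-" for user chains
    rules: list = field(default_factory=list)    # (packets, rule_text) in chain order


def parse_iptables_save(dump: str) -> dict:
    """Parse iptables-save [-c] text into {table: {chain_name: Chain}}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # "*filter" starts a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # ":FORWARD ACCEPT [0:0]" declares a chain
            name, policy = line[1:].split()[:2]
            tables[table][name] = Chain(policy)
        else:
            m = RULE_RE.match(line)
            if m:
                pkts = int(m.group(1) or 0)      # 0 when saved without -c
                tables[table].setdefault(m.group(3), Chain("-")).rules.append((pkts, m.group(4)))
    return tables


def check_security_groups(tables: dict, bridge_chain_prefix: str = "BF-") -> list:
    """Return findings (empty list means enforcement looks wired up)."""
    findings = []
    filt = tables.get("filter", {})
    fwd = filt.get("FORWARD")
    if fwd is None:
        return ["filter table has no FORWARD chain"]
    if not fwd.rules and fwd.policy == "ACCEPT":
        findings.append("FORWARD is empty with policy ACCEPT: every bridged packet is forwarded unfiltered")
    # Packets counted on each FORWARD rule that jumps to a bridge chain.
    jumps = {}
    for pkts, text in fwd.rules:
        m = re.search(r"-j\s+(\S+)", text)
        if m:
            jumps[m.group(1)] = jumps.get(m.group(1), 0) + pkts
    for name in list(filt):
        if not name.startswith(bridge_chain_prefix):
            continue
        if name not in jumps:
            findings.append(f"{name} exists but nothing in FORWARD jumps to it")
        elif jumps[name] == 0:
            findings.append(f"{name} is referenced from FORWARD but its jump has matched zero packets")
    return findings


# Constructed sample resembling the 4.3 host in the thread: FORWARD empty, ACCEPT.
BROKEN_DUMP = """\
# constructed sample (iptables-save -c)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BF-breth0-109 - [0:0]
[0:0] -A BF-breth0-109 -j DROP
COMMIT
"""

# Constructed sample resembling the working 4.2.1 host: FORWARD hands bridge
# traffic to the BF chain, which ends in DROP so ingress is blocked by default.
GOOD_DUMP = """\
# constructed sample (iptables-save -c)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BF-breth0-109 - [0:0]
[4312:1021440] -A FORWARD -o breth0 -j BF-breth0-109
[2200:310000] -A BF-breth0-109 -p tcp -m tcp --dport 22 -j ACCEPT
[2112:711440] -A BF-breth0-109 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for label, dump in (("broken", BROKEN_DUMP), ("good", GOOD_DUMP)):
        print(label, check_security_groups(parse_iptables_save(dump)) or ["ok"])
```

On a real host, feed it `iptables-save -c` output instead of the embedded samples; a non-empty finding list on a hypervisor that is supposed to enforce security groups is the condition Nux and Ove observed on 4.3.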