Did you test on fresh 4.2.1, or upgraded platform?

2014-03-14 14:51 GMT+01:00 Ove Ewerlid <ove.ewer...@oracle.com>:

> It should be noted that my tests use a single IP per VM.
> I believe NUX mentioned using multiple IP's.
> When SG in advanced zone is enabled, only one NIC can be assigned per VM.
> /Ove
>
>
> On 03/14/2014 02:41 PM, Ove Ewerlid wrote:
>
>> On 03/14/2014 01:57 PM, Nux! wrote:
>>
>>> On 14.03.2014 12:06, Nux! wrote:
>>>
>>>> It looks like the traffic doesn't go in the right chains, all traffic
>>>> is accepted as FORWARD is set to ACCEPT.
>>>> There are zero packets going through BF-breth0-109.
>>>>
>>>> Here's outputs from:
>>>> iptables-save: http://paste.fedoraproject.org/85337/47982321/raw/
>>>> ebtables-save: http://paste.fedoraproject.org/85338/79831713/raw/
>>>> ipset -L: http://paste.fedoraproject.org/85339/79832613/raw/
>>>>
>>>> I will install 4.2.1 as that one was working and try to compare the
>>>> outputs.
>>>>
>>>
>>> Ok, reinstalled with 4.2.1 and this one works as expected, all ingress
>>> is blocked unless stated otherwise. Here's the same outputs as earlier:
>>> iptables http://paste.fedoraproject.org/85350/1356139/raw/
>>> ebtables http://paste.fedoraproject.org/85351/80136613/raw/
>>> ipset -L http://paste.fedoraproject.org/85352/13948013/raw/
>>>
>>> Kindly look into this, it breaks a major feature.
>>>
>>> Lucian
>>>
>>>
>> I can confirm this observation.
>> The test was to install ACS42 and ACS43 in the same environment;
>>
>> - OEL65 (Oracle's variant of CentOS v65)
>> - KVM hypervisor
>> - Advanced with 3 shared networks (3 VLAN's)
>> - ACS421; official KVM system VM template
>> - ACS43; latest 64 bit KVM system VM template
>> - 24 hypervisors; 144Gbyte RAM / 24 Cores / 4TB local disk
>>
>> SG works as expected in ACS42.
>> In ACS43, the iptables forward chain on hypervisors is empty and in
>> policy ACCEPT, hence all traffic goes through.
>>
>> The same set of automated install scripts were used in both cases so the
>> installs are virtually identical.
>>
>> /Ove
>>
>>
>>
>
> --
> Ove Everlid
> System Administrator / Architect / SDN- & Automation- & Linux-hacker
> Mobile: +46706662363 (dedicated work mobile)
> Country: Sweden, timezone; Middle European Time (MET or GMT+1)
>
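
The symptom reported in this thread (an empty FORWARD chain with policy ACCEPT, and a BF-* chain that no traffic reaches) can be checked mechanically on a hypervisor's `iptables-save` output; the following is an added example, not part of the original thread or of CloudStack's code. The two sample dumps are constructed for illustration (only the chain name BF-breth0-109 is taken from the thread), and the function name `audit_filter_table` and the finding codes are hypothetical.

```python
import re

# Constructed `iptables-save -c` samples, NOT the pastes linked in the thread.
# Only the chain name BF-breth0-109 comes from the thread; rules are illustrative.
WORKING = """*filter
:INPUT ACCEPT [10:800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:700]
:BF-breth0-109 - [0:0]
[120:9600] -A FORWARD -o breth0-109 -m physdev --physdev-is-bridged -j BF-breth0-109
[80:6400] -A BF-breth0-109 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
BROKEN = """*filter
:INPUT ACCEPT [10:800]
:FORWARD ACCEPT [5000:400000]
:OUTPUT ACCEPT [9:700]
:BF-breth0-109 - [0:0]
[0:0] -A BF-breth0-109 -j DROP
COMMIT
"""

CHAIN = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")       # ":NAME POLICY [pkts:bytes]"
RULE = re.compile(r"^(?:\[\d+:\d+\] )?-A (\S+) (.*)$")  # optional -c counters
def audit_filter_table(save_text):
    """Return (code, chain) findings for the filter table of iptables-save output."""
    policy, rules, table = {}, {}, None
    for line in map(str.strip, save_text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and (m := CHAIN.match(line)):
            policy[m[1]] = m[2]            # user-defined chains have policy "-"
            rules.setdefault(m[1], [])
        elif table == "filter" and (m := RULE.match(line)):
            rules.setdefault(m[1], []).append(m[2])
    # Follow -j/-g targets from the built-in chains to find every reachable chain.
    todo = [c for c, p in policy.items() if p != "-"]
    reached = set(todo)
    while todo:
        for spec in rules.get(todo.pop(), []):
            for target in re.findall(r"(?:^| )(?:-j|-g) (\S+)", spec):
                if target in policy and target not in reached:
                    reached.add(target)
                    todo.append(target)
    findings = []
    if policy.get("FORWARD") == "ACCEPT" and not rules.get("FORWARD"):
        findings.append(("forward-empty-accept", "FORWARD"))  # bridged traffic unfiltered
    findings += [("unreferenced-chain", c) for c in policy if c not in reached]
    return findings
```

Running the same check against dumps from a working and a suspect hypervisor gives a quick comparison that does not depend on reading the full rule sets by eye.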