From f9ee9dcb378f460741989f60fadfb3ed53a320c6 Mon Sep 17 00:00:00 2001 From: Gurucharan Shetty Date: Fri, 12 Apr 2013 12:58:27 -0700 Subject: [PATCH] rhel: Remove the firewall hole that we create for GRE. Till now, by default, we add firewall holes for gre traffic. There may be users that do not use GRE tunnels and they may be surprised with this behavior. So, don't add the firewall rules by default and update the documentation to mention the same. This patch does not remove the default GRE firewall rule for xenserver because xenserver has a feature called "Cross-Host Internal Networks" (CHIN) that uses GRE. Signed-off-by: Gurucharan Shetty --- INSTALL.RHEL | 6 ++++++ NEWS | 5 ++++- rhel/etc_init.d_openvswitch | 2 -- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/INSTALL.RHEL b/INSTALL.RHEL index eaa2e7c73..a698faece 100644 --- a/INSTALL.RHEL +++ b/INSTALL.RHEL @@ -101,6 +101,12 @@ RHEL. On RHEL 5, the default RPM source directory is in this example: "kmod-openvswitch", "kmod-openvswitch-debug", and "kmod-openvswitch-kdump". +A RHEL host has default firewall rules that prevent any Open vSwitch tunnel +traffic from passing through. If a user configures Open vSwitch tunnels like +GRE, VXLAN, LISP etc., they will either have to manually add iptables firewall +rules to allow the tunnel traffic or add it through a startup script (Please +refer to the "enable-protocol" command in the ovs-ctl(8) manpage). + Red Hat Network Scripts Integration ----------------------------------- diff --git a/NEWS b/NEWS index 39e6e5d8c..f23b36651 100644 --- a/NEWS +++ b/NEWS 
@@ -13,7 +13,10 @@ post-v1.10.0 - ovs-dpctl: * New debugging commands "add-flow", "mod-flow", "del-flow". - New syslog format, prefixed with "ovs|", to be easier to filter. - + - RHEL: Removes the default firewall rule that allowed GRE traffic to + pass through. Any users that relied on this automatic firewall hole + will have to manually configure it. The ovs-ctl(8) manpage documents + the "enable-protocol" command that can be used as an alternative. v1.10.0 - xx xxx xxxx --------------------- diff --git a/rhel/etc_init.d_openvswitch b/rhel/etc_init.d_openvswitch index 55a13a7ed..7e6413256 100755 --- a/rhel/etc_init.d_openvswitch +++ b/rhel/etc_init.d_openvswitch @@ -48,8 +48,6 @@ start () { set "$@" $OVS_CTL_OPTS "$@" - ovs_ctl --protocol=gre enable-protocol - touch /var/lock/subsys/openvswitch } -- 2.43.0
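Review bot: In the INSTALL.RHEL hunk, the new paragraph tells the user to add iptables rules by hand or via a startup script but gives no concrete command, and it treats GRE, VXLAN and LISP alike even though the enable-protocol invocation differs per tunnel type (GRE is selected with `--protocol=gre`, as the removed init-script line shows). Suggest quoting the exact line this patch removes as the worked example, e.g. `ovs-ctl --protocol=gre enable-protocol`, so an administrator restoring the hole reproduces the previous behaviour and nothing broader. Minor style: "(Please refer to ..." should not be capitalised inside the parenthesis, and "etc.," reads better as "etc.".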
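Review bot: The NEWS hunk (-13,7 +13,10) removes the blank line that separated the post-v1.10.0 entries from the "v1.10.0 - xx xxx xxxx" heading and does not add one back, so the new "RHEL:" entry runs directly into the next version heading. Keep the separator: insert the four new lines before the blank rather than in place of it, so the section spacing matches the rest of the file.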
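Review bot: In the rhel/etc_init.d_openvswitch hunk, dropping `ovs_ctl --protocol=gre enable-protocol` from start() is the right default from a least-privilege standpoint (the daemon should not widen the host firewall unless the operator opts in), but it is a silent behaviour change for hosts that upgrade: the rule was re-added on every start, so after the first reboot on the new package GRE tunnels stop passing traffic with no message in the init script or the logs. Suggest either a one-time notice on start when the old rule is absent, or at least a pointer in the package changelog in addition to NEWS, so the loss of GRE connectivity is attributable to this change rather than debugged as a network fault.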