[ovs-dev] [PATCH 1/2] INSTALL.XenServer, INSTALL.RHEL: Add a note for tunnel firewall rules.

Lori Jakab lojakab at cisco.com
Mon Apr 15 18:13:07 UTC 2013


The wording looks good to me, thanks!

On 04/15/2013 08:18 PM, Gurucharan Shetty wrote:
> Signed-off-by: Gurucharan Shetty <gshetty at nicira.com>
> ---
>  INSTALL.RHEL      |    6 ++++++
>  INSTALL.XenServer |   13 ++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/INSTALL.RHEL b/INSTALL.RHEL
> index eaa2e7c..a698fae 100644
> --- a/INSTALL.RHEL
> +++ b/INSTALL.RHEL
> @@ -101,6 +101,12 @@ RHEL.  On RHEL 5, the default RPM source directory is
>      in this example: "kmod-openvswitch", "kmod-openvswitch-debug", and
>      "kmod-openvswitch-kdump".
>  
> +A RHEL host has default firewall rules that prevent any Open vSwitch tunnel
> +traffic from passing through. If a user configures Open vSwitch tunnels like
> +GRE, VXLAN, LISP etc., they will either have to manually add iptables firewall
> +rules to allow the tunnel traffic or add it through a startup script (Please
> +refer to the "enable-protocol" command in the ovs-ctl(8) manpage).
> +
>  Red Hat Network Scripts Integration
>  -----------------------------------
>  
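
Review bot: the added INSTALL.RHEL paragraph tells the reader to "manually add iptables firewall rules to allow the tunnel traffic" but gives no guidance on what the rule should match. Consider saying that the rule should cover only the tunnel protocol actually configured and, where possible, only the addresses of the remote tunnel endpoints, so that a reader does not open the host firewall wider than the tunnel needs. Minor wording: "rules" is followed by "add it", and "(Please refer ..." sits inside the sentence, so either lowercase "please" or make it a sentence of its own.
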
> diff --git a/INSTALL.XenServer b/INSTALL.XenServer
> index 7a4dd76..e31788a 100644
> --- a/INSTALL.XenServer
> +++ b/INSTALL.XenServer
> @@ -158,7 +158,10 @@ command.  The plugin script does roughly the following:
>          * If XAPI is configured for a manager, configures the OVS
>            manager to match with "ovs-vsctl set-manager".
>  
> -The Open vSwitch boot sequence only configures an OVS configuration
> +Notes
> +-----
> +
> +* The Open vSwitch boot sequence only configures an OVS configuration
>  database manager.  There is no way to directly configure an OpenFlow
>  controller on XenServer and, as a consequence of the step above that
>  deletes all of the bridges at boot time, controller configuration only
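
Review bot: the new "* The Open vSwitch boot sequence ..." bullet leaves its continuation lines ("database manager.  There is no way ..." onward) at column 0, while the bullet list just above in the same file ("* If XAPI is configured for a manager, ...") indents continuation lines under the text. Re-indenting the rest of the paragraph to match would make it clear where this bullet ends, especially now that a second bullet follows it under "Notes".
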
> @@ -166,6 +169,14 @@ persists until XenServer reboot.  The configuration database manager
>  can, however, configure controllers for bridges.  See the BUGS section
>  of ovs-controller(8) for more information on this topic.
>  
> +* The Open vSwitch startup script automatically adds a firewall rule
> +to allow GRE traffic. This rule is needed for the XenServer feature
> +called "Cross-Host Internal Networks" (CHIN) that uses GRE. If a user
> +configures tunnels other than GRE (ex: VXLAN, LISP), they will have
> +to either manually add a iptables firewall rule to allow the tunnel traffic
> +or add it through a startup script (Please refer to the "enable-protocol"
> +command in the ovs-ctl(8) manpage).
> +
>  Reporting Bugs
>  --------------
>  
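
Review bot: the new bullet says the startup script "automatically adds a firewall rule to allow GRE traffic" for CHIN, but does not say whether the rule is added only when CHIN is in use or on every host. Stating that would help an administrator auditing the host firewall decide whether the GRE rule is expected. As with the first bullet, the continuation lines are not indented under the "*". Minor wording: "a iptables firewall rule" should be "an iptables firewall rule", "ex:" reads better as "e.g.", and "will have to either" differs from "will either have to" in the INSTALL.RHEL paragraph; using the same sentence in both files would be easier to maintain.
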
> 


