From 313ea1085f37ad4a1bc86ba13a32c24843f26378 Mon Sep 17 00:00:00 2001
From: toby
Date: Wed, 1 May 2019 04:37:44 +0000
Subject: [PATCH] adding local connections for zebra/frr to the individual services. I can't believe I have not yet noticed this. seems like-frr reload is however relying on this

---
 debian/postinst | 2 +-
 files/firewall | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debian/postinst b/debian/postinst
index 321fd58..c96044a 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -418,7 +418,7 @@ case "$1" in
 systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason
 systemctl enable firewall
 systemctl restart firewall
- systemctl reload frr
+ ## systemctl reload frr ## still too dangerous? failed heavy on last attempt
 ## END services section
diff --git a/files/firewall b/files/firewall
index f1c7b01..ab9e94f 100755
--- a/files/firewall
+++ b/files/firewall
@@ -23,6 +23,10 @@ case $1 in
 iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
 iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings"
+ ## frr local service connections
+ iptables -A INPUT -i lo -m multiport -p tcp --sports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
+ iptables -A INPUT -i lo -m multiport -p tcp --dports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
+
 ## local ceph osd services
 iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
 iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
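Review bot: Disabling `systemctl reload frr` in postinst means the loopback rules this same commit adds to files/firewall take effect (via `systemctl restart firewall`) while the running FRR daemons are never told to re-read their configuration, so on an upgraded host the package leaves FRR in an unverified state with only a question mark in a comment to explain it. The comment should state the decision and the manual follow-up rather than a doubt, e.g. `## frr reload disabled on purpose: the last automated reload failed hard; after upgrade, reload frr by hand once the new lo rules are confirmed present (iptables -S INPUT | grep 2600:2618)`. Note also that `systemctl restart firewall` on the line above carries no `|| true` unlike the strongswan line, so if the script runs under `set -e` (not visible here) a firewall restart failure would abort postinst part-way through the services section. The enclosing `case "$1" in` arm starts and ends outside the hunk.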
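Review bot: Both new rules carry `--comment "local ceph osd traffic"`, copied from the ceph block below, so `iptables -S`/`-L` will mislabel the FRR rules and an operator auditing the chain cannot tell the two blocks apart; change both to `--comment "local frr vty traffic"` (or whatever 2600:2618 is meant to cover, which the commit message only calls zebra/frr and which I take to be the FRR daemons' vty listeners — confirm). `-m multiport` is unnecessary for a single contiguous range; `--sport 2600:2618` / `--dport 2600:2618` express the same match without loading the extra module. More generally the `--sports` rule is the reply direction of a loopback connection, which a single `iptables -A INPUT -i lo -j ACCEPT` or an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule earlier in the chain would cover for every local service at once — if no such rule exists (not visible here), per-service loopback holes keyed on source port are exactly the kind of gap the commit message says went unnoticed until FRR reload broke. The enclosing `case $1 in` arm starts and ends outside the hunk.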