Re: [libvirt] [PATCH v2 4/7] configure: selectively install a firewalld 'libvirt' zone

On 2/1/19 8:28 AM, Eric Garver wrote: > On Thu, Jan 31, 2019 at 10:10:43PM -0500, Laine Stump wrote: >> On 1/31/19 8:24 PM, Laine Stump wrote: >>> Changes from V1: >>> [...] >>> * make the <reject/> rule's priority 32767 instead of 127. >>> [...] >>> + >>> +<rule priority='32767'> >>> +  <reject/> >>> +</rule> >> >> I found out after sending this that when I make the priority of the >> reject >> rule 32767 instead of 127, it's apparently ignored (in my example, I >> was >> able to ssh to port 222 of the host even though the zone doesn't allow >> that). >> >> >> Eric, any idea why this might be happening? > What build are you testing against? At one point the limit was 127, but > I increased it before pushing it upstream. You can check the firewalld > logs - there may be an error reporting the above priority is out of > range. > Ah, maybe you haven't backported that change to RHEL? I was testing on my RHEL8 beta system. If that's the case, then either we need that change backported to RHEL too, or I need to change the priority back to 127.