By the way, I’ve used your slightly modified code in Shorewall’s
/etc/shorewall/started post script:
    #!/bin/sh
    # Allow inbound traffic from every NBD server listed in the instance metadata
    for ip in $(/usr/local/bin/oc-metadata | sed -nE 's/VOLUMES_[0-9]+_EXPORT_URI=.*nbd:\/\/([^:]+):.*/\1/p'); do
        iptables -I INPUT 1 -i eth0 -s "$ip" -j ACCEPT
    done
(chmod +x /etc/shorewall/started to make it executable).
I had to ensure that this was at the top of the INPUT chain, so used -I instead of -A. I’m sure someone can come up with a more elegant Perl version that makes use of Shorewall’s functions directly, but this was sufficient for me.
Hopefully that’ll help someone, and will also put an end to the /nbd0 IO / RO errors I seem to be generating (did see the post regarding 3.2.34 kernel, which I am using).
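As an added example (not from the post above or from the Shorewall project), the script below separates the two halves of that hook so they can be checked offline: one function extracts the NBD server addresses from VOLUMES_n_EXPORT_URI lines, the other turns them into the same "-I INPUT 1" rules. It additionally drops any extracted value that is not a dotted-quad IPv4 address, so a malformed metadata value can never reach the iptables command line, and it defaults to printing the rules rather than running them. The metadata lines embedded in it are constructed sample input; the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example: parse oc-metadata style VOLUMES_<n>_EXPORT_URI lines and
# emit the iptables rules the /etc/shorewall/started hook would run.
# The metadata sample below is constructed and not real oc-metadata output.

# Read metadata on stdin and print one NBD server address per line,
# de-duplicated. Only dotted-quad IPv4 values survive the grep, so nothing
# that is not an address is ever interpolated into an iptables command.
nbd_hosts() {
    sed -nE 's/^VOLUMES_[0-9]+_EXPORT_URI=nbd:\/\/([^:\/]+):.*/\1/p' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | sort -u
}

# Read addresses on stdin and insert an ACCEPT rule at the top of INPUT
# for each one (the post's -I INPUT 1). With DRY_RUN unset or set to 1 the
# commands are printed instead of executed, which is what this example does.
build_rules() {
    iface="$1"
    while IFS= read -r ip; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'iptables -I INPUT 1 -i %s -s %s -j ACCEPT\n' "$iface" "$ip"
        else
            iptables -I INPUT 1 -i "$iface" -s "$ip" -j ACCEPT
        fi
    done
}

# Constructed sample: two volumes on one server, one on another, one line with
# a value that is not an IP address, and an unrelated key that must be ignored.
SAMPLE_METADATA='VOLUMES_0_EXPORT_URI=nbd://10.1.2.3:4242
VOLUMES_1_EXPORT_URI=nbd://10.1.2.3:4243
VOLUMES_2_EXPORT_URI=nbd://10.9.8.7:4242
VOLUMES_3_EXPORT_URI=nbd://bad-host:4242
HOSTNAME=example'

# Run with "demo" as the first argument to print the rules for the sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_METADATA" | nbd_hosts | build_rules eth0
fi
```

To use it against the real metadata, replace the printf of SAMPLE_METADATA with /usr/local/bin/oc-metadata and set DRY_RUN=0; the sort -u keeps the chain from accumulating one duplicate rule per volume when several volumes share a server.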