cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: egress fw problems in 4.10?
Date Fri, 17 Nov 2017 17:39:26 GMT
Thanks Jayapal,

Indeed, I checked and 0.0.0.0/0 is not there. When I tried to add it manually I got an error:
ipset v6.12.1: The value of the CIDR parameter of the IP address is invalid


Hash:net types will not accept 0 prefix, it's happy to accept 0.0.0.0/1 though, however I
still can't do any egress except for ICMP ping for some reason.

If I omit specifying a dest CIDR, then I get truly unrestricted egress.

I need to investigate some more when I get time, something's fishy.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Jayapal Uradi" <jayapal.uradi@accelerite.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Friday, 17 November, 2017 04:02:13
> Subject: Re: egress fw problems in 4.10?

> Hi Nux,
> 
> I think the ipset for destination cidr is not configured with 0.0.0.0/0 due
> to this you might see this issue.
> Please check the ipset and iptables rules once.
> 
> iptables -L -nv
> ipset -L
> 
> Thanks,
> Jayapal
> 
> 
>> On Nov 17, 2017, at 6:55 AM, Nux! <nux@li.nux.ro> wrote:
>> 
>> Hi,
>> 
>> Just installed 4.10 today for a demo, but seems there are some problems with the
>> egress rules in isolated networks.
>> Is there anything wrong with this rule? ACS allows me to add it, but no outbound
>> traffic is allowed at all.
>> 
>> 10.1.1.0/24	0.0.0.0/0	All	All	All
>> 
>> http://img.nux.ro/gL3-Selection_002.png
>> 
>> If I replace 0.0.0.0/0 with a certain IP/32, then traffic works.
>> 
>> 
>> Also, if I don't mention a destination cidr at all, outbound traffic also works,
>> but the docs state 0.0.0.0/0 should be honoured as valid destination cidr.
>> 
>> Any ideas? I know there was recent work done on egress recently, maybe related
>> to that?
>> 
>> Lucian
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
> 
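
The ipset(8) man page states that hash:net sets cannot store a network address with a zero prefix size, which matches the error quoted in this message. The following is an added example, not part of the thread and not CloudStack's own code: shell helpers that expand 0.0.0.0/0 into the two /1 halves when generating `ipset restore` input, and that report how many of those halves a listing contains. The set name `demo_egress_dst` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: helper and set names are hypothetical, not CloudStack code.

# Print the entries a hash:net set can store for one destination CIDR.
# hash:net rejects a zero prefix, so 0.0.0.0/0 is split into the two /1
# halves that together cover the same address space.
hashnet_entries() {
    cidr=$1
    case $cidr in
        */*) addr=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   addr=$cidr; prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*) echo "invalid prefix in '$cidr'" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "invalid prefix in '$cidr'" >&2; return 1
    fi
    if [ "$prefix" -eq 0 ]; then
        printf '%s\n' 0.0.0.0/1 128.0.0.0/1
    else
        printf '%s/%s\n' "$addr" "$prefix"
    fi
}

# Emit input for "ipset restore" that creates the set and adds each CIDR.
ipset_restore_lines() {
    set_name=$1; shift
    printf 'create %s hash:net family inet\n' "$set_name"
    for c in "$@"; do
        entries=$(hashnet_entries "$c") || return 1
        for e in $entries; do
            printf 'add %s %s\n' "$set_name" "$e"
        done
    done
}

# Read a restore listing on stdin and count the /1 halves it contains:
# 2 means every IPv4 destination matches, 1 means only half of them do.
half_coverage() {
    grep -c -E ' (0\.0\.0\.0|128\.0\.0\.0)/1$' || true
}
```

A set holding only 0.0.0.0/1 matches destinations 0.0.0.0 through 127.255.255.255, so `half_coverage` returns 1 for it and 2 once 128.0.0.0/1 is present as well.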
