cloudstack-dev mailing list archives

From Jayapal Uradi <jayapal.ur...@accelerite.com>
Subject Re: egress fw problems in 4.10?
Date Tue, 21 Nov 2017 12:03:19 GMT
Hi,

When the destination CIDR is 0.0.0.0/0, do not include ' -m set --match-set destCidrIpset-4 dst' while adding the iptables rule.
For 0.0.0.0/0 there is no need to add this to the ipset.

This should be fixed in VR code.

Thanks,
Jayapal




> On Nov 21, 2017, at 5:22 PM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
> 
> Jayapal - I tried that, that leaves the ipset empty and egress traffic does not work for guest VMs.
> 
> 
> This is seen in iptables (filter):
> 
> [..snipped..]
> -A FW_EGRESS_RULES -m set --match-set destCidrIpset-4 dst -j ACCEPT
> -A FW_EGRESS_RULES -j DROP
> [..snipped..]
> 
> 
> And no members are seen:
> 
> 
> root@r-4-VM:/var/cache/cloud/processed# ipset list destCidrIpset-4
> Name: destCidrIpset-4
> Type: hash:net
> Revision: 6
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 352
> References: 1
> Members:
> 
> At this point from a guest VM, egress traffic won't be allowed.
> 
> 
> However, with the workaround I mentioned (see the bugzilla discussion for reference) egress works:
> 
> 
> root@r-4-VM:/var/cache/cloud/processed# ipset list destCidrIpset-4
> Name: destCidrIpset-4
> Type: hash:net
> Revision: 6
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 480
> References: 1
> Members:
> 0.0.0.0/1
> 128.0.0.0/1
> 
> 
> - Rohit
> 
> ________________________________
> From: Jayapal Uradi <jayapal.uradi@accelerite.com>
> Sent: Tuesday, November 21, 2017 5:15:57 PM
> To: dev@cloudstack.apache.org
> Subject: Re: egress fw problems in 4.10?
> 
> When there is 0.0.0.0/0 for dest cidr do not add/skip the ipset match option in iptables. This will fix the issue.
> 
> -Jayapal
> 
> 
> 
> rohit.yadav@shapeblue.com 
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
> 
> 
> 
> On Nov 21, 2017, at 5:07 PM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
> 
> Hi Lucian,
> 
> 
> It looks like a legit bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297092
> 
> 
> When you add 0.0.0.0/0 as destination cidr, this executes on VR and fails:
> 
> # ipset add destCidrIpset-4 1.0.0.0/0
> ipset v6.30: The value of the CIDR parameter of the IP address is invalid
> 
> 
> The workaround is to use these destination cidrs, split in two egress traffic rules:
> 
> 0.0.0.0/1 and 128.0.0.0/1.
> 
> 
> Regards.
> 
> ________________________________
> From: Nux! <nux@li.nux.ro>
> Sent: Tuesday, November 21, 2017 3:16:00 PM
> To: dev
> Subject: Re: egress fw problems in 4.10?
> 
> Rohit,
> 
> I see it accepts 0.0.0.0/0 on the source CIDR, but then transforms that into 10.1.1.0/24 (or whatever), I'd imagine it could do the same with the destination CIDR and just "rename" 0.0.0.0/0 into 0.0.0.0/1.
> However this is not a Cloudstack problem as I see it, it's an ipset bug/feature, so we should just "deal with it", perhaps update the documentation at least.
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: "Rohit Yadav" <rohit.yadav@shapeblue.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Tuesday, 21 November, 2017 09:23:00
> Subject: Re: egress fw problems in 4.10?
> 
> I hit the same issue with the debian9-systemvmtemplate PR. Earlier, the egress
> traffic option used to accept 0.0.0.0/0.
> 
> 
> - Rohit
> 
> ________________________________
> From: Nux! <nux@li.nux.ro>
> Sent: Friday, November 17, 2017 11:09:26 PM
> To: dev
> Subject: Re: egress fw problems in 4.10?
> 
> Thanks Jayapal,
> 
> Indeed, I checked and 0.0.0.0/0 is not there. When I tried to add it manually I
> got an error:
> ipset v6.12.1: The value of the CIDR parameter of the IP address is invalid
> 
> 
> Hash:net types will not accept 0 prefix, it's happy to accept 0.0.0.0/1 though,
> however I still can't do any egress except for ICMP ping for some reason.
> 
> If I omit specifying a dest CIDR, then I get truly unrestricted egress.
> 
> I need to investigate some more when I get time, something's fishy.
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: "Jayapal Uradi" <jayapal.uradi@accelerite.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Friday, 17 November, 2017 04:02:13
> Subject: Re: egress fw problems in 4.10?
> 
> Hi Nux,
> 
> I think the ipset for destination cidr is not configured with 0.0.0.0/0; due to
> this you might see this issue.
> Please check the ipset and iptables rules once.
> 
> iptables -L -nv
> ipset -L
> 
> Thanks,
> Jayapal
> 
> 
> On Nov 17, 2017, at 6:55 AM, Nux! <nux@li.nux.ro> wrote:
> 
> Hi,
> 
> Just installed 4.10 today for a demo, but seems there are some problems with the
> egress rules in isolated networks.
> Is there anything wrong with this rule? ACS allows me to add it, but no outbound
> traffic is allowed at all.
> 
> 10.1.1.0/24  0.0.0.0/0       All     All     All
> 
> http://img.nux.ro/gL3-Selection_002.png
> 
> If I replace 0.0.0.0/0 with a certain IP/32, then traffic works.
> 
> 
> Also, if I don't mention a destination cidr at all, outbound traffic also works,
> but the docs state 0.0.0.0/0 should be honoured as valid destination cidr.
> 
> Any ideas? I know there was recent work done on egress recently, maybe related
> to that?
> 
> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the
> property of Accelerite, a Persistent Systems business. It is intended only for
> the use of the individual or entity to which it is addressed. If you are not
> the intended recipient, you are not authorized to read, retain, copy, print,
> distribute or use this message. If you have received this communication in
> error, please notify the sender and delete all copies of this message.
> Accelerite, a Persistent Systems business does not accept any liability for
> virus infected mails.
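The two approaches discussed in the thread, as an added Python example that is not CloudStack's own VR code: Jayapal's fix (skip the ipset match for a 0.0.0.0/0 destination so the ipset is never left empty) and Rohit's workaround (split 0.0.0.0/0 into the two /1 halves that hash:net accepts). The ipset and chain names are taken from the thread; the function names are assumptions.

```python
import ipaddress

# Names as they appear in the thread's iptables/ipset output (constructed example).
IPSET_NAME = "destCidrIpset-4"
CHAIN = "FW_EGRESS_RULES"


def is_any_dest(cidr):
    """True when the destination CIDR covers all of IPv4 (prefix length 0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.prefixlen == 0


def split_any_dest(cidr):
    """Workaround from the thread: a /0 becomes 0.0.0.0/1 and 128.0.0.0/1,
    which a hash:net ipset accepts. Any other CIDR is returned unchanged."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return [str(s) for s in net.subnets(prefixlen_diff=1)]
    return [str(net)]


def egress_rules(dest_cidrs, use_split_workaround=False):
    """Return (ipset members, iptables rules) for a list of destination CIDRs.

    Default (VR-side fix proposed in the thread): a 0.0.0.0/0 destination
    produces a plain ACCEPT with no '-m set --match-set' clause and adds
    nothing to the ipset. With use_split_workaround=True the /0 is instead
    split into two /1 members so the ipset match stays in place.
    """
    members, accept_all = [], []
    for cidr in dest_cidrs:
        if is_any_dest(cidr) and not use_split_workaround:
            accept_all.append(f"-A {CHAIN} -j ACCEPT")
            continue
        members.extend(split_any_dest(cidr))
    # A /0 member would make 'ipset add' fail exactly as seen in the thread.
    for m in members:
        if ipaddress.ip_network(m).prefixlen == 0:
            raise ValueError(f"hash:net rejects a /0 member: {m}")
    rules = []
    if members:
        rules.append(f"-A {CHAIN} -m set --match-set {IPSET_NAME} dst -j ACCEPT")
    rules.extend(accept_all)
    rules.append(f"-A {CHAIN} -j DROP")
    return members, rules
```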
