cloudstack-dev mailing list archives

From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: egress fw problems in 4.10?
Date Tue, 21 Nov 2017 11:37:18 GMT
Hi Lucian,


It looks like a legit bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297092


When you add 0.0.0.0/0 as destination cidr, this executes on the VR and fails:

# ipset add destCidrIpset-4 1.0.0.0/0
ipset v6.30: The value of the CIDR parameter of the IP address is invalid


The workaround is to use these destination cidrs, split in two egress traffic rules:

0.0.0.0/1 and 128.0.0.0/1.


Regards.
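Added example, not code from this thread or from CloudStack: a small POSIX sh helper that rewrites a /0 destination into the two /1 halves described above before the entry reaches an ipset hash:net set. The set name destCidrIpset-4 is taken from the VR output quoted earlier; the ipset commands are echoed rather than executed so the script can be run anywhere.

```shell
#!/bin/sh
# hash:net sets reject a /0 prefix ("The value of the CIDR parameter of the
# IP address is invalid"), so "everything" has to be expressed as the two
# /1 halves, which together cover the whole IPv4 space.

# Print the member(s) that should be added for a given destination CIDR.
expand_dest_cidr() {
    cidr=$1
    case "$cidr" in
        */0)
            # Any /0 (0.0.0.0/0, 1.0.0.0/0, ...) means the whole address space.
            printf '%s\n' 0.0.0.0/1 128.0.0.0/1
            ;;
        */*)
            # Already a usable prefix: pass it through unchanged.
            printf '%s\n' "$cidr"
            ;;
        *)
            # Bare address: treat it as a single host.
            printf '%s\n' "$cidr/32"
            ;;
    esac
}

# Emit the ipset commands for one destination CIDR (dry run: the commands
# are echoed; drop the leading 'echo' to apply them on the VR).
ipset_add_cmds() {
    set_name=$1
    dest=$2
    expand_dest_cidr "$dest" | while IFS= read -r member; do
        echo "ipset add $set_name $member -exist"
    done
}

# Constructed sample input: the rule from the thread, destination 0.0.0.0/0.
ipset_add_cmds destCidrIpset-4 0.0.0.0/0
```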

________________________________
From: Nux! <nux@li.nux.ro>
Sent: Tuesday, November 21, 2017 3:16:00 PM
To: dev
Subject: Re: egress fw problems in 4.10?

Rohit,

I see it accepts 0.0.0.0/0 on the source CIDR, but then transforms that into 10.1.1.0/24 (or
whatever), I'd imagine it could do the same with the destination CIDR and just "rename" 0.0.0.0/0
into 0.0.0.0/1.
However this is not a Cloudstack problem as I see it, it's an ipset bug/feature, so we should
just "deal with it", perhaps update the documentation at least.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

----- Original Message -----
> From: "Rohit Yadav" <rohit.yadav@shapeblue.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Tuesday, 21 November, 2017 09:23:00
> Subject: Re: egress fw problems in 4.10?

> I hit the same issue with the debian9-systemvmtemplate PR. Earlier, the egress
> traffic option used to accept 0.0.0.0/0.
>
>
> - Rohit
>
> ________________________________
> From: Nux! <nux@li.nux.ro>
> Sent: Friday, November 17, 2017 11:09:26 PM
> To: dev
> Subject: Re: egress fw problems in 4.10?
>
> Thanks Jayapal,
>
> Indeed, I checked and 0.0.0.0/0 is not there. When I tried to add it manually I
> got an error:
> ipset v6.12.1: The value of the CIDR parameter of the IP address is invalid
>
>
> Hash:net types will not accept 0 prefix, it's happy to accept 0.0.0.0/1 though,
> however I still can't do any egress except for ICMP ping for some reason.
>
> If I omit specifying a dest CIDR, then I get truly unrestricted egress.
>
> I need to investigate some more when I get time, something's fishy.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
>
>
> ----- Original Message -----
>> From: "Jayapal Uradi" <jayapal.uradi@accelerite.com>
>> To: "dev" <dev@cloudstack.apache.org>
>> Sent: Friday, 17 November, 2017 04:02:13
>> Subject: Re: egress fw problems in 4.10?
>
>> Hi Nux,
>>
>> I think the ipset for destination cidr is not configured with 0.0.0.0/0; due
>> to this you might see this issue.
>> Please check the ipset and iptables rules once.
>>
>> iptables -L -nv
>> ipset -L
>>
>> Thanks,
>> Jayapal
>>
>>
>>> On Nov 17, 2017, at 6:55 AM, Nux! <nux@li.nux.ro> wrote:
>>>
>>> Hi,
>>>
>>> Just installed 4.10 today for a demo, but seems there are some problems with the
>>> egress rules in isolated networks.
>>> Is there anything wrong with this rule? ACS allows me to add it, but no outbound
>>> traffic is allowed at all.
>>>
>>> 10.1.1.0/24  0.0.0.0/0       All     All     All
>>>
>>> http://img.nux.ro/gL3-Selection_002.png
>>>
>>> If I replace 0.0.0.0/0 with a certain IP/32, then traffic works.
>>>
>>>
>>> Also, if I don't mention a destination cidr at all, outbound traffic also works,
>>> but the docs state 0.0.0.0/0 should be honoured as valid destination cidr.
>>>
>>> Any ideas? I know there was recent work done on egress recently, maybe related
>>> to that?
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
>>
>> DISCLAIMER
>> ==========
>> This e-mail may contain privileged and confidential information which is the
>> property of Accelerite, a Persistent Systems business. It is intended only for
>> the use of the individual or entity to which it is addressed. If you are not
>> the intended recipient, you are not authorized to read, retain, copy, print,
>> distribute or use this message. If you have received this communication in
>> error, please notify the sender and delete all copies of this message.
>> Accelerite, a Persistent Systems business does not accept any liability for
>> virus infected mails.