cloudstack-issues mailing list archives

From "Jayapal Reddy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5144) [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
Date Tue, 24 Dec 2013 13:14:50 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13856305#comment-13856305 ]

Jayapal Reddy commented on CLOUDSTACK-5144:
-------------------------------------------

Hi Wei Zhou,

I have observed on the KVM host that the iptables rules failed to hook these chains, BF-cloudbr0-IN and BF-cloudbr0-OUT, in the FORWARD table. This affects the security group rules.

For the below commit you updated 'getBrfw' in security_group.py. I can see that this is the latest commit in that file.
Can you please see if it is causing any issue?

commit 258118efa67b426611dc87c66b4891924641772b
Author: Wei Zhou <w.zhou@leaseweb.com>
Date:   Tue Sep 24 08:51:58 2013 +0200

    CLOUDSTACK-4405: additional patch for bridge name and firewall rules issues after KVM upgrade to 4.2

Chain FORWARD (policy ACCEPT 1357 packets, 69147 bytes)
 pkts bytes target     prot opt in     out     source               destination
39900   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   22  1720 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  em1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  em2    *       0.0.0.0/0            0.0.0.0/0



> [Automation]: Basic Zone Security Groups - SSH to VM is allowed even when there is no ingress rule defined for the security group
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5144
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5144
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Gaurav Aradhye
>            Assignee: Jayapal Reddy
>            Priority: Critical
>              Labels: automation
>             Fix For: 4.3.0
>
>         Attachments: MS-Log.txt, agent.log, ipset-L output.txt, iptables-rules.txt
>
>
> In Basic Zone Setup:
> 1. Create an account
> 2. Deploy a VM in that account
> 3. Verify that any ingress rule is not defined for the security group belonging to the account
> 4. Try SSH to VM using the nic ipaddress from external client
> SSH is successful to the VM where as it should fail when the ingress rule is not defined.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
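As an added check, not code from this thread and not CloudStack's own security_group.py: a small Python script that parses the text of `iptables -vnL FORWARD` and reports whether the per-bridge security-group chains named in the comment (BF-<bridge>-IN and BF-<bridge>-OUT) are jumped to from FORWARD. The first sample listing is the FORWARD chain pasted in the comment above; the second is a constructed assumption of what a hooked chain could look like, not CloudStack's actual rule layout. The shadowing check at the end is a general iptables ordering check that goes beyond what the comment states: a blanket ACCEPT placed above the hook would keep the security-group chains from ever seeing new connections.

```python
import re

# Constructed sample 1: the FORWARD chain exactly as pasted in the comment.
# Note that no rule jumps to a BF-cloudbr0-* chain.
BROKEN_FORWARD = """Chain FORWARD (policy ACCEPT 1357 packets, 69147 bytes)
 pkts bytes target     prot opt in     out     source               destination
39900   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   22  1720 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  em1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  em2    *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample 2 (assumption, not CloudStack's real layout): a FORWARD
# chain where traffic to/from the bridge is handed to the BF-* chains first.
HEALTHY_FORWARD = """Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 BF-cloudbr0-IN  all  --  *      cloudbr0  0.0.0.0/0            0.0.0.0/0
    0     0 BF-cloudbr0-OUT  all  --  cloudbr0  *       0.0.0.0/0            0.0.0.0/0
39900   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""


def parse_chain(listing):
    """Parse `iptables -vnL <chain>` output into (chain, policy, rules).

    Each rule is a dict with the column values; anything after the
    'destination' column (match extensions such as 'state ...') lands in
    'extra'.
    """
    lines = [line for line in listing.splitlines() if line.strip()]
    header = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    if not header:
        raise ValueError("not a chain listing: %r" % lines[0])
    rules = []
    for line in lines[2:]:  # skip the 'Chain ...' line and the column header
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if len(f) < 9:
            raise ValueError("malformed rule line: %r" % line)
        rules.append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8],
            "extra": f[9].strip() if len(f) > 9 else "",
        })
    return header.group(1), header.group(2), rules


def bridge_hooks(bridge):
    """Names of the per-bridge security-group chains, as seen in the comment."""
    return ["BF-%s-IN" % bridge, "BF-%s-OUT" % bridge]


def missing_bridge_hooks(listing, bridge):
    """Return the BF-<bridge>-* chains that no FORWARD rule jumps to.

    An empty list means both hooks are present, which is the precondition
    for security-group ingress rules to take effect for that bridge.
    """
    _, _, rules = parse_chain(listing)
    targets = {r["target"] for r in rules}
    return [chain for chain in bridge_hooks(bridge) if chain not in targets]


def shadowing_accepts(listing, bridge):
    """Heuristic ordering check (goes beyond the comment): ACCEPT rules that
    carry no match extension and sit above the first BF-<bridge>-* jump.
    Forwarded traffic matching them is accepted before the security-group
    chains get a look at it."""
    _, _, rules = parse_chain(listing)
    hooks = set(bridge_hooks(bridge))
    shadow = []
    for r in rules:
        if r["target"] in hooks:
            break
        if r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]:
            shadow.append(r)
    return shadow


def check_forward(listing, bridge):
    """Summarise the two checks as a dict; 'ok' is True only if both pass."""
    missing = missing_bridge_hooks(listing, bridge)
    shadow = shadowing_accepts(listing, bridge)
    return {"missing_hooks": missing, "shadowing_accepts": shadow,
            "ok": not missing and not shadow}


if __name__ == "__main__":
    for name, listing in (("broken", BROKEN_FORWARD), ("healthy", HEALTHY_FORWARD)):
        result = check_forward(listing, "cloudbr0")
        print(name, "ok" if result["ok"] else "NOT ok")
        for chain in result["missing_hooks"]:
            print("  FORWARD never jumps to", chain)
        for r in result["shadowing_accepts"]:
            print("  ACCEPT without match above the hook: in=%s out=%s" % (r["in"], r["out"]))
```

On a real host the listing would come from `iptables -vnL FORWARD` run on the KVM node; the bridge name is whatever `getBrfw` resolves for that host, which is exactly the value the comment suspects the referenced commit changed.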
