cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-8681) [Egress_Rules] CS does not honor the default deny egress policy in isolated network
Date Thu, 24 Sep 2015 06:25:04 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-8681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajani Karuturi resolved CLOUDSTACK-8681.
-----------------------------------------
    Resolution: Cannot Reproduce

> [Egress_Rules] CS does not honor the default deny egress policy in isolated network
> -----------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8681
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8681
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.6.0
>         Environment: Latest build from master with commit ac9c2a224a78f413945e25fd7cf23364fbef00b5
> Zone: Advanced
>            Reporter: Sanjeev N
>            Priority: Critical
>
> [Egress_Rules] CS does not honor the default deny egress policy in isolated network
> Steps to reproduce:
> =================
> 1. Bring up CS in advanced zone with any of the supported hypervisors
> 2. Create an isolated network with network offering "DefaultIsolatedNetworkOfferingWithSourceNatService" so that the default egress policy would be "deny all"
> 3.Deploy one guest vm in that network
> Expected Result:
> =============
> VR FORWARD chain in filter table should have the default DROP policy.
> Actual Result:
> ===========
> Following is the FORWARD chain from the VR:
> Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 46405   27M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       state NEW
> 27468   25M ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     2   104 ACCEPT     tcp  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0       tcp dpt:22 state NEW
> It should be in the following way:
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       state NEW
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>
> Chain FW_EGRESS_RULES (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Looks like now we are loading iptables from "/etc/iptables/router_rules.v4". But the base for this file should be "/etc/iptables/rules.v4" to persist the default behavior.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
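The report above boils down to three properties of the VR's filter table: the FORWARD chain's built-in policy is DROP, guest-to-public traffic is handed to FW_OUTBOUND, and FW_EGRESS_RULES ends in an unconditional DROP. The shell check below audits an `iptables-save` dump for exactly those properties. It is an added example, not CloudStack's own code or anything from the ticket; it assumes the interface roles shown in the report (eth0 guest side, eth2 public side) and the chain names the reporter expects, and the two dumps it embeds are constructed to mirror the "Actual Result" and "It should be" chains in `iptables-save` syntax.

```shell
#!/usr/bin/env bash
# Added example (not CloudStack's code): audit an iptables-save dump of a
# CloudStack virtual router for the default-deny egress layout the report
# expects. Interface roles (eth0 guest, eth2 public) and the chain names
# FW_OUTBOUND / FW_EGRESS_RULES are taken from the report; the sample dumps
# below are constructed, not captured from a real VR.

# check_egress_policy DUMP [GUEST_IF] [PUBLIC_IF]
# Prints one line per check and returns the number of failed checks
# (0 means default-deny egress is in place).
check_egress_policy() {
    local dump="$1"
    local guest_if="${2:-eth0}"
    local public_if="${3:-eth2}"
    local failed=0

    # Check 1: built-in policy of FORWARD must be DROP (":FORWARD DROP [p:b]").
    if printf '%s\n' "$dump" | grep -Eq '^:FORWARD DROP '; then
        echo "ok:   FORWARD policy is DROP"
    else
        echo "FAIL: FORWARD policy is not DROP (unmatched traffic is forwarded)"
        failed=$((failed + 1))
    fi

    # Check 2: guest -> public traffic must jump to FW_OUTBOUND so the
    # egress rules are consulted at all.
    if printf '%s\n' "$dump" | grep -Eq "^-A FORWARD -i $guest_if -o $public_if( .*)? -j FW_OUTBOUND\$"; then
        echo "ok:   $guest_if -> $public_if is handed to FW_OUTBOUND"
    else
        echo "FAIL: no FORWARD rule sends $guest_if -> $public_if to FW_OUTBOUND"
        failed=$((failed + 1))
    fi

    # Check 3: the last rule of FW_EGRESS_RULES must be an unconditional DROP,
    # so any egress not allowed by an earlier rule in that chain is denied.
    if printf '%s\n' "$dump" | grep '^-A FW_EGRESS_RULES ' | tail -n 1 \
         | grep -Eq -- '^-A FW_EGRESS_RULES -j DROP$'; then
        echo "ok:   FW_EGRESS_RULES ends with DROP"
    else
        echo "FAIL: FW_EGRESS_RULES is missing or does not end with DROP"
        failed=$((failed + 1))
    fi

    return "$failed"
}

# Constructed dump mirroring the report's "Actual Result": policy ACCEPT,
# no egress chains at all.
BROKEN_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [10282:1743000]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
)

# Constructed dump mirroring the report's expected layout.
EXPECTED_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NETWORK_STATS - [0:0]
:FW_OUTBOUND - [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -j NETWORK_STATS
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -j DROP
COMMIT
EOF
)

echo "== dump mirroring the reported VR =="
check_egress_policy "$BROKEN_RULES" || echo "-> $? check(s) failed"
echo "== dump mirroring the expected layout =="
check_egress_policy "$EXPECTED_RULES" && echo "-> default-deny egress in place"
```

On a live VR the same function runs against the real table with `check_egress_policy "$(iptables-save -t filter)"`; pass the guest and public interface names as the second and third arguments if they differ from eth0/eth2. The third check deliberately looks at the last rule of FW_EGRESS_RULES rather than merely for the chain's existence, since a chain that exists but falls through to the parent is the same failure as no chain at all.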
