cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8688) Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
Date Mon, 07 Sep 2015 15:10:46 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14733824#comment-14733824 ]

ASF GitHub Bot commented on CLOUDSTACK-8688:
--------------------------------------------

Github user wilderrodrigues commented on the pull request:

    https://github.com/apache/cloudstack/pull/765#issuecomment-138321248
  
    @miguelaferreira @remibergsma @karuturi @DaanHoogland 
    
    The test is done!
    
    Results:
    
    Test iptables default INPUT/FORWARD policy on RouterVM ... === TestName: test_02_routervm_iptables_policies | Status : SUCCESS ===
    ok
    Test iptables default INPUT/FORWARD policies on VPC router ... === TestName: test_01_single_VPC_iptables_policies | Status : SUCCESS ===
    ok
    
    ----------------------------------------------------------------------
    Ran 2 tests in 663.540s
    
    OK
    /tmp//MarvinLogs/test_routers_iptables_default_policy_RC3AMZ/results.txt (END)
    
    
    The tests were done only for single VPC and Isolated Network because the python code executed is also used by Redundant VPC and Shared Network. We can come back to this test later and add more cases; I already added some services for the above mentioned networks in the test.
    
    You can run this test by doing so:
    ```
    nosetests --with-marvin --marvin-config=/data/shared/marvin/mct-zone2-kvm2-ISOLATED.cfg -s -a tags=advanced,required_hardware=true component/test_routers_iptables_default_policy.py
    ```
    
    Make sure you do the following before running the test against a KVM hypervisor:
    
    * Copy the systemvm.iso:
      * cloudstack/client/target/cloud-client-ui-4.6.0-SNAPSHOT/WEB-INF/classes/vms/systemvm.iso
    * To:
      * /usr/share/cloudstack-common/vms/systemvm.iso
    
    Cheers,
    Wilder


> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8688
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>         Environment: Latest build from ACS master.
> Zone type: Advanced
>            Reporter: Sanjeev N
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1.Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2.Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3.Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             vrrp.mcast.net
> ACCEPT     all  --  anywhere             225.0.0.50
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state NEW
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> NETWORK_STATS  all  --  anywhere             anywhere
> Chain NETWORK_STATS (3 references)
> target     prot opt source               destination
>            all  --  anywhere             anywhere
>            all  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
>            tcp  --  anywhere             anywhere
> But the Default policy for INPUT and FORWARD chain should be DROP instead of ACCEPT. Otherwise all the traffic would be allowed to VR.
> Same is the case with VPC and Shared network as well.
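The Marvin test referenced above checks the router's default chain policies; as an added example (not part of the CloudStack test suite or this thread), the following stand-alone Python parses an `iptables --list` dump like the one quoted in the issue and reports any built-in chain whose policy is not DROP. The sample listing is a constructed excerpt of the output above; the function names are my own.

```python
import re

# Constructed sample: trimmed excerpt of the `iptables --list` output quoted in the issue.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
Chain NETWORK_STATS (3 references)
target     prot opt source               destination
"""

# Matches built-in chain headers with or without -v counters
# ("Chain INPUT (policy ACCEPT)" or "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)").
# User-defined chains such as NETWORK_STATS have "(N references)" and no policy.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)")


def parse_policies(listing):
    """Return {chain: policy} for every built-in chain in an iptables listing."""
    policies = {}
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def chains_not_dropping(listing, expected=("INPUT", "FORWARD")):
    """Return the chains from `expected` whose default policy is not DROP.

    A chain that is missing from the dump is reported too: an absent chain
    cannot be assumed safe, which mirrors the blocker described in the issue."""
    policies = parse_policies(listing)
    return [chain for chain in expected if policies.get(chain) != "DROP"]


if __name__ == "__main__":
    bad = chains_not_dropping(SAMPLE_OUTPUT)
    print("chains with non-DROP default policy:", bad or "none")
```

Running it against the quoted listing reports both INPUT and FORWARD; a router whose policies were switched to DROP produces an empty list.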



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
