cloudstack-issues mailing list archives

From "Pavan Kumar Bandarupally (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Wed, 30 Sep 2015 09:47:04 GMT
Pavan Kumar Bandarupally created CLOUDSTACK-8925:
----------------------------------------------------

             Summary: Default allow for Egress rules is not being configured properly in VR iptables rules
                 Key: CLOUDSTACK-8925
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.6.0
            Reporter: Pavan Kumar Bandarupally
            Priority: Critical
             Fix For: 4.6.0



When we create a network with Egress rules set to default allow, the rules created in FW_OUTBOUND
table should have a reference to FW_EGRESS_RULES chain which has a rule to accept NEW packets
from the guest instances. Without that rule, having only the RELATED,ESTABLISHED rule in the
FW_OUTBOUND chain will result in packets being dropped.


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
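
Added example (not part of the original report or of CloudStack's code): a Python check that parses `iptables -L -nv` output like the listing above and flags the condition the report describes, a user chain with zero references and an entry chain with no rule path that accepts NEW connections. The sample listing is constructed from the report's output; the function names and the default `entry` chain argument are assumptions of this example.

```python
import re

# Constructed sample: the two relevant chains from the listing in the report above.
SAMPLE = """\
Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy .*)\)")

def parse_chains(listing):
    """Map chain name -> {"refs": int or None, "rules": [(target, match_text)]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            refs = int(m.group(2)) if m.group(2) else None  # None for built-in chains
            current = chains[m.group(1)] = {"refs": refs, "rules": []}
        elif current is not None and line.strip() and not line.lstrip().startswith("pkts"):
            f = line.split()  # pkts bytes target prot opt in out source destination [match...]
            current["rules"].append((f[2], " ".join(f[9:])))
    return chains

def admits_new(chains, name, seen=None):
    """True if a rule in `name`, or in a chain it jumps to, can ACCEPT a NEW packet."""
    seen = set() if seen is None else seen
    if name in seen or name not in chains:
        return False
    seen.add(name)
    for target, match_text in chains[name]["rules"]:
        m = re.search(r"\b(?:ct)?state (\S+)", match_text)
        if m and "NEW" not in m.group(1).split(","):
            continue  # rule only matches already-tracked connections
        if target == "ACCEPT" or admits_new(chains, target, seen):
            return True
    return False

def audit(listing, entry="FW_OUTBOUND"):
    """Return findings: unreferenced user chains, and an entry chain that never admits NEW."""
    chains = parse_chains(listing)
    findings = [f"{n}: defined but unreferenced" for n, c in chains.items() if c["refs"] == 0]
    if entry in chains and not admits_new(chains, entry):
        findings.append(f"{entry}: no rule path accepts NEW connections")
    return findings
```

On the virtual router, the input would be the captured output of `iptables -L -nv`; an empty result from `audit` means the entry chain can reach a rule that accepts NEW traffic.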
