cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Mon, 02 Nov 2015 12:28:27 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14985137#comment-14985137 ]

Rajani Karuturi edited comment on CLOUDSTACK-8925 at 11/2/15 12:27 PM:
-----------------------------------------------------------------------

In the latest router, FW_OUTBOUND has a reference to FW_EGRESS_RULES. But, I see a new bug.
VR doesn't respect the EGRESS rules. It always allows whether the default is to allow or deny
in service offerings.

Default EGRESS allow router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 99 packets, 15063 bytes)
 pkts bytes target     prot opt in     out     source               destination
  411 59694 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
{noformat}

Default Egress DENY router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3910 3473K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
 2471 3395K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1439 77572 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2477 packets, 192K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3311  315K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1417 76228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   22  1344 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
{noformat}


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in
> FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain which has a rule to accept
> NEW packets from the guest instances. Without that rule only RELATED, ESTABLISHED rule in
> FW_OUTBOUND chain will result in Drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
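An added audit helper (not from the ticket or from the CloudStack code base) that parses `iptables -L -v -n` output in the format quoted above and walks FORWARD -> FW_OUTBOUND -> FW_EGRESS_RULES the way netfilter would for a NEW guest-to-public packet, so the router's effective egress verdict can be checked against the service offering's default. The embedded dump is constructed from the chains in the comment; chain names, the interface roles assumed here (eth0 guest, eth2 public) and the reporter's case of an FW_OUTBOUND chain without the FW_EGRESS_RULES jump are taken from the page.

```python
def parse_chains(dump):
    """{chain: (policy or None, [(target, in_if, out_if, states or None)])}"""
    chains, cur = {}, None
    for line in dump.splitlines():
        f = line.split()  # pkts bytes target prot opt in out src dst [state A,B]
        if line.startswith("Chain "):  # user-defined chains carry no policy
            cur, chains[f[1]] = f[1], (f[3] if f[2] == "(policy" else None, [])
        elif cur and len(f) >= 9 and f[0] != "pkts":  # skip blanks and headers
            st = set(f[f.index("state") + 1].split(",")) if "state" in f else None
            chains[cur][1].append((f[2], f[5], f[6], st))
    return chains

def verdict(chains, chain="FORWARD", in_if="eth0", out_if="eth2", state="NEW"):
    """Walk a chain as netfilter would for one packet (default: a NEW guest
    -> public packet); None means a user chain fell through (implicit RETURN)."""
    policy, rules = chains[chain]
    for target, rin, rout, states in rules:
        if rin not in ("*", in_if) or rout not in ("*", out_if) or (
                states is not None and state not in states):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        # jump into a user chain present in the dump; targets that are not
        # (NETWORK_STATS here) are treated as non-terminal and skipped
        v = verdict(chains, target, in_if, out_if, state) if target in chains else None
        if v is not None:
            return v
    return policy

def audit(dump, offering_default):
    """Return (effective verdict, True if it matches the offering's allow/deny)."""
    v = verdict(parse_chains(dump))
    return v, v == ("ACCEPT" if offering_default == "allow" else "DROP")

# Constructed dump modelled on the comment's chains (same for allow and deny).
VR_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1439 77572 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1417 76228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   22  1344 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
NO_JUMP_DUMP = "\n".join(VR_DUMP.splitlines()[:-1])  # reporter's case: no jump
```

With the blanket ACCEPT in FW_EGRESS_RULES the audit passes for an allow offering and fails for a deny offering, which is the mismatch the comment describes; the no-jump dump falls back to FORWARD's DROP policy, the original report.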



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)