cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Tue, 03 Nov 2015 06:26:27 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986767#comment-14986767 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

GitHub user wilderrodrigues opened a pull request:

    https://github.com/apache/cloudstack/pull/1023

    CLOUDSTACK-8925 - Default allow for Egress rules is not being configured properly in VR iptables rules
    
    This PR fixes the router default policy for egress. When the default is DENY, the router still allows outgoing connections.
    
    The test component/test_routers_network_ops.py was improved to cover that case as well. The results were:
    
    Test redundant router internals ... === TestName: test_01_isolate_network_FW_PF_default_routes_egress_true | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_02_isolate_network_FW_PF_default_routes_egress_false | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | Status : SUCCESS ===
    ok
    
    ----------------------------------------------------------------------
    Ran 4 tests in 3636.656s
    
    OK
    /tmp//MarvinLogs/test_routers_network_ops_QDL429/results.txt (END)


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ekholabs/cloudstack fix/egress_state-CLOUDSTACK-8925

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1023.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1023
    
----
commit caa0b4071c024b6672519ab811be733344a05086
Author: Wilder Rodrigues <wrodrigues@schubergphilis.com>
Date:   2015-11-02T11:00:22Z

    CLOUDSTACK-8925 - Drop the traffic when default egress is set to false
    
      - The DROP rule should be appended and the other rules inserted.

commit 9861e997ee81a6aa69e911d0087ad9c60b48f2e3
Author: Wilder Rodrigues <wrodrigues@schubergphilis.com>
Date:   2015-11-02T16:15:46Z

    CLOUDSTACK-8925 - Add tests to cover default egress DENY as well
    
       - Tests cover Redundant and Non-Redundant isolated networks.

----


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain which has a rule to accept NEW packets from the guest instances. Without that rule only RELATED,ESTABLISHED rule in FW_OUTBOUND chain will result in drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
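The chain layout from the report, modelled as an added example (not CloudStack's own VR code): a first-match evaluator for FORWARD -> FW_OUTBOUND -> FW_EGRESS_RULES that shows a NEW guest packet falling through to FORWARD's DROP policy when the FW_EGRESS_RULES jump is missing, and, for the DENY default, why the DROP rule has to be appended while the per-rule allows are inserted ahead of it. Interface names and conntrack states come from the listing above; the `dport` match and the example allow rule are assumptions for illustration.

```python
from dataclasses import dataclass, field
ESTABLISHED = frozenset({"RELATED", "ESTABLISHED"})
NEW = frozenset({"NEW"})

@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, or a user chain to jump to
    in_if: str = "*"
    out_if: str = "*"
    states: frozenset = frozenset()   # empty: match any conntrack state
    dport: int = 0                    # 0: match any destination port (assumed field)

    def matches(self, pkt):
        return (self.in_if in ("*", pkt["in"]) and self.out_if in ("*", pkt["out"])
                and (not self.states or pkt["state"] in self.states)
                and (self.dport == 0 or self.dport == pkt.get("dport")))

@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = None                # only the built-in FORWARD chain has a policy

def verdict(chains, name, pkt):
    """iptables semantics: first matching terminating rule wins; an exhausted user chain returns."""
    chain = chains[name]
    for r in chain.rules:
        if not r.matches(pkt):
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        sub = verdict(chains, r.target, pkt)      # jump into a user chain
        if sub is not None:
            return sub
    return chain.policy                           # None == implicit RETURN

def build(default_allow, allows=(), missing_jump=False, drop_first=False):
    """Chains as listed in the report; the two flags reproduce the defects."""
    c = {"FORWARD": Chain(policy="DROP"), "FW_OUTBOUND": Chain(), "FW_EGRESS_RULES": Chain()}
    c["FORWARD"].rules.append(Rule("FW_OUTBOUND", "eth0", "eth2"))
    c["FW_OUTBOUND"].rules.append(Rule("ACCEPT", states=ESTABLISHED))
    if not missing_jump:                          # the reference the reporter found absent
        c["FW_OUTBOUND"].rules.append(Rule("FW_EGRESS_RULES"))
    eg = c["FW_EGRESS_RULES"].rules
    if default_allow:
        eg.append(Rule("ACCEPT", states=NEW))
    else:
        eg.append(Rule("DROP"))                   # -A: the DROP must end up last
        for r in allows:                          # -I: allows go in front of it
            eg.insert(len(eg) if drop_first else 0, r)   # drop_first: the broken order
    return c
```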



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
