cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Tue, 03 Nov 2015 07:15:27 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986823#comment-14986823 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153274765
  
    did the following to test it on an existing XenServer setup (it has two networks: egress_allow with default egress allow and isolated2 with default egress DENY):
    1. merge pr locally on the latest master. # git pr 1023
    2. # mvn clean install -Pdeveloper,systemvm -DskipTests=true
    3. clear tags on xenserver to get the latest systemvm.iso # xe host-param-clear param-name=tags uuid=53480c43-9c2c-481f-8bab-170535e21954
    4. start jetty # mvn -pl client jetty:run -o
    5. restart networks to recreate the routers. (two routers came up: r-74-VM - isolated2, r-73-VM - egress_allow)
    6. verified that egress-allow router has target accept
    ```
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state NEW
        0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 418 packets, 58785 bytes)
     pkts bytes target     prot opt in     out     source               destination
      524 73372 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    ```
    
    7. verified that egress-deny router has target DROP
    ```
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state NEW
        0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 260 packets, 45505 bytes)
     pkts bytes target     prot opt in     out     source               destination
      695  101K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_EGRESS_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FW_OUTBOUND (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    ```
    8. launch a VM in egress-allow network and ping google.com succeeded
    ```
    [root@egress-allow-vm ~]# ping google.com
    PING google.com (216.58.192.78) 56(84) bytes of data.
    64 bytes from mia07s34-in-f14.1e100.net (216.58.192.78): icmp_seq=1 ttl=44 time=291 ms
    
    --- google.com ping statistics ---
    2 packets transmitted, 1 received, 50% packet loss, time 1000ms
    rtt min/avg/max/mdev = 291.554/291.554/291.554/0.000 ms
    ```
    9. launch a VM in egress-deny network and ping google.com failed.
    ```
    [root@egress-deny-vm ~]# ping google.com
    PING google.com (216.58.192.78) 56(84) bytes of data.
    
    --- google.com ping statistics ---
    72 packets transmitted, 0 received, 100% packet loss, time 71013ms
    ```
    
    working as expected
    LGTM :+1: 
> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in the FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES chain, which has a rule to accept NEW packets from the guest instances. Without that rule, only the RELATED,ESTABLISHED rule in the FW_OUTBOUND chain will result in a drop of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
