cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules
Date Wed, 04 Nov 2015 06:54:27 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14989027#comment-14989027 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360
  
    I upgraded an existing xenserver setup with the changes in this PR (cleared the tags on
    xenserver and restarted the networks to recreate VRs with the new systemvm.iso). I also manually
    checked it has the latest configure.py file
    (added details about the setup in my first comment https://github.com/apache/cloudstack/pull/1023#issuecomment-153274765)
    
    In the default egress allow network, it has an existing egress rule to block port 22, and
    restarting it created a new router without an egress chain.
    When I deleted the rule and restarted the network, it created a new router with the egress chain
    properly configured.
    
    To clear the confusion, I was able to reproduce it with the following steps:
    1. create a new network with default egress allow (network name: egress2_allow)
    2. launch a VM in the network.
    3. check that the VR came up and is running
    4. ssh to the VR and check the iptables.
    5. verified that the iptables FW_EGRESS_RULES chain is present.
    6. test outgoing traffic from the user VM created in this network (ssh and ping were working fine)
    7. create an egress rule to block port 22
    8. verified that the iptables drop rule is added in the egress chain on the VR
    9. verified that ssh from the user VM doesn't work
    10. restart the network and wait till a new VR is created and running
    11. observe that FW_EGRESS_RULES is missing in the iptables on the new VR
    12. also, ping google.com and ssh don't work from the user VM


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules created in the
> FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES chain, which has a rule to accept
> NEW packets from the guest instances. Without that rule, only the RELATED,ESTABLISHED rule in the
> FW_OUTBOUND chain is present, which results in packets being dropped.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
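An added check for the chain wiring the report describes and that the repro steps verify by hand (steps 4, 5 and 11). This is example code written for this archive page, not CloudStack's configure.py or any project tooling. It parses the text of `iptables -L -v -n` from a VR and reports when FW_OUTBOUND never jumps to FW_EGRESS_RULES, when that chain is absent, or when it carries no catch-all ACCEPT; in each case only RELATED,ESTABLISHED replies get through and new guest connections end at FORWARD's DROP policy. Both sample dumps are constructed: the broken one follows the listing in the report, the healthy one assumes a layout of FW_OUTBOUND jumping to FW_EGRESS_RULES, which holds the port-22 DROP from the repro ahead of a catch-all ACCEPT. Chain names are parameters because the report's listing shows the chain as FIREWALL_EGRESS_RULES while the text and the repro call it FW_EGRESS_RULES.

```python
"""Check the FW_OUTBOUND -> FW_EGRESS_RULES wiring that CLOUDSTACK-8925 describes.
Input is the text of `iptables -L -v -n` from a virtual router (VR) of a network whose
egress default is "allow". Reported failure modes: the egress chain is missing, FW_OUTBOUND
never jumps to it, or it has no catch-all ACCEPT; in each case only RELATED,ESTABLISHED
replies pass and every NEW guest connection ends at FORWARD's DROP policy.
Example written for this page, not CloudStack code.
"""
import re
import sys
from collections import namedtuple
from typing import Dict, List, Optional

# target is "" for a rule without -j; extra holds match options, e.g. ["state", "NEW"]
Rule = namedtuple("Rule", "target proto in_if out_if src dst extra")
Chain = namedtuple("Chain", "name policy rules")  # policy is None for user-defined chains
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}
_CHAIN_HDR = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_iptables_list(dump: str) -> Dict[str, Chain]:
    """Parse `iptables -L -v -n` output into {chain name: Chain}."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = _CHAIN_HDR.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), [])
            chains[current.name] = current
        elif line and current is not None and not line.startswith("pkts"):
            f = line.split()
            # A rule without -j prints an empty target column; whitespace splitting
            # collapses it, leaving the protocol where the target should be.
            if f[2] in PROTOCOLS:
                f.insert(2, "")
            current.rules.append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], f[9:]))
    return chains

def catch_all_target(chain: Chain) -> Optional[str]:
    """Target of the first rule that matches every packet; None means fall through."""
    for r in chain.rules:
        if r.proto == "all" and r.src == r.dst == "0.0.0.0/0" and not r.extra:
            return r.target
    return None

def check_default_allow_egress(dump: str, outbound: str = "FW_OUTBOUND",
                               egress: str = "FW_EGRESS_RULES") -> List[str]:
    """Findings for a default-allow network; an empty list means the wiring is healthy."""
    chains = parse_iptables_list(dump)
    findings: List[str] = []
    fwd = chains.get("FORWARD")
    policy = fwd.policy if fwd else "?"
    if fwd is None or not any(r.target == outbound for r in fwd.rules):
        findings.append(f"FORWARD never jumps to {outbound}")
    if outbound not in chains:
        return findings + [f"chain {outbound} is missing"]
    if egress not in chains:
        findings.append(f"chain {egress} is missing (the state seen in step 11 of the repro)")
    if not any(r.target == egress for r in chains[outbound].rules):
        kept = "; ".join(" ".join([r.target or "<no target>"] + r.extra) for r in chains[outbound].rules)
        findings.append(f"{outbound} never jumps to {egress}; only [{kept}] remain, so NEW guest "
                        f"connections fall through to FORWARD policy {policy}")
    elif egress in chains and catch_all_target(chains[egress]) != "ACCEPT":
        findings.append(f"{egress} has no catch-all ACCEPT, so default allow was not applied and "
                        f"NEW connections still end at FORWARD policy {policy}")
    return findings

# Constructed sample modelled on the listing in the report: the egress chain exists
# with 0 references and FW_OUTBOUND holds only the RELATED,ESTABLISHED accept.
BROKEN_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
Chain FW_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Constructed sample of the assumed healthy layout: FW_OUTBOUND jumps to the egress
# chain, whose port-22 DROP (step 7 of the repro) sits ahead of a catch-all ACCEPT.
HEALTHY_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   12   720 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":  # on the VR: iptables -L -v -n | python3 check_egress.py
    print("\n".join(check_default_allow_egress(sys.stdin.read()) or ["egress wiring OK"]))
```

Run it on the router with the dump piped on stdin (`iptables -L -v -n | python3 check_egress.py`); an empty result means the FORWARD to FW_OUTBOUND to FW_EGRESS_RULES path exists and ends in ACCEPT. The catch-all check is deliberately order-sensitive: a DROP of everything placed before the ACCEPT would also be reported, since the first rule that matches every packet decides the chain's default.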



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
