cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-9027) In the default egress allow network with existing egress rules to block traffic, restarting the network breaks the egress rules
Date Wed, 04 Nov 2015 10:16:27 GMT
Rajani Karuturi created CLOUDSTACK-9027:
-------------------------------------------

             Summary: In the default egress allow network with existing egress rules to block traffic, restarting the network breaks the egress rules
                 Key: CLOUDSTACK-9027
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9027
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
    Affects Versions: 4.6.0
            Reporter: Rajani Karuturi
            Priority: Critical


This is found while testing PR #1023 https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360

In the default egress allow network, it has an existing egress rule (created earlier from the egress
tab on the network page) to block port 22, and restarting it created a new router without an egress
chain on the VR.
When I deleted the rule (from the egress tab on the network page) and restarted the network, it created
a new router with the egress chain properly configured in iptables.

To clear the confusion, I was able to reproduce it with the following steps:
1. Create a new network with default egress allow (network name: egress2_allow).
2. Launch a VM in the network.
3. Check that the VR came up and is running.
4. SSH to the VR and check the iptables.
5. Verified that the iptables FW_EGRESS_RULES chain is present and configured properly.
6. Test outgoing traffic from the user VM created in this network (ssh and ping were working fine).
7. Create an egress rule to block port 22 (from the egress rules tab on the networks page in the UI).
8. Verified that the iptables drop rule is added in the FW_EGRESS_RULES chain on the VR.
9. Verified that ssh from the user VM doesn't work.
10. Restart the network and wait till a new VR is created and running.
11. Observe that the FW_EGRESS_RULES chain is missing in the iptables on the new VR.
12. Also, ping google.com and ssh don't work from the user VM.
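The checks in steps 5, 8 and 11 can be scripted against `iptables-save` output so a VR restart cannot silently drop the egress chain. The script below is an added example, not part of this report or of CloudStack; the chain name FW_EGRESS_RULES comes from the report, while the two sample dumps and the exact rule layout (the FORWARD jump, the `-p tcp` match) are constructed assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` from a healthy VR: egress chain declared,
# jumped to from FORWARD, and carrying the port-22 DROP rule (assumed layout).
GOOD_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -p tcp -m tcp --dport 22 -j DROP
-A FW_EGRESS_RULES -j ACCEPT
COMMIT'

# Constructed sample from the broken VR after the network restart: no egress chain.
BAD_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# 0 if the FW_EGRESS_RULES chain is declared in the given iptables-save text.
egress_chain_present() {
    printf '%s\n' "$1" | grep -q '^:FW_EGRESS_RULES '
}

# 0 if FORWARD actually jumps into the chain; a declared but unreferenced chain
# filters nothing, so step 5 should check this too.
egress_chain_jumped() {
    printf '%s\n' "$1" | grep -q '^-A FORWARD .*-j FW_EGRESS_RULES'
}

# 0 if a DROP rule for the given TCP destination port sits in the chain (step 8).
egress_drop_rule_present() {
    printf '%s\n' "$1" | grep -q "^-A FW_EGRESS_RULES .*--dport $2 .*-j DROP"
}

# Verdict for one dump: 0 when chain, jump and the expected drop rule are all there.
check_vr_egress() {
    if egress_chain_present "$1" && egress_chain_jumped "$1" \
       && egress_drop_rule_present "$1" "$2"; then
        echo "OK: FW_EGRESS_RULES present, port $2 blocked"; return 0
    fi
    echo "BROKEN: FW_EGRESS_RULES missing, not jumped, or rule for port $2 absent"
    return 1
}

check_vr_egress "$GOOD_SAVE" 22          # on a VR: check_vr_egress "$(iptables-save)" 22
check_vr_egress "$BAD_SAVE" 22 || true   # reproduces the step-11 failure
```

Run it on the new VR right after step 10; a BROKEN verdict on a network that should still have the block rule is the bug described here.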



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
