cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jayapal Reddy (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-9702) VR iptables configuration issues
Date Fri, 23 Dec 2016 08:46:58 GMT
Jayapal Reddy created CLOUDSTACK-9702:
-----------------------------------------

             Summary: VR iptables configuration issues
                 Key: CLOUDSTACK-9702
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9702
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Jayapal Reddy


1. If there is a exception in configure.py while adding the iptables rule the error is not
reported back to API, API response shows success.

- If there is failure in delete (due to iptables rule is incorrectly framed) then this rule
stays in VR till VR reboots.

a. In CsNetfilter.py: __convert_to_dict() method is inefficient. With this method it is not
possible to include the option if it is there multiple times.
b. Second thing is it rely on the key value pair of iptable option and value. It will not
work for iptables.
Example rule for the a and b
iptables -A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset  src -m set --match-set
destCidrIpset dst -m tcp --dport 22 -j DROP

In the above example -m option is present multiple times.
If we slit key value for the dictionary then you will get destCidrIpset will get as key which
is a variable (not a iptables option)

With the existing code of CsNetfilter it will not frame the exact rule for the deletion.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message