weizhouapache commented on PR #13173: URL: https://github.com/apache/cloudstack/pull/13173#issuecomment-4485065064
> @agronaught thanks for the pull request. The code looks good. > > I think that we can restore the changes removed in the 2nd commit of #10970 to accept IPv6 packets from related/established connections going to the virtual router even for non-routed networks. I only removed the rule from the INPUT chain because it was not required to address the issue I was facing at the time, but can't think of a reason for not having it. @winterhazel @agronaught In most cases, CloudStack VRs simply forward traffic to guest VMs and do not expose public services themselves. That is why we originally did not add the rule `ct state established,related accept` to the input chain. It was my suggestion to apply the changes introduced in the 2nd commit of PR #10970. At that time, I did not consider BGP sessions as a use case. I agree that we could revert the changes introduced here: https://github.com/apache/cloudstack/pull/10970/changes/145f4febb1ca74d709ae66d0ff4f83bda0c7419b#diff-105798cff64ba9131433182777feb6bfc8084e93808f736d61da95387eabc1fe That might resolve the issue without requiring the changes proposed in this PR. The IPv4 rules are correct. When I developed the Dynamic Routing feature, I explicitly added the rules for routed networks and routed VPCs: ``` self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT', 'rule': "iifname eth2 ct state related,established counter accept"}) ... self.nft_ipv4_acl.append({'type': "", 'chain': 'INPUT', 'rule': "iifname eth1 ct state related,established counter accept"}) ``` So the issue appears to be specific to the IPv6 rules. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
