Github user karuturi commented on the pull request:
https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360
I upgraded an existing XenServer setup with the changes in this PR (cleared
the tags on XenServer and restarted the networks to recreate VRs with the new
systemvm.iso). I also manually checked that it has the latest configure.py file
(added details about the setup in my first comment:
https://github.com/apache/cloudstack/pull/1023#issuecomment-153274765 ).
In the default egress-allow network, it has an existing egress rule to
block port 22, and restarting it created a new router without the egress chain.
When I deleted the rule and restarted the network, it created a new router with
the egress chain properly configured.
To clear the confusion, I was able to reproduce it with the following steps:
1. Create a new network with default egress allow (network name:
egress2_allow).
2. Launch a VM in the network.
3. Check that the VR came up and is running.
4. SSH to the VR and check the iptables.
5. Verified that the iptables FW_EGRESS_RULES chain is present.
6. Test outgoing traffic from the user VM created in this network (ssh and
ping were working fine).
7. Create an egress rule to block port 22.
8. Verified that the iptables DROP rule is added to the egress chain on the VR.
9. Verified that ssh from the user VM doesn't work.
10. Restart the network and wait till a new VR is created and running.
11. Observe that FW_EGRESS_RULES is missing from the iptables on the new VR.
12. Also, ping google.com and ssh don't work from the user VM.
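Steps 5, 8 and 11 above are checked by eye on the VR. The script below is an added example, not code from the PR or from CloudStack, that automates that check against `iptables-save` output: it reports whether the FW_EGRESS_RULES chain is declared at all and whether the expected DROP for the blocked port is inside it. The two rule sets are constructed samples (interface names, the FORWARD jump and the ACCEPT tail are assumptions standing in for whatever the real VR emits); on a live router you would feed it `"$(iptables-save)"`.

```shell
#!/bin/sh
# Added example (not from the PR or CloudStack): verify that a virtual
# router's iptables configuration still carries the FW_EGRESS_RULES chain
# and the DROP rule the egress policy was supposed to install.

# Constructed sample: a healthy VR (chain declared, port-22 DROP applied).
# Interface names and rule layout are assumptions, not the real VR output.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -p tcp -m tcp --dport 22 -j DROP
-A FW_EGRESS_RULES -j ACCEPT
COMMIT'

# Constructed sample: a VR recreated without the egress chain, which is
# the failure the reproduction steps describe.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# egress_chain_present RULES
# Returns 0 when the FW_EGRESS_RULES chain is declared in the filter table.
egress_chain_present() {
    printf '%s\n' "$1" | grep -q '^:FW_EGRESS_RULES '
}

# egress_drop_present RULES PORT
# Returns 0 when FW_EGRESS_RULES contains a DROP for TCP destination PORT.
egress_drop_present() {
    printf '%s\n' "$1" | grep -q -- "^-A FW_EGRESS_RULES .*--dport $2 .*-j DROP"
}

# check_vr RULES PORT
# Prints a verdict; returns 0 only when the chain exists and holds the DROP.
check_vr() {
    if ! egress_chain_present "$1"; then
        echo "MISSING: FW_EGRESS_RULES chain is not declared"
        return 1
    fi
    if ! egress_drop_present "$1" "$2"; then
        echo "MISSING: no DROP for tcp dport $2 in FW_EGRESS_RULES"
        return 2
    fi
    echo "OK: FW_EGRESS_RULES present with DROP for tcp dport $2"
    return 0
}

# On a live VR: check_vr "$(iptables-save)" 22
check_vr "$GOOD_RULES" 22
check_vr "$BAD_RULES" 22 || true
```

Running it after step 10 (network restart) gives a repeatable pass/fail for step 11 instead of reading the chain list by hand, and the distinct return codes let a test harness tell "chain gone" apart from "chain present but rule not applied".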