Hi

I've been randomly seeing this issue for over a year now. At least I think it 
might be related.

I am currently on 4.7.1.1, but a few previous releases had this issue too on 
some of the networks. I've got half a dozen networks or so, which are 
broken and do not allow outgoing traffic despite having the egress rule that 
allows all traffic out with cidr 0.0.0.0/0. These networks are always broken. 
Restarting the network with and without the Clean Up option doesn't help, nor 
does removing and adding the Egress rule.

In order to fix the outgoing traffic I have to log in to the VR in question and 
manually run:

iptables -A FW_OUTBOUND -j ACCEPT

Only after this command the egress traffic starts to flow. This procedure has 
to be repeated EVERY time the router is restarted or recreated for EVERY 
network which is broken. The rest of the networks are not affected by this 
issue.

I definitely didn't have this issue on the early 4.X releases and this issue 
probably happened around version 4.4 or 4.5.

Andrei

----- Original Message -----
> From: "Rohit Yadav" <rohit.ya...@shapeblue.com>
> To: "Simon Weller" <swel...@ena.com>, "dev" <dev@cloudstack.apache.org>
> Sent: Thursday, 21 July, 2016 21:13:52
> Subject: Re: 4.9.0 RC2 Status

> Hi Will,
> 
> 
> The issue is that after upgrading the VR from a pre-4.6 environment, the
> outbound traffic for guest VMs stops working (where their egress rule was allow
> all for 0.0.0.0/0). Along with this, I found that removing allow all 0.0.0.0/0
> egress rule does not remove the rule from VR's filter table. This could be
> a minor security issue for guest VMs.
> 
> 
> I think it's a blocker, please help review and test it:
> 
> https://github.com/apache/cloudstack/pull/1614
> 
> 
> Regards.
> 
> ________________________________
> From: williamstev...@gmail.com <williamstev...@gmail.com> on behalf of Will
> Stevens <wstev...@cloudops.com>
> Sent: 21 July 2016 21:43:42
> To: Simon Weller
> Cc: dev@cloudstack.apache.org
> Subject: Re: 4.9.0 RC2 Status
> 
> I am waiting on pdube's PR to fix some issues with VPCs (not introduced in
> 4.9, but should be fixed in 4.9).
> 
> I am also testing #1613 because I had added #1594 and had to revert it
> because I was running into an error consistently ever since.  Hopefully
> #1613 will run cleanly and I can merge it as well for 4.9.
> 
> Sorry for the delay.  Since this release is so huge, it makes sense to fix
> as many issues as possible before it ships (especially if we will LTS this
> release).
> 
> *Will STEVENS*
> Lead Developer
> 
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
> 
> 
> rohit.ya...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>  
> 
> 
> On Thu, Jul 21, 2016 at 12:04 PM, Simon Weller <swel...@ena.com> wrote:
> 
>> John,
>>
>>
>> I think we're pending a PR from pdube related to broken VPCs. It sounds
>> very much like what we found in our QA environment a few weeks ago.
>>
>> - Si
>>
>> ------------------------------
>> *From:* John Burwell <john.burw...@shapeblue.com>
>> *Sent:* Thursday, July 21, 2016 10:55 AM
>> *To:* dev@cloudstack.apache.org
>> *Cc:* Will Stevens
>> *Subject:* 4.9.0 RC2 Status
>>
>> Will,
>>
>> I am inquiring as to the status of 4.9.0 RC2.  Are there issues we can
>> help resolve in order to get it out?  If not, do you have an ETA on when it
>> will be cut?
>>
>> Thanks,
>> -John
>> john.burw...@shapeblue.com
>> www.shapeblue.com<http://www.shapeblue.com>
>> 53 Chandos Place, Covent Garden, London VA WC2N 4HSUK
>> @shapeblue
>>
>>
>>
