Please review the PR. https://github.com/apache/cloudstack/pull/2334
-Jayapal On Nov 21, 2017, at 5:37 PM, Rohit Yadav <rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com>> wrote: Jayapal - nice, can you send a PR please? - Rohit ________________________________ From: Jayapal Uradi <jayapal.ur...@accelerite.com<mailto:jayapal.ur...@accelerite.com>> Sent: Tuesday, November 21, 2017 5:33:19 PM To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org> Subject: Re: egress fw problems in 4.10? Hi, When there is 0.0.0.0/0 for dest cidr, while adding iptables do not include ' -m set --match-set destCidrIpset-4 dst’ . For 0.0.0.0/0 no need to add this in ipset. This should be fixed in VR code. Thanks, Jayapal rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com> www.shapeblue.com<http://www.shapeblue.com/> 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue On Nov 21, 2017, at 5:22 PM, Rohit Yadav <rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com>> wrote: Jayapal - I tried that, that leaves the ipset empty and egress traffic does not work for guest VMs. This is seen in iptables (filter): [..snipped..] -A FW_EGRESS_RULES -m set --match-set destCidrIpset-4 dst -j ACCEPT -A FW_EGRESS_RULES -j DROP [..snipped..] And no members are seen: root@r-4-VM:/var/cache/cloud/processed# ipset list destCidrIpset-4 Name: destCidrIpset-4 Type: hash:net Revision: 6 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 352 References: 1 Members: At this point from a guest VM, egress traffic won't be allowed. However, with the workaround I mentioned (see the bugzilla discussion for reference) egress works: root@r-4-VM:/var/cache/cloud/processed# ipset list destCidrIpset-4 Name: destCidrIpset-4 Type: hash:net Revision: 6 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 480 References: 1 Members: 0.0.0.0/1 128.0.0.0/1 - Rohit ________________________________ From: Jayapal Uradi <jayapal.ur...@accelerite.com<mailto:jayapal.ur...@accelerite.com>> Sent: Tuesday, November 21, 2017 5:15:57 PM To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org> Subject: Re: egress fw problems in 4.10? When there is 0.0.0.0/0 for dest cidr do not add/skip the ipset match option in iptables. This will fix the issue. -Jayapal rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com> www.shapeblue.com<http://www.shapeblue.com/><http://www.shapeblue.com<http://www.shapeblue.com/>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue On Nov 21, 2017, at 5:07 PM, Rohit Yadav <rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com>> wrote: Hi Lucian, It looks like a legit bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297092 When you add 0.0.0.0/0 as destination cidr, this execute on VR and fails: # ipset add destCidrIpset-4 1.0.0.0/0 ipset v6.30: The value of the CIDR parameter of the IP address is invalid The workaround are to use these destination cidrs, split in two egress traffic rules: 0.0.0.0/1 and 128.0.0.0/1. Regards. ________________________________ From: Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro>> Sent: Tuesday, November 21, 2017 3:16:00 PM To: dev Subject: Re: egress fw problems in 4.10? Rohit, I see it accepts 0.0.0.0/0 on the source CIDR, but then transforms that into 10.1.1.0/24 (or whatever), I'd imagine it could do the same with the destination CIDR and just "rename" 0.0.0.0/0 into 0.0.0.0/1. However this is not a Cloudstack problem as I see it, it's an ipset bug/feature, so we should just "deal with it", perhaps update the documentation at least. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro<http://www.nux.ro> rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com> www.shapeblue.com<http://www.shapeblue.com/> 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue ----- Original Message ----- From: "Rohit Yadav" <rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com>> To: "dev" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> Sent: Tuesday, 21 November, 2017 09:23:00 Subject: Re: egress fw problems in 4.10? I hit the same issue with the debian9-systemvmtemplate PR. Earlier, the egress traffic option used to accept 0.0.0.0/0. - Rohit ________________________________ From: Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro>> Sent: Friday, November 17, 2017 11:09:26 PM To: dev Subject: Re: egress fw problems in 4.10? Thanks Jayapal, Indeed, I checked and 0.0.0.0/0 is not there. When I tried to add it manually I got an error: ipset v6.12.1: The value of the CIDR parameter of the IP address is invalid Hash:net types will not accept 0 prefix, it's happy to accept 0.0.0.0/1 though, however I still can't do any egress except for ICMP ping for some reason. If I omit specifying a a dest CIDR, then I get trully unrestricted egress. I need to investigate some more when I get time, something's fishy. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro<http://www.nux.ro> rohit.ya...@shapeblue.com www.shapeblue.com<http://www.shapeblue.com/><http://www.shapeblue.com<http://www.shapeblue.com/>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue ----- Original Message ----- From: "Jayapal Uradi" <jayapal.ur...@accelerite.com> To: "dev" <dev@cloudstack.apache.org> Sent: Friday, 17 November, 2017 04:02:13 Subject: Re: egress fw problems in 4.10? Hi Nux, I think the the ipset for destination cidr is not configured with 0.0.0.0/0 due this you might see this issue. Please check the ipset and iptables rules once. iptables -L -nv ipset -L Thanks, Jayapal On Nov 17, 2017, a t 6:55 AM, Nux! <n...@li.nux.ro> wrote: Hi, Just installed 4.10 today for a demo, but seems there are some problems with the egress rules in isolated networks. Is there anything wrong with this rule? ACS allows me to add it, but no outbound traffic is allowed at all. 10.1.1.0/24 0.0.0.0/0 All All All http://img.nux.ro/gL3-Selection_002.png If I replace 0.0.0.0/0 with a certain IP/32, then traffic works. Also, if I don't mention a destination cidr at all, outbound traffic also works, but the docs state 0.0.0.0/0 should be honoured as valid destination cidr. Any ideas? I know there was recent work done on egress recently, maybe related to that? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
