[
https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14985228#comment-14985228
]
Wilder Rodrigues edited comment on CLOUDSTACK-8925 at 11/2/15 2:00 PM:
-----------------------------------------------------------------------
Hi [~rajanik],
Just deployed 2 VMs, with default egrees false/true. Both the routers have the
same setup as you said. And in the case of logging messages, got the same:
Router 1:
2015-11-02 13:37:53,105 configure.py add_rule:143 Current ACL IP direction is
==> egress
2015-11-02 13:37:53,105 configure.py add_rule:163 EGRESS rule configured for
protocol ==> all, action ==> ACCEPT
Router 2:
2015-11-02 13:39:59,396 configure.py add_rule:143 Current ACL IP direction is
==> egress
2015-11-02 13:39:59,396 configure.py add_rule:163 EGRESS rule configured for
protocol ==> all, action ==> ACCEPT
But looking on vmops.log I got:
2015-11-02 13:35:17,724 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(Work-Job-Executor-10:ctx-4c95d65e job-33/job-34 ctx-28b12bea) Egress policy
for the Network
207 is already defined as Deny. So, no need to default the rule to Allow.
Will continue investigating.
Cheers,
Wilder
was (Author: wilder.rodrigues):
Hi [~rajanik],
Just deployed 2 VMs, with default egrees false/true. Both the routers have the
same setup as you said. And in the case of logging messages, got the same:
Router 1:
2015-11-02 13:37:53,105 configure.py add_rule:143 Current ACL IP direction is
==> egress
2015-11-02 13:37:53,105 configure.py add_rule:163 EGRESS rule configured for
protocol ==> all, action ==> ACCEPT
Router 2:
2015-11-02 13:39:59,396 configure.py add_rule:143 Current ACL IP direction is
==> egress
2015-11-02 13:39:59,396 configure.py add_rule:163 EGRESS rule configured for
protocol ==> all, action ==> ACCEPT
Will apply a fix.
Cheers,
Wilder
> Default allow for Egress rules is not being configured properly in VR
> iptables rules
> ------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8925
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.6.0
> Reporter: Pavan Kumar Bandarupally
> Assignee: Wilder Rodrigues
> Priority: Critical
> Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules
> created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain
> which has a rule to accept NEW packets from the guest instances. Without that
> rule only RELATED , ESTABLISHED rule in FW_OUTBOUND chain will result in Drop
> of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 44 2832 NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
> state NEW
> 4 336 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
> 40 2496 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0
> 0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
> pkts bytes target prot opt in out source
> destination
> 2498 369K NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
> pkts bytes target prot opt in out source
> destination
> Chain FW_OUTBOUND (1 references)
> pkts bytes target prot opt in out source
> destination
> 3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
