[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14987397#comment-14987397 ]

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user wilderrodrigues commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153376651
  
    The last test failed because the connection timed out without printing "Giving up.", as I expected in the test. You can see the output below:
    
    ```
    {Cmd: wget -t 1 -T 1 www.google.com via Host: 192.168.23.6} {returns: [u'--2015-11-03 14:44:03--  http://www.google.com/', u'Resolving www.google.com... failed: Connection timed out.', u"wget: unable to resolve host address 'www.google.com'"]}
    {Cmd: wget -t 1 -T 1 www.google.com via Host: 192.168.23.6} {returns: [u'--2015-11-03 14:44:03--  http://www.google.com/', u'Resolving www.google.com... failed: Connection timed out.', u"wget: unable to resolve host address 'www.google.com'"]}
    {Cmd: wget -t 1 -T 1 www.google.com via Host: 192.168.23.6} {returns: [u'--2015-11-03 14:44:03--  http://www.google.com/', u'Resolving www.google.com... failed: Connection timed out.', u"wget: unable to resolve host address 'www.google.com'"]}
    {Cmd: wget -t 1 -T 1 www.google.com via Host: 192.168.23.6} {returns: [u'--2015-11-03 14:44:03--  http://www.google.com/', u'Resolving www.google.com... failed: Connection timed out.', u"wget: unable to resolve host address 'www.google.com'"]}
    ```
    
    I will push another time and will rely on a better test string. But no worries, the fix is fine!
    
    * Test results:
    
    ```
    Test redundant router internals ... === TestName: test_01_isolate_network_FW_PF_default_routes_egress_true | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_02_isolate_network_FW_PF_default_routes_egress_false | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | Status : SUCCESS ===
    ok
    Test redundant router internals ... === TestName: test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | Status : FAILED ===
    FAIL
    
    ======================================================================
    FAIL: Test redundant router internals
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/data/git/cs1/cloudstack/test/integration/component/test_routers_network_ops.py", line 473, in test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false
        "Attempt to retrieve google.com index page should NOT be successful"
    AssertionError: Attempt to retrieve google.com index page should NOT be successful
    ```


> Default allow for Egress rules is not being configured properly in VR iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules 
> created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain 
> which has a rule to accept NEW packets from the guest instances. Without that 
> rule only RELATED , ESTABLISHED rule in FW_OUTBOUND chain will result in Drop 
> of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
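
An added example, not part of the original message or of CloudStack's code: a check over `iptables -L -nv` output for the condition the issue describes, namely that FW_OUTBOUND jumps to the egress chain and that chain accepts NEW packets. The function names and both sample listings are constructed here, and the chain name is taken from the quoted listing (FIREWALL_EGRESS_RULES).

```python
import re

# Constructed sample in `iptables -L -nv` layout: the broken state from the issue.
BROKEN = """\
Chain FIREWALL_EGRESS_RULES (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""
# Assumed layout once the jump and the NEW rule exist (constructed, not from the page).
FIXED = """\
Chain FIREWALL_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FIREWALL_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(listing):
    """Map chain name -> list of rules (target plus trailing match text)."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            current = chains.setdefault(header.group(1), [])
            continue
        f = line.split()
        # Rule rows carry at least 9 columns; skip blanks and the column header.
        if current is not None and len(f) >= 9 and f[0] != "pkts":
            current.append({"target": f[2], "match": " ".join(f[9:])})
    return chains

def egress_default_allow_problems(listing, outbound="FW_OUTBOUND",
                                  egress="FIREWALL_EGRESS_RULES"):
    """Return findings that break default-allow egress; empty list means OK."""
    chains = parse_chains(listing)
    problems = []
    if not any(r["target"] == egress for r in chains.get(outbound, [])):
        problems.append(f"{outbound} never jumps to {egress}")
    if not any(r["target"] == "ACCEPT" and "NEW" in r["match"]
               for r in chains.get(egress, [])):
        problems.append(f"{egress} has no ACCEPT rule for state NEW")
    return problems
```
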
