[
https://issues.apache.org/jira/browse/CLOUDSTACK-9027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346301#comment-15346301
]
dsclose commented on CLOUDSTACK-9027:
-------------------------------------
We've verified this on Cloudstack 4.8.0. To reproduce:
1. Create a network with a default egress ALLOW.
2. Add an egress rule to block traffic. Traffic type, source CIDR and port
range are unimportant.
3. Restart the network with a clean-up.
The result is a virtual router without the FW_EGRESS_RULES chain. The following
rule is also missing from the filter table:
{code}
-A FW_EGRESS_RULES -j ACCEPT
{code}
This prevents any guest VM from initiating an outbound connection.
Related/established traffic is fine.
To resolve this situation we either manually add the above rule, or we remove
any egress rules and restart the network with a clean-up. Of course, what this
really means is that egress firewall rules as a feature are not functioning.
> In the default egress allow network with existing egress rules to block
> traffic, restarting the network breaks the egress rules
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9027
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9027
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Affects Versions: 4.6.0
> Reporter: Rajani Karuturi
> Assignee: Wilder Rodrigues
> Priority: Critical
>
> This is found while testing PR #1023
> https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360
> In the default egress allow network, it has an existing egress rule (created
> earlier from the egress tab on the network page) to block port 22, and restarting
> it created a new router without the egress chain on the VR.
> When I deleted the rule (from the egress tab on the network page) and restarted
> the network, it created a new router with the egress chain properly configured in
> the iptables.
> To clear the confusion, I was able to reproduce it with the following steps:
> 1. Create a new network with default egress allow (network name:
> egress2_allow).
> 2. Launch a VM in the network.
> 3. Check that the VR came up and is running.
> 4. SSH to the VR and check the iptables.
> 5. Verified that the iptables FW_EGRESS_RULES chain is present and configured
> properly.
> 6. Test outgoing traffic from the user VM created in this network (ssh and ping
> were working fine).
> 7. Create an egress rule to block port 22 (from the egress rules tab on the
> networks page in the UI).
> 8. Verified that the iptables drop rule is added in the FW_EGRESS_RULES chain on the VR.
> 9. Verified that ssh from the user VM doesn't work.
> 10. Restart the network and wait till a new VR is created and running.
> 11. Observe that the FW_EGRESS_RULES chain is missing in the iptables on the new
> VR.
> 12. Also, ping google.com and ssh don't work from the user VM.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
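The check that both the reporter (steps 5 and 11) and dsclose perform by hand on the VR, written as a small script. This is an added example and not CloudStack code: it reads `iptables-save` output for the filter table and reports whether the FW_EGRESS_RULES chain is declared and whether it still ends in the default `-j ACCEPT` rule that dsclose says goes missing. The two sample dumps are constructed for illustration (the FORWARD jump rule and interface names are assumptions, not copied from a real VR); on a live router you would feed it `iptables-save -t filter` instead.

```sh
#!/bin/sh
# Added example (not CloudStack's own code): inspect an iptables-save dump from
# a CloudStack virtual router for the FW_EGRESS_RULES chain described in
# CLOUDSTACK-9027. Chain and rule names follow the bug report; the sample dumps
# below are constructed, not captured from a real VR.

# check_egress_chain DUMP
#   DUMP is iptables-save text for the filter table.
#   Exit status: 0 = chain present and ends in ACCEPT (default egress ALLOW intact)
#                1 = chain present but the trailing ACCEPT is gone
#                2 = chain absent entirely (the state reported in this ticket)
check_egress_chain() {
    dump=$1
    # iptables-save declares chains as ":NAME POLICY [pkts:bytes]"
    if ! printf '%s\n' "$dump" | grep -q '^:FW_EGRESS_RULES '; then
        echo "FAIL: FW_EGRESS_RULES chain missing from filter table"
        return 2
    fi
    # ...and lists rules as "-A CHAIN <match> -j TARGET"
    if ! printf '%s\n' "$dump" | grep -q '^-A FW_EGRESS_RULES -j ACCEPT$'; then
        echo "WARN: FW_EGRESS_RULES present but has no default ACCEPT rule"
        return 1
    fi
    echo "OK: FW_EGRESS_RULES present with default ACCEPT"
    return 0
}

# Constructed dump of a healthy default-ALLOW VR after a port 22 block was added:
# the chain exists, the DROP sits above the ACCEPT, everything else egresses.
HEALTHY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -m state --state NEW -j FW_EGRESS_RULES
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_EGRESS_RULES -p tcp -m tcp --dport 22 -j DROP
-A FW_EGRESS_RULES -j ACCEPT
COMMIT'

# Constructed dump matching the broken VR in the report: the chain and its
# ACCEPT are gone, so new outbound flows hit FORWARD's DROP policy while
# RELATED/ESTABLISHED traffic still passes, exactly as dsclose describes.
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed dump for the intermediate case: chain exists but only the DROP
# survived, so the network silently became default-DENY.
NO_ACCEPT_DUMP='*filter
:FORWARD DROP [0:0]
:FW_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -m state --state NEW -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# Demo run over the constructed dumps; "|| echo" keeps a non-zero status from
# aborting the script when it is executed with "set -e".
check_egress_chain "$HEALTHY_DUMP" || echo "exit status $?"
check_egress_chain "$BROKEN_DUMP" || echo "exit status $?"
check_egress_chain "$NO_ACCEPT_DUMP" || echo "exit status $?"
```

On a real VR, run `check_egress_chain "$(iptables-save -t filter)"` after the network restart; a status of 2 is the condition in this ticket, and the rule dsclose restores by hand is the one the script looks for, `-A FW_EGRESS_RULES -j ACCEPT`.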