phsm commented on PR #10594:
URL: https://github.com/apache/cloudstack/pull/10594#issuecomment-3660941563

For those who're willing to test:

This script can be placed on one of the nodes in `/usr/share/cloudstack-common/scripts/vm/network/security_group.py`, overwriting the existing one.

Key points to test:

1. The securitygroup-enabled VM shall not be able to spoof the IPv4 or IPv6 addresses.
   Try assigning some other address to the VM from the same subnet (not the one that CloudStack gave to it), and try to send some traffic from it / to it.

2. The conntrack table shall not show entries for the traffic for this VM:
   Ensure you have an Ingress security group rule that allows "ALL from 0.0.0.0/0" and "ALL from ::/0" (IPv6 is handled separately).
   For example, install Nginx on the test VM, and run "apache benchmark" against it. It will produce a lot of connections.

   During the test, running `conntrack -L` on the host machine shall not show tons and tons of connections to the VM IP.

3. The conntrack is used when it's needed.
   Then, you may change the security group to allow only TCP port 80 from 0.0.0.0/0, ::/0, and remove the "allow all" rule.
   In this configuration, the conntrack is required, so `conntrack -L` shall show these connections.

The outgoing connections from the VM, e.g. "apt update", shall still work.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
