wido opened a new issue #3057: Security Grouping is broken with VXLAN on KVM URL: https://github.com/apache/cloudstack/issues/3057 ##### ISSUE TYPE * Bug Report ##### COMPONENT NAME ~~~ KVM Security Group ~~~ ##### CLOUDSTACK VERSION ~~~ master / 4.12 ~~~ ##### CONFIGURATION Advanced Networking with Shared VXLAN networking ##### OS / ENVIRONMENT - Ubuntu 18.04 - KVM ##### SUMMARY When deploying a VM with Security Grouping enabled the rules are not properly set on the hypervisor. ##### STEPS TO REPRODUCE ~~~ root@n01:~# /usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-1506-VM --vmid 1506 --vmip 10.0.2.15 --vmip6 2a00:f10:114:1001:1c00:f5ff:fe00:9c3 --vmmac 1e:00:f5:00:09:c3 --vif vnet64 --brname brvx-1001 --nicsecips 0; iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. root@n01:~# ~~~ This causes the proper chains not to be created. Checking security_group.log I see: ~~~ root@n01:~# cat /var/log/cloudstack/agent/security_group.log 2018-11-26 19:19:54,816 - Executing command: default_network_rules 2018-11-26 19:19:54,816 - sysctl -w net.bridge.bridge-nf-call-arptables=1 2018-11-26 19:19:54,824 - sysctl -w net.bridge.bridge-nf-call-iptables=1 2018-11-26 19:19:54,831 - sysctl -w net.bridge.bridge-nf-call-ip6tables=1 2018-11-26 19:19:54,838 - iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w brvx-1001|awk '{print $9}' | head -1 2018-11-26 19:19:54,850 - iptables -L BF-brvx-1001 2018-11-26 19:19:54,858 - iptables -L BF-brvx-1001-OUT 2018-11-26 19:19:54,865 - iptables -L BF-brvx-1001-IN 2018-11-26 19:19:54,874 - ip6tables -L BF-brvx-1001 2018-11-26 19:19:54,882 - ip6tables -L BF-brvx-1001-OUT 2018-11-26 19:19:54,890 - ip6tables -L BF-brvx-1001-IN 2018-11-26 19:19:54,898 - iptables -n -L BF-brvx-1001 | awk '/BF-brvx-1001(.*)references/ {gsub(/\(/, "") ;print $3}' 2018-11-26 19:19:54,910 - iptables -F BF-brvx-1001 2018-11-26 19:19:54,920 - ip6tables -F BF-brvx-1001 root@n01:~# ~~~ The chains are not created and thus rules can't be applied later. This seems like a bug in security_group.py which needs investigating.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services