bwsw commented on issue #3088: VM restart with 'rebootVirtualMachine' causes SGs broken with KVM
URL: https://github.com/apache/cloudstack/issues/3088#issuecomment-445577291

## Upon creation, before reboot

Network info

```
root@cs2-tsk-c1-n02:~# virsh domiflist i-3022-5294-vm
Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet30     bridge     cloudbr1   virtio      1e:00:c6:00:02:2a
```

Iptables info

```
root@cs2-tsk-c1-n02:~# iptables-save | grep i-3022-5294
:i-3022-5294-def - [0:0]
:i-3022-5294-vm - [0:0]
:i-3022-5294-vm-eg - [0:0]
-A BF-cloudbr1-IN -m physdev --physdev-in vnet30 --physdev-is-bridged -j i-3022-5294-def
-A BF-cloudbr1-OUT -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-def
-A i-3022-5294-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-3022-5294-def -p udp -m physdev --physdev-in vnet30 --physdev-is-bridged -m udp --sport 68 --dport 67 -j ACCEPT
-A i-3022-5294-def -p udp -m physdev --physdev-out vnet30 --physdev-is-bridged -m udp --sport 67 --dport 68 -j ACCEPT
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set ! --match-set i-3022-5294-vm src -j DROP
-A i-3022-5294-def -p udp -m physdev --physdev-in vnet30 --physdev-is-bridged -m set --match-set i-3022-5294-vm src -m udp --dport 53 -j RETURN
-A i-3022-5294-def -p tcp -m physdev --physdev-in vnet30 --physdev-is-bridged -m set --match-set i-3022-5294-vm src -m tcp --dport 53 -j RETURN
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set --match-set i-3022-5294-vm src -j i-3022-5294-vm-eg
-A i-3022-5294-def -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-vm
-A i-3022-5294-vm -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-3022-5294-vm -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-3022-5294-vm -p icmp -m icmp --icmp-type any -j ACCEPT
-A i-3022-5294-vm -j DROP
-A i-3022-5294-vm-eg -p udp -m udp --dport 1:65535 -m state --state NEW -j RETURN
-A i-3022-5294-vm-eg -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
-A i-3022-5294-vm-eg -p icmp -m icmp --icmp-type any -j RETURN
-A i-3022-5294-vm-eg -j DROP
```

Ip6 tables info:

```
root@cs2-tsk-c1-n02:~# ip6tables-save | grep i-3022-5294
:i-3022-5294-def - [0:0]
:i-3022-5294-vm - [0:0]
:i-3022-5294-vm-eg - [0:0]
-A BF-cloudbr1-IN -m physdev --physdev-in vnet30 --physdev-is-bridged -j i-3022-5294-def
-A BF-cloudbr1-OUT -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-def
-A i-3022-5294-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-3022-5294-def -s fe80::/64 -d ff02::1/128 -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A i-3022-5294-def -d ff02::2/128 -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 134 -j DROP
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 136 -m set --match-set i-3022-5294-vm-6 src -m hl --hl-eq 255 -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 2 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 2 -j ACCEPT
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 1 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 1 -j ACCEPT
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 3 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 3 -j ACCEPT
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 4 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -p ipv6-icmp -m physdev --physdev-out vnet30 --physdev-is-bridged -m icmp6 --icmpv6-type 4 -j ACCEPT
-A i-3022-5294-def -d ff02::16/128 -p ipv6-icmp -m physdev --physdev-in vnet30 --physdev-is-bridged -j RETURN
-A i-3022-5294-def -s fe80::1c00:c6ff:fe00:22a/128 -d ff02::1:2/128 -p udp -m physdev --physdev-in vnet30 --physdev-is-bridged -m udp --sport 546 -j RETURN
-A i-3022-5294-def -s fe80::/64 -d fe80::1c00:c6ff:fe00:22a/128 -p udp -m physdev --physdev-out vnet30 --physdev-is-bridged -m udp --dport 546 -j ACCEPT
-A i-3022-5294-def ! -d fe80::/64 -p udp -m physdev --physdev-in vnet30 --physdev-is-bridged -m udp --sport 547 -j DROP
-A i-3022-5294-def -p udp -m physdev --physdev-in vnet30 --physdev-is-bridged -m udp --dport 53 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -p tcp -m physdev --physdev-in vnet30 --physdev-is-bridged -m tcp --dport 53 -m set --match-set i-3022-5294-vm-6 src -j RETURN
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set ! --match-set i-3022-5294-vm-6 src -j DROP
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set --match-set i-3022-5294-vm-6 src -j i-3022-5294-vm-eg
-A i-3022-5294-def -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-vm
-A i-3022-5294-vm -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-3022-5294-vm -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-3022-5294-vm -p ipv6-icmp -j ACCEPT
-A i-3022-5294-vm -j DROP
-A i-3022-5294-vm-eg -p udp -m udp --dport 1:65535 -m state --state NEW -j RETURN
-A i-3022-5294-vm-eg -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
-A i-3022-5294-vm-eg -p ipv6-icmp -j RETURN
-A i-3022-5294-vm-eg -j DROP
```

Ebtables info:

```
Bridge chain: i-3022-5294-vm-in, entries: 7, policy: ACCEPT
-s ! 1e:0:c6:0:2:2a -j DROP
-p ARP -s ! 1e:0:c6:0:2:2a -j DROP
-p ARP --arp-mac-src ! 1e:0:c6:0:2:2a -j DROP
-p ARP -j i-3022-5294-vm-in-ips
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p ARP -j DROP

Bridge chain: i-3022-5294-vm-out, entries: 5, policy: ACCEPT
-p ARP --arp-op Reply --arp-mac-dst ! 1e:0:c6:0:2:2a -j DROP
-p ARP -j i-3022-5294-vm-out-ips
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p ARP -j DROP

Bridge chain: i-3022-5294-vm-in-ips, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 176.120.29.45 -j RETURN
-j DROP

Bridge chain: i-3022-5294-vm-out-ips, entries: 2, policy: ACCEPT
-p ARP --arp-ip-dst 176.120.29.45 -j RETURN
-j DROP
```

IPSET:

```
root@cs2-tsk-c1-n02:~# ipset -L i-3022-5294-vm-6
Name: i-3022-5294-vm-6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1376
References: 9
Members:
fe80::1c00:c6ff:fe00:22a
2001:67c:20dc:1c00:1c00:c6ff:fe00:22a
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
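The dumps in the comment above show what an intact security-group rule set for one KVM guest looks like: the `BF-<bridge>-IN/OUT` chains hand the guest's `vnetNN` to `<instance>-def`, which drops any source not in the guest's ipset, sends egress to `<instance>-vm-eg` and ingress to `<instance>-vm`, both of which end in a terminal `DROP`. The script below is an added example, not bwsw's code and not part of CloudStack; it parses `virsh domiflist` and `iptables-save` output and re-checks that wiring for every bridged NIC of the instance, so it can be run before and after `rebootVirtualMachine` and the two reports diffed. The sample input is constructed, abbreviated from the pre-reboot IPv4 dump above; the chain layout it checks is inferred from that dump, and the live mode assumes `virsh` and `iptables-save` are on `$PATH` and the script runs as root.

```python
"""Audit CloudStack security-group (SG) chain wiring for one KVM guest.

Checks, from `virsh domiflist <instance>` and `iptables-save`/`ip6tables-save`
output, the layout seen in a healthy dump (layout inferred from the issue
comment, not from CloudStack's source):
  BF-<bridge>-IN/OUT   --physdev-in/out <vnet>  -> <prefix>-def
  <prefix>-def         ipset anti-spoof DROP; egress -> <prefix>-vm-eg;
                       ingress -> <prefix>-vm
  <prefix>-vm, <prefix>-vm-eg  end in a terminal DROP
<prefix> is the instance name without its "-vm" suffix (i-3022-5294-vm -> i-3022-5294).
"""
import re

# Constructed sample, abbreviated from the pre-reboot IPv4 dump in the issue comment.
SAMPLE_DOMIFLIST = """\
Interface  Type    Source    Model   MAC
-------------------------------------------------------
vnet30     bridge  cloudbr1  virtio  1e:00:c6:00:02:2a
"""
SAMPLE_IPTABLES_SAVE = """\
:i-3022-5294-def - [0:0]
:i-3022-5294-vm - [0:0]
:i-3022-5294-vm-eg - [0:0]
-A BF-cloudbr1-IN -m physdev --physdev-in vnet30 --physdev-is-bridged -j i-3022-5294-def
-A BF-cloudbr1-OUT -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-def
-A i-3022-5294-def -m state --state RELATED,ESTABLISHED -j ACCEPT
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set ! --match-set i-3022-5294-vm src -j DROP
-A i-3022-5294-def -m physdev --physdev-in vnet30 --physdev-is-bridged -m set --match-set i-3022-5294-vm src -j i-3022-5294-vm-eg
-A i-3022-5294-def -m physdev --physdev-out vnet30 --physdev-is-bridged -j i-3022-5294-vm
-A i-3022-5294-vm -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
-A i-3022-5294-vm -j DROP
-A i-3022-5294-vm-eg -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
-A i-3022-5294-vm-eg -j DROP
"""


def parse_domiflist(text):
    """{interface: (bridge, mac)} for every bridged NIC in `virsh domiflist` output."""
    nics = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "bridge":
            nics[parts[0]] = (parts[2], parts[4])
    return nics


def parse_iptables_save(text):
    """{chain: [rule spec, ...]} from iptables-save output, rules kept in order."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # chain declaration (may have no rules)
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, spec = line.split(None, 2)
            chains.setdefault(chain, []).append(spec)
    return chains


def _has_rule(chains, chain, *fragments):
    """True if a rule of `chain` contains all fragments, in order, on token boundaries,
    so "vnet30" does not match "vnet300" and "-j X-vm" does not match "-j X-vm-eg"."""
    pattern = r".*".join(r"(?<!\S)" + re.escape(f) + r"(?!\S)" for f in fragments)
    return any(re.search(pattern, rule) for rule in chains.get(chain, []))


def check_sg_plumbing(chains, prefix, vnet, bridge, ipset):
    """Return a list of findings; an empty list means the SG chains for this NIC look intact."""
    findings = []
    for suffix in ("-def", "-vm", "-vm-eg"):
        if prefix + suffix not in chains:
            findings.append(f"chain {prefix}{suffix} missing")
    d = f"{prefix}-def"
    for chain, frag in ((f"BF-{bridge}-IN", f"--physdev-in {vnet}"),
                        (f"BF-{bridge}-OUT", f"--physdev-out {vnet}")):
        if not _has_rule(chains, chain, frag, f"-j {d}"):
            findings.append(f"{chain}: {vnet} is not handed to {d}")
    if not _has_rule(chains, d, f"--physdev-in {vnet}", f"! --match-set {ipset} src", "-j DROP"):
        findings.append(f"{d}: anti-spoof DROP for sources outside ipset {ipset} missing")
    if not _has_rule(chains, d, f"--physdev-in {vnet}", f"--match-set {ipset} src", f"-j {prefix}-vm-eg"):
        findings.append(f"{d}: egress from {vnet} not dispatched to {prefix}-vm-eg")
    if not _has_rule(chains, d, f"--physdev-out {vnet}", f"-j {prefix}-vm"):
        findings.append(f"{d}: ingress to {vnet} not dispatched to {prefix}-vm")
    for c in (f"{prefix}-vm", f"{prefix}-vm-eg"):
        rules = chains.get(c, [])
        if not rules or rules[-1] != "-j DROP":
            findings.append(f"{c}: no terminal DROP, default-deny lost")
    return findings


def audit(instance, domiflist_text, iptables_text, ipv6=False):
    """{vnet: [findings]} for each bridged NIC of `instance`; ipv6=True checks the "-6" ipset."""
    prefix = instance[:-3] if instance.endswith("-vm") else instance
    ipset = f"{prefix}-vm" + ("-6" if ipv6 else "")
    chains = parse_iptables_save(iptables_text)
    return {vnet: check_sg_plumbing(chains, prefix, vnet, bridge, ipset)
            for vnet, (bridge, _mac) in parse_domiflist(domiflist_text).items()}


if __name__ == "__main__":
    import subprocess, sys

    def run(*cmd):  # live mode assumes root and virsh/iptables-save on $PATH
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    if len(sys.argv) == 2:   # e.g. python3 sg_audit.py i-3022-5294-vm
        inst = sys.argv[1]
        dom, ipt = run("virsh", "domiflist", inst), run("iptables-save")
    else:                    # offline: the constructed sample above
        inst, dom, ipt = "i-3022-5294-vm", SAMPLE_DOMIFLIST, SAMPLE_IPTABLES_SAVE
    for vnet, findings in audit(inst, dom, ipt).items():
        print(vnet, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Because the interface name is taken from `virsh domiflist` at run time rather than from the rules, the audit also catches rules that still reference an interface the guest no longer has; for the IPv6 side, feed it `ip6tables-save` output with `ipv6=True` so it looks for the `-6` ipset seen in the dump.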
