andrijapanicsb commented on issue #3192: Security Group rules not applied at all for XenServer 6.5 / Advanced Zone
URL: https://github.com/apache/cloudstack/issues/3192#issuecomment-468759166
 
 
   Nope, not OK (also related to an email on the mailing list today/yesterday):
   
   Migrating a VM from host A to host B does NOT remove iptables rules on host A (source) and does NOT create iptables rules on host B (destination host)
   
   (after VM migration is done)
   
   SOURCE HOST (no more VM running here)
   
   iptables-save | grep i-2-3-VM
   
   :i-2-3-VM - [0:0]
   :i-2-3-VM-def - [0:0]
   :i-2-3-VM-eg - [0:0]
   -A BRIDGE-FIREWALL -m physdev --physdev-in vif3.0 --physdev-is-bridged -j i-2-3-VM-def
   -A BRIDGE-FIREWALL -m physdev --physdev-out vif3.0 --physdev-is-bridged -j i-2-3-VM-def
   -A i-2-3-VM -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
   -A i-2-3-VM -j DROP
   -A i-2-3-VM-def -p udp -m physdev --physdev-in vif3.0 --physdev-is-bridged -m set --match-set i-2-3-VM src -m udp --dport 53 -j RETURN
   -A i-2-3-VM-def -m physdev --physdev-in vif3.0 --physdev-is-bridged -m set ! --match-set i-2-3-VM src -j DROP
   -A i-2-3-VM-def -m physdev --physdev-out vif3.0 --physdev-is-bridged -m set ! --match-set i-2-3-VM dst -j DROP
   -A i-2-3-VM-def -m physdev --physdev-in vif3.0 --physdev-is-bridged -m set --match-set i-2-3-VM src -j i-2-3-VM-eg
   -A i-2-3-VM-def -m physdev --physdev-out vif3.0 --physdev-is-bridged -j i-2-3-VM
   -A i-2-3-VM-eg -p tcp -m tcp --dport 88 -m conntrack --ctstate NEW -j RETURN
   -A i-2-3-VM-eg -j DROP
   
   DESTINATION HOST (VM now running here)
   
   iptables-save | grep i-2-3-VM
   
   :i-2-3-VM - [0:0]
   :i-2-3-VM-def - [0:0]
   :i-2-3-VM-eg - [0:0]
   
   
   I'd prefer this is fixed in this PR please, since this is also a blocker thing - updating the issue description with the migration thing...
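A host-side consistency check for the condition described in the comment above, added here as an example (it is not code from the CloudStack project or the commenter): it parses `iptables-save` output and flags a VM whose chains exist but carry no rules (the destination host) or whose rules reference a vif that is no longer present on the host (the source host). The `i-<n>-<n>-VM` chain naming and `vifN.0` device names are assumed from the quoted output; the sample output is constructed to mirror the two hosts shown.

```python
import re
from collections import defaultdict

# Constructed samples mirroring the two hosts quoted in the comment above:
# the source host keeps full rules, the destination has only empty chains.
SOURCE_HOST = """\
:i-2-3-VM - [0:0]
:i-2-3-VM-def - [0:0]
:i-2-3-VM-eg - [0:0]
-A BRIDGE-FIREWALL -m physdev --physdev-in vif3.0 --physdev-is-bridged -j i-2-3-VM-def
-A BRIDGE-FIREWALL -m physdev --physdev-out vif3.0 --physdev-is-bridged -j i-2-3-VM-def
-A i-2-3-VM -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A i-2-3-VM -j DROP
-A i-2-3-VM-eg -j DROP
"""
DEST_HOST = """\
:i-2-3-VM - [0:0]
:i-2-3-VM-def - [0:0]
:i-2-3-VM-eg - [0:0]
"""

CHAIN_RE = re.compile(r"^:(i-\d+-\d+-VM)(?:-def|-eg)? ")   # assumed CloudStack naming
RULE_RE = re.compile(r"^-A (\S+) (.*)$")
VIF_RE = re.compile(r"--physdev-(?:in|out) (vif\d+\.\d+)")

def audit_sg_chains(iptables_save, local_vifs):
    """Map each VM name in iptables-save output to 'empty' (chains but no
    rules: VM runs unfiltered), 'stale' (rules reference a vif not present
    on this host) or 'ok'. local_vifs: vif names of VMs running here."""
    vms, rules = set(), defaultdict(list)
    for line in iptables_save.splitlines():
        if m := CHAIN_RE.match(line):
            vms.add(m.group(1))
        elif m := RULE_RE.match(line):
            rules[m.group(1)].append(m.group(2))
    report = {}
    for vm in sorted(vms):
        own = {vm, vm + "-def", vm + "-eg"}
        related = [r for c in own for r in rules.get(c, [])]
        related += [r for r in rules.get("BRIDGE-FIREWALL", [])
                    if r.endswith("-j " + vm + "-def")]
        if not related:
            report[vm] = "empty"
            continue
        vifs = {v for r in related for v in VIF_RE.findall(r)}
        report[vm] = "stale" if vifs - set(local_vifs) else "ok"
    return report
```

On a real host, feed it the output of `iptables-save` and the vif names from the running domains; a `stale` or `empty` result is the migration leftover the comment describes.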

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.