wido commented on issue #3568: Security Groups are not properly applied on KVM with multiple NICs
URL: https://github.com/apache/cloudstack/issues/3568#issuecomment-524907799

I've been reading the code a bit more and things go horribly wrong here.

*security_group.py* is called twice, one time for each NIC.

Now, when this is called with the argument *default_network_rules* it creates (and clears existing) an ipset for the VM:

- i-2-185-VM
- i-2-185-VM-6

When you call this *twice* the ipset will *only* contain the last arguments:

<pre>
root@hv-138-a05-24:~# ipset list i-2-185-VM
Name: i-2-185-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 136
References: 4
Number of entries: 1
Members:
185.109.216.175
root@hv-138-a05-24:~# ipset list i-2-185-VM-6
Name: i-2-185-VM-6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1352
References: 9
Number of entries: 2
Members:
2a05:1500:600::21ff:fe5b:2
fe80::21ff:fe5b:2
root@hv-138-a05-24:~#
</pre>

As you can see the IPs in both the IPv4 and IPv6 ipset are only the IPs of the second NIC.

What we should do here is create separate ipsets for *each* NIC. Or we add *all* IPs to the ipset.
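Added example, not part of the comment above or of CloudStack's code: a check that parses `ipset list` output and reports which of a VM's NIC addresses are missing from its ipsets, the symptom described in the comment. The NIC labels, the first NIC's addresses (documentation ranges) and the function names are assumptions; the set names and the second NIC's addresses are the ones quoted in the comment.

```python
import ipaddress

# Constructed sample in `ipset list` layout; members are the ones quoted in the comment.
SAMPLE = """\
Name: i-2-185-VM
Type: hash:ip
Members:
185.109.216.175

Name: i-2-185-VM-6
Type: hash:net
Members:
2a05:1500:600::21ff:fe5b:2
fe80::21ff:fe5b:2
"""

# Hypothetical NIC labels; the nic0 addresses are constructed documentation-range values.
EXPECTED = {
    "nic0": ["192.0.2.10", "2001:db8::10"],
    "nic1": ["185.109.216.175", "2a05:1500:600::21ff:fe5b:2", "fe80::21ff:fe5b:2"],
}

def parse_ipset_list(text):
    """Parse `ipset list` output into {set name: set of ip_network objects}."""
    sets, name, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name, in_members = line.split(":", 1)[1].strip(), False
            sets[name] = set()
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line separates sets
        elif in_members and name is not None:
            # Entries may carry options (timeout, counters) after the address.
            sets[name].add(ipaddress.ip_network(line.split()[0], strict=False))
    return sets

def missing_nic_ips(sets, vm_name, nic_ips):
    """Return {nic: [addresses absent from the VM's IPv4 (<vm>) or IPv6 (<vm>-6) ipset]}."""
    missing = {}
    for nic, ips in nic_ips.items():
        for ip in ips:
            net = ipaddress.ip_network(ip, strict=False)
            set_name = vm_name if net.version == 4 else vm_name + "-6"
            if net not in sets.get(set_name, set()):
                missing.setdefault(nic, []).append(ip)
    return missing

if __name__ == "__main__":
    print(missing_nic_ips(parse_ipset_list(SAMPLE), "i-2-185-VM", EXPECTED))
```

An empty result means every expected address is present; any NIC listed has addresses that the VM's ipsets do not cover.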
