Pavan Kumar Bandarupally created CLOUDSTACK-8925:
----------------------------------------------------
Summary: Default allow for Egress rules is not being configured properly in VR iptables rules
Key: CLOUDSTACK-8925
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Virtual Router
Affects Versions: 4.6.0
Reporter: Pavan Kumar Bandarupally
Priority: Critical
Fix For: 4.6.0
When we create a network with Egress rules set to default allow, the rules
created in the FW_OUTBOUND chain should include a reference to the FW_EGRESS_RULES
chain, which holds a rule accepting NEW packets from the guest instances. Without
that reference, FW_OUTBOUND contains only the RELATED,ESTABLISHED rule, so new
outbound packets from the guests are dropped.
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
44 2832 NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
4 336 ACCEPT all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
40 2496 FW_OUTBOUND all -- eth0 eth2 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
pkts bytes target prot opt in out source destination
2498 369K NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FIREWALL_EGRESS_RULES (0 references)
pkts bytes target prot opt in out source destination

Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
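A quick check for the condition described above, added here as an example and not part of the report or of CloudStack's own scripts: it reads an `iptables -L -n -v` listing and reports whether the FW_OUTBOUND chain jumps into the egress rules chain. The listing in the report names that chain FIREWALL_EGRESS_RULES while the description calls it FW_EGRESS_RULES, so the check accepts either name; the two sample listings are constructed to reproduce the broken state and the expected state.

```shell
#!/bin/sh
# Added example (not CloudStack's own code): detect the CLOUDSTACK-8925
# misconfiguration in an `iptables -L -n -v` listing.  With egress set to
# "default allow", FW_OUTBOUND must jump into the egress rules chain (the one
# holding the "accept NEW" rule for guest traffic).  If FW_OUTBOUND carries
# only the RELATED,ESTABLISHED rule, new outbound connections fall through
# to the DROP policy of FORWARD.  The chain names are those in the report.

# egress_status LISTING -> prints "ok" when FW_OUTBOUND references
# FW_EGRESS_RULES or FIREWALL_EGRESS_RULES, "missing" otherwise.
egress_status() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { chain = $2; next }          # remember the chain being listed
        chain == "FW_OUTBOUND" && $3 ~ /^(FW|FIREWALL)_EGRESS_RULES$/ { found = 1 }
        END        { print (found ? "ok" : "missing") }
    '
}

# Constructed listing reproducing the broken state from the report.
BROKEN_LISTING='Chain FIREWALL_EGRESS_RULES (0 references)
pkts bytes target prot opt in out source destination
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED'

# Constructed listing of the expected state: the jump into the egress chain
# is present, and that chain accepts NEW packets.
FIXED_LISTING='Chain FW_EGRESS_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FW_OUTBOUND (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 FW_EGRESS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0'

# On a live virtual router, feed the real listing instead of the samples:
#   egress_status "$(iptables -L -n -v)"
echo "broken listing: $(egress_status "$BROKEN_LISTING")"
echo "fixed listing:  $(egress_status "$FIXED_LISTING")"
```

Running this against the real router output gives a one-word answer that can be wired into a post-deployment check for networks created with egress default allow.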
--
This message was sent by Atlassian JIRA (v6.3.4#6332)