[jira] [Comment Edited] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules

Rajani Karuturi (JIRA) Mon, 02 Nov 2015 04:29:21 -0800

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14985137#comment-14985137
 ]


Rajani Karuturi edited comment on CLOUDSTACK-8925 at 11/2/15 12:27 PM:
-----------------------------------------------------------------------

In the latest router, FW_OUTBOUND has reference to FW_EGRESS_RULES. But, I see 
a new bug. VR doesnt respect the EGRESS rules. It always allows whether the 
default is to allow or deny in service offerings.

Default EGRESS allow router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 99 packets, 15063 bytes)
 pkts bytes target     prot opt in     out     source               destination
  411 59694 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
{noformat}

Default Egress DENY router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3910 3473K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state NEW
 2471 3395K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
 1439 77572 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2477 packets, 192K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3311  315K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1417 76228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
   22  1344 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
{noformat}


was (Author: rajanik):
In the latest router, FW_OUTBOUND has reference to FW_EGRESS_RULES. But, I see 
a new bug. VR doesnt respect the EGRESS rules. Its always allow whether the 
default is to allow or deny in service offerings.

Default EGRESS allow router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 99 packets, 15063 bytes)
 pkts bytes target     prot opt in     out     source               destination
  411 59694 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
{noformat}

Default Egress DENY router iptables
{noformat}
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3910 3473K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state NEW
 2471 3395K ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
 1439 77572 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2477 packets, 192K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3311  315K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  1344 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1417 76228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         state RELATED,ESTABLISHED
   22  1344 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0
{noformat}

> Default allow for Egress rules is not being configured properly in VR 
> iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Critical
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules 
> created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain 
> which has a rule to accept NEW packets from the guest instances. Without that 
> rule only RELATED , ESTABLISHED rule in FW_OUTBOUND chain will result in Drop 
> of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0 
>            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            
> 0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               
> destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Comment Edited] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules

Reply via email to