[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986767#comment-14986767 ]
ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

GitHub user wilderrodrigues opened a pull request:

https://github.com/apache/cloudstack/pull/1023

CLOUDSTACK-8925 - Default allow for Egress rules is not being configured properly in VR iptables rules

This PR fixes the router default policy for egress. When the default is DENY, the router still allows outgoing connections.

The test component/test_routers_network_ops.py was improved to cover that case as well. The results were:

Test redundant router internals ... === TestName: test_01_isolate_network_FW_PF_default_routes_egress_true | Status : SUCCESS === ok
Test redundant router internals ... === TestName: test_02_isolate_network_FW_PF_default_routes_egress_false | Status : SUCCESS === ok
Test redundant router internals ... === TestName: test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | Status : SUCCESS === ok
Test redundant router internals ... === TestName: test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | Status : SUCCESS === ok

----------------------------------------------------------------------
Ran 4 tests in 3636.656s

OK
/tmp//MarvinLogs/test_routers_network_ops_QDL429/results.txt (END)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ekholabs/cloudstack fix/egress_state-CLOUDSTACK-8925

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1023.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1023

----
commit caa0b4071c024b6672519ab811be733344a05086
Author: Wilder Rodrigues <wrodrig...@schubergphilis.com>
Date:   2015-11-02T11:00:22Z

    CLOUDSTACK-8925 - Drop the traffic when default egress is set to false

    - The DROP rule should be appended and the other rules inserted.
commit 9861e997ee81a6aa69e911d0087ad9c60b48f2e3
Author: Wilder Rodrigues <wrodrig...@schubergphilis.com>
Date:   2015-11-02T16:15:46Z

    CLOUDSTACK-8925 - Add tests to cover default egress DENY as well

    - Tests cover Redundant and Non-Redundant isolated networks.

----

> Default allow for Egress rules is not being configured properly in VR
> iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules
> created in the FW_OUTBOUND table should have a reference to the FW_EGRESS_RULES
> chain, which has a rule to accept NEW packets from the guest instances. Without
> that rule, the RELATED,ESTABLISHED rule alone in the FW_OUTBOUND chain will
> result in packets being dropped.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target         prot opt in   out  source      destination
>    44  2832 NETWORK_STATS  all  --  *    *    0.0.0.0/0   0.0.0.0/0
>     0     0 ACCEPT         all  --  eth0 eth1 0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
>     0     0 ACCEPT         all  --  eth0 eth0 0.0.0.0/0   0.0.0.0/0   state NEW
>     4   336 ACCEPT         all  --  eth2 eth0 0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
>     0     0 ACCEPT         all  --  eth0 eth0 0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND    all  --  eth0 eth2 0.0.0.0/0   0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target         prot opt in   out  source      destination
>  2498  369K NETWORK_STATS  all  --  *    *    0.0.0.0/0   0.0.0.0/0
>
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target         prot opt in   out  source      destination
>
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target         prot opt in   out  source      destination
>     3   252 ACCEPT         all  --  *    *    0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
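As an added illustration (not code from the ticket, the PR, or CloudStack), a first-match model of the chain layout quoted above: FORWARD with policy DROP jumps to FW_OUTBOUND, which should in turn reference the egress chain (shown in the listing as FIREWALL_EGRESS_RULES with 0 references). It shows why the missing reference drops guest NEW connections under default allow, and why for default deny the DROP must be appended after the inserted ACCEPT rules. The packet fields, interface roles (guest eth0, public eth2) and TEST-NET destination addresses are constructed assumptions.

```python
from dataclasses import dataclass
ANY = "0.0.0.0/0"

@dataclass
class Rule:
    target: str          # ACCEPT, DROP, or the user chain to jump to
    state: str = ""      # "" = any conntrack state, else e.g. "RELATED,ESTABLISHED"
    in_if: str = "*"
    out_if: str = "*"
    dst: str = ANY

def matches(r, p):
    return ((not r.state or p["state"] in r.state.split(","))
            and r.in_if in ("*", p["in"]) and r.out_if in ("*", p["out"])
            and r.dst in (ANY, p["dst"]))

def walk(chains, name, p):
    """First match wins; a user chain with no match returns None (implicit RETURN)."""
    policy, rules = chains[name]
    for r in (r for r in rules if matches(r, p)):
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        v = walk(chains, r.target, p)          # jump into a user chain
        if v is not None:
            return v
    return policy                              # built-in chain: fall back to policy

def build_chains(default_allow, egress_referenced=True,
                 allowed_dsts=(), accept_rules_inserted=True):
    """Constructed model of the VR chains; guest traffic is eth0 -> eth2."""
    egress = []
    if default_allow:
        egress.append(Rule("ACCEPT", state="NEW"))   # accept NEW from guests
    else:
        egress.append(Rule("DROP"))                  # iptables -A: DROP goes last
        for d in allowed_dsts:
            if accept_rules_inserted:                # iptables -I: ahead of DROP
                egress.insert(0, Rule("ACCEPT", state="NEW", dst=d))
            else:                                    # -A after the DROP: shadowed
                egress.append(Rule("ACCEPT", state="NEW", dst=d))
    outbound = [Rule("ACCEPT", state="RELATED,ESTABLISHED")]
    if egress_referenced:                            # the jump missing in the bug
        outbound.append(Rule("FW_EGRESS_RULES"))
    forward = [Rule("ACCEPT", state="RELATED,ESTABLISHED", in_if="eth0", out_if="eth1"),
               Rule("FW_OUTBOUND", in_if="eth0", out_if="eth2")]
    return {"FORWARD": ("DROP", forward), "FW_OUTBOUND": (None, outbound),
            "FW_EGRESS_RULES": (None, egress)}

def verdict(chains, state, dst, in_if="eth0", out_if="eth2"):
    return walk(chains, "FORWARD", {"state": state, "dst": dst, "in": in_if, "out": out_if})
```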