[ https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14986823#comment-14986823 ]
ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user karuturi commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153274765

did the following to test it on an existing XenServer setup (It has two networks egress_allow with default egress allow and isolated2 with default egress DENY):

1. merge pr locally on the latest master.
   # git pr 1023
2. # mvn clean install -Pdeveloper,systemvm -DskipTests=true
3. clear tags on xenserver to get the latest systemvm.iso
   # xe host-param-clear param-name=tags uuid=53480c43-9c2c-481f-8bab-170535e21954
4. start jetty
   # mvn -pl client jetty:run -o
5. restart networks to recreate the routers. (two routers came up r-74-VM - isolated2, r-73-VM - egress_allow)
6. verified that egress-allow router has target accept

```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 418 packets, 58785 bytes)
 pkts bytes target     prot opt in     out     source               destination
  524 73372 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

7. verified that egress-deny router has target DROP

```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 260 packets, 45505 bytes)
 pkts bytes target     prot opt in     out     source               destination
  695  101K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

8. launch a VM in egress-allow network and ping google.com succeeded

```
[root@egress-allow-vm ~]# ping google.com
PING google.com (216.58.192.78) 56(84) bytes of data.
64 bytes from mia07s34-in-f14.1e100.net (216.58.192.78): icmp_seq=1 ttl=44 time=291 ms

--- google.com ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1000ms
rtt min/avg/max/mdev = 291.554/291.554/291.554/0.000 ms
```

9. launch a VM in egress-deny network and ping google.com failed.

```
[root@egress-deny-vm ~]# ping google.com
PING google.com (216.58.192.78) 56(84) bytes of data.

--- google.com ping statistics ---
72 packets transmitted, 0 received, 100% packet loss, time 71013ms
```

working as expected LGTM :+1:

> Default allow for Egress rules is not being configured properly in VR
> iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules
> created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain
> which has a rule to accept NEW packets from the guest instances. Without that
> rule only RELATED, ESTABLISHED rule in FW_OUTBOUND chain will result in Drop
> of packets.
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
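The verification step in the comment above (check that FW_OUTBOUND jumps to FW_EGRESS_RULES and that the egress chain carries the expected catch-all target) can be automated. The parser below is an added example, not CloudStack code or part of the PR; the sample dumps are constructed from the chains quoted on this page, trimmed to the two chains that matter.

```python
import re

def parse_chains(dump: str) -> dict:
    """Map chain name -> rules from `iptables -L -v -n` text (constructed parser, not CloudStack code)."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [match options...]
        chains[current].append({"target": cols[2], "src": cols[7], "dst": cols[8],
                                "extra": " ".join(cols[9:])})
    return chains

def egress_default(dump: str) -> str:
    """'allow', 'deny', or a 'broken: ...' reason naming the missing link in the FW_OUTBOUND path."""
    chains = parse_chains(dump)
    if "FW_OUTBOUND" not in chains:
        return "broken: no FW_OUTBOUND chain"
    if not any(r["target"] == "FW_EGRESS_RULES" for r in chains["FW_OUTBOUND"]):
        return "broken: FW_OUTBOUND never jumps to FW_EGRESS_RULES"
    for r in chains.get("FW_EGRESS_RULES", []):
        # the default is the first unconditional any-to-any terminating rule
        if r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0" and not r["extra"]:
            if r["target"] in ("ACCEPT", "DROP"):
                return "allow" if r["target"] == "ACCEPT" else "deny"
    return "broken: FW_EGRESS_RULES has no catch-all ACCEPT or DROP"

# Constructed samples, trimmed to the two relevant chains of the dumps quoted on this page.
HDR = " pkts bytes target     prot opt in     out     source               destination\n"
ANY = "all  --  *      *       0.0.0.0/0            0.0.0.0/0"
FIXED_ALLOW = ("Chain FW_EGRESS_RULES (1 references)\n" + HDR +
               "    0     0 ACCEPT     " + ANY + "\n"
               "Chain FW_OUTBOUND (1 references)\n" + HDR +
               "    0     0 ACCEPT     " + ANY + "            state RELATED,ESTABLISHED\n"
               "    0     0 FW_EGRESS_RULES  " + ANY + "\n")
FIXED_DENY = FIXED_ALLOW.replace("ACCEPT     " + ANY + "\n", "DROP       " + ANY + "\n", 1)
REPORTED = ("Chain FIREWALL_EGRESS_RULES (0 references)\n" + HDR +
            "Chain FW_OUTBOUND (1 references)\n" + HDR +
            "    3   252 ACCEPT     " + ANY + "            state RELATED,ESTABLISHED\n")

if __name__ == "__main__":
    for label, dump in (("fixed, allow", FIXED_ALLOW), ("fixed, deny", FIXED_DENY), ("reported", REPORTED)):
        print(f"{label}: {egress_default(dump)}")
```

On a live router the same function can be fed the output of `iptables -L -v -n` run inside the VR.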