[jira] [Commented] (CLOUDSTACK-8925) Default allow for Egress rules is not being configured properly in VR iptables rules

Tue, 03 Nov 2015 22:36:01 -0800 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14989000#comment-14989000
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8925:
--------------------------------------------

Github user wilderrodrigues commented on the pull request:

    https://github.com/apache/cloudstack/pull/1023#issuecomment-153596954
  
    Hi @karuturi,
    
    Sorry, perhaps too earlier here, but I don't follow completely. :)
    
    How did you setup your environment in order to test the case you explained 
above? You mentioned that the rules were not there, and you had to set them up 
manually. However, in the next comment, you said that is might have been caused 
by restarting the network.
    
    Did you run the tests in an isolated environment with a new built 
systemvm.iso?
    
    I just want to understand how you got that scenario - no rules. Based on 
the new code and test, the only issue we got was the UDP/53 on the RVR.
    
    If it was all caused by the network restart, then it's clear. And by the 
way, that is another issue and I will have a look at.
    
    Thanks again for the tests.
    
    Cheers,
    Wilder


> Default allow for Egress rules is not being configured properly in VR 
> iptables rules
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8925
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8925
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Virtual Router
>    Affects Versions: 4.6.0
>            Reporter: Pavan Kumar Bandarupally
>            Assignee: Wilder Rodrigues
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> When we create a network with Egress rules set to default allow, the rules 
> created in FW_OUTBOUND table should have a reference to FW_EGRESS_RULES chain 
> which has a rule to accept NEW packets from the guest instances. Without that 
> rule only RELATED , ESTABLISHED rule in FW_OUTBOUND chain will result in Drop 
> of packets.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>    44  2832 NETWORK_STATS  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0 
>            state NEW
>     4   336 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED
>    40  2496 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            
> 0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 20 packets, 1888 bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>  2498  369K NETWORK_STATS  all  --  *      *       0.0.0.0/0            
> 0.0.0.0/0
> Chain FIREWALL_EGRESS_RULES (0 references)
>  pkts bytes target     prot opt in     out     source               
> destination
> Chain FW_OUTBOUND (1 references)
>  pkts bytes target     prot opt in     out     source               
> destination
>     3   252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
>            state RELATED,ESTABLISHED



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to