[
https://issues.apache.org/jira/browse/CLOUDSTACK-9437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388327#comment-15388327
]
ASF GitHub Bot commented on CLOUDSTACK-9437:
--------------------------------------------
GitHub user rhtyd opened a pull request:
https://github.com/apache/cloudstack/pull/1614
CLOUDSTACK-9437: Fix egress chain and cleanup for allow all traffic
- Fixes use of rules.v4/rules instead of router_rules.v4 file, this makes
sure
that FW_EGRESS_RULE chain gets created on router systemvms
- Adds an explicit removal of allow all 0.0.0.0/0 (all protocol) egress rule
when adding the default egress rule (CLOUDSTACK-9437)
/cc @swill @jburwell @PaulAngus
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shapeblue/cloudstack vr-fix-egress
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1614.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1614
----
commit 7cde8edb833037cb247136f7c41a2d5242aa7864
Author: Rohit Yadav <[email protected]>
Date: 2016-07-21T19:54:32Z
CLOUDSTACK-9437: Fix egress chain and cleanup for allow all traffic
- Fixes use of rules.v4/rules instead of router_rules.v4 file, this makes
sure
that FW_EGRESS_RULE chain gets created on router systemvms
- Adds an explicit removal of allow all 0.0.0.0/0 (all protocol) egress rule
when adding the default egress rule (CLOUDSTACK-9437)
Signed-off-by: Rohit Yadav <[email protected]>
----
> Outbound traffic fails to work after VR is upgraded to post 4.6+ release
> ------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9437
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9437
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.8.1
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Blocker
>
> When CloudStack is upgraded to 4.6+ version, due to changes in script. The
> default iptables rules are saved at /etc/iptables/router_rules.{v4,v6}
> instead of the rules.{v4,v6} files. The cloud-early-config file uses the
> rules.v4 and rules file, which are copied from iptables-{router, etc.}
> templates.
> When CloudStack was upgrade from 4.3 to 4.6+ version, and VR template
> upgraded to a 4.6 template -- the rules.v4 file was copied from
> iptables-router template though the configure.py uses router_rules.v4 file
> which does not have the FW_EGRESS_RULES chain declared. Because of this the
> CsNetFilters fails to add the chain.
> Workaround that works -- after upgrading the router, restarting the network
> (without cleanup selected) fixes the issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
