José Edson Moreno Junior created CLOUDSTACK-10098: -----------------------------------------------------
Summary: Egress rules don't work with rule allow all
Key: CLOUDSTACK-10098
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10098
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: SystemVM
Affects Versions: 4.10.0.0
Reporter: José Edson Moreno Junior

Hi people,

I found a problem with the egress rule in the systemvm: when I set it to allow access to anything in CloudStack ("Egress Rules"), an empty ipset (a set without members) is created in the vrouter (systemvm), and iptables references this set, and because of this the rule does not work:

In the ipset:

Name: destCidrIpset-21
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16760
References: 1
Members:

In the iptables:

-A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
-A FW_EGRESS_RULES -j DROP
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULE
-A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
-A FW_EGRESS_RULES -j DROP
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES

My solution for this was to change the file configure.py in /opt/cloud/bin/ in the systemvm with this code:

*** configure.py_old 2017-09-28 21:19:37.000000000 +0000
--- configure.py 2017-09-28 21:21:35.000000000 +0000
***************
*** 166,177 ****
--- 166,181 ----
CsHelper.execute(srcIpset)
CsHelper.execute(dstIpset)
for cidr in self.rule['cidr']:
+ if ( cidr == '0.0.0.0/0' ):
+ continue
ipsetAddCmd = 'ipset add '+ sourceIpsetName + ' '+cidr
CsHelper.execute(ipsetAddCmd)
sflag = True
logging.debug("egress rule ####==> %s", self.rule)
for cidr in self.rule['dcidr']:
+ if ( cidr == '0.0.0.0/0' ):
+ continue
ipsetAddCmd = 'ipset add '+ destIpsetName + ' '+cidr
CsHelper.execute(ipsetAddCmd)
dflag = True
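Review bot: the `continue` in both loops also skips `sflag = True` and `dflag = True`, so for an allow-all CIDR the flags stay False, and the hunk does not show where those flags are consumed; please confirm that the code building the iptables rule omits the `-m set --match-set ... dst` clause when the flag is False, otherwise the ACCEPT rule would still reference the empty set and the following `-j DROP` would keep matching everything, which is exactly the state shown in the ipset and iptables listings above. Two smaller points: `if ( cidr == '0.0.0.0/0' ):` is not idiomatic Python and `if cidr == '0.0.0.0/0':` reads better, and since the skip is silent, a `logging.debug` line noting that the CIDR was treated as allow-all would help when an egress rule set has to be debugged later.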
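As an added check (not part of the report and not CloudStack's own code), the following script parses `ipset list` and `iptables-save` output and reports sets that egress rules match against but that have no members, which is the broken state the listings above show. The sample outputs are constructed, modelled on the report; the set name sourceCidrIpset-21 and its member are assumptions.

```python
import re

# Constructed `ipset list` output modelled on the report: destCidrIpset-21 is referenced but has no members.
IPSET_LIST = """\
Name: destCidrIpset-21
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16760
References: 1
Members:

Name: sourceCidrIpset-21
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 1
Members:
10.1.1.0/24
"""

# Constructed `iptables-save` lines for the egress chain (assumed second rule for the source set).
IPTABLES_RULES = """\
-A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
-A FW_EGRESS_RULES -m set --match-set sourceCidrIpset-21 src -j ACCEPT
-A FW_EGRESS_RULES -j DROP
"""

def parse_ipset_members(text):
    """Return {set name: [members]} parsed from `ipset list` output."""
    sets, name, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Name:'):
            name = line.split(':', 1)[1].strip()
            sets[name] = []
            in_members = False
        elif line == 'Members:':
            in_members = True
        elif not line:
            in_members = False      # a blank line ends the member list of a set
        elif in_members and name is not None:
            sets[name].append(line)
    return sets

def empty_sets_matched(ipset_text, rules_text):
    """Sets that rules match on but that are empty; such a match never fires, so the trailing DROP wins."""
    members = parse_ipset_members(ipset_text)
    referenced = re.findall(r'--match-set\s+(\S+)', rules_text)
    return sorted(s for s in set(referenced) if s in members and not members[s])
```

On a live vrouter the two strings would be replaced by the output of `ipset list` and `iptables-save`; any set name returned is an ACCEPT that cannot match.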
-- This message was sent by Atlassian JIRA (v6.4.14#64029)