Sanjeev N created CLOUDSTACK-8681:
-------------------------------------

Summary: [Egress_Rules] CS does not honor the default deny egress policy in isolated network
Key: CLOUDSTACK-8681
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8681
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.6.0
Environment: Latest build from master with commit ac9c2a224a78f413945e25fd7cf23364fbef00b5
Zone: Advanced
Reporter: Sanjeev N
Priority: Critical

[Egress_Rules] CS does not honor the default deny egress policy in isolated network

Steps to reproduce:
=================
1. Bring up CS in advanced zone with any of the supported hypervisors
2. Create an isolated network with network offering "DefaultIsolatedNetworkOfferingWithSourceNatService" so that the default egress policy would be "deny all"
3. Deploy one guest vm in that network

Expected Result:
=============
VR forward chain in filter table should have the default DROP policy.

Actual Result:
===========
Following is the FORWARD chain from the VR:

Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
 pkts bytes target          prot opt in   out  source     destination
46405   27M NETWORK_STATS   all  --  *    *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state NEW
27468   25M ACCEPT          all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    2   104 ACCEPT          tcp  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW

It should be in the following way:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source     destination
    0     0 NETWORK_STATS   all  --  *    *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state NEW
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND     all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target          prot opt in   out  source     destination
    0     0 DROP            all  --  *    *    0.0.0.0/0  0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target          prot opt in   out  source     destination
    0     0 ACCEPT          all  --  *    *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES all  --  *    *    0.0.0.0/0  0.0.0.0/0

Looks like now we are loading iptables from "/etc/iptables/router_rules.v4". But the base for this file should be "/etc/iptables/rules.v4" to persist the default behavior.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
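The check below is an added example, not CloudStack code and not part of the report above. It audits a saved `iptables -L -v -n` listing from a virtual router for the two properties the report expects: that the filter-table FORWARD chain carries a DROP default policy, and that the FW_EGRESS_RULES chain ends in an unconditional DROP. The two sample listings are copied from the report's actual and expected output; the chain names FORWARD and FW_EGRESS_RULES are the ones the report shows, while the function names and the verdict format are my own.

```shell
#!/bin/sh
# Added example (not CloudStack's code): audit a VR filter-table listing for the
# default-deny egress posture described in CLOUDSTACK-8681.
# Input to each function is the text of `iptables -L -v -n` on stdin.

# Print the default policy of a built-in chain ("ACCEPT" or "DROP");
# prints nothing for user-defined chains or a missing chain.
chain_policy() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; exit }
    '
}

# Print "yes" if the last rule of the named chain is an unconditional DROP
# (target DROP, proto all, any interface, 0.0.0.0/0 -> 0.0.0.0/0, no extra match),
# otherwise "no". A chain that is absent or empty also yields "no".
chain_ends_in_catchall_drop() {
    awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        inchain && $1 == "pkts" { next }          # skip the column header
        inchain && NF > 0 { last = $0; n = NF }   # remember the final rule line
        END {
            split(last, f, " ")
            ok = (n == 9 && f[3] == "DROP" && f[4] == "all" &&
                  f[6] == "*" && f[7] == "*" &&
                  f[8] == "0.0.0.0/0" && f[9] == "0.0.0.0/0")
            print (ok ? "yes" : "no")
        }
    '
}

# $1 = path to a saved listing. Prints a one-line verdict and returns 0 only
# when FORWARD has the DROP policy the report expects.
audit_vr_forward() {
    policy=$(chain_policy FORWARD < "$1")
    egress=$(chain_ends_in_catchall_drop FW_EGRESS_RULES < "$1")
    printf 'FORWARD policy=%s FW_EGRESS_RULES catch-all DROP=%s\n' \
        "${policy:-missing}" "$egress"
    [ "$policy" = "DROP" ]
}

# Sample listings, copied from the report (the "actual" and "expected" chains).
ACTUAL=$(mktemp)
EXPECTED=$(mktemp)
trap 'rm -f "$ACTUAL" "$EXPECTED"' EXIT
cat > "$ACTUAL" <<'EOF'
Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
 pkts bytes target          prot opt in   out  source     destination
46405   27M NETWORK_STATS   all  --  *    *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state NEW
27468   25M ACCEPT          all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    2   104 ACCEPT          tcp  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW
EOF
cat > "$EXPECTED" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source     destination
    0     0 NETWORK_STATS   all  --  *    *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth2 eth0 0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND     all  --  eth0 eth2 0.0.0.0/0  0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target          prot opt in   out  source     destination
    0     0 DROP            all  --  *    *    0.0.0.0/0  0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target          prot opt in   out  source     destination
    0     0 ACCEPT          all  --  *    *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES all  --  *    *    0.0.0.0/0  0.0.0.0/0
EOF

# Usage: the first call flags the report's broken router, the second passes.
audit_vr_forward "$ACTUAL"   || echo "$ACTUAL: VR does not honor default-deny egress"
audit_vr_forward "$EXPECTED" || echo "$EXPECTED: VR does not honor default-deny egress"
```

On a live router the same functions can be fed with `iptables -L -v -n | chain_policy FORWARD`; the audit deliberately reports both the built-in policy and the egress chain's terminal rule, because a DROP policy on FORWARD is what the report asks for, while a missing catch-all DROP in FW_EGRESS_RULES is the symptom that shows which ruleset file was actually loaded.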