Hi Sai,

I was the author of the PR. Let me explain.

In the old behavior, it
- first applies some iptables rules by update_config.py
- then restores the iptables rules from the rules.v4 file.
The rules from the first step are gone after step 2, which causes the issue.

In the PR, it first restores the iptables rules from the file and then
applies some new rules (including the default rules for system VMs and
virtual routers).

Hope it helps you.

-Wei
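The ordering problem Wei describes, as an added illustration that is not code from the PR or from CloudStack: a small model of iptables-restore semantics (without --noflush it replaces the contents of each table named in the file), with a constructed rules.v4 text and a constructed placeholder default rule, showing that rules appended before the restore are lost while rules appended after it survive.

```python
"""Model of why the order of update_config.py and the rules.v4 restore matters.

Constructed example: iptables-restore, unless given --noflush, replaces the
whole content of every table listed in the file, so anything appended to
those tables beforehand is discarded.
"""


def parse_rules_v4(text):
    """Parse iptables-save format into {table: [rules]}; chain policies ignored."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # table header, e.g. *filter
            current = line[1:]
            tables[current] = []
        elif line.startswith(":") or line == "COMMIT":
            continue                                # chain declarations / terminator
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


class IptablesModel:
    """Live rule set keyed by table, e.g. {'filter': ['-A INPUT ...']}."""

    def __init__(self):
        self.tables = {}

    def append(self, table, rule):
        self.tables.setdefault(table, []).append(rule)

    def restore(self, rules_v4_text, noflush=False):
        for table, rules in parse_rules_v4(rules_v4_text).items():
            if noflush:
                self.tables.setdefault(table, []).extend(rules)
            else:
                self.tables[table] = list(rules)    # default: table content replaced


SAVED_RULES_V4 = "# constructed rules.v4\n*filter\n:INPUT ACCEPT [0:0]\n" \
                 "-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n"
DEFAULT_RULES = ["-A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT"]  # placeholder


def old_order():
    """Append defaults first, then restore: the defaults are flushed away."""
    ipt = IptablesModel()
    for rule in DEFAULT_RULES:
        ipt.append("filter", rule)
    ipt.restore(SAVED_RULES_V4)
    return ipt.tables["filter"]


def new_order():
    """Restore first, then append defaults: both sets of rules are present."""
    ipt = IptablesModel()
    ipt.restore(SAVED_RULES_V4)
    for rule in DEFAULT_RULES:
        ipt.append("filter", rule)
    return ipt.tables["filter"]
```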

On Tuesday, August 27, 2024, sai <[email protected]> wrote:

> Hi All,
>
> I have hit a similar issue as https://github.com/apache/cloudstack/issues/8729
> and trying to understand the code fixed in the PR
> https://github.com/apache/cloudstack/pull/8787, unfortunately I couldn't
> understand. Can anyone please try to explain the fix?
>
> Summary: When having a VPC without associated vms, there are no firewall
> rules defined (iptables). And that's a problem because it leaves the
> vrouter vulnerable to receiving a packet on port 35999, and if that
> happens, HAProxy will start logging in a loop until it fills the vrouter's
> disk.
>
> Thanks,
> sai
>
