Posted to issues@cloudstack.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2015/09/24 13:39:04 UTC

[jira] [Commented] (CLOUDSTACK-8905) [Blocker] Egress rules are not configured in VR

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14906228#comment-14906228 ] 

ASF GitHub Bot commented on CLOUDSTACK-8905:
--------------------------------------------

GitHub user jayapalu opened a pull request:

    https://github.com/apache/cloudstack/pull/881

    CLOUDSTACK-8905: Fixed hooking egress rules

    Added hooking the FIREWALL_EGRESS_RULES chain into the FW_OUTBOUND chain.
    With this, egress rules will be effective.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jayapalu/cloudstack CLOUDSTACK-8905

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/881.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #881
    
----
commit 2bf7fb4b63932d80f641462073c751f07ab0c3ea
Author: Jayapal <ja...@apache.org>
Date:   2015-09-24T11:36:11Z

    CLOUDSTACK-8905: Fixed hooking egress rules

----


> [Blocker] Egress rules are not configured in VR
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-8905
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.6.0
>            Reporter: Raja Pullela
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> 1. Deployed CS Advanced zone.
> 2. Created an isolated network.
> 3. Navigate to Egress rule:
> Observing a pop-up message:
> "Configure the rules to allow Traffic"
> Inside VR :
> root@r-9-VM:~# iptables-save
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *filter
>  :INPUT DROP [0:0]
>  :FORWARD DROP [0:0]
>  :OUTPUT ACCEPT [65:7867]
>  :FW_OUTBOUND - [0:0]
>  :NETWORK_STATS - [0:0]
>  -A INPUT -j NETWORK_STATS
>  -A INPUT -d 224.0.0.18/32 -j ACCEPT
>  -A INPUT -d 225.0.0.50/32 -j ACCEPT
>  -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A INPUT -p icmp -j ACCEPT
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
>  -A INPUT -d 224.0.0.18/32 -j ACCEPT
>  -A INPUT -d 225.0.0.50/32 -j ACCEPT
>  -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A INPUT -p icmp -j ACCEPT
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>  -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
>  -A FORWARD -j NETWORK_STATS
>  -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>  -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>  -A OUTPUT -j NETWORK_STATS
>  -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A NETWORK_STATS -i eth0 -o eth2
>  -A NETWORK_STATS -i eth2 -o eth0
>  -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
>  -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
>  COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *nat
>  :PREROUTING ACCEPT [21:1428]
>  :INPUT ACCEPT [21:1428]
>  :OUTPUT ACCEPT [2:152]
>  :POSTROUTING ACCEPT [0:0]
>  -A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9
>  COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *mangle
>  :PREROUTING ACCEPT [331:33456]
>  :INPUT ACCEPT [352:35052]
>  :FORWARD ACCEPT [0:0]
>  :OUTPUT ACCEPT [331:44643]
>  :POSTROUTING ACCEPT [331:44643]
>  :FIREWALL_10.147.47.9 - [0:0]
>  :VPN_10.147.47.9 - [0:0]
>  -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
>  -A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9
>  -A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9
>  -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
>  -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x2/0xffffffff
>  -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
>  -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
>  -A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FIREWALL_10.147.47.9 -j DROP
>  -A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A VPN_10.147.47.9 -j RETURN
>  COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
>  root@r-9-VM:~#
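Added example, not CloudStack code and not the PR's change: a checker that parses iptables-save text like the dump quoted above and verifies the wiring the PR description calls for, FORWARD -> FW_OUTBOUND -> FIREWALL_EGRESS_RULES. BROKEN_DUMP is a filter-table excerpt of the report's dump; FIXED_DUMP is a constructed variant with the egress chain hooked in; the chain names are the ones named in this issue.

```python
# Added example, not CloudStack code: check from iptables-save text that
# forwarded VR traffic actually reaches the egress rule chain.
import re
from collections import defaultdict

# Filter-table excerpt of the dump quoted in the bug report (egress chain absent).
BROKEN_DUMP = """\
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Constructed dump with the wiring the PR describes: FW_OUTBOUND jumps to the egress chain.
FIXED_DUMP = (BROKEN_DUMP
    .replace(":FW_OUTBOUND - [0:0]\n", ":FW_OUTBOUND - [0:0]\n:FIREWALL_EGRESS_RULES - [0:0]\n")
    .replace("COMMIT", "-A FW_OUTBOUND -j FIREWALL_EGRESS_RULES\n-A FIREWALL_EGRESS_RULES -j DROP\nCOMMIT"))

def parse_jumps(dump, table="filter"):
    """Map each chain in `table` to its -j targets, in rule order."""
    jumps, current = defaultdict(list), None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*filter": a table begins
            current = line[1:]
        elif line == "COMMIT":              # the table ends
            current = None
        elif current == table and line.startswith("-A "):
            m = re.match(r"-A (\S+).*?\s-j (\S+)", line)
            if m:
                jumps[m.group(1)].append(m.group(2))
    return jumps

def reachable(jumps, start):
    """Chains and targets reachable from `start` by following -j edges."""
    seen, stack = set(), [start]
    while stack:
        chain = stack.pop()
        if chain not in seen:
            seen.add(chain)
            stack.extend(jumps.get(chain, []))
    return seen

def egress_hooked(dump):
    """True only if FORWARD reaches FIREWALL_EGRESS_RULES through FW_OUTBOUND."""
    jumps = parse_jumps(dump)
    return ("FIREWALL_EGRESS_RULES" in jumps.get("FW_OUTBOUND", [])
            and "FIREWALL_EGRESS_RULES" in reachable(jumps, "FORWARD"))
```

Run `egress_hooked(open("/tmp/iptables-save.txt").read())` against a dump taken inside the VR to confirm the hook is present after the fix is deployed.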



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)