Posted to issues@cloudstack.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2015/09/24 13:39:04 UTC
[jira] [Commented] (CLOUDSTACK-8905) [Blocker] Egress rules are not configured in VR
[ https://issues.apache.org/jira/browse/CLOUDSTACK-8905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14906228#comment-14906228 ]
ASF GitHub Bot commented on CLOUDSTACK-8905:
--------------------------------------------
GitHub user jayapalu opened a pull request:
https://github.com/apache/cloudstack/pull/881
CLOUDSTACK-8905: Fixed hooking egress rules
Added hooking the FIREWALL_EGRESS_RULES chain into the FW_OUTBOUND chain.
With this, egress rules will be effective.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/jayapalu/cloudstack CLOUDSTACK-8905
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/881.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #881
----
commit 2bf7fb4b63932d80f641462073c751f07ab0c3ea
Author: Jayapal <ja...@apache.org>
Date: 2015-09-24T11:36:11Z
CLOUDSTACK-8905: Fixed hooking egress rules
----
> [Blocker] Egress rules are not configured in VR
> -----------------------------------------------
>
> Key: CLOUDSTACK-8905
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Affects Versions: 4.6.0
> Reporter: Raja Pullela
> Priority: Blocker
> Fix For: 4.6.0
>
>
> 1. Deployed CS Advanced zone.
> 2. Created an isolated network.
> 3. Navigate to Egress rule:
> Observing a pop-up message:
> "Configure the rules to allow Traffic"
> Inside VR:
> root@r-9-VM:~# iptables-save
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [65:7867]
> :FW_OUTBOUND - [0:0]
> :NETWORK_STATS - [0:0]
> -A INPUT -j NETWORK_STATS
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A FORWARD -j NETWORK_STATS
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -A OUTPUT -j NETWORK_STATS
> -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A NETWORK_STATS -i eth0 -o eth2
> -A NETWORK_STATS -i eth2 -o eth0
> -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
> -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
> COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
> *nat
> :PREROUTING ACCEPT [21:1428]
> :INPUT ACCEPT [21:1428]
> :OUTPUT ACCEPT [2:152]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9
> COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
> # Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
> *mangle
> :PREROUTING ACCEPT [331:33456]
> :INPUT ACCEPT [352:35052]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [331:44643]
> :POSTROUTING ACCEPT [331:44643]
> :FIREWALL_10.147.47.9 - [0:0]
> :VPN_10.147.47.9 - [0:0]
> -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> -A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9
> -A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9
> -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
> -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 0x2/0xffffffff
> -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
> -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FIREWALL_10.147.47.9 -j DROP
> -A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A VPN_10.147.47.9 -j RETURN
> COMMIT
> # Completed on Wed Sep 23 10:46:46 2015
> root@r-9-VM:~#
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
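One way to check a VR's firewall dump for the missing hook described above, as an added example that is not part of the issue, the pull request, or the CloudStack code base: the chain names FW_OUTBOUND and FIREWALL_EGRESS_RULES come from the report, the sample dumps are constructed, and the layout of the "fixed" chain is an assumption.

```python
# Added example (not CloudStack code): parse iptables-save output and verify
# that the filter table's FW_OUTBOUND chain actually jumps to the
# FIREWALL_EGRESS_RULES chain. Without that jump, FW_OUTBOUND only accepts
# RELATED,ESTABLISHED traffic and the configured egress rules never apply.
import re


def parse_iptables_save(text):
    """Return {table: {chain: [rule lines]}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments such as '# Generated by'
        if line.startswith("*"):          # '*filter', '*nat', '*mangle'
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):        # ':CHAIN POLICY [pkts:bytes]'
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):      # '-A CHAIN <match> -j TARGET'
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables


def jump_targets(rules):
    """Targets reached via '-j' from a list of rule lines, in order."""
    return [m.group(1) for r in rules for m in [re.search(r"-j (\S+)", r)] if m]


def egress_hooked(text, hook="FW_OUTBOUND", egress="FIREWALL_EGRESS_RULES"):
    """True if the filter table's hook chain jumps to the egress chain."""
    filt = parse_iptables_save(text).get("filter", {})
    return egress in jump_targets(filt.get(hook, []))


# Constructed sample: the relevant part of the broken filter table from the report.
BROKEN = """\
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed sample of a hooked chain (assumed layout, not the project's actual rules).
FIXED = """\
*filter
:FORWARD DROP [0:0]
:FW_OUTBOUND - [0:0]
:FIREWALL_EGRESS_RULES - [0:0]
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FIREWALL_EGRESS_RULES
-A FIREWALL_EGRESS_RULES -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: egress chain hooked = {egress_hooked(dump)}")
```

Feed it the real `iptables-save` output from a router VM to confirm the chain is hooked after the fix is applied.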