Posted to issues@cloudstack.apache.org by "José Edson Moreno Junior (JIRA)" <ji...@apache.org> on 2017/09/28 22:07:00 UTC

[jira] [Created] (CLOUDSTACK-10098) Egress rules doesn't work with rule allow all

José Edson Moreno Junior created CLOUDSTACK-10098:
-----------------------------------------------------

             Summary: Egress rules doesn't work with rule allow all
                 Key: CLOUDSTACK-10098
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10098
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: SystemVM
    Affects Versions: 4.10.0.0
            Reporter: José Edson Moreno Junior


Hi People,

I found a problem with the egress rule in the systemvm: when I set it to allow access to anything in CloudStack ("Egress Rules"), an empty ipset, without members, is created in the vrouter (systemvm), iptables makes a reference to it, and because of this the rule does not work:

In the ipset:

Name: destCidrIpset-21
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16760
References: 1
Members:

In the iptables:

-A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
-A FW_EGRESS_RULES -j DROP
-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES

My solution for this was to change the file configure.py, in /opt/cloud/bin/ in the systemvm, with this code:

*** configure.py_old	2017-09-28 21:19:37.000000000 +0000
--- configure.py	2017-09-28 21:21:35.000000000 +0000
***************
*** 166,177 ****
--- 166,181 ----
                  CsHelper.execute(srcIpset)
                  CsHelper.execute(dstIpset)
                  for cidr in self.rule['cidr']:
+                     if ( cidr == '0.0.0.0/0' ):
+                         continue
                      ipsetAddCmd = 'ipset add '+ sourceIpsetName + ' '+cidr
                      CsHelper.execute(ipsetAddCmd)
                      sflag = True
  
                  logging.debug("egress   rule  ####==> %s", self.rule)
                  for cidr in self.rule['dcidr']:
+                     if ( cidr == '0.0.0.0/0' ):
+                         continue
                      ipsetAddCmd = 'ipset add '+ destIpsetName + ' '+cidr
                      CsHelper.execute(ipsetAddCmd)
                      dflag = True
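Review bot: Skipping '0.0.0.0/0' in both loops leaves sflag/dflag False and the ipset with no members when that is the only CIDR, so whether this fixes the report depends on the code after this hunk: the egress rule must be emitted without `--match-set` when the flag is False, otherwise it still references an empty set and the chain falls through to DROP exactly as described above. The literal string comparison also only catches that one spelling of the any-address network (not '0/0' or a non-canonical form); normalising the CIDR before the check (e.g. via `ipaddress.ip_network`) would be more robust, the parentheses around the condition are redundant in Python, and a comment saying why the any-address CIDR is excluded from the set would help the next reader.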


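A check for the failure mode the report describes (an ipset that iptables matches on but that has no members, so the ACCEPT never fires and the chain falls through to DROP). This is an added example, not code from the JIRA report or from CloudStack's configure.py; the `ipset list` and `iptables-save` text below is constructed from the outputs quoted in the report, with a second, populated set added for contrast.

```python
import re

# Constructed `ipset list` output modelled on the report (second, populated set added).
IPSET_LIST = """\
Name: destCidrIpset-21
Type: hash:net
References: 1
Members:

Name: srcCidrIpset-21
Type: hash:net
References: 1
Members:
10.1.1.0/24
"""

# Constructed `iptables-save` fragment modelled on the report.
IPTABLES_SAVE = """\
-A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
-A FW_EGRESS_RULES -m set --match-set srcCidrIpset-21 src -j ACCEPT
-A FW_EGRESS_RULES -j DROP
-A FW_OUTBOUND -j FW_EGRESS_RULES
"""

def parse_ipset_list(text):
    """Map each set name in `ipset list` output to its list of member entries."""
    sets = {}
    for block in re.split(r"\n\s*\n", text.strip()):   # one block per set
        name, members, in_members = None, [], False
        for line in block.splitlines():
            if line.startswith("Name:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Members:"):
                in_members = True          # every following line is a member
            elif in_members and line.strip():
                members.append(line.strip())
        if name is not None:
            sets[name] = members
    return sets

def empty_referenced_sets(ipset_text, iptables_text):
    """Names used via --match-set that have no members (or no such set at all)."""
    sets = parse_ipset_list(ipset_text)
    referenced = set(re.findall(r"--match-set\s+(\S+)", iptables_text))
    return sorted(name for name in referenced if not sets.get(name))

if __name__ == "__main__":
    print(empty_referenced_sets(IPSET_LIST, IPTABLES_SAVE))
```

On a real virtual router, feed the function the live output of `ipset list` and `iptables-save`; any name it returns is a rule that can never match.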
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)