[Questions]: Basic Zone Securiy Group problem?

Jijun Thu, 29 Aug 2013 19:13:07 -0700

i clone branch 4.2 code, package and do a  fresh installation.


hypervisor : xenserver 6.2 change  openvswitch to bridge.

add basic zone ,security group enabeld.

create a new vm , default security group

the previous version document said the ingress will be blocked bydefault. but in my test, the network in and out are all allowed.

so strange.

is it a bug ?

iptable rule in hypervisor :

[root@xenserver-dlghbuxq ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

BRIDGE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match--physdev-is-bridgedACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out eth1 --physdev-is-bridgedACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out eth0 --physdev-is-bridged

DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain BRIDGE-DEFAULT-FIREWALL (1 references)
target     prot opt source               destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 stateRELATED,ESTABLISHEDACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-is-bridged udp spt:68 dpt:67ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-is-bridged udp spt:67 dpt:68


Chain BRIDGE-FIREWALL (1 references)
target     prot opt source               destination
BRIDGE-DEFAULT-FIREWALL  all  --  0.0.0.0/0 0.0.0.0/0

i-2-7-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif21.0 --physdev-is-bridgedi-3-8-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif20.0 --physdev-is-bridgedr-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif19.0 --physdev-is-bridgedr-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif19.1 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.2 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.0 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.1 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.3 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.2 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.0 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.1 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif17.1 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif17.0 --physdev-is-bridgedv-2-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif17.2 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif18.3 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif18.1 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif18.0 --physdev-is-bridgeds-6-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif18.2 --physdev-is-bridgedr-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif19.1 --physdev-is-bridgedr-4-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif19.0 --physdev-is-bridgedi-3-8-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif20.0 --physdev-is-bridgedi-2-7-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif21.0 --physdev-is-bridged


Chain L (0 references)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

Chain i-2-7-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-7-def (2 references)
target     prot opt source               destination

RETURN udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM src udp dpt:53DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif21.0 --physdev-is-bridged !set i-2-7-VM srcDROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif21.0 --physdev-is-bridged !set i-2-7-VM dsti-2-7-VM-eg all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match--physdev-in vif21.0 --physdev-is-bridged set i-2-7-VM srci-2-7-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif21.0 --physdev-is-bridged


Chain i-3-8-VM (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-VM-eg (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain i-3-8-def (2 references)
target     prot opt source               destination

RETURN udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM src udp dpt:53DROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif20.0 --physdev-is-bridged !set i-3-8-VM srcDROP all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif20.0 --physdev-is-bridged !set i-3-8-VM dsti-3-8-VM-eg all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match--physdev-in vif20.0 --physdev-is-bridged set i-3-8-VM srci-3-8-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-out vif20.0 --physdev-is-bridged


Chain r-4-VM (4 references)
target     prot opt source               destination

RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif19.0 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif19.1 --physdev-is-bridged

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain s-6-VM (8 references)
target     prot opt source               destination

RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.2 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.0 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.1 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif18.3 --physdev-is-bridged

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
target     prot opt source               destination

RETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.2 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.0 --physdev-is-bridgedRETURN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEVmatch --physdev-in vif17.1 --physdev-is-bridged

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


*[root@xenserver-dlghbuxq ~]# ebtables -L*
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: ACCEPT
-j DEFAULT_EBTABLES
-i vif21.0 -j i-2-7-VM
-i vif20.0 -j i-3-8-VM
-o vif20.0 -j i-3-8-VM
-o vif21.0 -j i-2-7-VM

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: DEFAULT_EBTABLES, entries: 12, policy: ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 68 -j ACCEPT
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p IPv4 -d Broadcast -j DROP
-p IPv4 -d Multicast -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 -j RETURN
-p IPv6 -j DROP
-p 802_1Q -j DROP
-j DROP

Bridge chain: i-3-8-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif20.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif20.0 --ip-proto udp --ip-dport 67 -j DROP

Bridge chain: i-2-7-VM, entries: 2, policy: ACCEPT
-p IPv4 -i vif21.0 --ip-proto udp --ip-dport 68 -j DROP
-p IPv4 -o vif21.0 --ip-proto udp --ip-dport 67 -j DROP


*[root@xenserver-dlghbuxq ~]# ipset -L*
Name: i-3-8-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.66

Name: i-2-7-VM
Type: iphash
References: 4
Header: hashsize: 1024 probes: 8 resize: 50
Members:
192.168.253.68







--
Thanks,
Jijun

[Questions]: Basic Zone Securiy Group problem?

Reply via email to