Github user karuturi commented on the pull request:
https://github.com/apache/cloudstack/pull/1023#issuecomment-153274765
did the following to test it on an existing XenServer setup (It has two networks egress_allow with default egress allow and isolated2 with default egress DENY):
1. merge pr locally on the latest master. # git pr 1023
2. # mvn clean install -Pdeveloper,systemvm -DskipTests=true
3. clear tags on xenserver to get the latest systemvm.iso # xe host-param-clear param-name=tags uuid=53480c43-9c2c-481f-8bab-170535e21954
4. start jetty # mvn -pl client jetty:run -o
5. restart networks to recreate the routers. (two routers came up r-74-VM - isolated2, r-73-VM - egress_allow)
6. verified that egress-allow router has target ACCEPT
```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 418 packets, 58785 bytes)
 pkts bytes target     prot opt in     out     source               destination
  524 73372 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
7. verified that egress-deny router has target DROP
```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 260 packets, 45505 bytes)
 pkts bytes target     prot opt in     out     source               destination
  695  101K NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
8. launch a VM in egress-allow network and ping google.com succeeded
```
[root@egress-allow-vm ~]# ping google.com
PING google.com (216.58.192.78) 56(84) bytes of data.
64 bytes from mia07s34-in-f14.1e100.net (216.58.192.78): icmp_seq=1 ttl=44 time=291 ms
--- google.com ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1000ms
rtt min/avg/max/mdev = 291.554/291.554/291.554/0.000 ms
```
9. launch a VM in egress-deny network and ping google.com failed.
```
[root@egress-deny-vm ~]# ping google.com
PING google.com (216.58.192.78) 56(84) bytes of data.
--- google.com ping statistics ---
72 packets transmitted, 0 received, 100% packet loss, time 71013ms
```
working as expected
LGTM :+1:
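Steps 6 and 7 above check the FW_EGRESS_RULES chain by eye; the script below is an added example (not code from the PR or from CloudStack) that does the same check on `iptables -L -v -n` output so it can run after every router rebuild. The helper names `egress_default_target` and `check_egress_policy` are hypothetical, and the listing in `SAMPLE_DENY` is constructed from the egress-deny router output above.

```shell
#!/bin/sh
# Added example, not code from the PR: reproduce steps 6 and 7 as a check that
# the FW_EGRESS_RULES chain on a CloudStack virtual router ends in the target
# the network's default egress policy requires (ACCEPT for allow, DROP for deny).

# Constructed sample in `iptables -L -v -n` layout, abbreviated to the chains
# that matter, modelled on the egress-deny router listing above.
SAMPLE_DENY='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# egress_default_target LISTING (hypothetical helper name)
# Prints the target of the last rule in FW_EGRESS_RULES, i.e. the catch-all
# that implements the default policy, or NONE when the chain has no rules.
egress_default_target() {
    printf '%s\n' "$1" | awk '
        /^Chain FW_EGRESS_RULES/ { inchain = 1; next }
        /^Chain /                { inchain = 0 }
        inchain && $1 ~ /^[0-9]+[KMG]?$/ { last = $3 }
        END { print (last == "" ? "NONE" : last) }'
}

# check_egress_policy ALLOW|DENY LISTING (hypothetical helper name)
# Returns 0 when the chain matches the policy configured on the network
# offering, 1 otherwise, so it can gate an automated post-upgrade check.
check_egress_policy() {
    want=$1
    got=$(egress_default_target "$2")
    case "$want:$got" in
        ALLOW:ACCEPT|DENY:DROP)
            echo "egress default $want: OK (chain ends in $got)"; return 0 ;;
        *)
            echo "egress default $want: MISMATCH (chain ends in $got)"; return 1 ;;
    esac
}

# On a live router replace the sample with: check_egress_policy DENY "$(iptables -L -v -n)"
check_egress_policy DENY "$SAMPLE_DENY"
```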