Rajani Karuturi created CLOUDSTACK-9027:
-------------------------------------------
Summary: In the default egress allow network with existing egress
rules to block traffic, restarting the network breaks the egress rules
Key: CLOUDSTACK-9027
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9027
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.6.0
Reporter: Rajani Karuturi
Priority: Critical
This is found while testing PR #1023
https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360
In the default egress allow network, it has an existing egress rule(created
earlier from egress tab on network page) to block port 22 and restarting it
created a new router without egress chain on the VR.
when I deleted the rule(from the egress tab on network page) and restarted
network, it created new router with egress chain properly configured in the
iptables.
to clear the confusion, I was able to reproduce it with the following steps
1. create a new network with default egress allow (network name: egress2_allow)
2. launch a vm in the network.
3. check that VR came up and running
4. ssh to VR and check the iptables.
5. verified that iptables FW_EGRESS_RULES chain is present and configured
properly.
6. test outgoing traffic from user vm created in this network. (ssh and ping
were working fine)
7. create a egress rule to block port 22 (from the egress rules tab on networks
page in UI)
8. verified that iptables drop rule is added in FW_EGRESS_RULES chain on VR
9. verified that ssh from user vm doesnt work
10. restart network and wait till a new VR is created and running
11. observe that FW_EGRESS_RULES chain is missing in the iptables on the new VR
12. also, ping google.com and ssh doesnt work from user vm
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
