Rajani Karuturi created CLOUDSTACK-9027:
-------------------------------------------

             Summary: In the default egress allow network with existing egress rules to block traffic, restarting the network breaks the egress rules
                 Key: CLOUDSTACK-9027
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9027
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
    Affects Versions: 4.6.0
            Reporter: Rajani Karuturi
            Priority: Critical

This is found while testing PR #1023
https://github.com/apache/cloudstack/pull/1023#issuecomment-153605360

In the default egress allow network, it has an existing egress rule (created earlier from the egress tab on the network page) to block port 22, and restarting it created a new router without the egress chain on the VR. When I deleted the rule (from the egress tab on the network page) and restarted the network, it created a new router with the egress chain properly configured in the iptables.

To clear the confusion, I was able to reproduce it with the following steps:

1. create a new network with default egress allow (network name: egress2_allow)
2. launch a vm in the network.
3. check that VR came up and is running
4. ssh to VR and check the iptables.
5. verified that the iptables FW_EGRESS_RULES chain is present and configured properly.
6. test outgoing traffic from the user vm created in this network. (ssh and ping were working fine)
7. create an egress rule to block port 22 (from the egress rules tab on the networks page in the UI)
8. verified that the iptables drop rule is added in the FW_EGRESS_RULES chain on the VR
9. verified that ssh from the user vm doesn't work
10. restart the network and wait till a new VR is created and running
11. observe that the FW_EGRESS_RULES chain is missing in the iptables on the new VR
12. also, ping google.com and ssh don't work from the user vm

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
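The reproduction steps above end with a manual inspection of the iptables on the new VR (steps 8, 11). The script below is an added example, not CloudStack code and not part of the report: a post-restart sanity check that parses `iptables -S` style output and fails when the FW_EGRESS_RULES chain is undefined, is never jumped to, or lacks the expected port-22 DROP rule. The chain name and the port-22 DROP rule come from the report; the two rule dumps are constructed to mimic a healthy VR and the broken one from step 11, and are not captured from a real router.

```shell
#!/bin/sh
# Post-restart egress chain check for a CloudStack VR (added example, not
# CloudStack code). Chain FW_EGRESS_RULES and the port-22 DROP rule are from
# the report; the dumps below are constructed to look like `iptables -S`.

# Constructed: router where the egress chain exists and holds the DROP rule.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FW_EGRESS_RULES
-A FORWARD -i eth0 -o eth2 -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -p tcp -m tcp --dport 22 -j DROP
-A FW_EGRESS_RULES -j ACCEPT'

# Constructed: the failure mode from step 11, chain absent after the restart.
BAD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT'

# chain_defined RULES CHAIN -> "present" if the dump declares `-N CHAIN`
chain_defined() {
    if printf '%s\n' "$1" | grep -q -e "^-N $2\$"; then echo present; else echo missing; fi
}

# chain_referenced RULES CHAIN -> "present" if some rule jumps to CHAIN
# (a chain that exists but is never referenced is never evaluated)
chain_referenced() {
    if printf '%s\n' "$1" | grep -q -e "^-A .* -j $2\$"; then echo present; else echo missing; fi
}

# rule_in_chain RULES CHAIN PORT TARGET -> "present" if CHAIN contains a rule
# matching --dport PORT with target TARGET (e.g. DROP)
rule_in_chain() {
    if printf '%s\n' "$1" | grep -q -e "^-A $2 .*--dport $3 .*-j $4\$"; then
        echo present
    else
        echo missing
    fi
}

# verify_egress RULES CHAIN PORT TARGET
# Returns 0 when the chain is defined, is jumped to, and contains the expected
# rule; returns 1 and prints each missing piece otherwise.
verify_egress() {
    rules=$1 chain=$2 port=$3 target=$4 rc=0
    [ "$(chain_defined "$rules" "$chain")" = present ] \
        || { echo "FAIL: chain $chain is not defined"; rc=1; }
    [ "$(chain_referenced "$rules" "$chain")" = present ] \
        || { echo "FAIL: nothing jumps to $chain, so it is never evaluated"; rc=1; }
    [ "$(rule_in_chain "$rules" "$chain" "$port" "$target")" = present ] \
        || { echo "FAIL: no --dport $port -j $target rule in $chain"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: egress chain $chain intact"
    return "$rc"
}

# On a live router the check would be:
#   verify_egress "$(iptables -S)" FW_EGRESS_RULES 22 DROP
# Here both constructed dumps are checked so the script runs stand-alone.
verify_egress "$GOOD_RULES" FW_EGRESS_RULES 22 DROP
verify_egress "$BAD_RULES" FW_EGRESS_RULES 22 DROP || echo "(expected: dump from the restarted VR fails)"
```

The three checks are deliberately separate: a chain that is absent (this bug), a chain that exists but is not jumped to from FORWARD, and a chain that is wired in but has lost its rule are all configurations where egress blocking silently stops working, and telling them apart narrows down where the VR provisioning went wrong. Wrapping this into the restart step of a test (as in step 10 above) turns the manual ssh-and-look inspection into a pass/fail signal.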