Jayapal Reddy created CLOUDSTACK-9702:
-----------------------------------------
Summary: VR iptables configuration issues
Key: CLOUDSTACK-9702
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9702
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: Jayapal Reddy
1. If there is an exception in configure.py while adding the iptables rule, the
error is not reported back to the API; the API response shows success.
- If the delete fails (because the iptables rule is incorrectly framed),
the rule stays in the VR until the VR reboots.
a. In CsNetfilter.py, the __convert_to_dict() method is inefficient. With this
method it is not possible to include an option that appears multiple times.
b. Second, it relies on key/value pairs of iptables options and values.
This will not work for iptables.
Example rule for a and b:
iptables -A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset src -m
set --match-set destCidrIpset dst -m tcp --dport 22 -j DROP
In the above example the -m option is present multiple times.
If we split the rule into key/value pairs for the dictionary, destCidrIpset
ends up as a key, although it is a value (not an iptables option).
With the existing CsNetfilter code the exact rule cannot be framed for
deletion.
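The rule above, parsed two ways, as an added example that is not CloudStack's CsNetfilter.py code: naive_to_dict reproduces the adjacent key/value pairing the issue describes, parse_rule keeps repeated options in order, build_delete_argv rewrites -A/-I to -D so the exact rule can be removed, and rule_present checks iptables -S style output to confirm a rule really is gone (or still there). The function names and the saved-rules sample are hypothetical; the rule string itself is the one quoted in the issue.

```python
import shlex

# Constructed sample: the rule quoted in the issue, with -m appearing three times.
SAMPLE_RULE = (
    "iptables -A FW_EGRESS_RULES -p tcp "
    "-m set --match-set sourceCidrIpset src "
    "-m set --match-set destCidrIpset dst "
    "-m tcp --dport 22 -j DROP"
)

# Constructed 'iptables -S FW_EGRESS_RULES' style output containing that rule.
SAMPLE_SAVED = [
    "-P FW_EGRESS_RULES DROP",
    "-A FW_EGRESS_RULES -p tcp -m set --match-set sourceCidrIpset src "
    "-m set --match-set destCidrIpset dst -m tcp --dport 22 -j DROP",
]


def naive_to_dict(rule):
    """Pair adjacent tokens as key/value (the approach the issue criticises).
    Repeated options collapse to their last value and, once the pairing is
    mis-aligned, argument values such as 'destCidrIpset' become keys."""
    tokens = shlex.split(rule)[1:]          # drop the 'iptables' command word
    return dict(zip(tokens[0::2], tokens[1::2]))


def _is_option(tok):
    # An option starts with '-'; a bare negative number is an argument value.
    return tok.startswith("-") and not tok.lstrip("-").isdigit()


def parse_rule(rule):
    """Tokenise an iptables rule into an ordered list of (option, [args]).
    Repeated options (several -m matches) are kept in order, and a standalone
    '!' negation is kept as its own entry so it is re-emitted in front of the
    option it negates."""
    tokens = shlex.split(rule)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    parsed = []
    current = None
    for tok in tokens:
        if tok == "!" or _is_option(tok):
            current = (tok, [])
            parsed.append(current)
        elif current is None:
            raise ValueError("argument %r appears before any option" % tok)
        else:
            current[1].append(tok)
    return parsed


_CHAIN_OPTS = ("-A", "--append", "-I", "--insert", "-D", "--delete")


def build_delete_argv(parsed):
    """Rebuild the rule as an argv list with -A/-I rewritten to -D. An insert
    position after -I is dropped: with a full rule specification, -D takes only
    the chain. Returning a list lets the caller run it via subprocess without a
    shell, so no re-quoting of the tokens is needed."""
    argv = ["iptables"]
    for opt, args in parsed:
        if opt in _CHAIN_OPTS:
            if not args:
                raise ValueError("%s requires a chain name" % opt)
            argv += ["-D", args[0]]
        else:
            argv.append(opt)
            argv.extend(args)
    return argv


def _normalise(parsed):
    # Treat append/insert/delete alike and keep only the chain name.
    return [("-A", args[:1]) if opt in _CHAIN_OPTS else (opt, list(args))
            for opt, args in parsed]


def rule_present(saved_lines, rule):
    """Report whether `rule` appears in 'iptables -S' style output, comparing
    parsed forms rather than raw strings so spacing and -A/-I differences do
    not cause a false negative."""
    wanted = _normalise(parse_rule(rule))
    return any(_normalise(parse_rule(line)) == wanted for line in saved_lines)


if __name__ == "__main__":
    print("naive dict keys:", sorted(naive_to_dict(SAMPLE_RULE)))
    parsed = parse_rule(SAMPLE_RULE)
    print("-m occurrences kept:", [opt for opt, _ in parsed].count("-m"))
    print("delete argv:", build_delete_argv(parsed))
    print("present before delete:", rule_present(SAMPLE_SAVED, SAMPLE_RULE))
```

A caller that applies the delete argv should re-read the saved rules afterwards and use rule_present to verify the rule is gone, and report failure to the API rather than assuming success, which is the reporting gap described in point 1.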
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)