CloudStack / CLOUDSTACK-10098

Egress rules don't work with an allow-all rule


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.10.0.0
    • Fix Version/s: None
    • Component/s: SystemVM
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels: Patch, Important

    Description

      Hi People,

      I found a problem with the egress rule in the systemvm: when I set it to allow access to anything in CloudStack ("Egress Rules"), an empty ipset (without members) is created in the vrouter (systemvm), and iptables references this ipset, so the rule does not work:

      In the ipset:

      Name: destCidrIpset-21
      Type: hash:net
      Header: family inet hashsize 1024 maxelem 65536
      Size in memory: 16760
      References: 1
      Members:

      In the iptables:

      -A FW_EGRESS_RULES -m set --match-set destCidrIpset-21 dst -j ACCEPT
      -A FW_EGRESS_RULES -j DROP
      -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A FW_OUTBOUND -j FW_EGRESS_RULES

      My solution for this was to change the file configure.py in /opt/cloud/bin/ in the systemvm, with this code:

          • configure.py_old 2017-09-28 21:19:37.000000000 +0000
          • configure.py 2017-09-28 21:21:35.000000000 +0000
            ***************
          • 166,177 ****
          • 166,181 ----
            CsHelper.execute(srcIpset)
            CsHelper.execute(dstIpset)
            for cidr in self.rule['cidr']:
            + if ( cidr == '0.0.0.0/0' ):
            + continue
            ipsetAddCmd = 'ipset add '+ sourceIpsetName + ' '+cidr
            CsHelper.execute(ipsetAddCmd)
            sflag = True

      logging.debug("egress rule ####==> %s", self.rule)
      for cidr in self.rule['dcidr']:
      + if ( cidr == '0.0.0.0/0' ):
      + continue
      ipsetAddCmd = 'ipset add '+ destIpsetName + ' '+cidr
      CsHelper.execute(ipsetAddCmd)
      dflag = True
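Review bot: skipping 0.0.0.0/0 in both loops leaves sflag/dflag False and leaves the sets created by `CsHelper.execute(srcIpset)` / `CsHelper.execute(dstIpset)` empty, so whether an unconditional ACCEPT is emitted depends on code outside this hunk; record the intent explicitly (for example set an `allow_all` flag instead of a bare `continue`) and only create a set when it will receive members, otherwise an unreferenced empty set is left on the router. A /0 entry anywhere in the list should make the whole rule unrestricted rather than being dropped from the set while the remaining CIDRs still restrict it. Style: `if ( cidr == '0.0.0.0/0' ):` should be `if cidr == '0.0.0.0/0':`.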
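The failure described in this report and a hardened form of the rule generator, as an added example that is neither CloudStack's configure.py nor the reporter's patch. It assumes a rule dict with the `dcidr` key used in the patch, the `destCidrIpset-<id>` set name and `FW_EGRESS_RULES` chain seen in the output above, and it omits protocol and port matches; ipset and iptables behaviour is modelled in memory so it runs offline. The model encodes the ipset limitation behind the empty set: a hash:net set cannot store a zero-length prefix, so `ipset add ... 0.0.0.0/0` fails and the set stays empty, and an iptables `--match-set` against an empty set never matches, leaving only the DROP. It also goes slightly beyond the patch: a /0 prefix anywhere in the destination list makes the whole rule unrestricted instead of merely being skipped.

```python
import ipaddress

ANY_V4 = "0.0.0.0/0"          # the "allow anything" CIDR from the report
CHAIN = "FW_EGRESS_RULES"     # chain name from the iptables output above


def is_allow_all(cidr):
    """True for a prefix covering every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def build_egress_commands(rule, rule_id, skip_allow_all=True):
    """Return (ipset_cmds, iptables_cmds) for one egress rule.

    skip_allow_all=False reproduces the reported behaviour: 0.0.0.0/0 is
    pushed into the hash:net set and ACCEPT always carries --match-set.
    skip_allow_all=True is the hardened form: a /0 anywhere in 'dcidr'
    means "no destination restriction", so no set is created or referenced.
    Hypothetical helper; the real configure.py also handles protocol/ports.
    """
    set_name = "destCidrIpset-%d" % rule_id
    members = list(rule["dcidr"])
    if skip_allow_all and any(is_allow_all(c) for c in members):
        members = []
    ipset_cmds = []
    if members:
        ipset_cmds.append("ipset create %s hash:net" % set_name)
        ipset_cmds += ["ipset add %s %s" % (set_name, c) for c in members]
        accept = "-A %s -m set --match-set %s dst -j ACCEPT" % (CHAIN, set_name)
    else:
        accept = "-A %s -j ACCEPT" % CHAIN
    return ipset_cmds, [accept, "-A %s -j DROP" % CHAIN]


def simulate_ipset(ipset_cmds):
    """In-memory model of 'ipset create' / 'ipset add' for hash:net sets.

    A hash:net set cannot hold a zero-length prefix: the add fails and the
    set is left as it was, which is how an empty destCidrIpset-21 with one
    iptables reference comes about.  Failed commands are returned as well.
    """
    sets, failed = {}, []
    for cmd in ipset_cmds:
        parts = cmd.split()
        if parts[1] == "create":
            sets[parts[2]] = []
        elif parts[1] == "add":
            net = ipaddress.ip_network(parts[3], strict=False)
            if net.prefixlen == 0:
                failed.append(cmd)          # rejected by real ipset too
                continue
            sets[parts[2]].append(net)
    return sets, failed


def egress_verdict(dst_ip, iptables_cmds, sets):
    """Walk the egress chain for a new connection to dst_ip and return the
    target of the first matching rule.  A --match-set against an empty or
    missing set never matches, so the packet falls through to the next rule."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in iptables_cmds:
        parts = rule.split()
        if "--match-set" in parts:
            name = parts[parts.index("--match-set") + 1]
            if not any(ip in net for net in sets.get(name, [])):
                continue
        return parts[-1]                    # the -j target: ACCEPT or DROP
    return "RETURN"                         # end of chain


def outcome(dcidrs, dst_ip, skip_allow_all=True):
    """Generate, 'apply' and evaluate one rule; returns (verdict, failed_adds)."""
    ipset_cmds, ipt_cmds = build_egress_commands({"dcidr": dcidrs}, 21, skip_allow_all)
    sets, failed = simulate_ipset(ipset_cmds)
    return egress_verdict(dst_ip, ipt_cmds, sets), len(failed)


if __name__ == "__main__":
    # Constructed inputs: the allow-all rule from the report and a restricted one.
    print("reported behaviour: ", outcome([ANY_V4], "8.8.8.8", skip_allow_all=False))
    print("hardened:           ", outcome([ANY_V4], "8.8.8.8"))
    print("restricted, inside: ", outcome(["10.0.0.0/8"], "10.1.2.3"))
    print("restricted, outside:", outcome(["10.0.0.0/8"], "8.8.8.8"))
```

With the reported behaviour the allow-all rule yields one failed `ipset add` and a DROP for every destination; the hardened generator emits no set at all and an unconditional ACCEPT, while a genuinely restricted rule still accepts inside the listed prefix and drops outside it. Checking the ipset output for a set with `References: 1` and no members is a quick way to spot this condition on a running router.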


      People

        Assignee: Unassigned
        Reporter: edson.moreno (José Edson Moreno Junior)