mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-03 04:12:31 +01:00
The issue is found in the smoke test `test/integration/smoke/test_network_ipv6.py`.
Sometimes the test failed with the error below:
```
FAIL: Test to verify IPv6 network
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/marvin/lib/decoratorGenerators.py", line 30, in test_wrapper
return test(self, *args, **kwargs)
File "/marvin/test_network_ipv6.py", line 1215, in test_01_verify_ipv6_network
self.checkNetworkRouting()
File "/marvin/test_network_ipv6.py", line 1060, in checkNetworkRouting
"Ping from VM %s of network %s to VM %s of network %s is unsuccessful" % (self.routing_test_vm.id, self.routing_test_network.id, self.virtual_machine.id, self.network.id))
AssertionError: False is not true : Ping from VM 0aa36a76-09c6-476f-97c5-b9cea27a5b7c of network 27a2b244-e319-46c5-a779-d6ae73eb9ac2 to VM ae13ea17-1f35-4ca7-83c1-e13126f8df79 of network 1f38a686-69f3-41ed-a75e-cd3f822497d8 is unsuccessful
```
After investigation, we found the egress traffic is dropped by `nft`.
A correct nft chain looks like:
```
root@r-282-VM:~# nft list chain ip6 ip6_firewall fw_chain_egress
table ip6 ip6_firewall {
chain fw_chain_egress {
counter packets 0 bytes 0 accept
}
}
```
However, some VRs have the following nft chain:
```
root@r-280-VM:~# nft list chain ip6 ip6_firewall fw_chain_egress
table ip6 ip6_firewall {
chain fw_chain_egress {
counter packets 0 bytes 0 drop
}
}
```
It is because the ingress rule does not have the correct `default_egress_policy`:
```
root@r-280-VM:~# cat /etc/cloudstack/ipv6firewallrules.json
{
"0": {
"already_added": false,
"default_egress_policy": true,
"dest_cidr_list": [],
"guest_ip6_cidr": "fd17:ac56:1234:1a96::/64",
"id": 0,
"protocol": "all",
"purpose": "Ipv6Firewall",
"revoked": false,
"source_cidr_list": [],
"src_ip": "",
"traffic_type": "Egress"
},
"1263": {
"already_added": false,
"default_egress_policy": false,
"dest_cidr_list": [
"::/0"
],
"guest_ip6_cidr": "fd17:ac56:1234:1a96::/64",
"icmp_code": -1,
"icmp_type": -1,
"id": 1263,
"protocol": "icmp",
"purpose": "Ipv6Firewall",
"revoked": false,
"source_cidr_list": [
"::/0"
],
"traffic_type": "Ingress"
},
"id": "ipv6firewallrules"
}
```
Most of the time, the Egress rule is processed before the Ingress rule.
But when the Ingress rule is processed first, the nft chain will be wrong.
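The ordering problem described above can be checked on a router by comparing the default that the rules file requests with the verdict the chain actually enforces. The following is an added example, not code from this commit or from CloudStack: the function names are hypothetical, the inputs are constructed from the listings above, and `first_seen_verdict` is a simplified model that assumes the first rule processed sets the chain default.

```python
import json
import re

# Constructed sample: the rules file from the page, trimmed to the relevant fields.
RULES_JSON = """
{"0":    {"id": 0,    "traffic_type": "Egress",  "default_egress_policy": true},
 "1263": {"id": 1263, "traffic_type": "Ingress", "default_egress_policy": false},
 "id": "ipv6firewallrules"}
"""
# Constructed sample: chain listing in the broken state shown on the page.
NFT_BROKEN = """table ip6 ip6_firewall {
chain fw_chain_egress {
counter packets 0 bytes 0 drop
}
}"""

def entries(rules_json):
    """Rule entries in file order, skipping the non-rule "id" key."""
    return [v for v in json.loads(rules_json).values() if isinstance(v, dict)]

def first_seen_verdict(rules):
    """Simplified model of the failure: the first rule processed sets the default."""
    return "accept" if rules[0]["default_egress_policy"] else "drop"

def expected_verdict(rules):
    """Order-independent: only Egress entries may decide the chain default."""
    policies = {r["default_egress_policy"] for r in rules
                if r.get("traffic_type") == "Egress"}
    if len(policies) != 1:
        raise ValueError("no unambiguous Egress default in rules file")
    return "accept" if policies.pop() else "drop"

def actual_verdict(nft_text):
    """Verdict of the catch-all counter rule in `nft list chain` output."""
    m = re.search(r"^\s*counter packets \d+ bytes \d+ (accept|drop)\s*$",
                  nft_text, re.MULTILINE)
    if m is None:
        raise ValueError("no catch-all counter rule found")
    return m.group(1)

def audit(rules_json, nft_text):
    """Compare what the rules file asks for with what the chain enforces."""
    expected = expected_verdict(entries(rules_json))
    actual = actual_verdict(nft_text)
    return {"expected": expected, "actual": actual, "mismatch": expected != actual}

if __name__ == "__main__":
    print(audit(RULES_JSON, NFT_BROKEN))
```

On a router, the two inputs would be the contents of `/etc/cloudstack/ipv6firewallrules.json` and the output of `nft list chain ip6 ip6_firewall fw_chain_egress`.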