cloudstack
IPv6 firewall: accept packets from related and established connections
Description
The VR's firewall service automatically accepts packets from related and established connections when using IPv4. However, it does not for IPv6. Due to this, even if the egress rules allow a VM to send requests to a machine from outside the isolated network, it will not receive the response unless operators have allowed all ingress for the (sometimes dynamically allocated) port.
This PR adds a rule to the VR's IPv6 forward and input chains accepting response traffic (ingress from related and established connections), even if the operator has not explicitly allowed all ingress for the ports, thus matching the IPv4 firewall's behavior.
Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
- [ ] Major
- [X] Minor
How Has This Been Tested?
- I introduced an IPv6 range to my environment.
- I created a network offering for IPv6.
- I created an isolated network with the network offering.
- I added a VM to the network.
Then, I performed the following tests:
- I validated that the VR had nftables rules in the forward and input chains allowing the ingress of related packets and packets from established connections.
- Inside the VM, I tried to download a file from a machine outside the isolated network using IPv6. I validated that the download did not begin, because the egress traffic was not allowed.
- I allowed the egress for ports 80 and 443.
- Inside the VM, I tried to download a file from a machine outside the isolated network using IPv6 again. This time, the file was downloaded successfully. Before the changes, the file would not be downloaded, because the VR was rejecting the response traffic.
- I tried to log in to the VM using SSH and IPv6. I validated that it was not possible because the ingress traffic for port 22 was not allowed.
- I allowed ingress for port 22, and tried to log in to the VM using SSH and IPv6 one more time. This time, I was able to access the VM successfully.
@blueorangutan package
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 16.15%. Comparing base (823080c) to head (145f4fe).
:warning: Report is 130 commits behind head on 4.20.
Additional details and impacted files
Coverage Diff:

| | 4.20 | #10970 | +/- |
|---|---|---|---|
| Coverage | 16.14% | 16.15% | |
| Complexity | 13253 | 13269 | +16 |
| Files | 5656 | 5657 | +1 |
| Lines | 497893 | 497772 | -121 |
| Branches | 60374 | 60364 | -10 |
| Hits | 80405 | 80408 | +3 |
| Misses | 408529 | 408413 | -116 |
| Partials | 8959 | 8951 | -8 |

| Flag | Coverage Δ | |
|---|---|---|
| uitests | 4.00% <ø> (-0.01%) | :arrow_down: |
| unittests | 17.00% <ø> (+<0.01%) | :arrow_up: |
Oh, I remember this issue, I had a fix more than one year ago. I thought I had created a PR for it :man_facepalming:
Good finding @winterhazel, the code is different from mine (4 lines), but the idea is the same.
@weizhouapache , does that mean lgty?
@blueorangutan package
@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14043
@blueorangutan package
@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14105
@blueorangutan test
@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests
[SF] Trillian test result (tid-13739)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 55694 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10970-t13739-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:
@blueorangutan package
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 14852
@blueorangutan test
@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests
[SF] Trillian Build Failed (tid-14212)
@blueorangutan package
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14868
@blueorangutan test
@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests
Tested with IPv6 network and VPC.
SSH did not work prior to this change; it worked with this change.
An example of the nft rules:

```
chain fw_forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related accept
    ip6 saddr 2025:9:10:e::/64 jump fw_chain_egress
    ip6 daddr 2025:9:10:e::/64 jump fw_chain_ingress
}
```
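As an added example, not code from this PR or from CloudStack, here is a small Python check that does what the PR author describes validating on the VR: it parses `nft list ruleset`-style output and confirms that the IPv6 input and forward chains accept established/related traffic, and that the accept rule comes before any jump or terminal verdict that could shadow it. The listing is constructed, modelled on the chain names shown in the comment above (`fw_forward`, `fw_chain_egress`, `fw_chain_ingress`); the table name `filter` and the chain name `fw_input` are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the nft rules quoted in this PR. The table
# name "filter" and the chain name "fw_input" are assumptions, not taken
# from the CloudStack VR.
NFT_AFTER_FIX = """\
table ip6 filter {
    chain fw_input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        ip6 daddr 2025:9:10:e::/64 jump fw_chain_ingress
    }
    chain fw_forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        ip6 saddr 2025:9:10:e::/64 jump fw_chain_egress
        ip6 daddr 2025:9:10:e::/64 jump fw_chain_ingress
    }
    chain fw_chain_egress {
        tcp dport { 80, 443 } accept
        drop
    }
    chain fw_chain_ingress {
        tcp dport 22 accept
        drop
    }
}
"""

# The same constructed ruleset without the conntrack rule, i.e. the VR's
# IPv6 behaviour before this PR: return traffic falls through to the
# ingress chain and is dropped unless the port was opened explicitly.
NFT_BEFORE_FIX = NFT_AFTER_FIX.replace(
    "        ct state established,related accept\n", "")

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{\s*$")
CT_ACCEPT_RE = re.compile(r"^ct state\s+(\S+)\s+accept$")


def parse_nft_chains(listing: str) -> Dict[str, List[str]]:
    """Map each chain name to its rule lines (chain hook declarations skipped)."""
    chains: Dict[str, List[str]] = {}
    current = None
    for raw in listing.splitlines():
        m = CHAIN_RE.match(raw)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None:
            continue  # table header or whitespace outside a chain
        line = raw.strip()
        if line == "}":
            current = None
            continue
        if not line or line.startswith("type "):
            continue  # "type filter hook ..." describes the chain, it is not a rule
        chains[current].append(line)
    return chains


def accepts_return_traffic(rules: List[str]) -> bool:
    """True if established+related packets are accepted before any rule
    that could divert or drop them (a jump into a chain ending in drop
    would shadow a ct state accept placed after it)."""
    for rule in rules:
        m = CT_ACCEPT_RE.match(rule)
        if m and {"established", "related"} <= set(m.group(1).split(",")):
            return True
        if rule in ("drop", "reject") or " jump " in rule or rule.startswith("jump "):
            return False
    return False


def check_return_traffic(listing: str,
                         chain_names: Tuple[str, ...] = ("fw_input", "fw_forward")
                         ) -> Dict[str, bool]:
    """Per-chain verdict for the chains this PR touches (names are assumptions)."""
    chains = parse_nft_chains(listing)
    return {name: accepts_return_traffic(chains.get(name, [])) for name in chain_names}


if __name__ == "__main__":
    print("after fix :", check_return_traffic(NFT_AFTER_FIX))
    print("before fix:", check_return_traffic(NFT_BEFORE_FIX))
```

On a real VR the listing would come from `nft list ruleset` (or `nft list table ip6 filter`, if that is the table name); the ordering check matters because appending the conntrack rule after the jump to the ingress chain would not fix the symptom described in this PR.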