Allow reset (!8) · Merge requests · nova / router_services

Merged Sigmund Augdal requested to merge allow-reset into master Sep 14, 2015
Untested proposal for how to fix dropping RST packets between nodes in instance net. Differences in generated output is as follows:
diff -ur a/generated_ip6tables b/generated_ip6tables
--- a/generated_ip6tables	2015-09-14 14:36:30.858554062 +0200
+++ b/generated_ip6tables	2015-09-14 14:39:25.267693618 +0200
@@ -25,14 +25,22 @@
 -A INPUT -i eth3.900 -p tcp -m tcp --dport 1936 -j DROP
 -A INPUT ! -s 2001:700:1::/64 -i eth1 -p tcp -m tcp --dport 1936 -j DROP
 -A NOVAFORWARD -m set --match-set rls_from_any_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set rls_from_any_inet6_0 src,src -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_from_cidr_inet6_0 dst,dst,src -j ACCEPT
+-A NOVAFORWARD -m set --match-set rls_from_cidr_inet6_0 src,src,dst -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_from_any_to_ip_inet6_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set source36_inet6_0 src -m set --match-set rls_by_src140_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source36_inet6_0 dst -m set --match-set rls_by_src140_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source66_inet6_0 src -m set --match-set rls_by_src67_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source66_inet6_0 dst -m set --match-set rls_by_src67_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source94_inet6_0 src -m set --match-set rls_by_src231_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source94_inet6_0 dst -m set --match-set rls_by_src231_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source164_inet6_0 src -m set --match-set rls_by_src165_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source164_inet6_0 dst -m set --match-set rls_by_src165_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source186_inet6_0 src -m set --match-set rls_by_src126_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source186_inet6_0 dst -m set --match-set rls_by_src126_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source230_inet6_0 src -m set --match-set rls_by_src69_inet6_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source230_inet6_0 dst -m set --match-set rls_by_src69_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip61_inet6_0 src -m set --match-set source60_inet6_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip78_inet6_0 src -m set --match-set source77_inet6_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip81_inet6_0 src -m set --match-set source80_inet6_0 dst -j ACCEPT
diff -ur a/generated_iptables b/generated_iptables
--- a/generated_iptables	2015-09-14 14:36:30.858554062 +0200
+++ b/generated_iptables	2015-09-14 14:39:25.267693618 +0200
@@ -34,14 +34,22 @@
 -A INPUT -i eth3.900 -p tcp -m tcp --dport 1936 -j DROP
 -A INPUT ! -s 158.38.62.0/23 -i eth1 -p tcp -m tcp --dport 1936 -j DROP
 -A NOVAFORWARD -m set --match-set rls_from_any_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set rls_from_any_inet_0 src,src -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_from_cidr_inet_0 dst,dst,src -j ACCEPT
+-A NOVAFORWARD -m set --match-set rls_from_cidr_inet_0 src,src,dst -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_from_any_to_ip_inet_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set source36_inet_0 src -m set --match-set rls_by_src140_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source36_inet_0 dst -m set --match-set rls_by_src140_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source66_inet_0 src -m set --match-set rls_by_src67_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source66_inet_0 dst -m set --match-set rls_by_src67_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source94_inet_0 src -m set --match-set rls_by_src231_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source94_inet_0 dst -m set --match-set rls_by_src231_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source164_inet_0 src -m set --match-set rls_by_src165_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source164_inet_0 dst -m set --match-set rls_by_src165_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source186_inet_0 src -m set --match-set rls_by_src126_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source186_inet_0 dst -m set --match-set rls_by_src126_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set source230_inet_0 src -m set --match-set rls_by_src69_inet_0 dst,dst -j ACCEPT
+-A NOVAFORWARD -m set --match-set source230_inet_0 dst -m set --match-set rls_by_src69_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip8_inet_0 src -m set --match-set source7_inet_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip17_inet_0 src -m set --match-set source16_inet_0 dst -j ACCEPT
 -A NOVAFORWARD -m set --match-set rls_cidr_to_ip43_inet_0 src -m set --match-set source42_inet_0 dst -j ACCEPT