CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking

Allow DNS queries over TCP when egress filtering is configured. When using DNSSEC more and more queries are done over TCP and this requires 53/TCP to be allowed. Signed-off-by: Wido den Hollander <wido@widodh.nl>
2016-10-20 10:14:36 +02:00 · 2016-10-20 10:14:36 +02:00 · 8ea75f1a85
parent fcee71f35b
commit 8ea75f1a85
1 changed files with 1 additions and 0 deletions
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@ -493,6 +493,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
        if vm_ip is not None:
            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p tcp --dport 53  -j RETURN ")
            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
        execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
        execute("iptables -A " + vmchain + " -j DROP")