Comments (13)
After gaining some background knowledge, I think the standard security group simply doesn't allow the "all" protocol to work with a port range, since "ICMP" isn't related to any port.
from kube-ovn.
could you please show the telnet ip:8000?
from kube-ovn.
```yaml
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  creationTimestamp: "2024-04-16T03:10:32Z"
  generation: 29
  name: user-2355-i-njwpuvj7k528-firewall-sg
  resourceVersion: "558092262"
  uid: 53d72488-993e-4c73-ad44-6a13421f2559
spec:
  ingressRules:
  - ipVersion: ipv4
    policy: allow
    portRangeMax: 8000
    portRangeMin: 8000
    priority: 101
    protocol: all
    remoteAddress: 0.0.0.0/0
    remoteType: address
  - ipVersion: ipv4
    policy: deny
    priority: 161
    protocol: ALL
    remoteAddress: 0.0.0.0/0
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 160
    protocol: ALL
    remoteAddress: 172.16.0.0/11
    remoteType: address
  - ipVersion: ipv4
    policy: allow
    priority: 160
    protocol: ALL
    remoteAddress: 10.0.0.0/8
    remoteType: address
status:
  allowSameGroupTraffic: false
  egressLastSyncSuccess: true
  egressMd5: d751713988987e9331980363e24189ce
  ingressLastSyncSuccess: true
  ingressMd5: e4fc8be826456f64c73f9a848abb560f
  portGroup: ovn.sg.user.2355.i.njwpuvj7k528.firewall.sg
```
from kube-ovn.
At the same time I can SSH to port 22, which should be blocked by the ingress rules.
However, if you change "all" to "tcp", the SSH connection is disconnected immediately.
from kube-ovn.
could you please show the telnet ip:8000? Your image means the 8000 port is OK, which works; do I miss something?
from kube-ovn.
> could you please show the telnet ip:8000? Your image means the 8000 port is OK, which works; do I miss something?

The real problem is that if you set a server listening on port 7000, it works as well. I just did telnet ip 8000 as you asked.
from kube-ovn.
> could you please show the telnet ip:8000? Your image means the 8000 port is OK, which works; do I miss something?

> The real problem is that if you set a server listening on port 7000, it works as well. I just did telnet ip 8000 as you asked.

OK, I get it.
from kube-ovn.
if you do not set the 8000 allow ingressRules, could ip:8000 be accessed?
from kube-ovn.
> if you do not set the 8000 allow ingressRules, could ip:8000 be accessed?

No. Because I have a rule with lower priority to deny all ingress traffic.

```yaml
ipVersion: ipv4
policy: deny
priority: 161
protocol: ALL
remoteAddress: 0.0.0.0/0
remoteType: address
```

I wish to only allow port 8000 ingress traffic by setting another rule; however, it seems to allow all ports. But if you set "udp" or "tcp", it works as expected.
from kube-ovn.
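As an added example (not code from the kube-ovn project or from anyone in this thread), the following Python lints a SecurityGroup spec for the pattern reported above, a rule combining `protocol: all` with a port range, and rewrites such rules into explicit `tcp` and `udp` rules, which is the workaround the thread arrives at. It also evaluates what the spec's author intends a rule set to do, assuming (as the 101-beats-161 usage in this thread implies) that the lower priority number wins. The field names are the ones shown in the SecurityGroup object above; the sample spec is a reduced copy of it, and the source addresses are constructed.

```python
"""Lint a kube-ovn SecurityGroup spec for "protocol: all" rules that carry a
port range, rewrite them into tcp/udp rules, and compute the intended verdict.
Added example; not kube-ovn project code. Field names follow the SecurityGroup
object shown in the thread."""

from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed sample, reduced from the spec posted in the thread.
SAMPLE_SPEC = {
    "ingressRules": [
        {"ipVersion": "ipv4", "policy": "allow", "portRangeMin": 8000,
         "portRangeMax": 8000, "priority": 101, "protocol": "all",
         "remoteAddress": "0.0.0.0/0", "remoteType": "address"},
        {"ipVersion": "ipv4", "policy": "deny", "priority": 161,
         "protocol": "ALL", "remoteAddress": "0.0.0.0/0",
         "remoteType": "address"},
        {"ipVersion": "ipv4", "policy": "allow", "priority": 160,
         "protocol": "ALL", "remoteAddress": "10.0.0.0/8",
         "remoteType": "address"},
    ]
}

DIRECTIONS = ("ingressRules", "egressRules")


def _proto(rule):
    # The thread shows both "all" and "ALL"; compare case-insensitively.
    return str(rule.get("protocol", "")).lower()


def _has_port_range(rule):
    return "portRangeMin" in rule or "portRangeMax" in rule


def find_all_with_ports(spec):
    """Return (direction, index, priority) for every rule that combines
    protocol all with a port range: the pattern reported as letting every
    port through, because ICMP has no port to match against."""
    findings = []
    for direction in DIRECTIONS:
        for idx, rule in enumerate(spec.get(direction) or []):
            if _proto(rule) == "all" and _has_port_range(rule):
                findings.append((direction, idx, rule.get("priority")))
    return findings


def split_into_tcp_udp(spec):
    """Copy of spec in which each flagged rule becomes one tcp and one udp
    rule with the same ports, priority and remote. ICMP is deliberately not
    re-added: a port-scoped rule cannot meaningfully cover it."""
    hardened = deepcopy(spec)
    for direction in DIRECTIONS:
        if direction not in hardened:
            continue
        rewritten = []
        for rule in hardened[direction] or []:
            if _proto(rule) == "all" and _has_port_range(rule):
                for proto in ("tcp", "udp"):
                    r = deepcopy(rule)
                    r["protocol"] = proto
                    rewritten.append(r)
            else:
                rewritten.append(rule)
        hardened[direction] = rewritten
    return hardened


def intended_verdict(rules, src_ip, proto, port):
    """Policy of the matching rule with the smallest priority number
    (assumption: lower number = higher priority). `port` is None for
    port-less protocols such as icmp. Returns "no-match" if nothing matches."""
    src = ip_address(src_ip)
    matching = []
    for rule in rules:
        if src not in ip_network(rule["remoteAddress"]):
            continue
        rule_proto = _proto(rule)
        if rule_proto != "all" and rule_proto != proto:
            continue
        if _has_port_range(rule):
            if port is None:
                continue  # a port range can never match a port-less packet
            lo = rule.get("portRangeMin", 0)
            hi = rule.get("portRangeMax", 65535)
            if not lo <= port <= hi:
                continue
        matching.append(rule)
    if not matching:
        return "no-match"
    return min(matching, key=lambda r: r["priority"])["policy"]


if __name__ == "__main__":
    print("flagged rules:", find_all_with_ports(SAMPLE_SPEC))
    rules = SAMPLE_SPEC["ingressRules"]
    print("intended tcp/22 from internet:", intended_verdict(rules, "203.0.113.5", "tcp", 22))
    print("intended tcp/8000 from internet:", intended_verdict(rules, "203.0.113.5", "tcp", 8000))
    print("flagged after rewrite:", find_all_with_ports(split_into_tcp_udp(SAMPLE_SPEC)))
```

The `intended_verdict` function models what the author of the spec means, not what OVN actually did in this thread (where tcp/22 was let through while the `all` rule carried a port range). Running the linter over a SecurityGroup before applying it, and rewriting flagged rules with `split_into_tcp_udp`, avoids depending on that behaviour.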
it looks like it is an OVN bug
from kube-ovn.
Interesting. So shall we open an issue to OVN? Is there any way to fix it temporarily?
BTW, if there is some interesting issue you think I can help with, you can assign it to me. I would like to help. Recently, I'm hoping to get more familiar with kube-ovn.
from kube-ovn.
> Is there any way to fix it temporarily?

Use TCP or UDP, not all, as you said.
from kube-ovn.
you can try to raise this issue in the OVN GitHub issues for some help.
from kube-ovn.