I just made some tests regarding the commit mechanism when applying or removing rules on a secgroup, and I saw a behaviour which, in my understanding, shouldn't happen.
Applying a new rule (for example, allow ICMP packets) works almost instantly.
BUT when I try to remove a rule from the secgroup, it doesn't work for an already running VM. I had to remove the NIC, attach it again and reboot the VM.
In both cases I can see the new rule popping up and disappearing in the VM/Network section of the NIC on the VM, but the rule is not removed.
Setup:
1 test network called Testnet
1 security rule applied to Testnet (this is also the only secgroup for Testnet)
1 VM within Testnet
1 physical machine which is also wired up into Testnet
How I tested it:
1. Drop all rules in the secgroup so nothing is allowed.
2. Start the VM within this environment.
3. Ping the IP of the VM from the physical machine -> no ping possible, as expected.
4. Apply an inbound ICMP rule to the secgroup.
5. Ping the VM again -> ping works, as expected.
6. Remove the ICMP rule from point 4 (also checked that the rule disappears on the VM NIC).
7. Ping once again -> ping still works -> not as I expected.
From your message I assume that you commit the changes after each update, is this right? Also, is there any relevant message in the VirtualMachine log, or in oned.log?
If we are speaking about Linux KVM, you can check if secgroups work correctly:
look at the output of iptables -S
before step 6 and after step 6 (the command should be executed on the “Physical Machine”).
If the rule for ICMP traffic disappears after step 6 then secgroups work correctly and the reason for that behaviour is the Linux connection tracker. Wait 60 sec and try to ping again (you should stop pinging before removing the rule).
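The before/after comparison suggested above can be done mechanically. The following is an added example, not code from the thread or from the project: it parses two constructed `iptables -S` snapshots of a per-NIC security-group chain (the chain name `one-1-0-i`, the `vnet0` interface and the rule layout are assumptions for this example), reports which rule disappeared between the snapshots, and points at the `ESTABLISHED,RELATED` shortcut that lets an already-tracked ping flow keep passing after the ICMP rule is gone.

```python
"""Compare two `iptables -S` snapshots of a per-NIC secgroup chain and explain
why an existing flow can survive the removal of the rule that allowed it."""

import re
from typing import Dict, List, Set

# Constructed sample snapshots in the format of `iptables -S`, taken on the
# KVM host before and after the ICMP rule is removed from the secgroup.
# Chain name, interface and rule layout are assumptions for this example.
BEFORE_STEP_6 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N one-1-0-i
-A FORWARD -m physdev --physdev-out vnet0 --physdev-is-bridged -j one-1-0-i
-A one-1-0-i -m state --state ESTABLISHED,RELATED -j RETURN
-A one-1-0-i -p icmp -j RETURN
-A one-1-0-i -j DROP
"""

AFTER_STEP_6 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N one-1-0-i
-A FORWARD -m physdev --physdev-out vnet0 --physdev-is-bridged -j one-1-0-i
-A one-1-0-i -m state --state ESTABLISHED,RELATED -j RETURN
-A one-1-0-i -j DROP
"""

# Targets that let a packet through the chain. In a per-NIC chain, RETURN
# hands the packet back to FORWARD, which is the allow path (assumption).
PERMISSIVE_TARGETS = {"ACCEPT", "RETURN"}


def parse_append_rules(dump: str) -> Dict[str, List[str]]:
    """Group the `-A <chain> <match...>` lines by chain, preserving order
    (order decides which rule fires first)."""
    chains: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "-A":
            chains.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return chains


def target_of(rule: str) -> str:
    """Return the jump target (`-j X`) of a rule, or "" if it has none."""
    m = re.search(r"(?:^|\s)-j\s+(\S+)", rule)
    return m.group(1) if m else ""


def protocol_allowed(dump: str, chain: str, proto: str) -> bool:
    """True if the chain has a rule matching `-p <proto>` with a permissive target."""
    for rule in parse_append_rules(dump).get(chain, []):
        if re.search(rf"(?:^|\s)-p\s+{re.escape(proto)}(?:\s|$)", rule) \
                and target_of(rule) in PERMISSIVE_TARGETS:
            return True
    return False


def has_established_bypass(dump: str, chain: str) -> bool:
    """True if a permissive ESTABLISHED/RELATED rule is reachable, i.e. packets
    of an already-tracked flow pass without consulting the protocol rules."""
    for rule in parse_append_rules(dump).get(chain, []):
        tgt = target_of(rule)
        if re.search(r"--(?:ct)?state\s+\S*ESTABLISHED", rule) and tgt in PERMISSIVE_TARGETS:
            return True
        if rule == f"-j {tgt}" and tgt in {"DROP", "REJECT"}:
            return False  # unconditional drop reached first; nothing below it runs
    return False


def removed_rules(before: str, after: str, chain: str) -> Set[str]:
    """Rules present in the chain before the change but absent afterwards."""
    b = set(parse_append_rules(before).get(chain, []))
    a = set(parse_append_rules(after).get(chain, []))
    return b - a


def diagnose(before: str, after: str, chain: str, proto: str = "icmp") -> str:
    """Explain the observed ping behaviour from the two snapshots."""
    if protocol_allowed(after, chain, proto):
        return f"{proto} rule still present in {chain}: the secgroup change was not applied"
    if not removed_rules(before, after, chain):
        return f"no rule was removed from {chain} between the snapshots"
    if has_established_bypass(after, chain):
        return (f"{proto} rule removed from {chain}; flows already known to conntrack "
                "still pass via the ESTABLISHED/RELATED rule until their entry expires")
    return f"{proto} rule removed from {chain} and no conntrack bypass: old and new flows are blocked"


if __name__ == "__main__":
    print(diagnose(BEFORE_STEP_6, AFTER_STEP_6, "one-1-0-i"))
```

On a real host, capture `iptables -S > before.txt` and `iptables -S > after.txt` around step 6 and feed the two files to `diagnose`. The tracked flow itself can be inspected with `conntrack -L` (conntrack-tools); an idle ICMP entry expires after `net.netfilter.nf_conntrack_icmp_timeout` seconds (kernel default 30), which is why stopping the ping and waiting, as suggested above, makes the removed rule take effect.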
Looks like I was just too impatient. But in the end, I would expect the security rules to be applied instantly when I remove them, some kind of cutting the wires the hard way.
I would say that this topic is solved.
Thank you a lot for those ideas.