Routed 32: add chain OUTPUT and more rules

- fix the issue 80/443/8080 is not reachable from VR itself ``` 2024-06-27 10:21:52,121 INFO Executing: systemctl start cloud-password-server@172.31.1.1 2024-06-27 10:21:52,128 INFO Service cloud-password-server@172.31.1.1 start 2024-06-27 10:21:52,129 INFO Executing: ps aux 2024-06-27 10:24:02,175 ERROR Failed to update password server due to: <urlopen error [Errno 110] Connection timed out> ```
apache · weizhouapache · Apr 29, 2024 · May 24, 2024 · May 25, 2024 · May 28, 2024
commit db9dea33a778711af21ada48ea0e2305bc76087d
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -622,6 +622,10 @@ def fw_router_routing(self):
             return
         if self.get_type() in ["guest"]:
             guestNetworkCidr = self.address['network']
+            self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
+                                     'rule': "iifname lo counter accept"})
+            self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
+                                     'rule': "iifname %s ct state related,established counter accept" % self.dev})
             self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
                                      'rule': "iifname %s udp dport 67 counter accept" % self.dev})
             self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
@@ -640,6 +644,10 @@ def fw_vpcrouter_routing(self):
             return
         if self.get_type() in ["guest"]:
             guestNetworkCidr = self.address['network']
+            self.nft_ipv4_acl.append({'type': "", 'chain': 'INPUT',
+                                      'rule': "iifname lo counter accept"})
+            self.nft_ipv4_acl.append({'type': "", 'chain': 'INPUT',
+                                      'rule': "iifname %s ct state related,established counter accept" % self.dev})
             self.nft_ipv4_acl.append({'type': "", 'chain': 'INPUT',
                                       'rule': "iifname %s udp dport 67 counter accept" % self.dev})
             self.nft_ipv4_acl.append({'type': "", 'chain': 'INPUT',

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -251,13 +251,15 @@ def apply_nft_ipv4_rules(self, rules, type):
         table = 'ip4_firewall'
         default_chains = [
             {"chain": "INPUT", "hook": "input", "action": "drop"},
-            {"chain": "FORWARD", "hook": "forward", "action": "accept"}
+            {"chain": "FORWARD", "hook": "forward", "action": "accept"},
+            {"chain": "OUTPUT", "hook": "output", "action": "accept"}
         ]
         if type == "acl":
             table = 'ip4_acl'
             default_chains = [
                 {"chain": "INPUT", "hook": "input", "action": "drop"},
-                {"chain": "FORWARD", "hook": "forward", "action": "accept"}
+                {"chain": "FORWARD", "hook": "forward", "action": "accept"},
+                {"chain": "OUTPUT", "hook": "output", "action": "accept"}
             ]
         tables = CsHelper.execute("nft list tables %s | grep %s" % (address_family, table))
         if any(table in t for t in tables):

diff --git a/test/integration/smoke/test_ipv4_routing.py b/test/integration/smoke/test_ipv4_routing.py
@@ -275,9 +275,10 @@ def verifyNftablesRulesInRouter(self, router, rules):
             else:
                 exists = False
             if exists and not rule["rule"] in res:
-                self.fail("The nftables rule (%s) should exist but is not found in the VR" % rule["rule"])
+                self.fail("The nftables rule (%s) should exist but is not found in the VR !!!" % rule["rule"])
             if not exists and rule["rule"] in res:
-                self.fail("The nftables rule (%s) should not exist but is found in the VR" % rule["rule"])
+                self.fail("The nftables rule (%s) should not exist but is found in the VR !!!" % rule["rule"])
+            self.message("The nftables rules look good so far.")
 
     def verifyPingFromRouter(self, router, vm, expected=True, retries=1):
         while retries > 0:
@@ -295,9 +296,9 @@ def verifyPingFromRouter(self, router, vm, expected=True, retries=1):
             except Exception as ex:
                 self.fail("Failed to ping vm from router: %s" % ex)
         if retries == 0 and expected:
-            self.message("Failed to ping vm from router, which is expected to work.")
+            self.message("Failed to ping vm from router, which is expected to work !!!")
         if retries > 0 and not expected:
-            self.message("ping vm from router works, however it is unexpected.")
+            self.message("ping vm from router works, however it is unexpected !!!")
 
     @attr(tags=['advanced', 'basic', 'sg'], required_hardware=False)
     def test_01_zone_subnet(self):