cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sheng Yang" <sh...@yasker.org>
Subject Re: Review Request: Fixed SRX icmp firewall rule configuration issue
Date Tue, 21 May 2013 21:10:40 GMT


> On May 20, 2013, 7 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java,
line 854
> > <https://reviews.apache.org/r/11224/diff/2/?file=293966#file293966line854>
> >
> >     I think it's wrong here. Firewall is only firewall, it won't and shouldn't response
to the ICMP or other request, unless port forwarding or static nat rule configured.
> 
> Jayapal Reddy wrote:
>     In firewall when ICMP rule is configured and there is no static NAT or PF
>       - In this case public interface IP will give the response.
>     Static NAT + Firewall ICMP
>       - In this case VM will give the response.
>     
>     This behaviour is also same in VR

In the past, VR didn't associate IP address when apply firewall rules. But it's complex to
deal with firewall rules differently from static nat and port forwarding/load balancing rules,
so we change it to today's behavior. But it's still uncommon to have different entity response
to the same IP. We need document this behavior.


> On May 20, 2013, 7 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java,
line 845
> > <https://reviews.apache.org/r/11224/diff/2/?file=293966#file293966line845>
> >
> >     Why ICMP's getSrcPortRange is null(then need the min/max default value)?
> 
> Jayapal Reddy wrote:
>     For ICMP protocol we are not passing the port range. We are only passing the icml
type and code. So for ICMP protocol we are getting getSrcPortRange() as null because there
are ports passed for icml.

Yes, seems you also assume TCP/UDP port can have null port range, in order to get 0~65535
port all open.


- Sheng


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11224/#review20784
-----------------------------------------------------------


On May 20, 2013, 5:55 a.m., Jayapal Reddy wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/11224/
> -----------------------------------------------------------
> 
> (Updated May 20, 2013, 5:55 a.m.)
> 
> 
> Review request for cloudstack, Abhinandan Prateek, Sheng Yang, and Murali Reddy.
> 
> 
> Description
> -------
> 
> 1. Updated to configure the firewall filter for the icmp protocol
> 2. Proxy arp is required for icmp response on SRX public IP. So adding proxy arp along
with firewall rules
> 
> 
> This addresses bug CLOUDSTACK-2386.
> 
> 
> Diffs
> -----
> 
>   plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java
a429306 
>   plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java
a0068c3 
>   server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java 4a90a77 
>   utils/src/com/cloud/utils/net/NetUtils.java 9551c26 
> 
> Diff: https://reviews.apache.org/r/11224/diff/
> 
> 
> Testing
> -------
> 
> 1. Added icmp firewall rule and tested ping to public ip from the public subnet
> 2. Tested configuring Static NAT and PF
> 
> 
> Thanks,
> 
> Jayapal Reddy
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message