Subject: Re: Review Request: Fixed SRX icmp firewall rule configuration issue
From: "Sheng Yang"
To: "Murali Reddy", "Abhinandan Prateek", "Sheng Yang"
Cc: "cloudstack", "Jayapal Reddy"
Mailing-List: dev@cloudstack.apache.org
Date: Tue, 21 May 2013 21:10:40 -0000
Message-ID: <20130521211040.13726.71071@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/11224/
In-Reply-To: <20130520190006.13726.88880@reviews.apache.org>
> On May 20, 2013, 7 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java, line 854
> >
> > I think it's wrong here. A firewall is only a firewall; it won't and shouldn't respond to ICMP or other requests, unless a port forwarding or static NAT rule is configured.
>
> Jayapal Reddy wrote:
>     In the firewall, when an ICMP rule is configured and there is no static NAT or PF:
>     - In this case the public interface IP will give the response.
>     Static NAT + firewall ICMP:
>     - In this case the VM will give the response.
>
>     This behaviour is also the same in the VR.

In the past, the VR didn't associate the IP address when applying firewall rules. But it's complex to deal with firewall rules differently from static NAT and port forwarding/load balancing rules, so we changed it to today's behavior. But it's still uncommon to have different entities respond to the same IP. We need to document this behavior.


> On May 20, 2013, 7 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java, line 845
> >
> > Why is ICMP's getSrcPortRange null (then needing the min/max default value)?
>
> Jayapal Reddy wrote:
>     For the ICMP protocol we are not passing the port range. We are only passing the ICMP type and code. So for the ICMP protocol we are getting getSrcPortRange() as null because there are no ports passed for ICMP.

Yes, it seems you also assume a TCP/UDP rule can have a null port range, in order to get all ports 0~65535 open.


- Sheng


-----------------------------------------------------------
This is an automatically generated e-mail.
To reply, visit: https://reviews.apache.org/r/11224/#review20784
-----------------------------------------------------------


On May 20, 2013, 5:55 a.m., Jayapal Reddy wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/11224/
> -----------------------------------------------------------
>
> (Updated May 20, 2013, 5:55 a.m.)
>
>
> Review request for cloudstack, Abhinandan Prateek, Sheng Yang, and Murali Reddy.
>
>
> Description
> -------
>
> 1. Updated to configure the firewall filter for the ICMP protocol
> 2. Proxy ARP is required for the ICMP response on the SRX public IP, so adding proxy ARP along with the firewall rules
>
>
> This addresses bug CLOUDSTACK-2386.
>
>
> Diffs
> -----
>
> plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java a429306
> plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java a0068c3
> server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java 4a90a77
> utils/src/com/cloud/utils/net/NetUtils.java 9551c26
>
> Diff: https://reviews.apache.org/r/11224/diff/
>
>
> Testing
> -------
>
> 1. Added an ICMP firewall rule and tested ping to the public IP from the public subnet
> 2. Tested configuring static NAT and PF
>
>
> Thanks,
>
> Jayapal Reddy
>
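The port-range convention argued over in the two review comments above, as an added example that is neither CloudStack's nor the SRX plugin's code: an ICMP rule carries type/code and no source port range, while a TCP/UDP rule with a null range is treated as 0~65535 (all ports open), and an audit helper flags that implicit wide-open case. The `FirewallRule` class, the `ANY = -1` type/code convention and the helper names are assumptions made for this example.

```python
# Added example (not CloudStack's own code): normalize firewall rules per the
# review thread's convention and flag TCP/UDP rules that open every port,
# whether explicitly or via a null (None) port range.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_PORT, MAX_PORT = 0, 65535
ANY = -1  # constructed convention for "any ICMP type/code"

@dataclass
class FirewallRule:
    protocol: str                                   # "tcp", "udp" or "icmp"
    src_port_range: Optional[Tuple[int, int]] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def normalize_rule(rule: FirewallRule) -> Dict[str, object]:
    """Return the concrete match a device filter would be built from."""
    proto = rule.protocol.lower()
    if proto == "icmp":
        if rule.src_port_range is not None:
            raise ValueError("ICMP rules carry type/code, not a port range")
        return {
            "protocol": "icmp",
            "icmp_type": ANY if rule.icmp_type is None else rule.icmp_type,
            "icmp_code": ANY if rule.icmp_code is None else rule.icmp_code,
            "all_ports": False,
        }
    if proto in ("tcp", "udp"):
        # A missing range is the thread's "null port range": default to the
        # full 0-65535 range rather than failing.
        lo, hi = rule.src_port_range or (MIN_PORT, MAX_PORT)
        if not (MIN_PORT <= lo <= hi <= MAX_PORT):
            raise ValueError(f"invalid port range {lo}-{hi}")
        return {"protocol": proto, "port_min": lo, "port_max": hi,
                "all_ports": (lo, hi) == (MIN_PORT, MAX_PORT)}
    raise ValueError(f"unsupported protocol {rule.protocol!r}")

def audit_wide_open(rules: List[FirewallRule]) -> List[str]:
    """List the TCP/UDP rules that (implicitly or explicitly) open every port."""
    findings = []
    for idx, rule in enumerate(rules):
        match = normalize_rule(rule)
        if match["all_ports"]:
            origin = "null range" if rule.src_port_range is None else "explicit"
            findings.append(f"rule[{idx}] {match['protocol']} 0-65535 ({origin})")
    return findings
```

Run `audit_wide_open` over a rule set before pushing it to the device; a rule reported as "null range" is one where the all-ports behaviour came from a missing value rather than an operator's choice.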