From Nux! <...@li.nux.ro>
Subject Re: POLL: ACL default egress policy rule in VPC
Date Thu, 16 Nov 2017 10:14:03 GMT
4. I think Jayapal's reply deserves more attention.

See below.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Jayapal Uradi" <jayapal.uradi@accelerite.com>
> To: "dev" <dev@cloudstack.apache.org>
> Sent: Tuesday, 14 November, 2017 05:12:52
> Subject: Re: POLL: ACL default egress policy rule in VPC

> Hi Rene,
> 
> Please look at my inline comments.
> Let me add some context for the VPC egress/ingress rules behavior.
> 
> Pre-4.5 (subject to correction) the behavior of the VPC ACL is as follows.
> 
> 1. Default egress is ALLOW and ingress is DROP.
>    a. When a rule is added to egress then that particular rule's traffic is allowed
>       and the rest is blocked in egress.
>    b. When a rule is added to ingress then that particular rule's traffic is allowed
>       and the rest is blocked in egress.
> 
> After 4.5, the ACL lists and ACL items feature was introduced; there we have ‘default
> allow’ and ‘default deny’ ACLs. A user can also
> create a custom ACL. In the ACL feature we can add a mix of allow and deny rules, and
> the ordering of rules is maintained.
> 
> 1. When ‘default allow’ is selected while creating the VPC tier:
>    By default traffic is ALLOWED and rules can be added to ALLOW/DENY the traffic.
>    After adding the rules there will be an ACCEPT at the end.
> 2. When ‘default deny’ is selected while creating the VPC tier:
>    By default traffic is DENIED and rules can be added to DENY/ALLOW the traffic.
>    After adding the rules there will be a DROP at the end.
> 3. If no ACL is selected for the ACL, then the pre-4.5 behavior will be there.
> 4. With a custom ACL, default ingress is DROP and egress is ALLOW. The user can add
> allow/deny rules.
> 
> If you see behavior other than the above, then there is a bug.
> 
> Currently in VPC, egress behavior is controlled from the ACLs. If we include
> ‘egressdefaultpolicy’ then there will be confusion.
> 
> What I feel is that the current VPC ACLs are flexible enough to configure the
> required behavior.
> 
> Thanks,
> Jayapal
> 
> 
> 
> 
> 
>> On Nov 13, 2017, at 11:17 PM, Rene Moser <mail@renemoser.net> wrote:
>> 
>> Hi Devs
>> 
>> Over the last days I fought with the ACL egress rule behaviour and I would
>> like to make a poll on which direction the fix should go.
>> 
>> Short Version:
>> 
>> We need to define a better default behaviour for the ACL default egress
>> rule. I see 3 different options:
>> 
>> 1. always add a default deny all egress rule.
>> 
>> This would be super easy to do (should probably also be the intermediate
>> fix for 4.9, see https://github.com/apache/cloudstack/pull/2323)
>> 
>> 
>> 2. add a deny all egress rule in case we have at least one egress allow
>> rule.
>> 
>> A bit intransparent to the user, but doable. This seems to be the
>> behaviour how it was designed and should have been implemented.
>> 
> Currently we can configure the ACLs to get this behavior.
>> 
>> 3. use the default setting in the network offering "egressdefaultpolicy"
>> to specify the default behavior.
>> 
>> There is already a setting which specifies this behaviour but is not
>> used in VPC. Why not use it?
>> 
>> As a consequence, when using this setting the user should get more info
>> about the policy of the network offering while choosing it for the tier.
>> 
>> 
>> Poll:
>> 
>> 1. []
>> 2. []
>> 3. []
>> 4. [] Other? What?
>> 
>> 
>> Long Version:
>> 
>> First, let's have a look at the issue:
>> 
>> In version 4.5, creating a new ACL with no egress (ACL_OUTBOUND) rule
>> would result in an "accept egress all":
>> 
>> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
>> -A ACL_OUTBOUND_eth2 -j ACCEPT
>> 
>> When an egress (here deny 25 egress) rule (no matter if deny or allow)
>> gets added, the result is a "deny all" appended:
>> 
>> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
>> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
>> -A ACL_OUTBOUND_eth2 -j DROP
> This is seen because the default egress is drop and the user added a rule to deny port 25
> traffic.
> The user has the choice of adding allow/deny rules with a priority number.
>> 
>> This does not make any sense and is a bug IMHO.
>> 
>> 
>> In 4.9 the behaviour is different:
>> 
>> (note there is a bug in the ordering of egress rules which is fixed by
>> https://github.com/apache/cloudstack/pull/2313)
>> 
>> The default policy is kept accept egress all.
>> 
>> -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
>> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
>> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
>> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
> 
> In 4.9 it is a bug. After the accept rules there is supposed to be a DROP all at the end.
>> 
>> 
>> To me it looks like the wanted behavior was "egress all as default. If
>> we have allow rules, append deny all". This would make sense but is
>> quite intransparent.
>> 
>> But let's poll
>> 
>> 
> 
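To make the chain behaviour discussed above concrete, here is an added example (not CloudStack code, and not part of the thread): a toy evaluator that parses the three iptables rule sets quoted in the mails and walks them the way netfilter walks a chain, so you can see why the 4.5 "deny port 25" ACL ends up dropping every other port too, and why the 4.9 chain without a trailing DROP accepts everything. It assumes a simplified model: only the options that occur in the quoted rules (-A, -s, '! -d', -p, --dport, -j) are understood, -i/-m/--state are skipped by treating every packet as a NEW connection, the built-in PREROUTING chain is assumed to have policy ACCEPT, and the 198.51.100.10 destination used in the usage note is a constructed TEST-NET-2 address.

```python
"""Toy evaluator for the iptables ACL_OUTBOUND chains quoted in this thread.
Added example, not CloudStack code: it models only the options in the quoted
rules (-A, -s, '! -d', -p, --dport, -j), skips -i/-m/--state by treating every
packet as a NEW connection, and assumes PREROUTING's policy is ACCEPT."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False  # set when the rule reads '! -d ...'
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Parse iptables-save style '-A CHAIN ...' lines into ordered chains."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "-A":
            raise ValueError(f"only -A lines are supported: {line!r}")
        rule, negate, i = Rule(), False, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            if tok == "-s":
                rule.src = ipaddress.ip_network(tokens[i + 1])
            elif tok == "-d":
                rule.dst, rule.dst_negated = ipaddress.ip_network(tokens[i + 1]), negate
            elif tok == "-p":
                rule.proto = tokens[i + 1]
            elif tok == "--dport":
                rule.dport = int(tokens[i + 1])
            elif tok == "-j":
                rule.target = tokens[i + 1]
            elif tok not in ("-i", "-m", "--state"):  # interface/match modules are skipped
                raise ValueError(f"unsupported option {tok!r} in {line!r}")
            negate, i = False, i + 2
        chains.setdefault(tokens[1], []).append(rule)
    return chains


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = ipaddress.ip_address(pkt.dst) in rule.dst
        if in_dst == rule.dst_negated:  # '! -d' inverts the destination match
            return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(chains, chain: str, pkt: Packet, policy: Optional[str] = "ACCEPT") -> Optional[str]:
    """Walk a chain top to bottom: the first matching terminal target wins; a jump
    into a user chain falls back to the caller if nothing there matched; an
    exhausted built-in chain yields its policy (None for user chains)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        verdict = evaluate(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


# The three rule sets quoted in the thread, with the wrapped lines re-joined.
ACL_45_EMPTY = """
-A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
"""
ACL_45_DENY_25 = """
-A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
-A ACL_OUTBOUND_eth2 -j DROP
"""
ACL_49_ALLOW_80 = """
-A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
"""


def egress_verdict(rules_text: str, src: str, dst: str, dport: int) -> str:
    """Verdict for a new TCP flow from a tier VM (src) to dst:dport."""
    return evaluate(parse_rules(rules_text), "PREROUTING", Packet(src, dst, "tcp", dport))


def append_terminal(rules_text: str, chain: str, target: str) -> str:
    """Append the trailing catch-all rule that an ACL list is expected to end with."""
    return rules_text.rstrip("\n") + f"\n-A {chain} -j {target}\n"
```

Calling `egress_verdict(ACL_45_DENY_25, "10.10.0.5", "198.51.100.10", 443)` returns `DROP` even though only port 25 was denied, which is the surprise Rene reports for 4.5; the same call against `ACL_49_ALLOW_80` (with source `10.11.1.7`) returns `ACCEPT` because nothing in the chain matches and the walk falls through to the PREROUTING policy, which is the missing trailing DROP Jayapal points out. `append_terminal(ACL_49_ALLOW_80, "ACL_OUTBOUND_eth2", "DROP")` produces the chain shape he describes, and with it port 443 is dropped while port 80 and the 224.0.0.18 destination still pass. Traffic to the tier gateway (`10.10.0.1`) never enters the ACL chain at all because of the `! -d` exclusion on the jump rule.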
