cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kishan Kavala (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-2489) NTier: Incorrect Programming of Ingress Rules on the VPC VR
Date Wed, 15 May 2013 08:35:16 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13658170#comment-13658170
] 

Kishan Kavala commented on CLOUDSTACK-2489:
-------------------------------------------

Please provide more info on the ACL items added.
What are the ACL items added, what is their rule number?
Are they not showing up on the VR?
                
> NTier: Incorrect Programming of Ingress Rules on the VPC VR
> -----------------------------------------------------------
>
>                 Key: CLOUDSTACK-2489
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2489
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> ================
> Steps to Reproduce:
> ================
> 1. Create a VPC.
> 2. Create a Network Tier
> 3. Create an ACL rule on the Network Tier
> 4. Deploy a VM in the Network Tier
> ===========
> Observations:
> ===========
> ------------------------------------------------------------------------------------------------
> During the Creation of Ingress Rule on the Iptables of the VPC VR:
> ------------------------------------------------------------------------------------------------
> root@r-3-NTIER:~# iptables-save
> # Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
> *mangle
> :PREROUTING ACCEPT [8:512]
> :INPUT ACCEPT [8:512]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [6:840]
> :POSTROUTING ACCEPT [6:840]
> :ACL_OUTBOUND_eth2 - [0:0]
> :VPN_STATS_eth1 - [0:0]
> -A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
> -A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark
--nfmask 0xffffffff --ctmask 0xffffffff
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth2 -m state --state NEW -j
ACL_OUTBOUND_eth2
> -A FORWARD -j VPN_STATS_eth1
> -A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
> -A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
> COMMIT
> # Completed on Tue May 14 13:34:57 2013
> # Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [40:4688]
> :ACL_INBOUND_eth2 - [0:0]
> :NETWORK_STATS_eth1 - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
> -A FORWARD -j NETWORK_STATS_eth1
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j ACCEPT
> -A FORWARD -d 192.168.10.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A NETWORK_STATS_eth1 -s 192.168.0.0/16 -o eth1
> -A NETWORK_STATS_eth1 -d 192.168.0.0/16 -i eth1
> COMMIT
> # Completed on Tue May 14 13:34:57 2013
> # Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
> *nat
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth1 -j SNAT --to-source 10.223.136.132
> -A POSTROUTING -s 192.168.10.0/24 -o eth2 -j SNAT --to-source 192.168.10.1
> COMMIT
> # Completed on Tue May 14 13:34:57 2013
> ------------------------------------------------------------------------------------------------
> After the Creation of Ingress Rule on the Iptables of the VPC VR:
> ------------------------------------------------------------------------------------------------
> **Observe the duplicate ACL OUTBOUND Rules**
> **Observe the ACL_INBOUND Rules**
> root@r-3-NTIER:~# iptables-save
> # Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
> *mangle
> :PREROUTING ACCEPT [1395:225904]
> :INPUT ACCEPT [1395:225904]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1351:251228]
> :POSTROUTING ACCEPT [1351:251228]
> :ACL_OUTBOUND_eth2 - [0:0]
> :VPN_STATS_eth1 - [0:0]
> -A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
> -A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark
--nfmask 0xffffffff --ctmask 0xffffffff
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth2 -m state --state NEW -j
ACL_OUTBOUND_eth2
> -A FORWARD -j VPN_STATS_eth1
> -A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> -A ACL_OUTBOUND_eth2 -j DROP
> -A ACL_OUTBOUND_eth2 -j DROP
> -A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
> -A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
> COMMIT
> # Completed on Tue May 14 13:35:21 2013
> # Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [1361:252356]
> :ACL_INBOUND_eth2 - [0:0]
> :NETWORK_STATS_eth1 - [0:0]
> -A INPUT -d 224.0.0.18/32 -j ACCEPT
> -A INPUT -d 225.0.0.50/32 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j
ACCEPT
> -A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j
ACCEPT
> -A FORWARD -j NETWORK_STATS_eth1
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j ACCEPT
> -A FORWARD -d 192.168.10.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.195.44/32 -p tcp -m tcp --dport 22:23 -j ACCEPT
> -A ACL_INBOUND_eth2 -j DROP
> -A NETWORK_STATS_eth1 -s 192.168.0.0/16 -o eth1
> -A NETWORK_STATS_eth1 -d 192.168.0.0/16 -i eth1
> COMMIT
> # Completed on Tue May 14 13:35:21 2013
> # Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
> *nat
> :PREROUTING ACCEPT [80:4872]
> :INPUT ACCEPT [80:4872]
> :OUTPUT ACCEPT [1:76]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth1 -j SNAT --to-source 10.223.136.132
> -A POSTROUTING -s 192.168.10.0/24 -o eth2 -j SNAT --to-source 192.168.10.1
> COMMIT
> # Completed on Tue May 14 13:35:21 2013
> root@r-3-NTIER:~#

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message