cloudstack-issues mailing list archives

From "Kishan Kavala (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (CLOUDSTACK-3129) NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
Date Tue, 02 Jul 2013 07:01:22 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kishan Kavala reassigned CLOUDSTACK-3129:
-----------------------------------------

    Assignee: Kishan Kavala
    
> NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3129
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> ======================
> On The VPC Virtual Router:
> ======================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> ========================
> Network Information of eth3 NIC:
> ========================
> mysql> select * from networks where id=208 \G
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 1 row in set (0.00 sec)
> mysql>
> ==============================================================
> As per the FS at https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
> ==============================================================
> ACL Deny Rules
> Currently only ACL allow rules are supported as part of Network ACLs. Default is to block all incoming and all outgoing traffic between tiers and between tiers and various gateways (including Public). ACL deny rules will be supported through this feature. New fields "number" and "action" will be added to rules to resolve conflicting rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
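The mismatch reported above (ACL_OUTBOUND_* chains ending in a bare `-j ACCEPT` while the design document calls for default deny) can be checked mechanically on a router. The following is an added example, not code from the JIRA issue or the CloudStack project: it parses `iptables-save` text, determines each `ACL_*` chain's effective default (the first rule with no match criteria), and lists the chains that are default-allow. The sample input is the excerpt quoted in the report, reconstructed inline.

```python
import re

# Constructed sample: the iptables-save excerpt quoted in the bug report.
SAMPLE_IPTABLES_SAVE = """\
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""

CHAIN_RE = re.compile(r"^:(?P<chain>\S+) ")                      # chain declaration
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<match>.*?) -j (?P<target>\S+)")  # appended rule


def acl_chain_defaults(dump, prefix="ACL_"):
    """Map each chain named with `prefix` to its effective default target.

    iptables evaluates a chain top-down, so the first rule with no match
    criteria is the catch-all every packet reaches. A user-defined chain
    with no catch-all falls back to the caller, recorded here as RETURN.
    """
    defaults = {}
    for line in dump.splitlines():
        line = line.strip()
        decl = CHAIN_RE.match(line)
        if decl and decl.group("chain").startswith(prefix):
            defaults.setdefault(decl.group("chain"), "RETURN")
            continue
        rule = RULE_RE.match(line)
        if rule and rule.group("chain").startswith(prefix) and not rule.group("match").strip():
            chain = rule.group("chain")
            if defaults.get(chain, "RETURN") == "RETURN":  # first catch-all wins
                defaults[chain] = rule.group("target")
    return defaults


def default_allow_chains(dump, prefix="ACL_"):
    """Chains whose catch-all is ACCEPT, i.e. default-allow contrary to the FS."""
    return sorted(c for c, t in acl_chain_defaults(dump, prefix).items() if t == "ACCEPT")


if __name__ == "__main__":
    print("default-allow ACL chains:", default_allow_chains(SAMPLE_IPTABLES_SAVE))
```

On a live router the same functions can be fed the output of `iptables-save` directly; an empty result list after the fix means every ACL chain ends in an explicit deny or returns to the caller.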
