cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9480) Egress Firewall: Incorrect use of Allow/Deny for ICMP
Date Thu, 01 Sep 2016 06:22:20 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15454470#comment-15454470
] 

ASF GitHub Bot commented on CLOUDSTACK-9480:
--------------------------------------------

Github user murali-reddy commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1666#discussion_r77119259
  
    --- Diff: systemvm/patches/debian/config/opt/cloud/bin/configure.py ---
    @@ -145,40 +145,41 @@ def add_rule(self, cidr):
                 logging.debug("Current ACL IP direction is ==> %s", self.direction)
                 if self.direction == 'egress':
                     self.fw.append(["filter", "", " -A FW_OUTBOUND -j FW_EGRESS_RULES"])
    +                fwr = " -I FW_EGRESS_RULES"
    +
    +                #In case we have a default rule (accept all or drop all), we have to
evaluate the action again.
    +                if self.rule['cidr'] == ['0.0.0.0/0']:
    --- End diff --
    
    If-else block does exactly that logic. If rule has CIDR 0.0.0.0/0 then rule action is
set to that of default egress policy in the network offering. If rule has a CIDR other than
0.0.0.0/0 then reverse action (as that of default egress policy in the network offering) is
set for the rule


> Egress Firewall: Incorrect use of Allow/Deny for ICMP
> -----------------------------------------------------
>
>                 Key: CLOUDSTACK-9480
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9480
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>            Assignee: Murali Reddy
>             Fix For: 4.9.1
>
>
> When 'default egress policy' is set to 'allow' in the network offering, any egress rule
that is added will 'deny' the traffic overriding the default behaviour. 
> Conversely, when 'default egress policy' is set to 'deny' in the network offering, any
egress rule that is added will 'allow' the traffic overriding the default behaviour. 
> While this works for 'tcp', 'udp' as expected, for 'icmp' protocol its always set to
ALLOW.
> Egress firewall rule behaviour should be consistent for all the protocols.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message