cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9480) Egress Firewall: Incorrect use of Allow/Deny for ICMP
Date Wed, 14 Sep 2016 11:56:20 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490245#comment-15490245
] 

ASF GitHub Bot commented on CLOUDSTACK-9480:
--------------------------------------------

Github user karuturi commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1666#discussion_r78733924
  
    --- Diff: systemvm/patches/debian/config/opt/cloud/bin/configure.py ---
    @@ -145,40 +145,41 @@ def add_rule(self, cidr):
                 logging.debug("Current ACL IP direction is ==> %s", self.direction)
                 if self.direction == 'egress':
                     self.fw.append(["filter", "", " -A FW_OUTBOUND -j FW_EGRESS_RULES"])
    +                fwr = " -I FW_EGRESS_RULES"
    +
    +                #In case we have a default rule (accept all or drop all), we have to
evaluate the action again.
    +                if rule['type'] == 'all' and not rule['source_cidr_list']:
    +                    fwr = " -A FW_EGRESS_RULES"
    +                    # For default egress ALLOW or DENY, the logic is inverted.
    +                    # Having default_egress_policy == True, means that the default rule
should have ACCEPT,
    +                    # otherwise DROP. The rule should be appended, not inserted.
    +                    if self.rule['default_egress_policy']:
    +                        self.rule['action'] = "ACCEPT"
    +                    else:
    +                        self.rule['action'] = "DROP"
    +                else:
    +                    # For other rules added, if default_egress_policy == True, following
rules should be DROP,
    +                    # otherwise ACCEPT
    +                    if self.rule['default_egress_policy']:
    +                        self.rule['action'] = "DROP"
    +                    else:
    +                        self.rule['action'] = "ACCEPT"
    +
                     if rule['protocol'] == "icmp":
                         self.fw.append(["filter", "front",
                                         " -A FW_EGRESS_RULES" +
                                         " -s %s " % cidr +
                                         " -p %s " % rule['protocol'] +
                                         " -m %s " % rule['protocol'] +
                                         " --icmp-type %s -j %s" % (icmp_type, self.rule['action'])])
    -                else:
    -                    fwr = " -I FW_EGRESS_RULES"
    -                    #In case we have a default rule (accept all or drop all), we have
to evaluate the action again.
    -                    if rule['type'] == 'all' and not rule['source_cidr_list']:
    -                        fwr = " -A FW_EGRESS_RULES"
    -                        # For default egress ALLOW or DENY, the logic is inverted.
    -                        # Having default_egress_policy == True, means that the default
rule should have ACCEPT,
    -                        # otherwise DROP. The rule should be appended, not inserted.
    -                        if self.rule['default_egress_policy']:
    -                            self.rule['action'] = "ACCEPT"
    -                        else:
    -                            self.rule['action'] = "DROP"
    -                    else:
    -                        # For other rules added, if default_egress_policy == True, following
rules should be DROP,
    -                        # otherwise ACCEPT
    -                        if self.rule['default_egress_policy']:
    -                            self.rule['action'] = "DROP"
    -                        else:
    -                            self.rule['action'] = "ACCEPT"
    -
    -                    if rule['protocol'] != "all":
    -                        fwr += " -s %s " % cidr + \
    -                               " -p %s " % rule['protocol'] + \
    -                               " -m %s " % rule['protocol'] + \
    -                               " --dport %s" % rnge
    -
    -                    self.fw.append(["filter", "", "%s -j %s" % (fwr, rule['action'])])
    +
    +                if rule['protocol'] != "all":
    --- End diff --
    
    This if should be if(protocol != all and protocol != icmp) to avoid executing again incase
of icmp


> Egress Firewall: Incorrect use of Allow/Deny for ICMP
> -----------------------------------------------------
>
>                 Key: CLOUDSTACK-9480
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9480
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>            Assignee: Murali Reddy
>             Fix For: 4.9.1.0
>
>
> When 'default egress policy' is set to 'allow' in the network offering, any egress rule
that is added will 'deny' the traffic overriding the default behaviour. 
> Conversely, when 'default egress policy' is set to 'deny' in the network offering, any
egress rule that is added will 'allow' the traffic overriding the default behaviour. 
> While this works for 'tcp', 'udp' as expected, for 'icmp' protocol its always set to
ALLOW.
> Egress firewall rule behaviour should be consistent for all the protocols.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message