cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9480) Egress Firewall: Incorrect use of Allow/Deny for ICMP
Date Wed, 28 Sep 2016 09:46:21 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529099#comment-15529099
] 

ASF subversion and git services commented on CLOUDSTACK-9480:
-------------------------------------------------------------

Commit a43abbe47bb88bd6dd727e84a8aa2977fee114ee in cloudstack's branch refs/heads/4.9-bountycastle-daan
from [~muralireddy]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=a43abbe ]

fix egress rule incorrect behavior

CLOUDSTACK-9480: Egress Firewall: Incorrect use of Allow/Deny for ICMP

     fix ensures, ICMP, TCP, UDP are handled similalry w.r.t egress rule action

CLOUDSTACK-9495: Egress rules functionalty broken when protocol=all specified

     when protocol=all specified, CIDR was ignored. Fix ensures if CIDR is specified
     its always used in configuring iptable rules

 2 new test cased to test /32 CIDR


> Egress Firewall: Incorrect use of Allow/Deny for ICMP
> -----------------------------------------------------
>
>                 Key: CLOUDSTACK-9480
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9480
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>            Assignee: Murali Reddy
>            Priority: Critical
>             Fix For: 4.10.0.0, 4.9.1.0, 4.8.2.0
>
>
> When 'default egress policy' is set to 'allow' in the network offering, any egress rule
that is added will 'deny' the traffic overriding the default behaviour. 
> Conversely, when 'default egress policy' is set to 'deny' in the network offering, any
egress rule that is added will 'allow' the traffic overriding the default behaviour. 
> While this works for 'tcp', 'udp' as expected, for 'icmp' protocol its always set to
ALLOW.
> Egress firewall rule behaviour should be consistent for all the protocols.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message