cloudstack-issues mailing list archives

From "John Burwell (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-9495) Egress rules functionality broken when protocol=all specified from 4.6
Date Thu, 15 Sep 2016 15:10:24 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Burwell updated CLOUDSTACK-9495:
-------------------------------------
    Description: 
Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class
CsAcl, add_rule() has the logic below for handling the protocol

{code}
if rule['protocol'] != "all":
   fwr += " -s %s " % cidr + \
   " -p %s " % rule['protocol'] + \
   " -m %s " % rule['protocol'] + \
   " --dport %s" % rnge
{code}

There is no else block to handle the case when the protocol is 'all', in which case the CIDR never gets
passed to the iptables command, hence resulting in an accept-all rule in the FW_EGRESS_RULES chain.

To reproduce the issue just give any CIDR in the guest subnet, e.g. 10.1.1.27/31, and protocol
all, and see the result in FW_EGRESS_RULES of the filter table: you will see an accept-all rule.

  was:
Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class
CsAcl, add_rule() has the logic below for handling the protocol
                    if rule['protocol'] != "all":
                         fwr += " -s %s " % cidr + \
                                " -p %s " % rule['protocol'] + \
                                " -m %s " % rule['protocol'] + \
                                " --dport %s" % rnge
there is no else block to handle the case when the protocol is 'all', in which case the CIDR never gets
passed to the iptables command, hence resulting in an accept-all rule in the FW_EGRESS_RULES chain.

To reproduce the issue just give any CIDR in the guest subnet, e.g. 10.1.1.27/31, and protocol
all, and see the result in FW_EGRESS_RULES of the filter table: you will see an accept-all rule.
 


> Egress rules functionality broken when protocol=all specified from 4.6
> ----------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9495
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9495
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>             Fix For: 4.10.0.0, 4.9.1.0
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
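An added example, not CloudStack's configure.py and not the patch that fixed this issue: a reduced model of the rule string that CsAcl.add_rule() builds, contrasting the quoted logic with a corrected builder that emits the source CIDR unconditionally, plus a check that tells a scoped rule from an accept-all one. The chain name FW_EGRESS_RULES and the 10.1.1.27/31 CIDR come from the report; the ACCEPT target, the function names and the shape of the rule dict are assumptions.

```python
# Added example, not CloudStack's configure.py: a reduced model of the
# egress rule string that CsAcl.add_rule() builds, as quoted in the report.
# Chain name and sample CIDR come from the report; the ACCEPT target, the
# function names and the rule dict shape are assumptions.


def build_egress_rule_buggy(rule, cidr, rnge, action="ACCEPT"):
    """Mirrors the quoted logic: '-s <cidr>' is appended only inside the
    protocol != 'all' branch, so an 'all' rule carries no source CIDR."""
    fwr = "-A FW_EGRESS_RULES"
    if rule['protocol'] != "all":
        fwr += " -s %s " % cidr + \
               " -p %s " % rule['protocol'] + \
               " -m %s " % rule['protocol'] + \
               " --dport %s" % rnge
    fwr += " -j %s" % action
    return " ".join(fwr.split())  # normalise the stray spaces


def build_egress_rule_fixed(rule, cidr, rnge, action="ACCEPT"):
    """Corrected builder: the source CIDR is always emitted; protocol,
    match module and port range only when a specific protocol is given."""
    parts = ["-A FW_EGRESS_RULES", "-s %s" % cidr]
    if rule['protocol'] != "all":
        parts += ["-p %s" % rule['protocol'],
                  "-m %s" % rule['protocol'],
                  "--dport %s" % rnge]
    parts.append("-j %s" % action)
    return " ".join(parts)


def rule_is_scoped(iptables_rule, cidr):
    """Check on a generated rule: without an '-s <cidr>' match an ACCEPT
    rule in FW_EGRESS_RULES matches every guest, i.e. it is accept-all."""
    tokens = iptables_rule.split()
    return any(tokens[i] == "-s" and tokens[i + 1] == cidr
               for i in range(len(tokens) - 1))


if __name__ == "__main__":
    # Reproduction case from the report: guest CIDR 10.1.1.27/31, protocol all.
    rule = {'protocol': 'all'}
    for build in (build_egress_rule_buggy, build_egress_rule_fixed):
        line = build(rule, '10.1.1.27/31', '')
        print("%-24s %s  scoped=%s" % (build.__name__, line,
                                      rule_is_scoped(line, '10.1.1.27/31')))
```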
