From: "Murali Reddy (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Date: Fri, 9 Sep 2016 09:20:20 +0000 (UTC)
Subject: [jira] [Created] (CLOUDSTACK-9495) Egress rules functionality broken when protocol=all specified from 4.6

Murali Reddy created CLOUDSTACK-9495:
----------------------------------------

             Summary: Egress rules functionality broken when protocol=all specified from 4.6
                 Key: CLOUDSTACK-9495
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9495
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
    Affects Versions: 4.9.0, 4.8.0, 4.7.1, 4.6.2
            Reporter: Murali Reddy

Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class CsAcl, add_rule() has the below logic for handling protocol:

    if rule['protocol'] != "all":
        fwr += " -s %s " % cidr + \
               " -p %s " % rule['protocol'] + \
               " -m %s " % rule['protocol'] + \
               " --dport %s" % rnge

There is no else block to handle the case when protocol is 'all', in which case the CIDR never gets passed to the iptables command, hence resulting in an accept-all rule in the FW_EGRESS_RULES chain.

To reproduce the issue, just give any CIDR in the guest subnet, e.g. 10.1.1.27/31, and protocol all, and see the result in FW_EGRESS_RULES of the filter table: you will see an accept-all rule.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
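The following is an added illustration of the defect this report describes; it is not code from the report, nor CloudStack's own configure.py. It is a reduced model of how an egress rule gets rendered into an iptables command, with the reported logic (CIDR emitted only inside the `protocol != "all"` branch) beside a corrected version that always emits the `-s` match, plus a small check that scans `iptables -S FW_EGRESS_RULES` output for ACCEPT rules that carry no source match. The function names, the rule dictionary layout and the sample `iptables -S` output are assumptions made for this example.

```python
# Added example for CLOUDSTACK-9495: NOT the project's configure.py.
# The rule dict layout, helper names and sample iptables output below are
# assumptions made for illustration.
CHAIN = "FW_EGRESS_RULES"


def _port_range(rule):
    """Return the --dport argument ("first:last", or a single port), or None."""
    first, last = rule.get("first_port"), rule.get("last_port")
    if first is None:
        return None
    return "%s:%s" % (first, last) if last and last != first else str(first)


def render_egress_rule_buggy(cidr, rule):
    """Mirrors the reported logic: the source CIDR is only appended inside the
    protocol != 'all' branch, so protocol=all collapses to an unrestricted
    ACCEPT (or whatever the action is) for every source."""
    fwr = "-A %s" % CHAIN
    if rule["protocol"] != "all":
        fwr += " -s %s -p %s -m %s --dport %s" % (
            cidr, rule["protocol"], rule["protocol"], _port_range(rule))
    fwr += " -j %s" % rule["action"]
    return fwr


def render_egress_rule_fixed(cidr, rule):
    """Always constrain on the source CIDR; add the protocol and port match
    only when a specific protocol (and a port range) is given."""
    fwr = "-A %s -s %s" % (CHAIN, cidr)
    if rule["protocol"] != "all":
        fwr += " -p %s" % rule["protocol"]
        rnge = _port_range(rule)
        if rnge is not None:
            fwr += " -m %s --dport %s" % (rule["protocol"], rnge)
    fwr += " -j %s" % rule["action"]
    return fwr


def rule_is_source_restricted(iptables_rule):
    """True when the rendered rule carries a '-s' source match."""
    return " -s " in iptables_rule


def find_unrestricted_accepts(iptables_s_output, chain=CHAIN):
    """Scan `iptables -S <chain>` output and return the ACCEPT rules in that
    chain that have no source match at all, i.e. the symptom the report
    describes (an accept-all rule in FW_EGRESS_RULES)."""
    hits = []
    for line in iptables_s_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "-A" or parts[1] != chain:
            continue
        if "-j" not in parts:
            continue
        j = parts.index("-j")
        if j + 1 < len(parts) and parts[j + 1] == "ACCEPT" and "-s" not in parts:
            hits.append(line)
    return hits


# Constructed sample rules (assumed layout, not the report's environment).
ALL_PROTO = {"protocol": "all", "action": "ACCEPT"}
TCP_RULE = {"protocol": "tcp", "first_port": 80, "last_port": 80,
            "action": "ACCEPT"}

# Constructed `iptables -S FW_EGRESS_RULES` output showing the symptom.
SAMPLE_IPTABLES_S = """\
-N FW_EGRESS_RULES
-A FW_EGRESS_RULES -s 10.1.1.27/31 -p tcp -m tcp --dport 80 -j ACCEPT
-A FW_EGRESS_RULES -j ACCEPT
-A FW_EGRESS_RULES -j DROP
"""

if __name__ == "__main__":
    cidr = "10.1.1.27/31"
    for name, fn in (("buggy", render_egress_rule_buggy),
                     ("fixed", render_egress_rule_fixed)):
        for r in (ALL_PROTO, TCP_RULE):
            line = fn(cidr, r)
            print("%-5s %-70s source-restricted=%s"
                  % (name, line, rule_is_source_restricted(line)))
    print("unrestricted ACCEPTs:", find_unrestricted_accepts(SAMPLE_IPTABLES_S))
```

Running the block prints the rendered rules for both versions; the buggy renderer turns the protocol=all rule into `-A FW_EGRESS_RULES -j ACCEPT`, while the fixed one keeps `-s 10.1.1.27/31`. The `find_unrestricted_accepts` check is what you would run against a live router's `iptables -S FW_EGRESS_RULES` output to confirm whether an affected version has produced such a rule.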