Date: Wed, 21 Sep 2016 09:26:20 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Subject: [jira] [Commented] (CLOUDSTACK-9495) Egress rules functionality broken when protocol=all specified
Content-Type: text/plain; charset=utf-8

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15509340#comment-15509340 ]

ASF subversion and git services commented on CLOUDSTACK-9495:
-------------------------------------------------------------

Commit cc043e9f8f834c4bc7dcf7a3a04fce63f2a8480d in cloudstack's branch refs/heads/4.9 from [~rajanik]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=cc043e9 ]

Merge pull request #1666 from murali-reddy/egress_rules

CLOUDSTACK-9480, CLOUDSTACK-9495 fix egress rule incorrect behavior

When 'default egress policy' is set to 'allow' in the network offering, any egress rule that is added will 'deny' the traffic, overriding the default behaviour. Conversely, when 'default egress policy' is set to 'deny' in the network offering, any egress rule that is added will 'allow' the traffic, overriding the default behaviour. While this works for 'tcp' and 'udp' as expected, for the 'icmp' protocol it's always set to ALLOW. This patch keeps all protocols' behaviour consistent.

Results of running test/integration/component/test_egress_fw_rules.py. Without the patch the test_02_egress_fr2 test was failing. This patch fixes the test_02_egress_fr2 scenario.

-----------------------------------------------------------------------------------------------------
Test By-default the communication from guest n/w to public n/w is NOT allowed. ... === TestName: test_01_1_egress_fr1 | Status : SUCCESS === ok
Test By-default the communication from guest n/w to public n/w is allowed. ... === TestName: test_01_egress_fr1 | Status : SUCCESS === ok
Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. ... === TestName: test_02_1_egress_fr2 | Status : SUCCESS === ok
Test Allow Communication using Egress rule with CIDR + Port Range + Protocol. ... === TestName: test_02_egress_fr2 | Status : SUCCESS === ok
Test Communication blocked with network that is other than specified ... === TestName: test_03_1_egress_fr3 | Status : SUCCESS === ok
Test Communication blocked with network that is other than specified ... === TestName: test_03_egress_fr3 | Status : SUCCESS === ok
Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: test_04_1_egress_fr4 | Status : SUCCESS === ok
Test Create Egress rule and check the Firewall_Rules DB table ... === TestName: test_04_egress_fr4 | Status : SUCCESS === ok
Test Create Egress rule and check the IP tables ... SKIP: Skip
Test Create Egress rule and check the IP tables ... SKIP: Skip
Test Create Egress rule without CIDR ... === TestName: test_06_1_egress_fr6 | Status : SUCCESS === ok
Test Create Egress rule without CIDR ... === TestName: test_06_egress_fr6 | Status : SUCCESS === ok
Test Create Egress rule without End Port ... === TestName: test_07_1_egress_fr7 | Status : EXCEPTION === ERROR
Test Create Egress rule without End Port ... === TestName: test_07_egress_fr7 | Status : SUCCESS === ok
Test Port Forwarding and Egress Conflict ... SKIP: Skip
Test Port Forwarding and Egress Conflict ... SKIP: Skip
Test Delete Egress rule ... === TestName: test_09_1_egress_fr9 | Status : SUCCESS === ok
Test Delete Egress rule ... === TestName: test_09_egress_fr9 | Status : SUCCESS === ok
Test Invalid CIDR and Invalid Port ranges ... === TestName: test_10_1_egress_fr10 | Status : SUCCESS === ok
Test Invalid CIDR and Invalid Port ranges ... === TestName: test_10_egress_fr10 | Status : SUCCESS === ok
Test Regression on Firewall + PF + LB + SNAT ... === TestName: test_11_1_egress_fr11 | Status : SUCCESS === ok
Test Regression on Firewall + PF + LB + SNAT ... === TestName: test_11_egress_fr11 | Status : SUCCESS === ok
Test Reboot Router ... === TestName: test_12_1_egress_fr12 | Status : SUCCESS === ok
Test Reboot Router ... === TestName: test_12_egress_fr12 | Status : EXCEPTION === ERROR
Test Redundant Router : Master failover ... === TestName: test_13_1_egress_fr13 | Status : SUCCESS === ok
Test Redundant Router : Master failover ... === TestName: test_13_egress_fr13 | Status : SUCCESS === ok
-----------------------------------------------------------------------------------------------------

* pr/1666: fix egress rule incorrect behavior

Signed-off-by: Rajani Karuturi

> Egress rules functionality broken when protocol=all specified
> ------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9495
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9495
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>            Assignee: Murali Reddy
>            Priority: Critical
>             Fix For: 4.10.0.0, 4.9.1.0, 4.8.2.0
>
>
> Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class CsAcl, add_rule() has the below logic for handling protocol:
> {code}
> if rule['protocol'] != "all":
>     fwr += " -s %s " % cidr + \
>            " -p %s " % rule['protocol'] + \
>            " -m %s " % rule['protocol'] + \
>            " --dport %s" % rnge
> {code}
> There is no else block to handle the case when protocol is 'all', in which case the CIDR never gets passed to the iptables command, hence resulting in an accept-all rule in the FW_EGRESS_RULES chain.
> To reproduce the issue just give any cidr in the guest subnet, e.g. 10.1.1.27/31, and protocol all and see the result in FW_EGRESS_RULES of the filter table: you will see an accept-all rule.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
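The two points raised in this thread, the `protocol=all` branch that drops the CIDR from the iptables command (quoted issue text) and the rule that an explicit egress entry inverts the network offering's default egress policy (commit message), as an added Python example that is not code from this message, from the issue reporter, or from the CloudStack code base. It reproduces the quoted control flow in `build_egress_rule_buggy`, places an illustrative corrected builder beside it (an assumption, not the project's actual patch), and adds an audit check over `iptables -S`-style output for the symptom the reporter describes. The rule dictionary keys (`cidr`, `protocol`, `startport`, `endport`, `icmptype`, `icmpcode`), the `-1` meaning "any" ICMP type/code, the function names and the sample chain listing are all assumed or constructed here; `FW_EGRESS_RULES` is the chain name from the issue.

```python
EGRESS_CHAIN = "FW_EGRESS_RULES"


def _target(default_egress_policy):
    """An explicit egress rule inverts the network offering's default egress
    policy: default 'allow' -> the added rule DROPs, default 'deny' -> ACCEPT."""
    return "DROP" if default_egress_policy == "allow" else "ACCEPT"


def _port_range(rule):
    """iptables takes start:end; a rule created without an end port is a
    single port (the 'startport'/'endport' keys are an assumed layout)."""
    start = rule["startport"]
    end = rule.get("endport") or start
    return "%s:%s" % (start, end) if end != start else str(start)


def build_egress_rule_buggy(rule, default_egress_policy="deny"):
    """Same control flow as the add_rule() fragment quoted in the issue:
    '-s <cidr>' is appended only inside the protocol-specific branch, so a
    rule with protocol 'all' produces a line with no match at all."""
    fwr = "-A %s" % EGRESS_CHAIN
    if rule["protocol"] != "all":
        fwr += " -s %s " % rule["cidr"] + \
               " -p %s " % rule["protocol"] + \
               " -m %s " % rule["protocol"] + \
               " --dport %s" % _port_range(rule)
    fwr += " -j %s" % _target(default_egress_policy)
    return " ".join(fwr.split())  # normalise the doubled spaces of the original


def build_egress_rule_fixed(rule, default_egress_policy="deny"):
    """Illustrative fix (an assumption, not the project's patch): the source
    CIDR is emitted before any protocol branch, so every protocol, 'all'
    included, stays scoped to the guest CIDR the rule was created for."""
    proto = rule["protocol"]
    fwr = "-A %s -s %s" % (EGRESS_CHAIN, rule["cidr"])
    if proto in ("tcp", "udp"):
        fwr += " -p %s -m %s --dport %s" % (proto, proto, _port_range(rule))
    elif proto == "icmp":
        # -1 for type/code meaning "any" is an assumed convention.
        itype, icode = rule.get("icmptype", -1), rule.get("icmpcode", -1)
        if itype == -1:
            sel = "any"
        elif icode == -1:
            sel = str(itype)
        else:
            sel = "%s/%s" % (itype, icode)
        fwr += " -p icmp -m icmp --icmp-type %s" % sel
    elif proto != "all":
        raise ValueError("unsupported protocol %r" % proto)
    return fwr + " -j %s" % _target(default_egress_policy)


def find_unscoped_accepts(iptables_s_lines, chain=EGRESS_CHAIN):
    """Audit check for the symptom the issue describes: every ACCEPT rule in
    `chain`, read from `iptables -S <chain>` style output, that carries no
    -s or -d match and therefore accepts all traffic."""
    hits = []
    for line in iptables_s_lines:
        parts = line.split()
        if parts[:2] != ["-A", chain] or "-j" not in parts:
            continue
        j = parts.index("-j")
        if j + 1 < len(parts) and parts[j + 1] == "ACCEPT" \
                and "-s" not in parts and "-d" not in parts:
            hits.append(line)
    return hits


# Constructed sample of `iptables -S FW_EGRESS_RULES` output on a router that
# received a tcp rule and a protocol=all rule for a guest CIDR (not real output).
SAMPLE_IPTABLES_S = [
    "-N FW_EGRESS_RULES",
    "-A FW_EGRESS_RULES -s 10.1.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A FW_EGRESS_RULES -j ACCEPT",
    "-A FW_EGRESS_RULES -j DROP",
]


if __name__ == "__main__":
    all_rule = {"cidr": "10.1.1.27/31", "protocol": "all"}
    print("buggy :", build_egress_rule_buggy(all_rule))
    print("fixed :", build_egress_rule_fixed(all_rule))
    print("fixed, offering default=allow:", build_egress_rule_fixed(all_rule, "allow"))
    print("unscoped ACCEPTs:", find_unscoped_accepts(SAMPLE_IPTABLES_S))
```

Run stand-alone, the buggy builder turns the reporter's `10.1.1.27/31` + `all` rule into `-A FW_EGRESS_RULES -j ACCEPT`, which `find_unscoped_accepts` flags, while the fixed builder keeps `-s 10.1.1.27/31` on the line and so is not flagged. The same audit function can be pointed at the real chain listing of a virtual router to confirm whether an accept-all entry is present after rules are applied.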