cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fabrice Brazier (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-9924) ACL egress rule doesn't take care of the rule number
Date Thu, 18 May 2017 14:35:04 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Fabrice Brazier updated CLOUDSTACK-9924:
----------------------------------------
    Description: 
Adding new egress rule in the ACL list is always added in the same order and does not take
into account the rule number. For instance, if we add the following rule from CloudStack GUI:

10	8.8.8.8/32	Allow	ICMP				-1	-1	Egress		
11	8.8.4.4/32	Allow	ICMP				-1	-1	Egress		
12	8.8.8.8/32	Deny	ICMP				-1	-1	Egress	

On the virtual router, we can see that the drop rule is before the accept rule:

root@r-72-VM:~# iptables -S -t mangle
....
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
.....

That means in this scenario, I won't be able to ping 8.8.8.8/32 because the drop rule is before
the accept rule.

  was:
Adding new egress rule in the ACL list is always added in the same order and does not take
into account the rule number. For instance, if we add the following rule from CloudStack GUI:

10	8.8.8.8/32	Allow	ICMP				-1	-1	Egress		
11	8.8.4.4/32	Allow	ICMP				-1	-1	Egress		
12	8.8.8.8/32	Deny	ICMP				-1	-1	Egress	

On the virtual router, we can see that the drop rule is on the top:

root@r-72-VM:~# iptables -S -t mangle
....
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
.....

That means in this scenario, I won't be able to ping 8.8.8.8/32 because the drop rule is before
the accept rule.


> ACL egress rule doesn't take care of the rule number
> ----------------------------------------------------
>
>                 Key: CLOUDSTACK-9924
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9924
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: VPC
>    Affects Versions: 4.9.2.0
>         Environment: ACS 4.9.2 with 4.6.0 system template 
>            Reporter: Fabrice Brazier
>            Priority: Critical
>             Fix For: 4.10.0.0, 4.9.3.0
>
>         Attachments: 2017-05-18_16-31-39.png, 2017-05-18_16-32-20.png
>
>
> Adding new egress rule in the ACL list is always added in the same order and does not
take into account the rule number. For instance, if we add the following rule from CloudStack
GUI:
> 10	8.8.8.8/32	Allow	ICMP				-1	-1	Egress		
> 11	8.8.4.4/32	Allow	ICMP				-1	-1	Egress		
> 12	8.8.8.8/32	Deny	ICMP				-1	-1	Egress	
> On the virtual router, we can see that the drop rule is before the accept rule:
> root@r-72-VM:~# iptables -S -t mangle
> ....
> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
> -A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> .....
> That means in this scenario, I won't be able to ping 8.8.8.8/32 because the drop rule
is before the accept rule.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message