Date: Tue, 15 Aug 2017 08:36:00 +0000 (UTC)
From: "Francois Scheurer (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [jira] [Updated] (CLOUDSTACK-10043) Egress Rule in VPC ACL broken

[ https://issues.apache.org/jira/browse/CLOUDSTACK-10043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francois Scheurer updated CLOUDSTACK-10043:
-------------------------------------------
    Description:

The Network Offering of the VPC Tier has a Default Egress Policy = Deny.
Some Allow Rules exist in the ACL, but _ALL_ egress connections are possible.
Creating an explicit Deny All rule at the end of the rules is actually blocking ALL traffic (it should not, because of the Allow rules).

The iptables in the VR are wrong:
1) the allow & deny rules are in the wrong order.
2) some rules are in the mangle table instead of filter.

Do you know how to fix this?
Thank you for your help.
Francois Scheurer

  was:

The Network Offering of the VPC Tier has a Default Egress Policy = Deny.
Some Allow Rules exist in the ACL, but _ALL_ egress connections are possible.
Creating an explicit Deny All rule at the end of the rules is actually blocking ALL traffic (it should not, because of the Allow rules).

The iptables in the VR are wrong:
1) the allow rules are in the wrong order.
2) some rules are in the mangle table instead of filter.

Do you know how to fix this?
Thank you for your help.
Francois Scheurer

> Egress Rule in VPC ACL broken
> ------------------------------
>
>                 Key: CLOUDSTACK-10043
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10043
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router, VPC
>    Affects Versions: 4.9.2.0
>         Environment: CS 4.9.2 with XenServer 6.5SP1
>            Reporter: Francois Scheurer
>            Priority: Blocker
>
> The Network Offering of the VPC Tier has a Default Egress Policy = Deny.
> Some Allow Rules exist in the ACL, but _ALL_ egress connections are possible.
> Creating an explicit Deny All rule at the end of the rules is actually blocking ALL traffic (it should not, because of the Allow rules).
> The iptables in the VR are wrong:
> 1) the allow & deny rules are in the wrong order.
> 2) some rules are in the mangle table instead of filter.
> Do you know how to fix this?
> Thank you for your help.
> Francois Scheurer

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
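The two symptoms in the report (every egress connection allowed despite a default-deny offering, and an explicit Deny All at the end blocking everything) are both what you get when a catch-all terminating rule sits in front of the specific rules, or when the ACL chain is evaluated in a table it was not meant for. The checker below is an added example, not code from the reporter or from the CloudStack project: it parses `iptables-save` output taken from a virtual router and flags ACL chains that live outside the `filter` table, rules that are unreachable because a catch-all `ACCEPT`/`DROP`/`REJECT` precedes them, and chains that do not end in a catch-all deny. The `ACL_` chain-name prefix, the expected table and the two sample dumps are assumptions constructed for the example; adjust the prefix to whatever chain names your VR actually uses.

```python
"""Sanity-check an iptables-save dump for ACL ordering and table problems.

Added example. Chain names (ACL_*), the expected table ('filter') and the
sample dumps below are constructed assumptions, not taken from a real
CloudStack virtual router. Run on a VR with:  iptables-save | python3 acl_check.py
"""
import re
import sys

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
COMMENT_RE = re.compile(r'-m comment --comment (?:"[^"]*"|\S+)')


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: [rule line, ...]}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                    # *filter, *mangle, ...
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):                  # :CHAIN POLICY [pkts:bytes]
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A "):                # -A CHAIN <matches> -j TARGET
            chain = line.split()[1]
            tables[table].setdefault(chain, []).append(line)
    return tables


def target_of(rule):
    """Return the -j target of a rule line, or None if it has none."""
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None


def is_catch_all(rule):
    """True when the rule carries no match criteria at all (a bare comment is
    not a match), so it fires for every packet reaching it."""
    rest = COMMENT_RE.sub("", rule)
    rest = re.sub(r"-A \S+", "", rest)
    rest = re.sub(r"-j \S+", "", rest)
    return rest.strip() == ""


def check_acl_chains(tables, acl_prefix="ACL_", expected_table="filter"):
    """Return human-readable findings; an empty list means the layout is sane
    for a default-deny ACL (specific rules first, catch-all DROP/REJECT last)."""
    findings = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            if not chain.startswith(acl_prefix):
                continue
            if table != expected_table:
                findings.append(f"{table}:{chain}: ACL chain is in table "
                                f"'{table}', expected '{expected_table}'")
            blocker = None
            for n, rule in enumerate(rules, start=1):
                if blocker is not None:
                    findings.append(f"{table}:{chain}: rule {n} is unreachable, "
                                    f"shadowed by catch-all rule {blocker}")
                    continue
                if target_of(rule) in TERMINATING and is_catch_all(rule):
                    blocker = n
            last = rules[-1] if rules else None
            if last is None or not (target_of(last) in {"DROP", "REJECT"}
                                    and is_catch_all(last)):
                findings.append(f"{table}:{chain}: chain does not end in a "
                                f"catch-all DROP/REJECT; traffic falls through "
                                f"to the calling chain's policy")
    return findings


# Constructed dump mirroring the report: deny placed before the allows, and
# the ACL chain hooked from the mangle table rather than filter.
BROKEN_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -i eth2 -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""

# Constructed dump with the intended layout: allows first, catch-all deny last,
# everything in the filter table.
FIXED_DUMP = """\
*filter
:FORWARD DROP [0:0]
:ACL_OUTBOUND_eth2 - [0:0]
-A FORWARD -i eth2 -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 443 -m comment --comment "web" -j ACCEPT
-A ACL_OUTBOUND_eth2 -p udp -m udp --dport 53 -j ACCEPT
-A ACL_OUTBOUND_eth2 -m comment --comment "default deny" -j DROP
COMMIT
"""


def findings_for(dump_text):
    return check_acl_chains(parse_iptables_save(dump_text))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_DUMP
    for f in findings_for(text):
        print(f)
```

The checker is deliberately strict about "catch-all": a rule such as `-d 0.0.0.0/0 -j DROP` still counts as a match and is not flagged, so review any finding-free chain by eye as well. Run against the broken dump it reports the mangle-table placement, two shadowed allow rules and the missing final deny; the fixed dump produces no findings.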