RodrigoDLopez opened a new pull request, #7081:
URL: https://github.com/apache/cloudstack/pull/7081
### Description
When a guest network is created, ACS allows the configuration of the
firewall and port forwarding, load balancing, and VPN rules for all IPs
associated with the network (including the source NAT). However, when creating
a VPC, firewall configurations are possible only via ACLs; port forwarding and
load balancing rules are only possible for other public IPs assigned to the
network. Thus, situations, where it is necessary to combine firewall rules and
port forwarding/load balancing in VPCs, are not possible.
To work around the situation, this PR implements an extension to allow the
definition of source CIDR when creating port forwarding rules. If the
`cidrlist` parameter is not provided, the current behavior is maintained. This
attribute will only be used when creating port forwarding rules in VPCs, since
in guest networks it is possible to combine firewall and port forwarding/load
balancing rules directly on the public IPs allocated to that network.
```
(scc) > create portforwardingrule protocol=tcp privateport=22 publicport=22 openfirewall=false vmguestip=10.1.1.248 virtualmachineid=334d4279-a0e6-4c0a-a999-37aabda08acd ipaddressid=5cca136d-5425-44fa-b6af-aafc29df269e networkid=b61abc91-ee24-4578-bae6-fa2d06cf9370 cidrlist=192.168.200.170/32
{
"portforwardingrule": {
"cidrlist": "192.168.200.170/32",
"fordisplay": true,
"id": "210bab98-91f3-4911-8680-5189387a7135",
"ipaddress": "172.16.200.51",
"ipaddressid": "5cca136d-5425-44fa-b6af-aafc29df269e",
"networkid": "b61abc91-ee24-4578-bae6-fa2d06cf9370",
"privateendport": "22",
"privateport": "22",
"protocol": "tcp",
"publicendport": "22",
"publicport": "22",
"state": "Active",
"tags": [],
"virtualmachinedisplayname": "pf-01",
"virtualmachineid": "334d4279-a0e6-4c0a-a999-37aabda08acd",
"virtualmachinename": "pf-01",
"vmguestip": "10.1.1.248"
}
}
```
Furthermore, it was observed that when removing a port forwarding rule, even
if the ACS confirmed the removal of said rule, it remained active in the VR.
This behavior has changed so that the rule is removed properly.
### Types of changes
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
#### Feature/Enhancement Scale
- [ ] Major
- [x] Minor
### How Has This Been Tested?
For testing purposes, I created a VPC: `vpc-01` and a Tier:
`vpc-01-tier-01`. Using this tier, three instances `PF01`, `PF02` and `PF03` were
created, and the port forward and ACL rules described below were created.
**Firewall Rules Applied (ACL)**
| Origin | Start Port | End Port | Protocol |
|-------------------|------------|----------|-------------|
| 0.0.0.0/0 | 22 | 22 | TCP (Allow) |
| 172.16.200.170/32 | 23 | 23 | TCP (Allow) |
| 172.16.200.170/32 | 24 | 24 | TCP (Allow) |
| 0.0.0.0/0 | ----- | ----- | ALL (Deny) |
**Port forward rules**
| Private port | Public port | Protocol | Source CIDR | VM |
|--------------|-------------|----------|-------------|------|
| 22 - 22 | 22 - 22 | TCP | --- | PF01 |
| 22 - 22 | 23 - 23 | TCP | --- | PF02 |
| 22 - 22 | 24 - 24 | TCP | --- | PF03 |
This way, after applying the ACL rule that authorizes access to port `22`
from any IP (`0.0.0.0/0`), access to the other instances (`PF02` and `PF03`) turns
out to be exposed. After applying the port forward rule limiting access to a
list of CIDRs, the observed result was that access to the resources/services of
instances `PF02` and `PF03` was limited to the CIDR provided when creating the
port forward rule.
**Port forward rules**
| Private port | Public port | Protocol | Source CIDR | VM |
|--------------|-------------|----------|-------------------|----|
| 22 - 22 | 22 - 22 | TCP | --- | A |
| 22 - 22 | 23 - 23 | TCP | 172.16.200.170/32 | B |
| 22 - 22 | 24 - 24 | TCP | 172.16.200.170/32 | C |
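As an added illustration (not code from this PR or from CloudStack), a small Python model of the packet path the test above implies: the port forwarding (DNAT) rule is matched on the public port, the new `cidrlist` is checked on that DNAT rule, and the tier ACL is evaluated afterwards on the translated private port. The evaluation order is a modelling assumption, and the rule data is constructed to mirror the tables in the test section.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PFRule:
    """Port forwarding rule; cidrlist is the optional source CIDR added by the PR."""
    public_port: int
    private_port: int
    vm: str
    cidrlist: Optional[str] = None

@dataclass
class ACLRule:
    """Tier ACL entry; start_port/end_port None means all ports."""
    cidr: str
    start_port: Optional[int]
    end_port: Optional[int]
    action: str  # "allow" or "deny"

def reachable(src_ip, public_port, pf_rules, acl):
    """Return the VM a packet from src_ip to the public port reaches, or None."""
    src = ipaddress.ip_address(src_ip)
    for pf in pf_rules:
        if pf.public_port != public_port:
            continue
        # Assumption: the DNAT rule carries the source restriction, so a source
        # outside cidrlist never matches it (the PR's new behaviour).
        if pf.cidrlist and src not in ipaddress.ip_network(pf.cidrlist):
            return None
        # Assumption: the ACL is evaluated after DNAT on the private port, which is
        # why an "allow 22 from anywhere" entry also covers PF02 and PF03.
        for rule in acl:  # first matching entry wins
            if src not in ipaddress.ip_network(rule.cidr):
                continue
            if rule.start_port is not None and not (rule.start_port <= pf.private_port <= rule.end_port):
                continue
            return pf.vm if rule.action == "allow" else None
        return None  # no ACL entry matched
    return None  # no port forwarding rule on that public port

# Constructed data mirroring the tables in the PR's test section.
ACL = [ACLRule("0.0.0.0/0", 22, 22, "allow"),
       ACLRule("172.16.200.170/32", 23, 23, "allow"),
       ACLRule("172.16.200.170/32", 24, 24, "allow"),
       ACLRule("0.0.0.0/0", None, None, "deny")]
BEFORE = [PFRule(22, 22, "PF01"), PFRule(23, 22, "PF02"), PFRule(24, 22, "PF03")]
AFTER = [PFRule(22, 22, "PF01"), PFRule(23, 22, "PF02", "172.16.200.170/32"),
         PFRule(24, 22, "PF03", "172.16.200.170/32")]
```

With `BEFORE`, an arbitrary source reaching public port 23 lands on `PF02` because the ACL only sees private port 22; with `AFTER`, the same packet is dropped at the DNAT rule.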
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]