3 of course ;)

On Mon, Nov 13, 2017 at 6:47 PM, Rene Moser <m...@renemoser.net> wrote:
> Hi Devs
>
> The last days I fought with the ACL egress rule behaviour and I would
> like to make a poll in which direction the fix should go.
>
> Short Version:
>
> We need to define a better default behaviour for the ACL default egress
> rule. I see 3 different options:
>
> 1. always add a default deny all egress rule.
>
> This would be super easy to do (should probably also be the intermediate
> fix for 4.9, see https://github.com/apache/cloudstack/pull/2323)
>
>
> 2. add a deny all egress rule in case we have at least one egress allow
> rule.
>
> A bit intransparent to the user, but doable. This seems to be the
> behaviour how it was designed and should have been implemented.
>
>
> 3. use the default setting in the network offering "egressdefaultpolicy"
> to specify the default behaviour.
>
> There is already a setting which specifies this behaviour but is not
> used in VPC. Why not use it?
>
> As a consequence when using this setting, the user should get more info
> about the policy of the network offering while choosing it for the tier.
>
>
> Poll:
>
> 1. []
> 2. []
> 3. []
> 4. [] Other? What?
>
>
> Long Version:
>
> First, let's have a look at the issue:
>
> In version 4.5, creating a new ACL with no egress (ACL_OUTBOUND) rule
> would result in an "accept egress all":
>
> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
>
> When an egress (here deny 25 egress) rule (no matter if deny or allow)
> gets added, the result is a "deny all" appended:
>
> -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
> -A ACL_OUTBOUND_eth2 -j DROP
>
> This does not make any sense and is a bug IMHO.
>
>
> In 4.9 the behaviour is different:
>
> (note there is a bug in the ordering of egress rules which is fixed by
> https://github.com/apache/cloudstack/pull/2313)
>
> The default policy is kept "accept egress all".
>
> -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
>
>
> To me it looks like the wanted behaviour was "egress all as default. If
> we have allow rules, append deny all". This would make sense but is
> quite intransparent.
>
> But let's poll

--
Daan
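To make the three polled defaults (and the 4.5 behaviour Rene quotes) comparable side by side, here is an added Python model; it is not CloudStack's own rule generator, and `EgressRule`, `build_acl_outbound`, `final_target` and `verdict` are names I chose. The rendered lines follow the iptables-save output quoted in the thread, and the "4.5" option reproduces the bug where a single deny rule ends the chain in deny all.

```python
# Added model, not CloudStack's own rule generator: renders ACL_OUTBOUND the way
# the quoted iptables-save lines show it and walks it for a NEW connection.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class EgressRule:
    action: str                  # "allow" -> ACCEPT, "deny" -> DROP
    proto: str = "all"           # "all", "tcp" or "udp"
    dport: Optional[int] = None  # single destination port (simplifying assumption)
    dst: Optional[str] = None    # destination, e.g. "224.0.0.18/32"

def rule_line(chain: str, r: EgressRule) -> str:
    """Render one rule in the iptables-save form quoted in the thread."""
    parts = [f"-A {chain}"]
    if r.dst:
        parts.append(f"-d {r.dst}")
    if r.proto != "all":
        parts.append(f"-p {r.proto} -m {r.proto}")
    if r.dport is not None:
        parts.append(f"--dport {r.dport}")
    parts.append("-j ACCEPT" if r.action == "allow" else "-j DROP")
    return " ".join(parts)

def final_target(rules: List[EgressRule], option, egress_default_policy="allow") -> str:
    """Terminating rule of the chain under each option from the poll."""
    if option == "4.5":   # observed 4.5 bug: any rule at all flips to deny all
        return "DROP" if rules else "ACCEPT"
    if option == 1:       # always append deny all
        return "DROP"
    if option == 2:       # deny all only once at least one allow rule exists
        return "DROP" if any(r.action == "allow" for r in rules) else "ACCEPT"
    if option == 3:       # follow the network offering's egressdefaultpolicy
        return "ACCEPT" if egress_default_policy == "allow" else "DROP"
    raise ValueError(f"unknown option {option!r}")

def build_acl_outbound(chain, rules, option, egress_default_policy="allow"):
    """Full chain: the user's rules in order, then the default target."""
    lines = [rule_line(chain, r) for r in rules]
    lines.append(f"-A {chain} -j {final_target(rules, option, egress_default_policy)}")
    return lines

def verdict(rules, option, proto, dport, dst=None, egress_default_policy="allow"):
    """First-match walk, as netfilter does, for one NEW connection."""
    for r in rules:
        if (r.proto in ("all", proto) and r.dport in (None, dport)
                and r.dst in (None, dst)):
            return "ACCEPT" if r.action == "allow" else "DROP"
    return final_target(rules, option, egress_default_policy)
```

With a lone "deny tcp/25" rule, `verdict(..., "4.5", "tcp", 80)` returns DROP (the 4.5 bug) while option 2 returns ACCEPT; with the 4.9 allow-list, option 2 drops port 443 and option 3 decides by `egressdefaultpolicy`.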