3

On Mon, Nov 13, 2017 at 3:51 PM, Daan Hoogland <daan.hoogl...@gmail.com>
wrote:

> 3 of course ;)
>
> On Mon, Nov 13, 2017 at 6:47 PM, Rene Moser <m...@renemoser.net> wrote:
>
> > Hi Devs
> >
> > The last days I fought with the ACL egress rule behaviour and I would
> > like to make a poll in which direction the fix should go.
> >
> > Short Version:
> >
> > We need to define a better default behaviour for acl default egress
> > rule. I see 3 different options:
> >
> > 1. always add a default deny all egress rule.
> >
> > This would be super easy to do (should probably also the intermediate
> > fix for 4.9, see https://github.com/apache/cloudstack/pull/2323)
> >
> >
> > 2. add a deny all egress rule in case if have at least one egress allow
> > rule.
> >
> > A bit intransparent to the user, but doable. This seems to be the
> > behaviour how it was designed and should have been implemented.
> >
> >
> > 3. use the default setting in the network offering "egressdefaultpolicy"
> > to specify the default behavior.
> >
> > There is already a setting which specifies this behaviour but is not
> > used in VPC. Why not use it?
> >
> > As a consequence when using this setting, the user should get more infos
> > about the policy of the network offering while choosing it for the tier.
> >
> >
> > Poll:
> >
> > 1. []
> > 2. []
> > 3. []
> > 4. [] Other? What?
> >
> >
> > Long Version:
> >
> > First, let's have a look of the issue:
> >
> > In version 4.5, creating a new acl with no egress (ACL_OUTBOUND) rule
> > would result in a "accept egress all":
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -j ACCEPT
> >
> > When an egress (here deny 25 egress) rule (no mather if deny or allow)
> > gets added the result is a "deny all" appended:
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
> > -A ACL_OUTBOUND_eth2 -j DROP
> >
> > This does not make any sense and is a bug IMHO.
> >
> >
> > In 4.9 the behaviour is different:
> >
> > (note there is a bug in the ordering of egress rules which is fixed by
> > https://github.com/apache/cloudstack/pull/2313)
> >
> > The default policy is kept accept egress all.
> >
> > -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
> >
> >
> > To me it looks like the wanted behavior was "egress all as default. If
> > we have allow rules, append deny all". This would make sense but is
> > quite instransparent.
> >
> > But let's poll
> >
> >
> >
>
>
> --
> Daan
>



-- 
Rafael Weingärtner

Reply via email to