3 definitely seems to make the most sense.

________________________________
From: Rafael Weingärtner <rafaelweingart...@gmail.com>
Sent: Monday, November 13, 2017 12:02 PM
To: dev@cloudstack.apache.org
Cc: u...@cloudstack.apache.org
Subject: Re: POLL: ACL default egress policy rule in VPC

3

On Mon, Nov 13, 2017 at 3:51 PM, Daan Hoogland <daan.hoogl...@gmail.com>
wrote:

> 3 of course ;)
>
> On Mon, Nov 13, 2017 at 6:47 PM, Rene Moser <m...@renemoser.net> wrote:
>
> > Hi Devs
> >
> > The last days I fought with the ACL egress rule behaviour and I would
> > like to make a poll in which direction the fix should go.
> >
> > Short Version:
> >
> > We need to define a better default behaviour for acl default egress
> > rule. I see 3 different options:
> >
> > 1. always add a default deny all egress rule.
> >
> > This would be super easy to do (should probably also be the intermediate
> > fix for 4.9, see https://github.com/apache/cloudstack/pull/2323)
> >
> >
> > 2. add a deny all egress rule in case we have at least one egress allow
> > rule.
> >
> > A bit opaque to the user, but doable. This seems to be the
> > behaviour as it was designed and should have been implemented.
> >
> >
> > 3. use the default setting in the network offering "egressdefaultpolicy"
> > to specify the default behavior.
> >
> > There is already a setting which specifies this behaviour but is not
> > used in VPC. Why not use it?
> >
> > As a consequence, when using this setting the user should get more
> > information about the policy of the network offering while choosing it for the tier.
> >
> >
> > Poll:
> >
> > 1. []
> > 2. []
> > 3. []
> > 4. [] Other? What?
> >
> >
> > Long Version:
> >
> > First, let's have a look at the issue:
> >
> > In version 4.5, creating a new acl with no egress (ACL_OUTBOUND) rule
> > would result in an "accept egress all":
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -j ACCEPT
> >
> > When an egress rule (here "deny 25 egress"; no matter if deny or allow)
> > gets added, the result is a "deny all" appended:
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
> > -A ACL_OUTBOUND_eth2 -j DROP
> >
> > This does not make any sense and is a bug IMHO.
> >
> >
> > In 4.9 the behaviour is different:
> >
> > (note there is a bug in the ordering of egress rules which is fixed by
> > https://github.com/apache/cloudstack/pull/2313)
> >
> > The default policy is kept accept egress all.
> >
> > -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state
> > NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
> >
> >
> > To me it looks like the wanted behavior was "egress all as default. If
> > we have allow rules, append deny all". This would make sense but is
> > quite opaque.
> >
> > But let's poll
> >
> >
> >
>
>
> --
> Daan
>



--
Rafael Weingärtner

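Added example, not part of the thread and not CloudStack's own virtual-router code: a small Python model of how the ACL_OUTBOUND chain ends up under the 4.5 and 4.9 behaviours and under the three poll options, plus a first-match evaluator so the effect on a concrete packet can be checked rather than read off the rule list. It reuses the chain name and the multicast ACCEPT lines quoted above. Everything else is an assumption made for the example: ACL rules are modelled as (action, proto, dport) tuples, a packet that matches nothing in the chain is taken to return to PREROUTING with an ACCEPT policy, and only the -p/-m/--dport/-d/-j options are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CHAIN = "ACL_OUTBOUND_eth2"  # chain name as quoted in the thread

# Multicast accepts the 4.9 router emits first (quoted in the thread).
MULTICAST_ACCEPT = [
    f"-A {CHAIN} -d 224.0.0.18/32 -j ACCEPT",
    f"-A {CHAIN} -d 225.0.0.50/32 -j ACCEPT",
]


@dataclass(frozen=True)
class Packet:
    """Constructed packet for the model: protocol, IPv4 destination, port."""
    proto: str
    dst: str
    dport: Optional[int] = None


def build_chain(rules, option, egressdefaultpolicy=True):
    """Return the iptables lines for the egress chain under one behaviour.

    rules: list of (action, proto, dport) tuples, action "allow" or "deny"
           (assumed representation, not the CloudStack ACL model).
    option:
      "4.5"  ACCEPT-all while the ACL is empty; once any rule exists a
             terminal DROP is appended (the behaviour the thread calls a bug)
      "4.9"  no terminal rule: unmatched traffic falls through (accept)
      1      always append a terminal DROP
      2      append a terminal DROP only if at least one allow rule exists
      3      terminal rule follows the offering's egressdefaultpolicy
    """
    lines = list(MULTICAST_ACCEPT) if option == "4.9" else []
    for action, proto, dport in rules:
        target = "ACCEPT" if action == "allow" else "DROP"
        lines.append(f"-A {CHAIN} -p {proto} -m {proto} --dport {dport} -j {target}")
    if option == "4.5":
        lines.append(f"-A {CHAIN} -j {'DROP' if rules else 'ACCEPT'}")
    elif option == "4.9":
        pass
    elif option == 1:
        lines.append(f"-A {CHAIN} -j DROP")
    elif option == 2:
        if any(action == "allow" for action, _, _ in rules):
            lines.append(f"-A {CHAIN} -j DROP")
    elif option == 3:
        lines.append(f"-A {CHAIN} -j {'ACCEPT' if egressdefaultpolicy else 'DROP'}")
    else:
        raise ValueError(f"unknown option {option!r}")
    return lines


def parse_rule(line):
    """Tokenise one '-A CHAIN ... -j TARGET' line into the matches we model."""
    rule = {"chain": None, "proto": None, "dport": None, "dst": None, "target": None}
    toks = line.split()
    for i in range(0, len(toks), 2):
        flag, arg = toks[i], toks[i + 1]
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "--dport":
            rule["dport"] = int(arg)
        elif flag == "-d":
            rule["dst"] = ip_network(arg)
        elif flag == "-j":
            rule["target"] = arg
        elif flag != "-m":  # "-m tcp" only loads the match module
            raise ValueError(f"unsupported token {flag!r} in {line!r}")
    return rule


def verdict(chain_lines, pkt, fallthrough="ACCEPT"):
    """First matching rule wins, as in iptables; no match returns to the
    calling chain, whose policy is assumed ACCEPT here."""
    for line in chain_lines:
        r = parse_rule(line)
        if r["proto"] is not None and r["proto"] != pkt.proto:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if r["dst"] is not None and ip_address(pkt.dst) not in r["dst"]:
            continue
        return r["target"]
    return fallthrough


def compare_options(rules, pkt):
    """Verdict for one packet under every behaviour, keyed by a label."""
    cases = {"4.5": ("4.5", True), "4.9": ("4.9", True), "1": (1, True),
             "2": (2, True), "3/accept": (3, True), "3/deny": (3, False)}
    return {label: verdict(build_chain(rules, opt, policy), pkt)
            for label, (opt, policy) in cases.items()}


if __name__ == "__main__":
    # The situation from the thread: the user only denies SMTP, then an
    # instance tries to reach a web server (constructed address).
    http = Packet("tcp", "192.0.2.10", 80)
    for label, v in compare_options([("deny", "tcp", 25)], http).items():
        print(f"{label:>9}: HTTP egress -> {v}")
```

Running it reproduces the 4.5 complaint (a single deny rule turns into "drop everything") and makes option 2's opacity visible: with only deny rules HTTP passes, but the moment one allow rule is added, every other port is dropped. Option 3 is the only variant whose outcome is readable from the network offering alone.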