Chandan Purushothama created CLOUDSTACK-3129:
------------------------------------------------
Summary: NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
Key: CLOUDSTACK-3129
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.2.0
Reporter: Chandan Purushothama
Priority: Critical
Fix For: 4.2.0
======================
On The VPC Virtual Router:
======================
root@r-3-NTIERAGN:~# iptables-save | grep ACL
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
root@r-3-NTIERAGN:~#
========================
Network Information of eth3 NIC:
========================
mysql> select * from networks where id=208 \G
*************************** 1. row ***************************
id: 208
name: Atoms-VPC-Net-2
uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
display_text: Atoms-VPC-Net-2
traffic_type: Guest
broadcast_domain_type: Vlan
broadcast_uri: vlan://2580
gateway: 192.168.11.1
cidr: 192.168.11.0/24
mode: Dhcp
network_offering_id: 12
physical_network_id: 200
data_center_id: 1
guru_name: ExternalGuestNetworkGuru
state: Implemented
related: 208
domain_id: 1
account_id: 3
dns1: NULL
dns2: NULL
guru_data: NULL
set_fields: 0
acl_type: Account
network_domain: atomsvpcnet1.lab.vmops.com
reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
guest_type: Isolated
restart_required: 0
created: 2013-06-21 21:24:45
removed: NULL
specify_ip_ranges: 0
vpc_id: 1
ip6_gateway: NULL
ip6_cidr: NULL
network_cidr: NULL
display_network: 1
network_acl_id: NULL
1 row in set (0.00 sec)
mysql>
==============================================================
As per the FS at
https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
==============================================================
ACL Deny Rules
Currently only ACL allow rules are supported as part of Network ACLs. Default
is to block all incoming and all outgoing traffic between tiers and between
tiers and various gateways (including Public). ACL deny rules will be
supported through this feature. New fields "number" and "action" will be added
to rules to resolve conflicting rules.
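Added here as an audit example; it is not code from the report or from CloudStack. It parses an iptables-save dump (the sample is constructed from the ACL lines quoted above, re-joined onto single lines) and reports every ACL_INBOUND_*/ACL_OUTBOUND_* chain whose fall-through action is anything other than DROP, the default the FS specifies. The chain-name pattern is taken from the router output above; the function names are my own.

```python
"""Audit a VPC router's iptables-save output for network ACL chains whose
default (fall-through) action is not DROP.

Added example, not CloudStack code. SAMPLE_DUMP is constructed from the
rules quoted in the report.
"""
import re
from typing import Dict, List

# Constructed sample: the ACL-related lines from the report, re-joined.
SAMPLE_DUMP = """\
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""

# Chain naming as seen on the router: ACL_<direction>_<interface>.
ACL_CHAIN = re.compile(r"^ACL_(INBOUND|OUTBOUND)_\S+$")


def parse_chains(dump: str) -> Dict[str, List[List[str]]]:
    """Map each ACL chain declared in the dump to its rules, in order.

    Each rule is kept as the token list following '-A <chain>', so that
    match options and the jump target can be inspected later.
    """
    chains: Dict[str, List[List[str]]] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            # Chain declaration: ":NAME POLICY [packets:bytes]"
            name = line[1:].split()[0]
            if ACL_CHAIN.match(name):
                chains.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = line.split()
            chain = tokens[1]
            if chain in chains:
                chains[chain].append(tokens[2:])
    return chains


def default_action(rules: List[List[str]]) -> str:
    """Effective fall-through of a user chain.

    Only a trailing unconditional rule ('-j TARGET' with no match options)
    sets the chain's default; otherwise unmatched traffic returns to the
    calling chain, reported here as RETURN.
    """
    if rules and len(rules[-1]) == 2 and rules[-1][0] == "-j":
        return rules[-1][1]
    return "RETURN"


def audit(dump: str) -> Dict[str, str]:
    """Return {chain: default_action} for every ACL chain not ending in DROP."""
    findings = {}
    for name, rules in parse_chains(dump).items():
        action = default_action(rules)
        if action != "DROP":
            findings[name] = action
    return findings


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; on a router one would
    # feed it the live 'iptables-save' output instead.
    for chain, action in sorted(audit(SAMPLE_DUMP).items()):
        print(f"{chain}: default action is {action}, FS requires DROP")
```

On the report's dump this flags ACL_OUTBOUND_eth2 and ACL_OUTBOUND_eth3 (both ACCEPT) and passes the two inbound chains, which is exactly the discrepancy the issue describes.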