[
https://issues.apache.org/jira/browse/CLOUDSTACK-3129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chandan Purushothama closed CLOUDSTACK-3129.
--------------------------------------------
Closing the bug based on Kishan's comment
> NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3129
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Reporter: Chandan Purushothama
> Assignee: Kishan Kavala
> Priority: Critical
> Fix For: 4.2.0
>
>
> ======================
> On The VPC Virtual Router:
> ======================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> ========================
> Network Information of eth3 NIC:
> ========================
> mysql> select * from networks where id=208 \G
> *************************** 1. row ***************************
> id: 208
> name: Atoms-VPC-Net-2
> uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
> display_text: Atoms-VPC-Net-2
> traffic_type: Guest
> broadcast_domain_type: Vlan
> broadcast_uri: vlan://2580
> gateway: 192.168.11.1
> cidr: 192.168.11.0/24
> mode: Dhcp
> network_offering_id: 12
> physical_network_id: 200
> data_center_id: 1
> guru_name: ExternalGuestNetworkGuru
> state: Implemented
> related: 208
> domain_id: 1
> account_id: 3
> dns1: NULL
> dns2: NULL
> guru_data: NULL
> set_fields: 0
> acl_type: Account
> network_domain: atomsvpcnet1.lab.vmops.com
> reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
> guest_type: Isolated
> restart_required: 0
> created: 2013-06-21 21:24:45
> removed: NULL
> specify_ip_ranges: 0
> vpc_id: 1
> ip6_gateway: NULL
> ip6_cidr: NULL
> network_cidr: NULL
> display_network: 1
> network_acl_id: NULL
> 1 row in set (0.00 sec)
> mysql>
> ==============================================================
> As per the FS at
> https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
> ==============================================================
> ACL Deny Rules
> Currently only ACL allow rules are supported as part of Network ACLs. Default
> is to block all incoming and all outgoing traffic between tiers and between
> tiers and various gateways (including Public). ACL deny rules will be
> supported through this feature. New fields "number" and "action" will be
> added to rules to resolve conflicting rules.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
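Added example, not code from the CloudStack project or from anyone on this ticket: a small POSIX shell audit that reads an `iptables-save` dump from a VPC virtual router and reports which ACL_* chains end in an unconditional ACCEPT, which is exactly the default-allow outbound state the report shows (ACL_OUTBOUND_* ends in `-j ACCEPT`, ACL_INBOUND_* in `-j DROP`). The sample rules are constructed from the `iptables-save | grep ACL` lines quoted in the report with the wrapped lines rejoined. The `harden_outbound` helper only illustrates the default-deny end state the FS describes (a terminal DROP that explicit allow rules would have to sit above); it is an assumption for illustration, not the fix that was actually committed.

```shell
#!/bin/sh
# Added example (not CloudStack code): audit an `iptables-save` dump from a VPC
# virtual router for ACL chains that allow everything by default.

# Constructed sample: the `iptables-save | grep ACL` output from the bug report,
# wrapped lines rejoined. Chain declarations (":ACL_... - [0:0]") are omitted
# because only "-A" rules matter for the verdict.
REPORTED_RULES='-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP'

# chain_fallthrough CHAIN: what happens to a packet that matches none of the
# conditional rules in CHAIN. If the chain's last rule is unconditional
# ("-A CHAIN -j TARGET" with no match criteria) every packet reaching it gets
# TARGET; otherwise a user-defined chain returns to its caller (RETURN).
# Reads an iptables-save dump on stdin.
chain_fallthrough() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain { nf = NF; tgt = ($3 == "-j") ? $4 : "" }
        END { if (nf == 4 && tgt != "") print tgt; else print "RETURN" }
    '
}

# default_allow_chains: list every ACL_* chain whose last rule is an
# unconditional ACCEPT, i.e. the chain allows all traffic it sees. Sorted so
# the output is stable (awk hash order is unspecified).
default_allow_chains() {
    awk '
        $1 == "-A" && $2 ~ /^ACL_/ { nf[$2] = NF; t[$2] = ($3 == "-j") ? $4 : "" }
        END { for (c in nf) if (nf[c] == 4 && t[c] == "ACCEPT") print c }
    ' | sort
}

# harden_outbound (illustrative assumption, not the project's fix): turn the
# terminal ACCEPT of every ACL_OUTBOUND_* chain into a terminal DROP, which is
# the "block all outgoing by default" state the FS describes. Any allow rules
# the ACL contains must then be inserted above this terminal DROP.
harden_outbound() {
    sed 's/^\(-A ACL_OUTBOUND_[^ ]* \)-j ACCEPT$/\1-j DROP/'
}

# Stand-alone run: show the chains that currently accept everything by default.
printf 'Chains that allow all traffic by default:\n'
printf '%s\n' "$REPORTED_RULES" | default_allow_chains
printf 'After a terminal DROP is applied:\n'
printf '%s\n' "$REPORTED_RULES" | harden_outbound | default_allow_chains
```

On a live router the same check is `iptables-save | default_allow_chains`; any ACL_OUTBOUND_* chain it prints is one where the deny-by-default promise in the FS does not hold.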