[jira] [Commented] (CLOUDSTACK-9480) Egress Firewall: Incorrect use of Allow/Deny for ICMP

Wed, 14 Sep 2016 04:54:32 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490241#comment-15490241
 ] 

ASF GitHub Bot commented on CLOUDSTACK-9480:
--------------------------------------------

Github user karuturi commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1666#discussion_r78733780
  
    --- Diff: systemvm/patches/debian/config/opt/cloud/bin/configure.py ---
    @@ -145,40 +145,41 @@ def add_rule(self, cidr):
                 logging.debug("Current ACL IP direction is ==> %s", 
self.direction)
                 if self.direction == 'egress':
                     self.fw.append(["filter", "", " -A FW_OUTBOUND -j 
FW_EGRESS_RULES"])
    +                fwr = " -I FW_EGRESS_RULES"
    +
    +                #In case we have a default rule (accept all or drop all), 
we have to evaluate the action again.
    +                if rule['type'] == 'all' and not rule['source_cidr_list']:
    +                    fwr = " -A FW_EGRESS_RULES"
    +                    # For default egress ALLOW or DENY, the logic is 
inverted.
    +                    # Having default_egress_policy == True, means that the 
default rule should have ACCEPT,
    +                    # otherwise DROP. The rule should be appended, not 
inserted.
    +                    if self.rule['default_egress_policy']:
    +                        self.rule['action'] = "ACCEPT"
    +                    else:
    +                        self.rule['action'] = "DROP"
    +                else:
    +                    # For other rules added, if default_egress_policy == 
True, following rules should be DROP,
    +                    # otherwise ACCEPT
    +                    if self.rule['default_egress_policy']:
    +                        self.rule['action'] = "DROP"
    +                    else:
    +                        self.rule['action'] = "ACCEPT"
    +
                     if rule['protocol'] == "icmp":
                         self.fw.append(["filter", "front",
                                         " -A FW_EGRESS_RULES" +
    --- End diff --
    
    I think this should be -I FW_EGRESS_RULES.


> Egress Firewall: Incorrect use of Allow/Deny for ICMP
> -----------------------------------------------------
>
>                 Key: CLOUDSTACK-9480
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9480
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Network Controller
>    Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
>            Reporter: Murali Reddy
>            Assignee: Murali Reddy
>             Fix For: 4.9.1.0
>
>
> When 'default egress policy' is set to 'allow' in the network offering, any 
> egress rule that is added will 'deny' the traffic overriding the default 
> behaviour. 
> Conversely, when 'default egress policy' is set to 'deny' in the network 
> offering, any egress rule that is added will 'allow' the traffic overriding 
> the default behaviour. 
> While this works for 'tcp', 'udp' as expected, for 'icmp' protocol its always 
> set to ALLOW.
> Egress firewall rule behaviour should be consistent for all the protocols.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to