[
https://issues.apache.org/jira/browse/CLOUDSTACK-9480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490241#comment-15490241
]
ASF GitHub Bot commented on CLOUDSTACK-9480:
--------------------------------------------
Github user karuturi commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/1666#discussion_r78733780
--- Diff: systemvm/patches/debian/config/opt/cloud/bin/configure.py ---
@@ -145,40 +145,41 @@ def add_rule(self, cidr):
logging.debug("Current ACL IP direction is ==> %s",
self.direction)
if self.direction == 'egress':
self.fw.append(["filter", "", " -A FW_OUTBOUND -j
FW_EGRESS_RULES"])
+ fwr = " -I FW_EGRESS_RULES"
+
+ #In case we have a default rule (accept all or drop all),
we have to evaluate the action again.
+ if rule['type'] == 'all' and not rule['source_cidr_list']:
+ fwr = " -A FW_EGRESS_RULES"
+ # For default egress ALLOW or DENY, the logic is
inverted.
+ # Having default_egress_policy == True, means that the
default rule should have ACCEPT,
+ # otherwise DROP. The rule should be appended, not
inserted.
+ if self.rule['default_egress_policy']:
+ self.rule['action'] = "ACCEPT"
+ else:
+ self.rule['action'] = "DROP"
+ else:
+ # For other rules added, if default_egress_policy ==
True, following rules should be DROP,
+ # otherwise ACCEPT
+ if self.rule['default_egress_policy']:
+ self.rule['action'] = "DROP"
+ else:
+ self.rule['action'] = "ACCEPT"
+
if rule['protocol'] == "icmp":
self.fw.append(["filter", "front",
" -A FW_EGRESS_RULES" +
--- End diff --
I think this should be -I FW_EGRESS_RULES.
> Egress Firewall: Incorrect use of Allow/Deny for ICMP
> -----------------------------------------------------
>
> Key: CLOUDSTACK-9480
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9480
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.6.2, 4.7.1, 4.8.0, 4.9.0
> Reporter: Murali Reddy
> Assignee: Murali Reddy
> Fix For: 4.9.1.0
>
>
> When 'default egress policy' is set to 'allow' in the network offering, any
> egress rule that is added will 'deny' the traffic overriding the default
> behaviour.
> Conversely, when 'default egress policy' is set to 'deny' in the network
> offering, any egress rule that is added will 'allow' the traffic overriding
> the default behaviour.
> While this works for 'tcp', 'udp' as expected, for 'icmp' protocol its always
> set to ALLOW.
> Egress firewall rule behaviour should be consistent for all the protocols.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
