Fabrice Brazier created CLOUDSTACK-9924:
-------------------------------------------
Summary: ACL egress rule doesn't take care of the rule number
Key: CLOUDSTACK-9924
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9924
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: VPC
Affects Versions: 4.9.2.0
Environment: ACS 4.9.2 with 4.6.0 system template
Reporter: Fabrice Brazier
Priority: Critical
Fix For: 4.10.0.0, 4.9.3.0
Attachments: 2017-05-18_16-31-39.png, 2017-05-18_16-32-20.png
Adding a new egress rule to the ACL list always inserts it in the same position and
does not take the rule number into account. For instance, if we add the
following rules from the CloudStack GUI:

    10   8.8.8.8/32   Allow   ICMP   -1   -1   Egress
    11   8.8.4.4/32   Allow   ICMP   -1   -1   Egress
    12   8.8.8.8/32   Deny    ICMP   -1   -1   Egress
On the virtual router, we can see that the drop rule is at the top:
root@r-72-VM:~# iptables -S -t mangle
....
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
.....
That means in this scenario, I won't be able to ping 8.8.8.8/32 because the drop
rule is before the accept rule.
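The following script is an added example and is not CloudStack code. It takes the three ACL rows and the `iptables -S -t mangle` lines quoted in the report, renders the order the rule numbers require, compares it with the order actually installed in the ACL_OUTBOUND_eth2 chain, and simulates iptables first-match evaluation to show which target a packet to 8.8.8.8 would hit in each ordering. The `AclRule` type, the chain name argument and the regex over `iptables -S` output are assumptions of this example.

```python
"""Compare the intended order of a CloudStack ACL with what is installed on the router.

Added example, not CloudStack code. Input data is copied from the bug report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int     # ACL rule number; lower numbers must be evaluated first
    cidr: str       # destination CIDR for an egress rule
    action: str     # "Allow" or "Deny"
    protocol: str   # "ICMP" in the report


# The three egress rules entered in the GUI, as listed in the report.
ACL_RULES = [
    AclRule(10, "8.8.8.8/32", "Allow", "ICMP"),
    AclRule(11, "8.8.4.4/32", "Allow", "ICMP"),
    AclRule(12, "8.8.8.8/32", "Deny", "ICMP"),
]

# The ACL_OUTBOUND_eth2 lines from the report's `iptables -S -t mangle` output.
IPTABLES_DUMP = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""

# Matches only ACL entries that carry a protocol; the multicast ACCEPTs
# (no "-p") are router housekeeping rules, not user ACL rules.
RULE_RE = re.compile(r"^-A (\S+) -d (\S+) -p (\S+) .*-j (ACCEPT|DROP)$")


def expected_order(rules):
    """Order the ACL as the rule numbers require: lowest number first."""
    return [
        (r.cidr, r.protocol.lower(), "ACCEPT" if r.action == "Allow" else "DROP")
        for r in sorted(rules, key=lambda r: r.number)
    ]


def installed_order(dump, chain):
    """Extract (cidr, proto, target) tuples from `iptables -S` output in chain order."""
    found = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == chain:
            found.append((m.group(2), m.group(3), m.group(4)))
    return found


def first_hit(order, dst, proto):
    """Simulate first-match evaluation: return the target of the first matching rule."""
    for cidr, p, target in order:
        if cidr == dst and p == proto:
            return target
    return None  # no ACL rule matched; chain policy would apply


def check(rules, dump, chain="ACL_OUTBOUND_eth2"):
    """Report whether the router's chain reflects the ACL's numeric order."""
    expected = expected_order(rules)
    installed = installed_order(dump, chain)
    return {
        "ordered_correctly": expected == installed,
        "expected": expected,
        "installed": installed,
    }


if __name__ == "__main__":
    result = check(ACL_RULES, IPTABLES_DUMP)
    print("chain matches rule numbers:", result["ordered_correctly"])
    print("ping 8.8.8.8 with intended order :", first_hit(result["expected"], "8.8.8.8/32", "icmp"))
    print("ping 8.8.8.8 with installed order:", first_hit(result["installed"], "8.8.8.8/32", "icmp"))
```

Run against a live router by replacing IPTABLES_DUMP with the captured `iptables -S -t mangle` output; a False result means the chain does not follow the ACL's rule numbers, and the two `first_hit` lines show the practical effect of the misordering.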