[
https://issues.apache.org/jira/browse/CLOUDSTACK-9924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fabrice Brazier updated CLOUDSTACK-9924:
----------------------------------------
Description:
Adding new egress rule in the ACL list is always added in the same order and
does not take into account the rule number. For instance, if we add the
following rule from CloudStack GUI:
10 8.8.8.8/32 Allow ICMP -1 -1
Egress
11 8.8.4.4/32 Allow ICMP -1 -1
Egress
12 8.8.8.8/32 Deny ICMP -1 -1
Egress
On the virtual router, we can see that the drop rule is before the accept rule:
root@r-72-VM:~# iptables -S -t mangle
....
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
.....
That means in this scenario, I won't be able to ping 8.8.8.8/32 because the
drop rule is before the accept rule.
Is it related to the systemvm template version used with ACS 4.9.2 that is
outdated?
(http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-vmware.ova)
was:
Adding new egress rule in the ACL list is always added in the same order and
does not take into account the rule number. For instance, if we add the
following rule from CloudStack GUI:
10 8.8.8.8/32 Allow ICMP -1 -1
Egress
11 8.8.4.4/32 Allow ICMP -1 -1
Egress
12 8.8.8.8/32 Deny ICMP -1 -1
Egress
On the virtual router, we can see that the drop rule is before the accept rule:
root@r-72-VM:~# iptables -S -t mangle
....
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
.....
That means in this scenario, I won't be able to ping 8.8.8.8/32 because the
drop rule is before the accept rule.
> ACL egress rule doesn't take care of the rule number
> ----------------------------------------------------
>
> Key: CLOUDSTACK-9924
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9924
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: VPC
> Affects Versions: 4.9.2.0
> Environment: ACS 4.9.2 with 4.6.0 system template
> Reporter: Fabrice Brazier
> Priority: Critical
> Fix For: 4.10.0.0, 4.9.3.0
>
> Attachments: 2017-05-18_16-31-39.png, 2017-05-18_16-32-20.png
>
>
> Adding new egress rule in the ACL list is always added in the same order and
> does not take into account the rule number. For instance, if we add the
> following rule from CloudStack GUI:
> 10 8.8.8.8/32 Allow ICMP -1 -1
> Egress
> 11 8.8.4.4/32 Allow ICMP -1 -1
> Egress
> 12 8.8.8.8/32 Deny ICMP -1 -1
> Egress
> On the virtual router, we can see that the drop rule is before the accept
> rule:
> root@r-72-VM:~# iptables -S -t mangle
> ....
> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
> -A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> .....
> That means in this scenario, I won't be able to ping 8.8.8.8/32 because the
> drop rule is before the accept rule.
> Is it related to the systemvm template version used with ACS 4.9.2 that is
> outdated?
> (http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-vmware.ova)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
