[ https://issues.apache.org/jira/browse/CLOUDSTACK-9924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajani Karuturi updated CLOUDSTACK-9924: ---------------------------------------- Fix Version/s: (was: 4.10.0.0) 4.10.1.0 > ACL egress rule doesn't take care of the rule number > ---------------------------------------------------- > > Key: CLOUDSTACK-9924 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9924 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: VPC > Affects Versions: 4.9.2.0 > Environment: ACS 4.9.2 with 4.6.0 system template > Reporter: Fabrice Brazier > Priority: Critical > Fix For: 4.10.1.0, 4.9.3.0 > > Attachments: 2017-05-18_16-31-39.png, 2017-05-18_16-32-20.png > > > Adding new egress rule in the ACL list is always added in the same order and > does not take into account the rule number. For instance, if we add the > following rule from CloudStack GUI: > 10 8.8.8.8/32 Allow ICMP -1 -1 > Egress > 11 8.8.4.4/32 Allow ICMP -1 -1 > Egress > 12 8.8.8.8/32 Deny ICMP -1 -1 > Egress > On the virtual router, we can see that the drop rule is before the accept > rule: > root@r-72-VM:~# iptables -S -t mangle > .... > -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT > -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT > -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP > -A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT > -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT > ..... > That means in this scenario, I won't be able to ping 8.8.8.8/32 because the > drop rule is before the accept rule. > Is it related to the systemvm template version used with ACS 4.9.2 that is > outdated? > (http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-vmware.ova) -- This message was sent by Atlassian JIRA (v6.4.14#64029)