[ https://issues.apache.org/jira/browse/CLOUDSTACK-9924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajani Karuturi updated CLOUDSTACK-9924:
----------------------------------------
Fix Version/s: 4.10.1.0 (was: 4.10.0.0)
> ACL egress rule doesn't take care of the rule number
> ----------------------------------------------------
>
> Key: CLOUDSTACK-9924
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9924
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: VPC
> Affects Versions: 4.9.2.0
> Environment: ACS 4.9.2 with 4.6.0 system template
> Reporter: Fabrice Brazier
> Priority: Critical
> Fix For: 4.10.1.0, 4.9.3.0
>
> Attachments: 2017-05-18_16-31-39.png, 2017-05-18_16-32-20.png
>
>
> A new egress rule added to the ACL list is always added in the same order and
> does not take into account the rule number. For instance, if we add the
> following rules from the CloudStack GUI:
> Rule#  CIDR        Action  Protocol  ICMP type  ICMP code  Traffic type
> 10     8.8.8.8/32  Allow   ICMP      -1         -1         Egress
> 11     8.8.4.4/32  Allow   ICMP      -1         -1         Egress
> 12     8.8.8.8/32  Deny    ICMP      -1         -1         Egress
> On the virtual router, we can see that the drop rule is before the accept
> rule:
> root@r-72-VM:~# iptables -S -t mangle
> ....
> -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
> -A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> -A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
> .....
> That means in this scenario, I won't be able to ping 8.8.8.8/32 because the
> drop rule is before the accept rule.
> Is it related to the systemvm template version used with ACS 4.9.2, which is
> outdated?
> (http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-vmware.ova)
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
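Added example (not code from the CloudStack project or from the reporter): a small Python model of how ACL items should be rendered into the ACL_OUTBOUND chain in rule-number order, together with a parser for `iptables -S` output, a first-match simulator and a check that flags an installed chain whose rule order disagrees with the ACL numbering. The chain name, CIDRs and rule numbers are those from the report; AclItem, render_chain, parse_iptables_s, first_match, installed_order and is_ordered are names assumed for this example. Run against the chain as reported, the check returns the order [12, 11, 10] and an ICMP packet to 8.8.8.8 hits DROP; run against the same items rendered in rule-number order, the same packet hits ACCEPT.

```python
# Added example; not code from the CloudStack project or from the report.
# It models the rendering of VPC ACL items into an iptables chain in rule-number
# order, parses `iptables -S` output, simulates first-match evaluation, and
# checks whether an installed chain respects the ACL numbering. The chain name,
# CIDRs and rule numbers come from the report; AclItem and the helper names are
# assumptions made for this example.
from dataclasses import dataclass
import ipaddress
import re

CHAIN = "ACL_OUTBOUND_eth2"


@dataclass(frozen=True)
class AclItem:
    number: int      # ACL rule number; lower numbers must be evaluated first
    cidr: str        # destination CIDR for an egress rule
    action: str      # "Allow" or "Deny"
    protocol: str    # "icmp", "tcp", "udp" or "all"

    def target(self):
        return "ACCEPT" if self.action.lower() == "allow" else "DROP"


# The three egress rules from the report.
ITEMS = [
    AclItem(10, "8.8.8.8/32", "Allow", "icmp"),
    AclItem(11, "8.8.4.4/32", "Allow", "icmp"),
    AclItem(12, "8.8.8.8/32", "Deny", "icmp"),
]

# Constructed from the `iptables -S -t mangle` excerpt in the report
# (the elided lines are omitted).
REPORTED_CHAIN = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.4.4/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -d (?P<dst>\S+)"
    r"(?: -p (?P<proto>\S+))?(?: -m icmp --icmp-type \S+)? -j (?P<target>\S+)$"
)


def render_chain(chain, items):
    """Emit one `-A` rule per ACL item, sorted by rule number.

    iptables walks a chain top-down and stops at the first matching terminating
    target, so the ACL numbering only means something if the rules are appended
    in ascending number order."""
    cmds = []
    for item in sorted(items, key=lambda i: i.number):
        cmd = f"-A {chain} -d {item.cidr}"
        if item.protocol != "all":
            cmd += f" -p {item.protocol}"
            if item.protocol == "icmp":
                cmd += " -m icmp --icmp-type any"
        cmds.append(f"{cmd} -j {item.target()}")
    return cmds


def parse_iptables_s(text, chain):
    """Return (dst, proto, target) tuples for one chain, in evaluation order.
    Lines whose shape the regex does not cover are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("chain") == chain:
            rules.append((m.group("dst"), m.group("proto") or "all", m.group("target")))
    return rules


def first_match(rules, dst, proto):
    """Simulate the kernel: the first rule matching the packet decides.
    Returns the target, or None if the packet falls through to the chain policy."""
    addr = ipaddress.ip_address(dst)
    for rule_dst, rule_proto, target in rules:
        if addr in ipaddress.ip_network(rule_dst) and rule_proto in ("all", proto):
            return target
    return None


def installed_order(rules, items):
    """ACL rule numbers in the order their rules actually appear in the chain.
    Rules are matched to items by (destination, protocol, target); rules that
    belong to no item (e.g. the multicast ACCEPTs) are ignored."""
    by_key = {(i.cidr, i.protocol, i.target()): i.number for i in items}
    return [by_key[r] for r in rules if r in by_key]


def is_ordered(rules, items):
    """True when the installed chain respects ascending ACL rule numbers."""
    order = installed_order(rules, items)
    return order == sorted(order)


if __name__ == "__main__":
    reported = parse_iptables_s(REPORTED_CHAIN, CHAIN)
    print("reported order:", installed_order(reported, ITEMS),
          "ordered:", is_ordered(reported, ITEMS))
    print("ping 8.8.8.8 under reported chain:", first_match(reported, "8.8.8.8", "icmp"))
    fixed = parse_iptables_s("\n".join(render_chain(CHAIN, ITEMS)), CHAIN)
    print("ping 8.8.8.8 under correctly ordered chain:", first_match(fixed, "8.8.8.8", "icmp"))
```

The check in is_ordered is the kind of assertion worth running on the virtual router after every ACL change: it needs only the `iptables -S` text and the ACL items as the management server sees them, and it catches exactly the failure in the report, where a Deny with a higher rule number lands ahead of the Allow it was meant to follow.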