Sanjeev N created CLOUDSTACK-8681:
-------------------------------------

             Summary: [Egress_Rules] CS does not honor the default deny egress policy in isolated network
                 Key: CLOUDSTACK-8681
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8681
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Controller
    Affects Versions: 4.6.0
         Environment: Latest build from master with commit ac9c2a224a78f413945e25fd7cf23364fbef00b5
Zone: Advanced
            Reporter: Sanjeev N
            Priority: Critical


[Egress_Rules] CS does not honor the default deny egress policy in isolated network

Steps to reproduce:
=================
1. Bring up CS in advanced zone with any of the supported hypervisors
2. Create an isolated network with network offering "DefaultIsolatedNetworkOfferingWithSourceNatService" so that the default egress policy would be "deny all"
3. Deploy one guest vm in that network

Expected Result:
=============
VR FORWARD chain in filter table should have the default DROP policy.

Actual Result:
===========
Following is the FORWARD chain from the VR:
Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
 pkts bytes target     prot opt in     out     source               destination
46405   27M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
27468   25M ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   104 ACCEPT     tcp  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW

It should be in the following way:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0

Chain FW_EGRESS_RULES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW_OUTBOUND (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 FW_EGRESS_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0


Looks like now we are loading iptables from "/etc/iptables/router_rules.v4". But the base for this file should be "/etc/iptables/rules.v4" to persist the default behavior.
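As an added example (not CloudStack's own code), the following POSIX shell check parses `iptables -L FORWARD -v -n` output from a VR and reports whether the default deny egress policy described above is actually in place: FORWARD policy DROP and an eth0 -> eth2 jump into FW_OUTBOUND. The two samples are constructed from the chains quoted in this report.

```shell
#!/bin/sh
# Added example (not CloudStack code): check whether a CloudStack virtual
# router's FORWARD chain honors a "deny all" default egress policy.
# Input: the text of `iptables -L FORWARD -v -n`; the samples below are
# constructed from the chains quoted in this report.

# Print the chain policy (ACCEPT/DROP) from the "Chain FORWARD (policy X ..." header.
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Succeed only if guest->public traffic (eth0 -> eth2) is sent to FW_OUTBOUND,
# the chain that ends in FW_EGRESS_RULES (DROP) in the expected configuration.
has_fw_outbound() {
    printf '%s\n' "$1" | awk '$3 == "FW_OUTBOUND" && $6 == "eth0" && $7 == "eth2" { found = 1 }
                              END { if (found) exit 0; exit 1 }'
}

# Verdict: prints "ok" or "FAIL: <reason>"; the return status follows the verdict.
check_egress_default_deny() {
    pol=$(forward_policy "$1")
    if [ "$pol" != "DROP" ]; then
        echo "FAIL: FORWARD policy is '${pol:-unknown}', expected DROP"
        return 1
    fi
    if ! has_fw_outbound "$1"; then
        echo "FAIL: no FW_OUTBOUND jump for eth0 -> eth2 traffic"
        return 1
    fi
    echo "ok"
}

# Constructed samples, abridged from the report: observed (broken) and expected state.
BROKEN='Chain FORWARD (policy ACCEPT 10282 packets, 1743K bytes)
 pkts bytes target     prot opt in     out     source               destination
46405   27M NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
EXPECTED='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETWORK_STATS  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FW_OUTBOUND  all  --  eth0   eth2    0.0.0.0/0            0.0.0.0/0'

# On a live VR: check_egress_default_deny "$(iptables -L FORWARD -v -n)"
check_egress_default_deny "$BROKEN" || :
check_egress_default_deny "$EXPECTED"
```

Running this on the VR after the network is created (and again after a VR restart, since the report points at which rules file is persisted) gives a quick regression check for this bug.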

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)