Sanjeev N created CLOUDSTACK-8688:
-------------------------------------

             Summary: Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
                 Key: CLOUDSTACK-8688
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.6.0
         Environment: Latest build from ACS master.
Zone type: Advanced
            Reporter: Sanjeev N
            Priority: Blocker


Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table

Steps to reproduce the issue:
=======================
1. Bring up CS in advanced zone with any supported hypervisor (e.g. XenServer)
2. Create an isolated network with Network Offering "DefaultIsolatedNetworkOfferingWithSourceNatService"
3. Deploy one guest VM within that network

Result:
=======
iptables rules on the VR created are as follows:
root@r-7-VM:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere

But the default policy for the INPUT and FORWARD chains should be DROP instead of ACCEPT. Otherwise all traffic to the VR would be allowed.

The same is the case with VPC and shared networks as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

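A check for the condition the report describes, written as an added example that is not part of the bug report or of CloudStack's own VR scripts: it parses `iptables --list` output in the format shown above (the sample dump below is constructed from the report, abridged to the chain headers), flags INPUT and FORWARD when their default policy is anything but DROP, and keeps the policy flip the reporter asks for in a separate function that only runs when invoked explicitly on a VR. The function names, the sample dumps and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CloudStack code: audit the VR filter-table default
# policies from `iptables --list` output, then optionally flip them to DROP.

# Constructed from the report's dump (abridged to chain headers and one rule).
SAMPLE_DUMP='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NETWORK_STATS (3 references)
target     prot opt source               destination'

# Constructed counterpart: the same table after the policies are set to DROP.
HARDENED_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" \
    | sed 's/INPUT (policy ACCEPT)/INPUT (policy DROP)/; s/FORWARD (policy ACCEPT)/FORWARD (policy DROP)/')

# Read a --list dump on stdin and print "CHAIN POLICY" for each built-in chain.
# "Chain NAME (policy X)" -> $2 is NAME, $4 is "X)"; user chains carry
# "(N references)" instead and are skipped by the pattern.
chain_policies() {
    awk '/^Chain .* \(policy /{ gsub(/[()]/, "", $4); print $2, $4 }'
}

# Read a --list dump on stdin. Return 0 if INPUT and FORWARD both default to
# DROP, 1 if either still defaults to ACCEPT (the state the report shows).
audit_default_policies() {
    rc=0
    for entry in $(chain_policies | tr ' ' '='); do
        chain=${entry%%=*}
        policy=${entry#*=}
        case "$chain" in
            INPUT|FORWARD)
                if [ "$policy" != "DROP" ]; then
                    echo "FAIL: $chain default policy is $policy (expected DROP)"
                    rc=1
                else
                    echo "ok:   $chain default policy is DROP"
                fi
                ;;
        esac
    done
    return $rc
}

# The change the report asks for. Deliberately not run by default: it only
# makes sense on the VR, and only once the explicit ACCEPT rules the dump
# shows (RELATED,ESTABLISHED, DHCP, DNS, VRRP, ...) are confirmed present.
harden_vr_filter() {
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
}

if [ "${1:-}" = "apply" ]; then
    # Live mode on a VR (assumed usage): audit the real table, then harden.
    iptables --list | audit_default_policies || harden_vr_filter
    iptables --list | audit_default_policies
else
    # Offline demonstration on the constructed dumps.
    echo "== dump from the report =="
    if printf '%s\n' "$SAMPLE_DUMP" | audit_default_policies; then
        echo "filter table already default-denies"
    else
        echo "filter table needs hardening"
    fi
    echo "== after setting the policies to DROP =="
    printf '%s\n' "$HARDENED_DUMP" | audit_default_policies
fi
```

Two caveats when reading the report's dump with this check. `iptables --list` without `-v` hides interface matches, so the bare `ACCEPT all -- anywhere anywhere` lines in INPUT cannot be judged from that output alone; audit from `iptables -S` (or `-L -v`) to see the full rule. And the FORWARD chain carries `ACCEPT all ... state NEW`, which, unless it has an interface match that `--list` hides, accepts every new forwarded flow on its own, so a DROP policy on FORWARD only takes effect once that rule is narrowed.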