CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…#2313
Conversation
LGTM, pending testing.

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1234

Related: https://issues.apache.org/jira/browse/CLOUDSTACK-10043, we are verifying.

@blueorangutan test

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
I was able to reproduce and verify.

Source of the network_acl.json:
{
    "eth2": {
        "device": "eth2",
        "egress_rules": [
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 443,
                "last_port": 443,
                "type": "tcp"
            },
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 81,
                "last_port": 81,
                "type": "tcp"
            },
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 80,
                "last_port": 80,
                "type": "tcp"
            }
        ],
        "ingress_rules": [
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 443,
                "last_port": 443,
                "type": "tcp"
            },
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 80,
                "last_port": 80,
                "type": "tcp"
            }
        ],
        "mac_address": "02:00:34:85:00:02",
        "nic_ip": "10.11.1.1",
        "nic_netmask": "24",
        "private_gateway_acl": false,
        "type": "networkacl"
    },
    "id": "networkacl"
}...
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 81 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
...
After running /opt/cloud/bin/configure.py network_acl.json the rule ordering looks fine:
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 81 -j ACCEPT
-A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
However, I noticed that the default egress policy (egressdefaultpolicy=false of the network offering) seems to still not be applied. I would expect to have a -A ACL_OUTBOUND_eth2 DROP at the end of the rules. But this may be a different bug.

egressdefaultpolicy hasn't been used in the past; instead a default drop to egress rules was added.
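An added example, not code from this PR or from CloudStack's configure.py, of the ordering property the comment above verifies by eye: render the egress_rules of a network_acl.json into ACL_OUTBOUND rules in list order, then check an iptables-save dump of the chain against that sequence. It goes beyond the page's sample with a port range and a deny rule; the ACL_INBOUND chain name and the mapping of cidr to -d/-s are assumptions.

```python
import json

# Constructed sample in the network_acl.json shape shown in the review comment;
# the third rule adds a port range and a deny, which the page's sample lacks.
SAMPLE = json.loads("""{
  "eth2": {"device": "eth2", "type": "networkacl", "ingress_rules": [],
    "egress_rules": [
      {"allowed": true,  "cidr": "0.0.0.0/0",  "first_port": 443,  "last_port": 443,  "type": "tcp"},
      {"allowed": true,  "cidr": "0.0.0.0/0",  "first_port": 81,   "last_port": 81,   "type": "tcp"},
      {"allowed": false, "cidr": "10.0.0.0/8", "first_port": 8000, "last_port": 8080, "type": "tcp"}]},
  "id": "networkacl"}""")

def chain_name(device, direction):
    # ACL_OUTBOUND_<dev> is on the page; ACL_INBOUND_<dev> for ingress is an assumption.
    return f"ACL_{'OUTBOUND' if direction == 'egress' else 'INBOUND'}_{device}"

def render_rule(chain, rule, direction):
    """Render one ACL entry as an iptables rule. Egress matches the destination
    cidr and ingress the source (assumption); 0.0.0.0/0 is omitted as on the page."""
    parts = ["-A", chain]
    cidr = rule.get("cidr", "0.0.0.0/0")
    if cidr != "0.0.0.0/0":
        parts += ["-d" if direction == "egress" else "-s", cidr]
    proto = rule["type"]
    lo, hi = rule["first_port"], rule["last_port"]
    parts += ["-p", proto, "-m", proto, "--dport", str(lo) if lo == hi else f"{lo}:{hi}"]
    parts += ["-j", "ACCEPT" if rule["allowed"] else "DROP"]
    return " ".join(parts)

def render_chain(acl, device, direction="egress"):
    """Emit the chain's rules in JSON list order: appending in this order is
    what makes iptables evaluate them in the ACL's number order."""
    chain = chain_name(device, direction)
    return [render_rule(chain, r, direction) for r in acl[device][f"{direction}_rules"]]

def dport_sequence(lines, chain):
    """Extract the --dport values of a chain's rules in the order they appear."""
    seq = []
    for line in lines:
        if line.startswith(f"-A {chain} ") and "--dport " in line:
            seq.append(line.split("--dport ")[1].split()[0])
    return seq

def order_preserved(acl, device, chain_dump, direction="egress"):
    """Compare an iptables-save dump with the ACL json: True only when the router
    applied the port rules in exactly the order the ACL lists them."""
    chain = chain_name(device, direction)
    expected = dport_sequence(render_chain(acl, device, direction), chain)
    return expected == dport_sequence(chain_dump.splitlines(), chain)
```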
LGTM
@blueorangutan package

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

LGTM

cherry-picking to 4.9 and 4.10

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1254
…n VPC VR
Repro steps
1. Create a VPC with super CIDR (172.16.0.0/16)
2. Create a custom ACL with at least 3 ACL_OUTBOUND rules with number order like 15, 10, 20
3. Create a tier with the above ACL
4. Deploy an instance in the tier
5. In the router the ACL rules won't be in sequence-number order