Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/10/13 07:51:17 UTC

[GitHub] [cloudstack] rvalle opened a new issue #4402: ACL default behaviour not honoured in VPC tiers

rvalle opened a new issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402


   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   VPC
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   4.14
   ~~~
   
   ##### CONFIGURATION
   
   
   ##### OS / ENVIRONMENT
   Ubuntu 18.04, KVM, Advanced Networking, Local Storage
   
   ##### SUMMARY
   
   According to the documentation: "By default, all incoming traffic to the guest networks is blocked and all outgoing traffic from guest networks is allowed, once you add an ACL rule for outgoing traffic, then only outgoing traffic specified in this ACL rule is allowed, the rest is blocked."
   
   ACLs on VPC tiers do not block the rest of the traffic even if an Egress rule is added.
   
   ##### STEPS TO REPRODUCE
   ~~~
   - create a VPC with 2 tiers, Management and Service
   - create a custom ACL for each tier with the same name as the tier
   - Create an ACL Egress rule on Management that allows accessing Service Tier (for example on port 22)
   - Create a VM on Management Tier
   - Test accessing the Service tier from the VM 
   - Test accessing the Internet from the VM
   
   ~~~
   
   
   ##### EXPECTED RESULTS
   
   ~~~
   The VM should have access to the Service tier as specified.
   However, since there is already an Egress rule specified, the rest of outgoing traffic should be blocked.
   The VM should not be able to access the Internet.
   ~~~
   
   ##### ACTUAL RESULTS
   
   ~~~
   The VM can access the internet: 
   ping www.google.com works
   wget http://www.google.com works.
   ~~~
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] DaanHoogland closed issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
DaanHoogland closed issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402


   





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-709984706


   @andrijapanicsb I checked the API spec and they take a list.
   
   Also, Ansible modules have been built matching the API; taking lists has been tested too.
   
   





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-708404385


   After discussing the multiple CIDRs issue with @resmo, we think that it is related to this issue. Rules are also not working when they take multiple CIDRs as parameters.





[GitHub] [cloudstack] andrijapanicsb commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
andrijapanicsb commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-717884136


   Please see docs before confirming an issue @Spaceman1984 
   http://docs.cloudstack.apache.org/en/latest/adminguide/networking/virtual_private_cloud_config.html?highlight=acl#about-network-acl-lists
   
   Specifically:
   
   `The default Network ACL is used when no ACL is associated. Default behavior is all the incoming traffic is blocked and outgoing traffic is allowed from the tiers...:`
   
   With this in mind ^^^, conduct the testing... - it is expected that your noACL tier was able to ping anything outside
   
   But the other "blocked by default..." egress issue:
   
   I think the documentation is not correct - i.e. for VPC networks, I don't recall that there was ever an implementation that would by default block outgoing traffic (egress) on ACLs where some egress rules allow some access - i.e. you would always want to add a 0.0.0.0/0 deny rule - it's an EMPTY ACL that you want to populate your way - just like on any other router - you will explicitly add deny to 0.0.0.0:0 as the last rule in the ACL.
   
   I would prefer that we update the documentation on VPC ACL, instead of changing the behaviour, unless some of you can confirm that this worked differently in previous ACS versions @rvalle ?


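As an added illustration of the "explicit deny as the last rule" point above (this is example code written for this page, not code from the thread, from CloudStack or from the Ansible collection): an offline Python model of an ordered VPC network ACL. Rules are evaluated in ascending rule number, first match wins, and when nothing matches the fall-through policy modelled here is the one the thread reports for 4.14, ingress blocked and egress allowed even when the ACL already carries egress rules. The Service tier subnet, the Internet test address and the rule numbers are constructed for the example; the `to_api_params` helper maps a rule onto the parameter names of the `createNetworkACL` API call as an assumption, to be checked against the API reference for your release before scripting it with cmk or Ansible.

```python
"""Offline model of CloudStack VPC network ACL evaluation (added example).

Rules are evaluated in ascending `number`; the first match decides.  When
nothing matches, the default policy applies.  The default modelled here is
the behaviour reported in this thread for 4.14: ingress blocked, egress
allowed, even when the ACL already contains egress rules.  This is a model
of the observed behaviour, not CloudStack's own implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    number: int                  # rule position, lower numbers are checked first
    traffic_type: str            # "ingress" or "egress"
    action: str                  # "allow" or "deny"
    cidr: str                    # remote network: source for ingress, destination for egress
    protocol: str = "all"        # "tcp", "udp", "icmp" or "all"
    start_port: Optional[int] = None
    end_port: Optional[int] = None

    def matches(self, traffic_type: str, remote_ip: str,
                protocol: str, port: Optional[int]) -> bool:
        if self.traffic_type != traffic_type:
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.start_port is not None:
            # A port-scoped rule never matches port-less traffic such as ICMP.
            if port is None:
                return False
            last = self.end_port if self.end_port is not None else self.start_port
            if not self.start_port <= port <= last:
                return False
        return True


# Fall-through policy per direction, as observed in the thread (assumption).
DEFAULT_POLICY = {"ingress": "deny", "egress": "allow"}


def evaluate(rules: List[AclRule], traffic_type: str, remote_ip: str,
             protocol: str = "tcp", port: Optional[int] = None) -> str:
    """Return "allow" or "deny" for one flow: first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(traffic_type, remote_ip, protocol, port):
            return rule.action
    return DEFAULT_POLICY[traffic_type]


# Constructed addresses for the example: the Service tier subnet and an
# Internet host in a documentation range.  Not taken from the thread.
SERVICE_TIER = "10.1.2.0/24"
INTERNET_HOST = "198.51.100.7"

# The Management tier ACL exactly as in the reproduction steps: a single
# egress allow for SSH into the Service tier and nothing else.
MANAGEMENT_ACL_AS_FILED = [
    AclRule(1, "egress", "allow", SERVICE_TIER, "tcp", 22, 22),
]


def with_closing_deny(rules: List[AclRule]) -> List[AclRule]:
    """Append the explicit last-rule deny (number 9999) that the thread used."""
    return rules + [AclRule(9999, "egress", "deny", "0.0.0.0/0", "all")]


def audit_egress(rules: List[AclRule]) -> List[str]:
    """Flag an ACL whose egress allow rules still fall through to default-allow."""
    egress = sorted((r for r in rules if r.traffic_type == "egress"), key=lambda r: r.number)
    findings = []
    if any(r.action == "allow" for r in egress):
        last = egress[-1]
        closes = (last.action == "deny" and last.protocol == "all"
                  and ipaddress.ip_network(last.cidr, strict=False).prefixlen == 0)
        if not closes:
            findings.append("egress allow rules present but the highest-numbered egress "
                            "rule is not 'deny 0.0.0.0/0 all': other egress falls through "
                            "to the default allow")
    return findings


def to_api_params(rule: AclRule, aclid: str) -> Dict[str, str]:
    """Map a rule onto createNetworkACL parameter names (assumed from the API
    reference; verify against your release before scripting with cmk/Ansible)."""
    params = {"aclid": aclid, "number": str(rule.number), "traffictype": rule.traffic_type,
              "action": rule.action, "cidrlist": rule.cidr, "protocol": rule.protocol}
    if rule.start_port is not None:
        params["startport"] = str(rule.start_port)
        params["endport"] = str(rule.end_port if rule.end_port is not None else rule.start_port)
    return params


if __name__ == "__main__":
    for label, acl in (("as filed", MANAGEMENT_ACL_AS_FILED),
                       ("with 9999 deny", with_closing_deny(MANAGEMENT_ACL_AS_FILED))):
        print(label, "ssh->service:", evaluate(acl, "egress", "10.1.2.10", "tcp", 22),
              "http->internet:", evaluate(acl, "egress", INTERNET_HOST, "tcp", 80),
              "ping->internet:", evaluate(acl, "egress", INTERNET_HOST, "icmp"),
              "audit:", audit_egress(acl) or "ok")
```

Run as a script, the "as filed" line shows SSH to the Service tier allowed and HTTP and ping to the Internet also allowed, which is the leak reported in the issue; the "with 9999 deny" line keeps SSH allowed and denies everything else. `audit_egress` is the check worth running over every ACL in a VPC: any ACL that grants egress but does not end in a deny-all rule is relying on the fall-through allow.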



[GitHub] [cloudstack] rvalle edited a comment on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle edited a comment on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-707596192


   Further testing: Traffic is going out from the VPC tiers despite adding a 9999 Egress 0.0.0.0/0 deny all rule.
   Something here seems fundamentally broken.





[GitHub] [cloudstack] rvalle edited a comment on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle edited a comment on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-707596192


   Further testing: seems like it can be mitigated by adding a specific 9999 Egress 0.0.0.0/0 deny all rule.
   





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-707596192


   Further testing: Traffic is going out from the VPC tiers despite the 9999 deny all rule.
   Something here seems fundamentally broken.





[GitHub] [cloudstack] DaanHoogland commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-733028309


   @rvalle closing this one. can you work on the description and title if you want to re-open? thanks





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-717881202


   Thanks @Spaceman1984.





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-717941578


   @Spaceman1984 yes, @andrijapanicsb is right.
   
   You can add a single egress rule to your setup, which should imply that the allow-all-out by default stops. Then you can validate.
   
   @andrijapanicsb I cannot comment on previous ACS versions, I joined the party late ! 
   
   I agree with you in that I do not like the original specification: i.e. after adding one rule the default policy changes. I don't like it.
   But I guess it would be good to know if this issue is also in pre 4.14 just in case it turns out that it works as specified in previous releases.





[GitHub] [cloudstack] Spaceman1984 commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
Spaceman1984 commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-717789416


   Tested the original issue -
   
   I created a VPC with 3 tiers - Management, Service and NoACL - The third one had no ACL list specified.
   
   I was able to ping google.com from VMs running on all 3 tiers. (This is the bug.)
   
   Adding a deny rule on 0.0.0.0/0 blocked outgoing traffic.





[GitHub] [cloudstack] weizhouapache commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-948385864


   linked to https://github.com/apache/cloudstack-documentation/pull/246





[GitHub] [cloudstack] rvalle commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
rvalle commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-708352361


   I am also experiencing issues with ACL Egress rules which use multiple CIDRs, although I still could not assess if the issue is with the Ansible modules or ACS. See https://github.com/ngine-io/ansible-collection-cloudstack/issues/41





[GitHub] [cloudstack] andrijapanicsb commented on issue #4402: Egress Broken in VPC Tiers

Posted by GitBox <gi...@apache.org>.
andrijapanicsb commented on issue #4402:
URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-709922580


   rules can't take multiple CIDRs as parameter value - please see the UI/API - at least - afaik
   
   The original issue described here should be confirmed by someone else as well - it's a serious one IMO, I would even consider it a blocker issue myself if true.
   
   cc @Spaceman1984 @rhtyd 

