Posted to issues@cloudstack.apache.org by "Francois Scheurer (JIRA)" <ji...@apache.org> on 2017/08/09 15:17:00 UTC

[jira] [Created] (CLOUDSTACK-10043) Egress Rule in VPC ACL broken

Francois Scheurer created CLOUDSTACK-10043:
----------------------------------------------

             Summary:  Egress Rule in VPC ACL broken
                 Key: CLOUDSTACK-10043
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10043
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router, VPC
    Affects Versions: 4.9.2.0
         Environment: CS 4.9.2 with XenServer 6.5SP1
            Reporter: Francois Scheurer
            Priority: Blocker


The Network Offering of the VPC Tier has a Default Egress Policy = Deny.

Some Allow Rules exist in the ACL, but _ALL_ egress connections are possible.

Creating an explicit Deny All rule at the end of the rules is actually blocking ALL traffic (it should not, because of the Allow rules).

The iptables rules in the VR are wrong:
1) the allow rules are in the wrong order.
2) some rules are in the mangle table instead of filter.


Thank you for your help

Francois Scheurer



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)