Posted to dev@cloudstack.apache.org by "Sanjeev N (JIRA)" <ji...@apache.org> on 2013/02/15 12:15:13 UTC
[jira] [Created] (CLOUDSTACK-1292) [F5-SRX-InlineMode] Update network from SRX, F5 as service providers to VR as service provider does not delete firewall rules from SRX
Sanjeev N created CLOUDSTACK-1292:
-------------------------------------
Summary: [F5-SRX-InlineMode] Update network from SRX, F5 as service providers to VR as service provider does not delete firewall rules from SRX
Key: CLOUDSTACK-1292
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1292
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.1.0
Environment: ASF 4.1 latest build
Reporter: Sanjeev N
Assignee: Sheng Yang
Priority: Critical
Fix For: 4.1.0
[F5-SRX-InlineMode] Update network from SRX, F5 as service providers to VR as service provider does not delete firewall rules from SRX
Reproduction method:
=================
1. Create a NO1 using SRX for PF, Static NAT, Source NAT (zone wide) and F5 for LB (inline mode), with the rest of the services provided by VR.
2. Add SRX device.
3. Add F5 device
4. Add a user account.
5. Deploy a few VMs using the above created NO.
6. Acquire IP addresses.
7. Create PF rule. Open firewall.
8. Create LB rule. Open firewall.
9. Create Static NAT. Open firewall.
Steps:
1. Create a NO2 using VR as service provider for all services.
2. Update NO1 to NO2.
Test Result:
=========
Firewall rules on SRX are not deleted after updating the network from network offering NO1 to NO2
Expected Result:
=============
Firewall rules in the untrust filter should be deleted from SRX
Observations:
==========
When the network was implemented with network offering NO1, firewall rules were created on SRX to allow traffic from the untrust zone.
IPs allocated in this network are:
mysql> select public_ip_address , network_id from user_ip_address where network_id=204;
+-------------------+------------+
| public_ip_address | network_id |
+-------------------+------------+
| 10.147.48.21      |        204 |
| 10.147.48.26      |        204 |
| 10.147.48.28      |        204 |
| 10.147.48.29      |        204 |
+-------------------+------------+
4 rows in set (0.21 sec)
Output from SRX after network update from NO1 to NO2 (all other configuration related to this network was erased from SRX except the below firewall rules after the network update):
root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-26-7
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.26/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-26-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-28-9
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.28/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-28-i;
    accept;
}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
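The terms the report shows left behind on the SRX all have the same shape: accept TCP 1-65535 from 0.0.0.0/0 to one public IP /32. A practitioner who hits this bug (or wants to confirm the fix) needs a way to find such orphaned terms after a network offering change and remove them. The script below is an added example for this page, not CloudStack code and not a Junos tool: it parses a `show firewall filter ... term ...` transcript of the kind pasted above, flags terms whose destination IP no longer belongs to a network that still uses SRX, and emits the Junos configure-mode `delete firewall filter <filter> term <term>` statements to remove them. The sample transcript is constructed (the 10-147-48-40-3 term for 10.147.48.40 is invented to represent an IP that must be kept), and the set of IPs still served by SRX is assumed to come from the same `user_ip_address` query the report uses, restricted to networks whose offering still has SRX as provider.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import Iterable, List, Optional

# Constructed sample shaped like the `show firewall filter untrust term <name>` output
# in the report. The first term mirrors the leftover one for 10.147.48.21; the second
# (10.147.48.40, term 10-147-48-40-3) is invented here to stand in for a public IP that
# still belongs to an SRX-backed network and must therefore be kept.
SAMPLE_SRX_OUTPUT = """\
root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-40-3
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.40/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-40-i;
    accept;
}
"""

TERM_HEADER = re.compile(r"^\S+# show firewall filter (\S+) term (\S+)\s*$", re.M)
ADDR_BLOCK = re.compile(r"(source|destination)-address\s*\{(.*?)\}", re.S)
PROTOCOL = re.compile(r"\bprotocol\s+(\S+);")
DEST_PORT = re.compile(r"destination-port\s+(\S+);")
THEN_BLOCK = re.compile(r"\bthen\s*\{(.*?)\}", re.S)

@dataclass
class FilterTerm:
    filter_name: str
    name: str
    sources: List[IPv4Network]
    destinations: List[IPv4Network]
    protocol: Optional[str]
    dest_port: Optional[str]
    actions: List[str]

def parse_terms(text: str) -> List[FilterTerm]:
    """Split a transcript of several `show firewall filter <f> term <t>` calls into terms."""
    heads = list(TERM_HEADER.finditer(text))
    terms: List[FilterTerm] = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]           # everything up to the next prompt line
        addrs = {"source": [], "destination": []}
        for kind, inner in ADDR_BLOCK.findall(body):
            addrs[kind] = [ip_network(tok.rstrip(";")) for tok in inner.split()]
        proto = PROTOCOL.search(body)
        port = DEST_PORT.search(body)
        then = THEN_BLOCK.search(body)
        actions = [s.strip() for s in then.group(1).split(";") if s.strip()] if then else []
        terms.append(FilterTerm(head.group(1), head.group(2), addrs["source"],
                                addrs["destination"], proto.group(1) if proto else None,
                                port.group(1) if port else None, actions))
    return terms

def is_wide_open(term: FilterTerm) -> bool:
    """Accept from any source to the whole port range: the shape of the leftover rules."""
    any_source = any(net.prefixlen == 0 for net in term.sources)
    all_ports = term.dest_port in (None, "1-65535", "0-65535")
    return any_source and all_ports and "accept" in term.actions

def stale_terms(terms: List[FilterTerm], ips_still_on_srx: Iterable[str]) -> List[FilterTerm]:
    """Terms whose destination IP no longer belongs to any network that still uses SRX."""
    keep = {ip_network(ip) for ip in ips_still_on_srx}   # bare IPs become /32 networks
    return [t for t in terms if not any(d in keep for d in t.destinations)]

def cleanup_commands(terms: List[FilterTerm]) -> List[str]:
    """Junos configure-mode statements removing the given terms (a commit must follow)."""
    return [f"delete firewall filter {t.filter_name} term {t.name}" for t in terms]

if __name__ == "__main__":
    # Network 204 moved to VR, so none of its IPs should keep SRX terms; only the
    # constructed 10.147.48.40 is still legitimately served by SRX in this example.
    for cmd in cleanup_commands(stale_terms(parse_terms(SAMPLE_SRX_OUTPUT), {"10.147.48.40"})):
        print(cmd)
```

Run against a real transcript, `stale_terms` should come back empty once the offering update has been fixed; any term it still returns is an accept rule the SRX is applying for an address CloudStack no longer manages there. The `is_wide_open` check is separate from staleness on purpose: a term can be stale without being wide open, and a wide-open term for an IP that is still on SRX is expected whenever the user opened the firewall for all ports.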