Posted to dev@cloudstack.apache.org by "Sanjeev N (JIRA)" <ji...@apache.org> on 2013/02/15 12:15:13 UTC

[jira] [Created] (CLOUDSTACK-1292) [F5-SRX-InlineMode] Update network from SRX,F5 as service providers to VR as service provider does not delete firewall rules from SRX

Sanjeev N created CLOUDSTACK-1292:
-------------------------------------

             Summary: [F5-SRX-InlineMode] Update network from SRX,F5 as service providers to VR as service provider does not delete firewall rules from SRX
                 Key: CLOUDSTACK-1292
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1292
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Controller
    Affects Versions: 4.1.0
         Environment: ASF 4.1 latest build
            Reporter: Sanjeev N
            Assignee: Sheng Yang
            Priority: Critical
             Fix For: 4.1.0


[F5-SRX-InlineMode] Update network from SRX,F5 as service providers to VR as service provider does not delete firewall rules from SRX

Reproduction method:
====================
1. Create a network offering NO1 using SRX for PF, Static NAT and Source NAT (zone wide) and F5 for LB (inline mode); the rest of the services are provided by the VR.
2. Add the SRX device.
3. Add the F5 device.
4. Add a user account.
5. Deploy a few VMs using the network offering created above.
6. Acquire IP addresses.
7. Create a PF rule. Open the firewall.
8. Create an LB rule. Open the firewall.
9. Create a Static NAT rule. Open the firewall.
Steps:
1. Create a network offering NO2 using the VR as service provider for all services.
2. Update the network from NO1 to NO2.

Test Result:
============
Firewall rules on the SRX are not deleted after the network is updated from network offering NO1 to NO2.

Expected Result:
================
Firewall rules in the untrust filter should be deleted from the SRX.

Observations:
=============
When the network was implemented with network offering NO1, firewall rules were created on the SRX to allow traffic from the untrust zone.

IPs allocated in this network are:

mysql> select public_ip_address , network_id from user_ip_address where network_id=204;
+-------------------+------------+
| public_ip_address | network_id |
+-------------------+------------+
| 10.147.48.21      |        204 |
| 10.147.48.26      |        204 |
| 10.147.48.28      |        204 |
| 10.147.48.29      |        204 |
+-------------------+------------+
4 rows in set (0.21 sec)

Output from the SRX after the network update from NO1 to NO2 (all other configuration related to this network was erased from the SRX; only the firewall rules below remained after the network update):

root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}

[edit]
root# show firewall filter untrust term 10-147-48-26-7
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.26/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-26-i;
    accept;
}

[edit]
root# show firewall filter untrust term 10-147-48-28-9
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.28/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-28-i;
    accept;
}
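A defender-side check for the leftover state described above, added here as an example and not part of CloudStack or of the report: it parses the per-term "show firewall filter" output in the format shown in the report and compares each term's destination address against the network's public IPs from the user_ip_address query. After the update to NO2 (VR provides all services) no term should still reference any of those IPs, so every remaining term is reported as stale. The embedded sample is the first two terms copied from the report; the function names, the FilterTerm record and the expected_ips parameter are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample output copied from the bug report (first two leftover terms).
SRX_OUTPUT = """\
root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}

[edit]
root# show firewall filter untrust term 10-147-48-26-7
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.26/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-26-i;
    accept;
}
"""

TERM_HEADER = re.compile(r"^root# show firewall filter (\S+) term (\S+)\s*$", re.M)
PREFIX = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")


@dataclass
class FilterTerm:  # hypothetical record type for one parsed term
    filter_name: str
    name: str
    destinations: List[str]  # destination-address prefixes
    protocol: Optional[str]
    dest_port: Optional[str]
    action: Optional[str]    # accept / discard / reject


def parse_terms(text: str) -> List[FilterTerm]:
    """Split the CLI output at each 'show ... term' header and parse one term per block."""
    headers = list(TERM_HEADER.finditer(text))
    terms = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[hdr.end():end]
        dest = re.search(r"destination-address\s*\{([^}]*)\}", body)
        proto = re.search(r"\bprotocol\s+(\S+);", body)
        port = re.search(r"destination-port\s+(\S+);", body)
        then = re.search(r"then\s*\{([^}]*)\}", body)
        found = re.search(r"\b(accept|discard|reject);", then.group(1)) if then else None
        terms.append(FilterTerm(
            filter_name=hdr.group(1),
            name=hdr.group(2),
            destinations=PREFIX.findall(dest.group(1)) if dest else [],
            protocol=proto.group(1) if proto else None,
            dest_port=port.group(1) if port else None,
            action=found.group(1) if found else None,
        ))
    return terms


def stale_terms(terms: List[FilterTerm], network_ips: Set[str],
                expected_ips: Set[str]) -> List[FilterTerm]:
    """Terms whose destination is one of the network's public IPs that should
    no longer have a rule (i.e. the IP is not in expected_ips)."""
    def ip_of(prefix: str) -> str:
        return prefix.split("/")[0]
    return [t for t in terms
            if any(ip_of(p) in network_ips and ip_of(p) not in expected_ips
                   for p in t.destinations)]


# Public IPs of network 204, taken from the user_ip_address query in the report.
NETWORK_IPS = {"10.147.48.21", "10.147.48.26", "10.147.48.28", "10.147.48.29"}

if __name__ == "__main__":
    # After the update to NO2 the VR owns all services, so expected_ips is empty.
    for t in stale_terms(parse_terms(SRX_OUTPUT), NETWORK_IPS, set()):
        print(f"stale: {t.filter_name} term {t.name} -> {t.destinations} "
              f"{t.protocol}/{t.dest_port} {t.action}")
```

Run against the SRX after the offering update with an empty expected set; any line printed is a rule the update should have removed. Before the update, passing the same set as both network_ips and expected_ips gives the baseline (no stale terms), and a partial set shows which IPs were cleaned up and which were not.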


