Posted to issues@cloudstack.apache.org by "IGOR VOLOSHANENKO (JIRA)" <ji...@apache.org> on 2017/12/21 11:50:00 UTC

[jira] [Resolved] (CLOUDSTACK-10200) ACL not applied for PrivateGateway inside ACL_INBOUND/OUTBOUND chains. Traffic blocked by next DROP rule

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-10200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

IGOR VOLOSHANENKO resolved CLOUDSTACK-10200.
--------------------------------------------
    Resolution: Fixed

> ACL not applied for PrivateGateway inside ACL_INBOUND/OUTBOUND chains. Traffic blocked by next DROP rule
> --------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10200
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10200
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.9.0, 4.10.0.0, 4.11.0.0
>         Environment: CloudStack with advanced network installation
>            Reporter: IGOR VOLOSHANENKO
>              Labels: pull-request-available
>             Fix For: Future, 4.11.0.0
>
>
> We found a bug in the ACL rules for the PrivateGateway of a VPC.
> At a glance - the rules are not applied - switching Allow All or Deny All (the default ACL) is shown as completed - but the rules are missing.
> Result - traffic via the PrivateGateway is blocked by the next DROP rule in the following chains.
> How to reproduce:
> 1. Enable PrivateGateway for CloudStack
> 2. Create a VPC
> 3. Provision a new PrivateGateway inside the VPC with some VLAN
> 4. Change the ACL (optional step, to show that the problem is not in the initial configuration but in the config itself)
> Expected:
> ACL rules applied (inserted) into the corresponding ACL_INBOUND/OUTBOUND chains for the PrivateGateway interface (ethX), based on the ACL the user chose.
> Current:
> No rules inserted. ACL_INBOUND/OUTBOUND_ethX are empty. Traffic is blocked by the next DROP rule in the FORWARD chain.
> Effect - all our corporate customers are blocked from accessing their own networks via the PG, and vice versa.
> Root cause:
> The issue happens because of the CsNetFilter.py logic for inserting rules into the ACL_INBOUND/OUTBOUND chains.
> We choose the rule number so as to insert right before the last DROP rule - but forgot that if the chain is empty we also return 0 as the insert position. That is not valid for iptables, since its numbering does not start from 0.
> So we need a very small patch to handle this special case - if the number of rules inside the chain equals zero, return 1; else return the count of rules inside the chain.
> It was found only here because by default for the PrivateGateway we don't insert any "service rules" (if SourceNat for the PrivateGateway is not ticked), so by default we have empty ACL_INBOUND/OUTBOUND chains. The same insert happens for all VPC networks, but when we call this insert there we already have at least 1 rule inside the chains, and it can be processed successfully.
> https://github.com/apache/cloudstack/pull/2367
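To make the off-by-one concrete, the following is an added Python model of the insert-position logic the report describes. It is not CloudStack's CsNetFilter.py and not from the linked pull request: chains are plain lists, iptables' 1-based `-I` semantics are simulated, the chain names, addresses, FORWARD policy and error text are constructed for the example, and the buggy/fixed position functions follow the report's description rather than the project's code.

```python
# Added model of the insert-position bug described in CLOUDSTACK-10200.
# Constructed example, not CloudStack's CsNetFilter.py: chains are lists,
# rules are dicts, and iptables semantics are simulated in Python.

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


def rule(target, src=None, jump=None):
    """Build a rule: src is a source-address prefix (None matches anything),
    target is ACCEPT/DROP/RETURN, or jump names a user chain to descend into."""
    return {"src": src, "target": target, "jump": jump}


def iptables_insert(chain, position, r):
    """Simulate `iptables -I <chain> <position> <rule>`. Real iptables numbers
    rules from 1 and accepts positions 1..len(chain)+1; position 0 is an error.
    (The error text below is constructed, not iptables' own message.)"""
    if not 1 <= position <= len(chain) + 1:
        raise ValueError(
            f"iptables: cannot insert at index {position} "
            f"(chain has {len(chain)} rules)")
    chain.insert(position - 1, r)


def buggy_insert_position(chain):
    """Pre-fix logic: insert just before the last rule (the trailing DROP).
    On an empty chain this yields 0, which iptables rejects."""
    return len(chain)


def fixed_insert_position(chain):
    """Post-fix logic as the report states it: empty chain -> 1, otherwise the
    rule count, i.e. still just before the trailing DROP."""
    return 1 if len(chain) == 0 else len(chain)


def apply_acl(chain, acl_rules, position_fn):
    """Insert each ACL rule at the computed position, preserving ACL order.
    Returns None on success or the simulated iptables error string."""
    for r in acl_rules:
        try:
            iptables_insert(chain, position_fn(chain), r)
        except ValueError as e:
            return str(e)
    return None


def evaluate(tables, chain_name, src):
    """Walk a chain the way netfilter does: the first matching terminal rule
    wins, a jump descends into the user chain, and RETURN (or running off the
    end of a user chain) resumes the caller."""
    for r in tables[chain_name]:
        if r["src"] is not None and not src.startswith(r["src"]):
            continue
        if r["jump"]:
            verdict = evaluate(tables, r["jump"], src)
            if verdict in (ACCEPT, DROP):
                return verdict
            continue
        return r["target"]
    return RETURN


def forward_verdict(tables, src):
    """Top-level decision for a forwarded packet; a RETURN from FORWARD falls
    through to the chain policy, assumed DROP in this model."""
    v = evaluate(tables, "FORWARD", src)
    return DROP if v == RETURN else v


def private_gateway_scenario(position_fn):
    """Private gateway on eth2 with SourceNat unticked: no service rules, so the
    ACL chain starts empty and FORWARD's next rule is a DROP. The customer ACL
    allows 10.20.0.0/16 (constructed). Returns (verdict, insert error)."""
    tables = {
        "FORWARD": [rule(None, jump="ACL_INBOUND_eth2"), rule(DROP)],
        "ACL_INBOUND_eth2": [],
    }
    err = apply_acl(tables["ACL_INBOUND_eth2"],
                    [rule(ACCEPT, src="10.20.")], position_fn)
    return forward_verdict(tables, "10.20.5.7"), err


def vpc_tier_scenario(position_fn):
    """A VPC tier chain already holds its trailing DROP when the ACL is applied,
    so len(chain) is 1 and both position functions agree. Returns the verdicts
    for an allowed source and for one the ACL does not mention."""
    tables = {
        "FORWARD": [rule(None, jump="ACL_INBOUND_eth3"), rule(DROP)],
        "ACL_INBOUND_eth3": [rule(DROP)],
    }
    apply_acl(tables["ACL_INBOUND_eth3"],
              [rule(ACCEPT, src="10.30.")], position_fn)
    return (forward_verdict(tables, "10.30.1.1"),
            forward_verdict(tables, "192.168.1.1"))


if __name__ == "__main__":
    print("private gateway, buggy:", private_gateway_scenario(buggy_insert_position))
    print("private gateway, fixed:", private_gateway_scenario(fixed_insert_position))
    print("vpc tier, buggy:", vpc_tier_scenario(buggy_insert_position))
    print("vpc tier, fixed:", vpc_tier_scenario(fixed_insert_position))
```

The private-gateway case is the one the report hit: with the empty chain the pre-fix position is 0, the insert fails, the ACL chain stays empty and the packet falls through to the DROP in FORWARD. The VPC tier case shows why the same code path never failed elsewhere: the chain already has its trailing DROP, so the computed position is 1 in both versions. On a real router the equivalent check is `iptables -L ACL_INBOUND_ethX -n --line-numbers`, where the line numbers visibly start at 1.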



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)