Posted to issues@cloudstack.apache.org by "Murali Reddy (JIRA)" <ji...@apache.org> on 2016/09/09 09:20:20 UTC
[jira] [Created] (CLOUDSTACK-9495) Egress rules functionality broken when protocol=all specified from 4.6
Murali Reddy created CLOUDSTACK-9495:
----------------------------------------
Summary: Egress rules functionality broken when protocol=all specified from 4.6
Key: CLOUDSTACK-9495
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9495
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.9.0, 4.8.0, 4.7.1, 4.6.2
Reporter: Murali Reddy
Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class CsAcl, add_rule() has the following logic for handling protocol:

    if rule['protocol'] != "all":
        fwr += " -s %s " % cidr + \
               " -p %s " % rule['protocol'] + \
               " -m %s " % rule['protocol'] + \
               " --dport %s" % rnge

There is no else block to handle the case when protocol is 'all', so in that case the CIDR never gets passed to the iptables command, resulting in an accept-all rule in the FW_EGRESS_RULES chain.
To reproduce the issue, give any CIDR in the guest subnet, e.g. 10.1.1.27/31, with protocol all, and look at FW_EGRESS_RULES in the filter table: you will see an accept-all rule.
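The following is an added example, not CloudStack's configure.py: a minimal model of the add_rule() protocol branch quoted above, beside a corrected version that always emits the source CIDR, with a check that shows the 'all' rule loses its scope. The function names, the FW_EGRESS_CHAIN constant, the rule dict keys and the sample rules are assumptions made for the example; nothing here runs iptables.

```python
# Added example (not CloudStack's own code). Models the protocol branch from
# CsAcl.add_rule() as reported, next to a corrected form. Names are assumed.

FW_EGRESS_CHAIN = "FW_EGRESS_RULES"


def build_egress_rule_buggy(rule):
    """Mirrors the logic quoted in the report: the CIDR is only appended inside
    the protocol != 'all' branch, so an 'all' rule becomes an unconditional ACCEPT."""
    cidr = rule["cidr"]
    rnge = rule["range"]
    fwr = "-A %s" % FW_EGRESS_CHAIN
    if rule["protocol"] != "all":
        fwr += " -s %s " % cidr + \
               " -p %s " % rule["protocol"] + \
               " -m %s " % rule["protocol"] + \
               " --dport %s" % rnge
    # no else branch: nothing scopes the rule when protocol is 'all'
    fwr += " -j ACCEPT"
    return " ".join(fwr.split())  # normalise spacing for readability


def build_egress_rule_fixed(rule):
    """Assumed corrected form: the source CIDR is always emitted; protocol and
    port matching are added only when a specific protocol is given."""
    fwr = "-A %s -s %s" % (FW_EGRESS_CHAIN, rule["cidr"])
    if rule["protocol"] != "all":
        fwr += " -p %s -m %s --dport %s" % (
            rule["protocol"], rule["protocol"], rule["range"])
    fwr += " -j ACCEPT"
    return fwr


def rule_is_scoped(rule_text, cidr):
    """Defender's check: does the emitted rule actually carry the source CIDR?"""
    return ("-s %s" % cidr) in rule_text


# Constructed samples matching the reproduction step in the report.
SAMPLE_ALL = {"cidr": "10.1.1.27/31", "protocol": "all", "range": ""}
SAMPLE_TCP = {"cidr": "10.1.1.27/31", "protocol": "tcp", "range": "80"}

if __name__ == "__main__":
    for r in (SAMPLE_ALL, SAMPLE_TCP):
        print("buggy:", build_egress_rule_buggy(r))
        print("fixed:", build_egress_rule_fixed(r))
```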
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)