Posted to issues@cloudstack.apache.org by "Chandan Purushothama (JIRA)" <ji...@apache.org> on 2013/05/14 23:45:16 UTC

[jira] [Created] (CLOUDSTACK-2489) NTier: Incorrect Programming of Ingress Rules on the VPC VR

Chandan Purushothama created CLOUDSTACK-2489:
------------------------------------------------

             Summary: NTier: Incorrect Programming of Ingress Rules on the VPC VR
                 Key: CLOUDSTACK-2489
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2489
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Management Server
    Affects Versions: 4.2.0
            Reporter: Chandan Purushothama
            Priority: Blocker
             Fix For: 4.2.0


================
Steps to Reproduce:
================

1. Create a VPC.
2. Create a Network Tier
3. Create an ACL rule on the Network Tier
4. Deploy a VM in the Network Tier

===========
Observations:
===========

------------------------------------------------------------------------------------------------
During the creation of the ingress rule in the iptables of the VPC VR:
------------------------------------------------------------------------------------------------

root@r-3-NTIER:~# iptables-save
# Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
*mangle
:PREROUTING ACCEPT [8:512]
:INPUT ACCEPT [8:512]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:840]
:POSTROUTING ACCEPT [6:840]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Tue May 14 13:34:57 2013
# Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:4688]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 192.168.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 192.168.0.0/16 -i eth1
COMMIT
# Completed on Tue May 14 13:34:57 2013
# Generated by iptables-save v1.4.14 on Tue May 14 13:34:57 2013
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.136.132
-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j SNAT --to-source 192.168.10.1
COMMIT
# Completed on Tue May 14 13:34:57 2013

------------------------------------------------------------------------------------------------
After the creation of the ingress rule in the iptables of the VPC VR:
------------------------------------------------------------------------------------------------
**Observe the duplicate ACL_OUTBOUND_eth2 rules: the chain now holds two identical `-j DROP` entries.**
**Observe the ACL_INBOUND_eth2 rules: an unconditional `-j DROP` is placed ahead of the `ACCEPT` for 10.223.195.44/32 tcp dport 22:23 (and another `-j DROP` follows it). Since iptables stops at the first matching rule, the `ACCEPT` can never be reached, so the ingress traffic the ACL was meant to permit is still dropped.**

root@r-3-NTIER:~# iptables-save
# Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
*mangle
:PREROUTING ACCEPT [1395:225904]
:INPUT ACCEPT [1395:225904]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1351:251228]
:POSTROUTING ACCEPT [1351:251228]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -j DROP
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Tue May 14 13:35:21 2013
# Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1361:252356]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.10.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth2 -s 10.223.195.44/32 -p tcp -m tcp --dport 22:23 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 192.168.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 192.168.0.0/16 -i eth1
COMMIT
# Completed on Tue May 14 13:35:21 2013
# Generated by iptables-save v1.4.14 on Tue May 14 13:35:21 2013
*nat
:PREROUTING ACCEPT [80:4872]
:INPUT ACCEPT [80:4872]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.136.132
-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j SNAT --to-source 192.168.10.1
COMMIT
# Completed on Tue May 14 13:35:21 2013
root@r-3-NTIER:~#

