Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2019/12/03 09:19:04 UTC

[GitHub] [cloudstack] rakgenius opened a new pull request #3736: Add protocol number support for security group rules

rakgenius opened a new pull request #3736: Add protocol number support for security group rules
URL: https://github.com/apache/cloudstack/pull/3736
 
 
   ## Description
   
   Currently, while creating an ingress/egress rule for a security group,
   we can specify only TCP/UDP/ICMP. Sometimes we need to add rules
   for different protocol numbers or rules for all three of the
   above-mentioned protocols.
   
   In this new feature, users can specify the protocol number or select
   the "ALL" option, which will apply rules for TCP/UDP/ICMP in one shot.
   
   
   ## Types of changes
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [X] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ## Screenshots (if appropriate):
   
   Navigate to "Networks" and select "Security groups" from the drop-down menu on the top left.
   Select any security group name and click on either the "ingress" or "egress" tab.
   
   ![Screenshot 2019-12-03 at 09 44 05](https://user-images.githubusercontent.com/10645273/70035613-79804480-15b3-11ea-9a40-5afaf9ace557.png)
   
   ![Screenshot 2019-12-03 at 09 45 11](https://user-images.githubusercontent.com/10645273/70035632-83a24300-15b3-11ea-921c-23ae451d0131.png)
   
   ![Screenshot 2019-12-03 at 09 45 44](https://user-images.githubusercontent.com/10645273/70035639-87ce6080-15b3-11ea-8101-8998e8a20567.png)
   
   ## How Has This Been Tested?
   
   Adding a rule for a particular protocol number
   
   1. Create a VM and note down the name of the security group to which it belongs.
   2. Navigate to "Network" and select "Security groups" from the drop-down menu on the top left.
   3. Select the security group which is obtained from step 1.
   4. Click on either ingress or egress tab
   5. Try to create a new rule by selecting "Protocol number" from the drop-down list.
        For example: enter the protocol number as 47 and the CIDR as "99.99.99.99/32"
   
   ![Screenshot 2019-12-03 at 10 12 57](https://user-images.githubusercontent.com/10645273/70036799-c402c080-15b5-11ea-9560-8f8f4d2d5801.png)
   
   6. Now get the hostname on which the VM is running and ssh to it.
   7. Run the iptables-save command to ensure that there is a new rule for the protocol number you mentioned above.
       The output should be as shown below
   
   ```
   # iptables-save | grep 99.99.99
   -A i-2-118-VM -s 99.99.99.99/32 -p gre -j ACCEPT
   ```
   
   Adding a rule for all of TCP/UDP/ICMP at once
   
   1. Create a VM and note down the name of the security group to which it belongs.
   2. By default, there will be a drop action for the three protocols.
   3. Navigate to "Network" and select "Security groups" from the drop-down menu on the top left.
   4. Select the security group which is obtained from step 1.
   5. Click on either the ingress or egress tab.
   6. Try to create a new rule by selecting "ALL" from the drop-down list.
   
   ![Screenshot 2019-12-03 at 10 17 06](https://user-images.githubusercontent.com/10645273/70037019-1fcd4980-15b6-11ea-9f37-632975960b40.png)
   
   7. Now get the hostname on which the VM is running and ssh to it.
   8. Run the iptables-save command to ensure that the rule below has been applied.
   
   ```
   # iptables-save | grep i-2-118-VM
   -A i-2-118-VM -s 88.88.88.88/32 -m state --state NEW -j ACCEPT
   ```
   
   A new integration test has been added in `test/integration/component/test_protocol_number_security_group.py`
   
   The integration test can be run using:
   
   ```
   nosetests --with-marvin --marvin-config=<config file> test/integration/component/test_protocol_number_security_group.py
   ```
   
   
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
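
A check for the iptables-save verification steps in both test procedures above, written as an added example that is not part of the pull request or of CloudStack's code. It parses iptables-save output and reports which ACCEPT rules in a VM's chain admit a given source and IP protocol number, allowing for protocol 47 being printed as `gre` and marking rules that have no `-p` match, which admit every IP protocol. The function names and the TCP and DROP sample lines are assumptions made for illustration.

```python
import ipaddress
import shlex
import socket

# Constructed sample: the two rule lines quoted in the description plus two
# made-up neighbours (a TCP rule and a final DROP) for contrast.
SAMPLE_DUMP = """\
-A i-2-118-VM -s 99.99.99.99/32 -p gre -j ACCEPT
-A i-2-118-VM -s 88.88.88.88/32 -m state --state NEW -j ACCEPT
-A i-2-118-VM -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A i-2-118-VM -j DROP
"""

# Names iptables-save commonly prints in place of protocol numbers.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def proto_number(token):
    """Return the IP protocol number for a -p value; None means any protocol."""
    if token is None or token in ("all", "0"):
        return None
    if token.isdigit():
        return int(token)
    return PROTO_NAMES.get(token) or socket.getprotobyname(token)


def accepting_rules(dump, chain, source, proto):
    """List (rule, scope) for ACCEPT rules in `chain` covering source and proto.

    scope is "exact" when the rule names the protocol and "any" when it has no
    -p match, in which case it admits every IP protocol from that source.
    Negated matches ("! -s ...") are outside this example and are skipped.
    """
    wanted = ipaddress.ip_network(source, strict=False)
    hits = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or "!" in tok:
            continue
        opt = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-j") != "ACCEPT":
            continue
        rule_src = ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False)
        rule_proto = proto_number(opt.get("-p"))
        if wanted.subnet_of(rule_src) and rule_proto in (None, proto):
            hits.append((line, "any" if rule_proto is None else "exact"))
    return hits
```

On a hypervisor host the same function can be fed the real `iptables-save` output; a result with scope "any" for a source means that rule is not limited to TCP, UDP and ICMP.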