Posted to issues@cloudstack.apache.org by "Chandan Purushothama (JIRA)" <ji...@apache.org> on 2013/07/12 01:17:48 UTC

[jira] [Closed] (CLOUDSTACK-3129) NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chandan Purushothama closed CLOUDSTACK-3129.
--------------------------------------------


Closing the bug based on Kishan's comment
                
> NTier: All Outgoing Traffic between Tiers and various gateways/tiers is currently allowed by default contrary to behavior mentioned in the Design Document
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3129
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3129
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>            Priority: Critical
>             Fix For: 4.2.0
>
>
> ======================
> On The VPC Virtual Router:
> ======================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> ========================
> Network Information of eth3 NIC:
> ========================
> mysql> select * from networks where id=208 \G
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 1 row in set (0.00 sec)
> mysql>
> ==============================================================
> As per the FS at https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html:
> ==============================================================
> ACL Deny Rules
> Currently only ACL allow rules are supported as part of Network ACLs. Default is to block all incoming and all outgoing traffic between tiers and between tiers and various gateways (including Public). ACL deny rules will be supported through this feature. New fields "number" and "action" will be added to rules to resolve conflicting rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
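The report above shows the condition directly in the quoted `iptables-save` output: the `ACL_OUTBOUND_*` chains end in an unconditional `-j ACCEPT`, while the functional spec says the default between tiers and gateways must be deny. The following script is an added example (not CloudStack code and not part of the JIRA issue) that parses that output, reports every `ACL_`-prefixed chain whose catch-all verdict is `ACCEPT`, and emits the ruleset with those catch-alls rewritten to `DROP`. The sample ruleset embedded in it is the text quoted in the report; the `ACL_` chain-name prefix and the "last rule with no match criteria is the default" heuristic are assumptions of this example.

```python
"""Audit iptables-save output for CloudStack-style ACL chains whose
catch-all (default) verdict is ACCEPT instead of DROP.

Added example: not from the CloudStack project or the JIRA issue.
It assumes ACL chains are named with an "ACL_" prefix and that the
chain's default verdict is the last rule carrying no match criteria."""
import re
from typing import Dict, List, Optional

# Constructed sample: the ACL-related lines quoted in the bug report.
SAMPLE_IPTABLES_SAVE = """\
:ACL_OUTBOUND_eth2 - [0:0]
:ACL_OUTBOUND_eth3 - [0:0]
-A PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.1/32 -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
-A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth3 -j ACCEPT
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -d 192.168.10.0/24 -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""

CHAIN_DECL = re.compile(r"^:(\S+) ")
# "-A <chain> <match criteria> -j <target>"; criteria may be empty.
APPEND_RULE = re.compile(r"^-A (\S+)(.*?)(?: -j (\S+))?$")


def parse_acl_chains(text: str, prefix: str = "ACL_") -> Dict[str, List[dict]]:
    """Return {chain: [rule, ...]} for user chains whose name starts with
    `prefix`. Each rule is {"matches": str, "target": Optional[str]}."""
    chains: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_DECL.match(line)
        if m:
            if m.group(1).startswith(prefix):
                chains.setdefault(m.group(1), [])
            continue
        m = APPEND_RULE.match(line)
        if m and m.group(1).startswith(prefix):
            chains.setdefault(m.group(1), []).append(
                {"matches": m.group(2).strip(), "target": m.group(3)})
    return chains


def default_verdict(rules: List[dict]) -> Optional[str]:
    """Verdict applied to traffic matching no specific rule: the target of
    the last rule with no match criteria, or None if the chain falls
    through to the calling builtin chain's policy."""
    for rule in reversed(rules):
        if rule["matches"] == "" and rule["target"]:
            return rule["target"]
    return None


def find_default_allow(text: str, prefix: str = "ACL_") -> List[str]:
    """Names of ACL chains whose catch-all verdict is ACCEPT."""
    return sorted(name for name, rules in parse_acl_chains(text, prefix).items()
                  if default_verdict(rules) == "ACCEPT")


def propose_default_deny(text: str, prefix: str = "ACL_") -> str:
    """Return the ruleset with every default-allow catch-all rewritten to
    DROP, i.e. the deny-by-default behaviour the FS describes."""
    offending = set(find_default_allow(text, prefix))
    out = []
    for line in text.splitlines():
        m = APPEND_RULE.match(line.strip())
        if (m and m.group(1) in offending
                and m.group(2).strip() == "" and m.group(3) == "ACCEPT"):
            line = f"-A {m.group(1)} -j DROP"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # On a router, feed it the live ruleset: iptables-save | python3 audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    for chain in find_default_allow(data):
        print(f"default-allow ACL chain: {chain}")
```

Run against the quoted ruleset it flags `ACL_OUTBOUND_eth2` and `ACL_OUTBOUND_eth3` and leaves the `ACL_INBOUND_*` chains (which already end in `DROP`) alone. The check is deliberately narrow: it only looks at the final catch-all rule of each chain, so a chain with an earlier unconditional `ACCEPT` followed by a `DROP` would still need a human to notice the dead rule.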