[jira] [Resolved] (CLOUDSTACK-10200) ACL not applied for PrivateGateway inside ACL_INBOUND/OUTBOUND chains. Traffic blocked by next DROP rule

Thu, 21 Dec 2017 03:50:22 -0800 

     [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

IGOR VOLOSHANENKO resolved CLOUDSTACK-10200.
--------------------------------------------
    Resolution: Fixed

> ACL not applied for PrivateGateway inside ACL_INBOUND/OUTBOUND chains. 
> Traffic blocked by next DROP rule
> --------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10200
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10200
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Virtual Router
>    Affects Versions: 4.9.0, 4.10.0.0, 4.11.0.0
>         Environment: CloudStack with advanced network installation
>            Reporter: IGOR VOLOSHANENKO
>              Labels: pull-request-available
>             Fix For: Future, 4.11.0.0
>
>
> We found bug in ACL rules for PrivateGateway for VPC
> At a glance - rules not applied - switching Allow All or Deny All (default 
> ACL) - showed as completed - but rules missed.
> Result - traffic via PrivateGateway blocked by next DROP rule in next chains
> How to reproduce:
> 1. Enable PrivateGateway for Cloudstack
> 2. Create VPC
> 3. Provision new PrivateGateway inside VPC with some VLAN
> 4. Change ACL (optional step to show that problem not in initial 
> configuration but in config itself)
> Expected:
> ACL rules applied (inserted) into correspondig ACL_INBOUND/OUTBOUND chanins 
> for PrivateGateway interface (ethX) based on ACL which user choose 
> Current:
> No rules inserted. ACL_INBOUND/OUTBOUND_ethX - empty. Traffic blocked by next 
> DROP rule in FORWARD chain
> Affect - all our corporate customers blocked with access to their own nets 
> via PG and vice-versa.
> Root cause:
> Issue happened because of CsNetFilter.py logic for inserting rules for 
> ACL_INBOUND/OUTBOUND chains.
> We choose rule numebr to isnert right before last DROP rule - but forget 
> about fact - that if chain empty - we also return 0 as insert position. Which 
> not true for iptables - numeration started from 0.
> So we need very small patch to handle this special case - if number of rules 
> inside chain equal to zero - return 1, else - return count of rules inside 
> chain.
> It's found only one - just because be default for PrivateGateway - we didn't 
> insert any "service rules" (if SourceNat for PrivateGteway not ticked) - and 
> we have by default empty ACL_INBOUND/OUTBOUND chains. Because same insert 
> happened for all VPC networks (but when we call this insert - we already have 
> at least 1 rule inside chains - and we successfully can process)
> https://github.com/apache/cloudstack/pull/2367



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to