IGOR VOLOSHANENKO created CLOUDSTACK-10200:
----------------------------------------------

             Summary: ACL not applied for PrivateGateway inside ACL_INBOUND/OUTBOUND chains. Traffic blocked by next DROP rule
                 Key: CLOUDSTACK-10200
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10200
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.10.0.0, 4.9.0, 4.11.0.0
         Environment: CloudStack with advanced network installation
            Reporter: IGOR VOLOSHANENKO
             Fix For: Future, 4.11.0.0


We found a bug in the ACL rules for PrivateGateway for VPC.

At a glance: the rules are not applied. Switching to Allow All or Deny All (default ACL) shows as completed, but the rules are missing.
Result: traffic via PrivateGateway is blocked by the next DROP rule in the following chains.

How to reproduce:
1. Enable PrivateGateway for CloudStack
2. Create a VPC
3. Provision a new PrivateGateway inside the VPC with some VLAN
4. Change the ACL (optional step, to show that the problem is not in the initial configuration but in the config itself)

Expected:
ACL rules applied (inserted) into the corresponding ACL_INBOUND/OUTBOUND chains for the PrivateGateway interface (ethX), based on the ACL the user chose.

Current:
No rules inserted. ACL_INBOUND/OUTBOUND_ethX are empty. Traffic is blocked by the next DROP rule in the FORWARD chain.

Affect: all our corporate customers are blocked from access to their own nets via PG, and vice versa.

Root cause:
The issue happens because of the CsNetFilter.py logic for inserting rules into the ACL_INBOUND/OUTBOUND chains.

We choose the rule number to insert right before the last DROP rule, but forgot about the fact that if the chain is empty we also return 0 as the insert position. This is not true for iptables - numeration started from 0.

So we need a very small patch to handle this special case: if the number of rules inside the chain equals zero, return 1; else return the count of rules inside the chain.

It was found only here because by default for PrivateGateway we don't insert any "service rules" (if SourceNat for PrivateGateway is not ticked), so by default we have empty ACL_INBOUND/OUTBOUND chains. The same insert happens for all VPC networks, but when we call this insert there we already have at least 1 rule inside the chains, and we can successfully process it.
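To illustrate the insert-position logic described above, here is an added example (not CloudStack's own CsNetfilter.py code) that parses a chain listing in the shape of `iptables -L <chain> --line-numbers -n`, computes the insert position with the empty-chain special case, and simulates what `iptables -I` would do with it. The chain listings are constructed samples; the chain names and rules are assumptions.

```python
import re

# Constructed listings in the shape of `iptables -L <chain> --line-numbers -n`
# (not captured from the reporter's environment).
EMPTY_CHAIN = """Chain ACL_INBOUND_eth3 (1 references)
num  target     prot opt source               destination
"""
POPULATED_CHAIN = """Chain ACL_INBOUND_eth2 (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0   state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  10.1.1.0/24          0.0.0.0/0   tcp dpt:22
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_targets(listing):
    """Return the rule targets of a chain listing, in rule order.
    Only numbered rule lines match; the 'Chain' and 'num' header lines do not."""
    matches = (re.match(r"^\d+\s+(\S+)", line) for line in listing.splitlines())
    return [m.group(1) for m in matches if m]


def insert_position(targets):
    """Position N for `iptables -I <chain> N` so the new rule lands right before
    the trailing DROP: the current rule count, or 1 when the chain is empty
    (returning 0 for an empty chain is the bug the issue describes)."""
    return len(targets) if targets else 1


def apply_insert(targets, position, new_target):
    """Simulate `iptables -I <chain> <position> -j <new_target>`.
    iptables numbers rules from 1, so 0 and anything past count+1 are rejected."""
    if position < 1 or position > len(targets) + 1:
        raise ValueError("invalid iptables insert position: %d" % position)
    return targets[:position - 1] + [new_target] + targets[position - 1:]


def add_acl_rule(listing, new_target="ACL_ALLOW"):
    """End-to-end: parse the chain, pick the position, return the resulting order."""
    targets = parse_targets(listing)
    return apply_insert(targets, insert_position(targets), new_target)
```

With the populated chain the ACL rule lands before the final DROP; with the empty chain the fixed position 1 succeeds where the old position 0 raises.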

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)