CloudStack / CLOUDSTACK-5263

Virtual router stop/start modifies firewall rules allowing additional access

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.2.1, 4.3.0
    • Component/s: Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)

      Description

      Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24. It would be correctly processed by the VRouter and stored in the database. If the VRouter instance were stopped and started, the source CIDR (172.16.40.0/24) would become null and consequently be set to 0.0.0.0/0, allowing free access to this port from the internet once the router finished restarting. Changing a rule on the firewall would send the correct information again, including the sourceCidr, until the next stop/start.

      This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.

      Considering that a stop/start of the router VMs is part of our standard upgrade procedure, this is a serious issue.
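      The failure mode the report describes (a stored source CIDR coming back null on replay and being defaulted to 0.0.0.0/0), modelled in Python as an added example, together with the post-restart check an operator would want before treating an upgrade as done. This is illustration code, not CloudStack's own rule-programming logic; the FirewallRule shape, the iptables-style line format, the buggy and hardened replay functions, and the sample rules are all assumptions made for the example.

```python
"""Model of the CLOUDSTACK-5263 failure mode plus a post-restart check.

Illustration only (not CloudStack code). The rule shape, the iptables-style
line format and the sample rules below are assumptions for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_V4 = "0.0.0.0/0"


@dataclass(frozen=True)
class FirewallRule:
    """A stored ingress rule. source_cidr=None models the null the reporter
    observed after the router was stopped and started."""
    protocol: str
    port: int
    source_cidr: Optional[str]


def replay_rule_buggy(rule: FirewallRule) -> str:
    """Reproduces the bug: a missing source silently becomes 'any'."""
    cidr = rule.source_cidr or ANY_V4
    return f"-A INPUT -s {cidr} -p {rule.protocol} --dport {rule.port} -j ACCEPT"


def replay_rule_fail_closed(rule: FirewallRule) -> str:
    """Hardened replay: refuse to program a rule whose source is unknown
    instead of widening it to the whole internet."""
    if not rule.source_cidr:
        raise ValueError(
            f"rule {rule.protocol}/{rule.port} has no source CIDR; "
            f"refusing to default to {ANY_V4}"
        )
    ipaddress.ip_network(rule.source_cidr, strict=True)  # reject malformed input
    return f"-A INPUT -s {rule.source_cidr} -p {rule.protocol} --dport {rule.port} -j ACCEPT"


_RULE_RE = re.compile(r"-s (\S+) -p (\S+) --dport (\d+)")


def parse_rule_line(line: str) -> Tuple[str, int, str]:
    """Extract (protocol, port, source_cidr) from an applied rule line."""
    m = _RULE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    return m.group(2), int(m.group(3)), m.group(1)


def widened_rules(stored: List[FirewallRule], applied_lines: List[str]) -> List[str]:
    """Return one finding per (protocol, port) whose applied source is a strict
    supernet of the stored source, or which has no stored counterpart at all.
    Run this against the live rule set after every VR stop/start."""
    expected = {
        (r.protocol, r.port): ipaddress.ip_network(r.source_cidr) for r in stored
    }
    findings = []
    for line in applied_lines:
        proto, port, cidr = parse_rule_line(line)
        applied_net = ipaddress.ip_network(cidr)
        want = expected.get((proto, port))
        if want is None:
            findings.append(f"{proto}/{port}: applied rule not in stored set (source {cidr})")
        elif applied_net != want and want.subnet_of(applied_net):
            findings.append(f"{proto}/{port}: source widened from {want} to {applied_net}")
    return findings


# Constructed sample data: what the user stored, and what the replay saw
# after the restart (source CIDR lost, as in the report).
STORED_RULES = [
    FirewallRule("tcp", 22, "172.16.40.0/24"),
    FirewallRule("tcp", 443, "10.0.0.0/8"),
]
AFTER_RESTART = [FirewallRule(r.protocol, r.port, None) for r in STORED_RULES]


if __name__ == "__main__":
    applied = [replay_rule_buggy(r) for r in AFTER_RESTART]
    for finding in widened_rules(STORED_RULES, applied):
        print("WIDENED:", finding)
    try:
        replay_rule_fail_closed(AFTER_RESTART[0])
    except ValueError as exc:
        print("fail-closed replay refused:", exc)
```

      The check compares the source the management server believes is stored with the source actually programmed, and flags only strict widening; a rule that came back unchanged or narrower is not reported. The hardened replay fails closed on a null source, which is the behaviour you want during an upgrade window: a rule that is not programmed is a visible outage, whereas a rule silently opened to 0.0.0.0/0 is not.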


    People

    • Assignee: Jayapal Reddy (jayapal)
    • Reporter: John Kinsella (jlkinsel)