CloudStack
CLOUDSTACK-5263

Virtual router stop/start modifies firewall rules allowing additional access

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.2.1, 4.3.0
    • Component/s: Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels:

      Description

      Say a user created a firewall rule to allow all access to port 22 from 172.16.40.0/24. It would be correctly processed by the VRouter and stored in the database. If the VRouter instance were stopped and started, the source CIDR (172.16.40.0/24) would become null and consequently be set to 0.0.0.0/0, allowing free access to this port from the internet once the router finished restarting. Changing a rule on the firewall would send the correct information again, including the source CIDRs, until the next stop/start.

      This behavior was observed in version 4.1.1 and confirmed to still exist in the current master build.

      Considering that a stop/start of the router VMs is part of our standard upgrade procedure, this is a serious issue.
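      The failure mode described above, as an added illustration that is not CloudStack's own code: a lenient rule renderer that silently widens a rule whose source CIDR was lost, a strict one that fails closed, and a reconciliation check an operator can run after a router stop/start to flag rules whose applied source range is wider than what the database holds. All function names and the sample rule records are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional

def render_rule_lenient(proto: str, port: int, source_cidr: Optional[str]) -> str:
    """Models the faulty behaviour from the report: a missing source CIDR
    silently becomes the whole internet."""
    cidr = source_cidr or "0.0.0.0/0"
    return f"-A FIREWALL -s {cidr} -p {proto} --dport {port} -j ACCEPT"

def render_rule_strict(proto: str, port: int, source_cidr: Optional[str]) -> str:
    """Fail closed: a rule whose source CIDR was lost is an error, never a
    wildcard. The caller must re-read the rule from the database instead."""
    if not source_cidr:
        raise ValueError(f"source CIDR missing for {proto}/{port}; refusing to widen")
    # ipaddress rejects malformed CIDRs rather than passing them on to iptables.
    net = ipaddress.ip_network(source_cidr, strict=False)
    return f"-A FIREWALL -s {net} -p {proto} --dport {port} -j ACCEPT"

def find_widened_rules(expected: List[Dict], applied: List[Dict]) -> List[Dict]:
    """Compare the rules stored in the database (expected) with the rules the
    router actually applied after a restart; return every expected rule whose
    applied source range is a strict superset of the stored one."""
    widened = []
    applied_by_key = {(r["proto"], r["port"]): r for r in applied}
    for rule in expected:
        a = applied_by_key.get((rule["proto"], rule["port"]))
        if a is None:
            continue  # rule missing entirely is a different (fail-closed) problem
        want = ipaddress.ip_network(rule["source_cidr"], strict=False)
        # A null applied CIDR is what the router turned into 0.0.0.0/0.
        got = ipaddress.ip_network(a["source_cidr"] or "0.0.0.0/0", strict=False)
        if got != want and want.subnet_of(got):
            widened.append({**rule, "applied_cidr": str(got)})
    return widened

# Constructed sample: what the database holds vs what the restarted router applied.
EXPECTED_RULES = [
    {"proto": "tcp", "port": 22, "source_cidr": "172.16.40.0/24"},
    {"proto": "tcp", "port": 443, "source_cidr": "0.0.0.0/0"},
]
APPLIED_AFTER_RESTART = [
    {"proto": "tcp", "port": 22, "source_cidr": None},  # CIDR lost on stop/start
    {"proto": "tcp", "port": 443, "source_cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for r in find_widened_rules(EXPECTED_RULES, APPLIED_AFTER_RESTART):
        print(f"WIDENED: {r['proto']}/{r['port']} {r['source_cidr']} -> {r['applied_cidr']}")
```

The port 443 rule is intentionally 0.0.0.0/0 in the database, so the check only reports port 22, whose stored /24 was widened.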


          People

          • Assignee: Jayapal Reddy
          • Reporter: John Kinsella
          • Votes: 0
          • Watchers: 2
