CloudStack / CLOUDSTACK-9495

Egress rules functionality broken when protocol=all specified


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.6.2, 4.7.1, 4.8.0, 4.9.0
    • Fix Version/s: 4.10.0.0, 4.9.1.0
    • Component/s: None
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels: None

    Description

      Egress rules handling in systemvm/patches/debian/config/opt/cloud/bin/configure.py, class CsAcl, add_rule() has the following logic for handling the protocol:

      # CsAcl.add_rule(): the source CIDR is only appended to the iptables rule
      # when a specific protocol is given; there is no else branch for "all"
      if rule['protocol'] != "all":
          fwr += " -s %s " % cidr + \
                 " -p %s " % rule['protocol'] + \
                 " -m %s " % rule['protocol'] + \
                 " --dport %s" % rnge

      There is no else block to handle the case when the protocol is 'all', so the CIDR never gets passed to the iptables command, resulting in an accept-all rule in the FW_EGRESS_RULES chain.

      To reproduce the issue, just give any CIDR in the guest subnet, e.g. 10.1.1.27/31, with protocol 'all' and look at the result in FW_EGRESS_RULES of the filter table: you will see an accept-all rule.
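      The following is an added example, not CloudStack's own code: a minimal re-implementation of the rule string construction from CsAcl.add_rule(), with the protocol=all defect beside a corrected form. The function names, the "-A FW_EGRESS_RULES" prefix, the "-j ACCEPT" action and the port range are assumptions made for illustration.

```python
# Added example, not from configure.py. Models how the egress rule string is
# assembled; chain prefix, action and defaults are assumed for illustration.

def build_egress_rule_buggy(rule, cidr="10.1.1.27/31", rnge="1:65535"):
    """Mirror of the reported logic: the source CIDR is only appended when a
    specific protocol is given, so protocol 'all' yields a rule with no -s."""
    fwr = "-A FW_EGRESS_RULES"
    if rule['protocol'] != "all":
        fwr += " -s %s " % cidr + \
               " -p %s " % rule['protocol'] + \
               " -m %s " % rule['protocol'] + \
               " --dport %s" % rnge
    fwr += " -j ACCEPT"
    return " ".join(fwr.split())   # normalise whitespace


def build_egress_rule_fixed(rule, cidr="10.1.1.27/31", rnge="1:65535"):
    """Corrected form: the source match is emitted unconditionally, while the
    protocol and port matches are added only for a specific protocol."""
    fwr = "-A FW_EGRESS_RULES -s %s" % cidr
    if rule['protocol'] != "all":
        fwr += " -p %s -m %s --dport %s" % (rule['protocol'],
                                             rule['protocol'], rnge)
    fwr += " -j ACCEPT"
    return " ".join(fwr.split())


def rule_is_accept_all(rule_str):
    """Check a rendered rule: an ACCEPT with no source match admits any
    traffic, which is the symptom described in the report."""
    return "-j ACCEPT" in rule_str and " -s " not in rule_str


if __name__ == "__main__":
    for proto in ("all", "tcp"):
        r = {'protocol': proto}
        print("buggy:", build_egress_rule_buggy(r),
              "| accept-all:", rule_is_accept_all(build_egress_rule_buggy(r)))
        print("fixed:", build_egress_rule_fixed(r),
              "| accept-all:", rule_is_accept_all(build_egress_rule_fixed(r)))
```

      Running it shows the buggy builder emitting "-A FW_EGRESS_RULES -j ACCEPT" for protocol 'all', while the corrected builder keeps the CIDR in the rule.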

      People

        Assignee: Murali Reddy (murali.reddy)
        Reporter: Murali Reddy (murali.reddy)
        Votes: 0
        Watchers: 5