private gateway ACLs are not applied correctly #9838

Open
weizhouapache opened this issue Oct 22, 2024 · 1 comment · May be fixed by #10268

Comments

@weizhouapache (Member)

Steps to reproduce the issue

  • add a vpc
  • add a vpc tier and deploy a vm
  • add a private gateway with ACL default_deny

Expected:

  • vm to private gw is blocked
  • private gw to vm is blocked

Actual:

  • vm to private gw is allowed
  • private gw to vm is blocked

ISSUE TYPE
  • Bug Report
COMPONENT NAME
VPC VR
CLOUDSTACK VERSION
4.19
@weizhouapache weizhouapache added this to the 4.19.2.0 milestone Oct 22, 2024
@weizhouapache weizhouapache self-assigned this Jan 20, 2025
@weizhouapache weizhouapache moved this from Todo to Dev In Progress in Apache CloudStack BugFest - Issues Jan 22, 2025
@vishesh92 vishesh92 linked a pull request Jan 24, 2025 that will close this issue
@vishesh92 vishesh92 moved this from Dev In Progress to ready for Review in Apache CloudStack BugFest - Issues Jan 24, 2025
@vishesh92 vishesh92 moved this from ready for Review to Dev In Progress in Apache CloudStack BugFest - Issues Jan 24, 2025
@vishesh92 vishesh92 removed a link to a pull request Jan 24, 2025
@weizhouapache (Member, Author)

It looks like the issue is because of the order of the rules.

root@r-10-VM:~#iptables-save |grep FORWARD
:FORWARD ACCEPT [97:8028]
-A FORWARD -j VPN_STATS_eth1
-A FORWARD -j VPN_STATS_eth2
:FORWARD DROP [95:7876]
-A FORWARD -j NETWORK_STATS_eth2
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.18.0.0/20 ! -d 172.18.0.0/20 -j ACCEPT
-A FORWARD -d 10.200.0.0/24 -o eth2 -j ACL_INBOUND_eth2
-A FORWARD -d 172.18.1.0/24 -o eth3 -j ACL_INBOUND_eth3

because of

-A FORWARD -s 172.18.0.0/20 ! -d 172.18.0.0/20 -j ACCEPT

the packet from the VM to the private gateway is accepted, so the next rule becomes useless:

-A FORWARD -d 10.200.0.0/24 -o eth2 -j ACL_INBOUND_eth2
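The rule-order problem described in the comment above, modelled as an added example (this is not code from the issue, the linked PR, or CloudStack itself). It is a small first-match evaluator for the subset of iptables syntax that appears in the pasted `iptables-save` output (`-s`, `! -d`, `-d`, `-o`, `-m state --state`, `-j`, user-chain jumps). The addresses 172.18.1.10 and 10.200.0.5, the `ACL_INBOUND_*` chain bodies (a single `DROP`, the assumed shape of a `default_deny` ACL), the `VM_TO_INTERNET` packet and the reordered chain are all constructed assumptions; the reordering is only one candidate fix for illustration and is not necessarily what PR #10268 does.

```python
import ipaddress

# Constructed subset of the filter-table FORWARD chain from the issue.
# VPC CIDR 172.18.0.0/20, tier 172.18.1.0/24 on eth3, private gateway
# network 10.200.0.0/24 on eth2 (all taken from the iptables-save output).
ORIGINAL_FORWARD = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 172.18.0.0/20 ! -d 172.18.0.0/20 -j ACCEPT",
    "-A FORWARD -d 10.200.0.0/24 -o eth2 -j ACL_INBOUND_eth2",
    "-A FORWARD -d 172.18.1.0/24 -o eth3 -j ACL_INBOUND_eth3",
]

# Hypothetical candidate fix: evaluate the ACL jumps before the blanket
# "VPC source to non-VPC destination" accept. Assumption, not the PR's change.
REORDERED_FORWARD = [ORIGINAL_FORWARD[0], ORIGINAL_FORWARD[2],
                     ORIGINAL_FORWARD[3], ORIGINAL_FORWARD[1]]

# Assumed contents of a default_deny ACL chain: no allow rules, final DROP.
DEFAULT_DENY_CHAINS = {
    "ACL_INBOUND_eth2": ["-A ACL_INBOUND_eth2 -j DROP"],
    "ACL_INBOUND_eth3": ["-A ACL_INBOUND_eth3 -j DROP"],
}

# Constructed packets (addresses are assumptions inside the issue's subnets).
VM_TO_PGW = {"src": "172.18.1.10", "dst": "10.200.0.5", "oif": "eth2", "state": "NEW"}
PGW_TO_VM = {"src": "10.200.0.5", "dst": "172.18.1.10", "oif": "eth3", "state": "NEW"}
VM_TO_INTERNET = {"src": "172.18.1.10", "dst": "198.51.100.7", "oif": "eth1", "state": "NEW"}


def parse_rule(line):
    """Parse one iptables-save rule line into a match/target dict."""
    tokens = line.split()
    rule = {"chain": None, "src": None, "dst": None, "oif": None, "state": None, "target": None}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # negation applies to the next match
            negate = True
            i += 1
            continue
        if tok == "-A":
            rule["chain"] = tokens[i + 1]
        elif tok in ("-s", "-d"):
            rule["src" if tok == "-s" else "dst"] = (ipaddress.ip_network(tokens[i + 1]), negate)
            negate = False
        elif tok == "-o":
            rule["oif"] = (tokens[i + 1], negate)
            negate = False
        elif tok == "-m":
            pass                            # match module name; its options follow
        elif tok == "--state":
            rule["state"] = set(tokens[i + 1].split(","))
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 2
    return rule


def rule_matches(rule, pkt):
    """Return True if every match in the rule holds for the packet."""
    for key in ("src", "dst"):
        if rule[key] is not None:
            net, neg = rule[key]
            if (ipaddress.ip_address(pkt[key]) in net) == neg:
                return False
    if rule["oif"] is not None:
        iface, neg = rule["oif"]
        if (pkt["oif"] == iface) == neg:
            return False
    if rule["state"] is not None and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def evaluate(chain, chains, pkt, policy="DROP", trace=None):
    """First-match walk of a chain, following jumps into user chains.
    Returns (verdict, trace); a user chain with no verdict returns None
    so the caller continues, exactly as RETURN/fall-through does in netfilter."""
    trace = [] if trace is None else trace
    for line in chains.get(chain, []):
        rule = parse_rule(line)
        if not rule_matches(rule, pkt):
            continue
        trace.append(line)
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, trace
        if target == "RETURN":
            return None, trace
        verdict, trace = evaluate(target, chains, pkt, policy=None, trace=trace)
        if verdict is not None:
            return verdict, trace
    return policy, trace                    # FORWARD policy is DROP per the issue


def verdict(forward_rules, pkt):
    chains = {"FORWARD": forward_rules, **DEFAULT_DENY_CHAINS}
    return evaluate("FORWARD", chains, pkt)[0]


def acl_consulted(forward_rules, pkt):
    """True if evaluation ever entered an ACL_INBOUND_* chain."""
    chains = {"FORWARD": forward_rules, **DEFAULT_DENY_CHAINS}
    return any(line.startswith("-A ACL_INBOUND_") for line in evaluate("FORWARD", chains, pkt)[1])


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_FORWARD), ("reordered", REORDERED_FORWARD)):
        for label, pkt in (("vm->pgw", VM_TO_PGW), ("pgw->vm", PGW_TO_VM), ("vm->internet", VM_TO_INTERNET)):
            print(f"{name:9} {label:13} {verdict(rules, pkt):6} acl_consulted={acl_consulted(rules, pkt)}")
```

With the original order the VM-to-private-gateway packet is accepted by the blanket rule and `ACL_INBOUND_eth2` is never consulted, while the reverse direction fails the `-s 172.18.0.0/20` match and lands in `ACL_INBOUND_eth3`, reproducing the asymmetric behaviour reported. With the ACL jumps moved ahead of the blanket accept, both directions reach their ACL chain, and the VM-to-internet packet still falls through to the accept, so ordinary egress is not affected by the reorder. A check worth keeping in mind on a real VR: `iptables-save | grep FORWARD` prints the FORWARD chain of every table, which is why both `:FORWARD ACCEPT` and `:FORWARD DROP` headers appear in the pasted output; only the filter table (the one with the `DROP` policy) carries the ACL rules.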

@weizhouapache weizhouapache linked a pull request Jan 24, 2025 that will close this issue
@weizhouapache weizhouapache moved this from Dev In Progress to ready for Review in Apache CloudStack BugFest - Issues Jan 24, 2025