Network ACL check is bypassed on Load balancing rules in VPC

[weizhouapache]

This issue was found duing the investigation on #9053 .
This sounds like a critical/major issue.

steps the reproduce the issue

• create a VPC
• create a VPC tier with ACL "default_deny"
• create a VM in the VPC tier
• acquire the public IP
• create load balancing rule with public port=2222 and private port=22
• acquire another public IP (it may be not needed in 4.19/4.20 as vpc supports conserved mode)
• create port forwarding rule with public port=2223 and private port=22

Expected result

• both LB and PF ports (2222/2223) are unreachable as the ACL is "default_deny"

Actual result

• PF port (2223) is unreachable (as expected)
• LB port (2222) is reachable (bug/unexpected behavior)

ISSUE TYPE

• Bug Report

COMPONENT NAME

CLOUDSTACK VERSION

4.19/4.20, it impacts probably other versions as well

CONFIGURATION

OS / ENVIRONMENT

SUMMARY

STEPS TO REPRODUCE

EXPECTED RESULTS

ACTUAL RESULTS

[weizhouapache]

there is a related but different issue: #7483

[GutoVeronezi]

Hello @weizhouapache

You can check PR #6460 that explains why the LB traffic is not blocked with ACL rules and how to achieve that.

[weizhouapache]

Hello @weizhouapache

You can check PR #6460 that explains why the LB traffic is not blocked with ACL rules and how to achieve that.

thanks @GutoVeronezi for sharing
yes, it is a good workaround

let's see if we can find a permanent solution for it.
If not, we could create a doc pr to describe the issue and the workaround for it.
cc @sureshanaparti

[GutoVeronezi]

Implementing the ACL rules in the FORWARD chain is the feature's design. We have some limitations with it for sure; why it was designed that way I cannot tell; however, we can discuss about how to improve it.