Sanjeev N created CLOUDSTACK-1292:
-------------------------------------
Summary: [F5-SRX-InlineMode] Update network from SRX,F5 as service
providers to VR as service provider does not delete firewall rules from SRX
Key: CLOUDSTACK-1292
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1292
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Controller
Affects Versions: 4.1.0
Environment: ASF 4.1 latest build
Reporter: Sanjeev N
Assignee: Sheng Yang
Priority: Critical
Fix For: 4.1.0
[F5-SRX-InlineMode] Update network from SRX,F5 as service providers to VR as
service provider does not delete firewall rules from SRX
Reproduction method:
=================
1. Create a network offering NO1 using SRX for PF, Static NAT and Source NAT (zone wide)
and F5 for LB (inline mode), with the rest of the services provided by the VR.
2. Add the SRX device.
3. Add the F5 device.
4. Add a user account.
5. Deploy a few VMs using the network offering created above.
6. Acquire IP addresses.
7. Create a PF rule. Open the firewall.
8. Create an LB rule. Open the firewall.
9. Create a Static NAT rule. Open the firewall.
Steps:
1. Create a NO2 using VR as service provider for all services.
2. Update NO1 to NO2.
Test Result:
=========
Firewall rules from SRX are not deleted after updating the network from network
offering NO1 to NO2.
Expected Result:
=============
Firewall rules in untrust filter should be deleted from SRX
Observations:
==========
When network was implemented with network offering NO1, firewall rules were
created on SRX to allow traffic from untrust zone.
IPs allocated in this network are:
mysql> select public_ip_address , network_id from user_ip_address where network_id=204;
+-------------------+------------+
| public_ip_address | network_id |
+-------------------+------------+
| 10.147.48.21      |        204 |
| 10.147.48.26      |        204 |
| 10.147.48.28      |        204 |
| 10.147.48.29      |        204 |
+-------------------+------------+
4 rows in set (0.21 sec)
Output from SRX after the network update from NO1 to NO2 (all other configuration
related to this network was erased from SRX except the firewall rules below, which
remained after the network update):
root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-26-7
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.26/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-26-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-28-9
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.28/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-28-i;
    accept;
}
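As an added example (not part of this issue and not CloudStack's own code), the check below turns the observation above into something an operator can run after an offering update: it parses the `show firewall filter ... term ...` listing in the same shape as the output quoted in the issue and reports every term whose destination-address still covers one of the network's public IPs once the SRX is no longer meant to serve that network. The SRX listing and the IP list embedded here are constructed to mirror the issue's output; in practice they would be captured from the device and from the user_ip_address query. Function names (parse_terms, stale_terms) and the expect_srx_rules flag are this example's own.

```python
import ipaddress
import re

# Constructed sample: an SRX term listing shaped like the one quoted in the
# issue, captured after the network was moved from NO1 (SRX/F5) to NO2 (VR).
SRX_UNTRUST_TERMS = """\
root# show firewall filter untrust term 10-147-48-21-10
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.21/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-21-i;
    accept;
}
[edit]
root# show firewall filter untrust term 10-147-48-26-7
from {
    source-address {
        0.0.0.0/0;
    }
    destination-address {
        10.147.48.26/32;
    }
    protocol tcp;
    destination-port 1-65535;
}
then {
    count 10-147-48-26-i;
    accept;
}
"""

# Constructed to match the user_ip_address rows for network_id=204 in the issue.
NETWORK_PUBLIC_IPS = ["10.147.48.21", "10.147.48.26", "10.147.48.28", "10.147.48.29"]

# One "show ... term" header starts each term; its body runs to the next header.
TERM_RE = re.compile(r"show firewall filter (\S+) term (\S+)")
DST_RE = re.compile(r"destination-address\s*\{\s*([0-9./]+);")


def parse_terms(cli_output):
    """Return (filter name, term name, destination prefix) for each term listed."""
    terms = []
    chunks = TERM_RE.split(cli_output)
    # With two capture groups, split() yields [pre, filter, term, body, filter, term, body, ...]
    for i in range(1, len(chunks), 3):
        filt, term, body = chunks[i], chunks[i + 1], chunks[i + 2]
        m = DST_RE.search(body)
        dst = ipaddress.ip_network(m.group(1)) if m else None
        terms.append((filt, term, dst))
    return terms


def stale_terms(cli_output, network_ips, expect_srx_rules=False):
    """List terms that still target the network's public IPs.

    After the network has been moved to an offering where the SRX provides no
    services (expect_srx_rules=False), every such term is stale and should have
    been removed; the list is empty when the SRX is still the provider.
    """
    if expect_srx_rules:
        return []
    addrs = {ipaddress.ip_address(ip) for ip in network_ips}
    return [(filt, term, str(dst))
            for filt, term, dst in parse_terms(cli_output)
            if dst is not None and any(a in dst for a in addrs)]


if __name__ == "__main__":
    for filt, term, dst in stale_terms(SRX_UNTRUST_TERMS, NETWORK_PUBLIC_IPS):
        print(f"stale: filter {filt} term {term} still accepts traffic to {dst}")
```

Run as a post-update verification step: an empty result means the SRX side of the offering change was cleaned up; any line printed is an untrust-zone accept rule that outlived the network it was created for and needs to be removed by hand until the cleanup bug is fixed.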
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira