3 sounds like a winner. [I think that (2) is how non-VPC networks work; I guess the thinking was that if you are adding allow rules, then you want to deny everything else. But if you didn't care (i.e. didn't add egress rules) then allow all outbound was OK.]

Kind regards,

Paul Angus
paul.an...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

-----Original Message-----
From: Simon Weller [mailto:swel...@ena.com.INVALID]
Sent: 13 November 2017 20:14
To: dev@cloudstack.apache.org
Cc: u...@cloudstack.apache.org
Subject: Re: POLL: ACL default egress policy rule in VPC

3 definitely seems to make the most sense.

________________________________
From: Rafael Weingärtner <rafaelweingart...@gmail.com>
Sent: Monday, November 13, 2017 12:02 PM
To: dev@cloudstack.apache.org
Cc: u...@cloudstack.apache.org
Subject: Re: POLL: ACL default egress policy rule in VPC

3

On Mon, Nov 13, 2017 at 3:51 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:

> 3 of course ;)
>
> On Mon, Nov 13, 2017 at 6:47 PM, Rene Moser <m...@renemoser.net> wrote:
>
> > Hi Devs
> >
> > The last days I fought with the ACL egress rule behaviour and I
> > would like to make a poll in which direction the fix should go.
> >
> > Short Version:
> >
> > We need to define a better default behaviour for the ACL default egress
> > rule. I see 3 different options:
> >
> > 1. Always add a default deny all egress rule.
> >
> > This would be super easy to do (should probably also be the
> > intermediate fix for 4.9, see
> > https://github.com/apache/cloudstack/pull/2323)
> >
> >
> > 2. Add a deny all egress rule in case we have at least one egress
> > allow rule.
> >
> > A bit intransparent to the user, but doable. This seems to be the
> > behaviour how it was designed and should have been implemented.
> >
> >
> > 3. Use the default setting in the network offering "egressdefaultpolicy"
> > to specify the default behaviour.
> >
> > There is already a setting which specifies this behaviour but it is not
> > used in VPC. Why not use it?
> >
> > As a consequence, when using this setting, the user should get more
> > info about the policy of the network offering while choosing it for the
> > tier.
> >
> >
> > Poll:
> >
> > 1. []
> > 2. []
> > 3. []
> > 4. [] Other? What?
> >
> >
> > Long Version:
> >
> > First, let's have a look at the issue:
> >
> > In version 4.5, creating a new ACL with no egress (ACL_OUTBOUND)
> > rule would result in an "accept egress all":
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -j ACCEPT
> >
> > When an egress rule (here deny 25 egress; no matter if deny or
> > allow) gets added, the result is a "deny all" appended:
> >
> > -A PREROUTING -s 10.10.0.0/24 ! -d 10.10.0.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 25 -j DROP
> > -A ACL_OUTBOUND_eth2 -j DROP
> >
> > This does not make any sense and is a bug IMHO.
> >
> >
> > In 4.9 the behaviour is different:
> >
> > (note there is a bug in the ordering of egress rules which is fixed
> > by
> > https://github.com/apache/cloudstack/pull/2313)
> >
> > The default policy is kept "accept egress all".
> >
> > -A PREROUTING -s 10.11.1.0/24 ! -d 10.11.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> > -A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
> > -A ACL_OUTBOUND_eth2 -p tcp -m tcp --dport 80 -j ACCEPT
> >
> >
> > To me it looks like the wanted behaviour was "egress all as default;
> > if we have allow rules, append deny all". This would make sense but
> > is quite intransparent.
> >
> > But let's poll
> >
> >
> >
>
> --
> Daan

--
Rafael Weingärtner
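To make the difference between the three poll options concrete, here is an added model (not code from the thread or from CloudStack) that renders the trailing rule of the ACL_OUTBOUND_eth2 chain under each option and walks a new outbound flow through it first-match, the way the VR's iptables chain would. The `AclRule` type, `egress_default_policy` flag and `option` parameter are assumptions of this example; rule syntax follows the iptables lines quoted in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AclRule:
    action: str                  # "allow" or "deny"
    proto: str = "all"           # "tcp", "udp" or "all"
    dport: Optional[int] = None  # destination port; None matches any port

def build_outbound_chain(rules: List[AclRule], option: int,
                         egress_default_policy: bool = True,
                         iface: str = "eth2") -> List[str]:
    """Render ACL_OUTBOUND_<iface> as iptables-save style lines.
    `option` is the poll option (1, 2 or 3) that decides the catch-all rule."""
    chain = f"ACL_OUTBOUND_{iface}"
    lines = []
    for r in rules:
        match = ""
        if r.proto != "all":
            match = f" -p {r.proto} -m {r.proto}"
            if r.dport is not None:
                match += f" --dport {r.dport}"
        target = "ACCEPT" if r.action == "allow" else "DROP"
        lines.append(f"-A {chain}{match} -j {target}")
    if option == 1:        # always deny everything that is not explicitly allowed
        default = "DROP"
    elif option == 2:      # hidden deny-all appears only once an allow rule exists
        default = "DROP" if any(r.action == "allow" for r in rules) else "ACCEPT"
    elif option == 3:      # follow the network offering's egressdefaultpolicy
        default = "ACCEPT" if egress_default_policy else "DROP"
    else:
        raise ValueError(f"unknown poll option {option}")
    lines.append(f"-A {chain} -j {default}")   # constructed catch-all rule
    return lines

def egress_allowed(chain: List[str], proto: str, dport: int) -> bool:
    """First-match walk of the chain for a NEW outbound flow to proto/dport."""
    for line in chain:
        tok = line.split()
        want_proto = tok[tok.index("-p") + 1] if "-p" in tok else "all"
        want_port = int(tok[tok.index("--dport") + 1]) if "--dport" in tok else None
        if want_proto not in ("all", proto):
            continue
        if want_port is not None and want_port != dport:
            continue
        return tok[tok.index("-j") + 1] == "ACCEPT"
    return False  # not reached: the chain always ends with a catch-all rule
```

Under option 2, adding a single "allow tcp/80" rule silently flips every other port from accepted to dropped, which is the transparency problem the thread describes; option 3 makes that default visible in the offering instead.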