Fix private gateway ACLs#3316
Conversation
used Also the order of FORWARD rules is fixed so custom chaines are checked. This wasn't the case before. They were created but never reached (like dead code but in iptables)
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-2800 |
|
@blueorangutan test |
|
@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
Trillian test result (tid-3595)
|
|
This is still in development. |
|
@DennisKonrad please ping me when you think the PR is ready for testing and review, I'll help kick tests. |
|
@DennisKonrad any progress on this one, or should we move it to 4.15 milestone? |
|
@DennisKonrad this is very sensitive stuff. |
|
@DennisKonrad I've moved it to 4.15, let me know otherwise if this is ready for review/testing. |
|
Courtesy ping - @DennisKonrad |
|
Currently I can make no time to push this PR to a point where we could move on. I will open another PR when this is ready. |
Description
Problem
At the moment ACLs attached to a private gateway are not working. The rules are created on the virtual router but multiple small errors prevent their evaluation.
Fix # 1
This commit changes the ordering of rules in the FORWARD table so the custom chains created are evaluated.
Fix # 2
Also ACLs on private gateways should not only be valid for the VPC CIDR but also for networks that are reached via static routes. This is achieved by considering all traffic that goes through the relevant network interface.
Fix # 3
This commit sets the right interface for the ACL_INBOUND_ethX chains. Before the interface was set on "out" even though the rules states it's inbound. TODO push commit
( self.fw.append(["filter", "", "-A FORWARD -i %s -j ACL_INBOUND_%s" % (self.dev, self.dev)]) )
-> CsAddress.py:444
Fix # 4
ACL_OUTBOUND rules should also be filtered -> Move them to filter
Fix # 5
To allow for correct private gateway ACL evaluation the argument already generated by the java code needed to be evaluated.
Types of changes
How Has This Been Tested?
We tested this by manually applying the changes to the .py files. Also one has to move or delete the .pyc files to experience the changes.