The "Allow ACL service on private gateway" feature is part of nTier Apps 2.0.
Currently there is no mechanism to filter traffic to/from the private gateway interface.
With this feature the traffic can be controlled by creating Ingress/Egress network ACLs on the VPC private gateway.
The ACLs contain both ALLOW and DENY rules.
This feature follows the new ACL framework proposed as part of the deny rules work. See the FS below for more information [1]:
https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html
Default Network ACL policy:
Ingress: all ingress traffic into the private gateway interface is blocked.
Egress: all egress traffic out of the private gateway interface is blocked.
To add Ingress/Egress rules, the existing vpc_acl.sh script can be reused.
API:
replaceNetworkACLList:
The replaceNetworkACLList API is taken from the support ACL deny rules FS [1].
New parameter to the API: gatewayId
Currently networkId is a required parameter. networkId will be made optional, and a new optional parameter gatewayId will be added to these APIs.
Exactly one of networkId and gatewayId must be supplied.
API:
createPrivateGateway:
While creating a private gateway, a network ACL id can be mapped to it. For this, a new parameter is added to the createPrivateGateway API.
If no ACL id is passed, the private gateway is associated with the default BLOCK ACL id.
New parameter:
aclid (optional) - id of the network ACL
createPrivateGateway API response updated:
The API response now includes the aclid of the network ACL the private gateway is associated with.
Note: The list of ACL ids can be obtained using the API 'listNetworkACLLists'.
DB change:
A new column 'network_acl_id' is added to the vpc_gateways table.
Whenever a private gateway interface is created on the router, the following iptables chains are also added.
Assume eth3 is the private gateway interface on the router.
Filter table:
-A FORWARD -i eth3 -j ACL_INBOUND_eth3
Mangle table:
-A PREROUTING -o eth3 -j ACL_OUTBOUND_eth3
(Note: iptables rejects -o in the PREROUTING chain because the output interface is not yet known at that point, so the egress jump cannot be written exactly this way.)
ACL_INBOUND_eth3 - this chain contains all the INGRESS rules of the ACL associated with the private gateway.
ACL_OUTBOUND_eth3 - this chain contains all the EGRESS rules of the ACL associated with the private gateway.
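The following is an added example, not CloudStack's vpc_acl.sh or any code from the project: it renders an ordered list of ALLOW/DENY ACL items into the iptables rules that would populate the ACL_INBOUND_<dev> and ACL_OUTBOUND_<dev> chains above, ending each chain with the ACL's default policy (DROP for the default BLOCK ACL, ACCEPT for the allow-all behaviour retained for pre-upgrade gateways). The AclRule field names and the sample rules are constructed for this example and are not the API's field names.

```python
#!/usr/bin/env python3
"""Render per-interface ACL chains for a VPC private gateway (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AclRule:
    """One network ACL item. Field names are assumptions made for this example."""
    number: int                     # evaluation order, lowest first
    traffic_type: str               # "Ingress" or "Egress"
    action: str                     # "Allow" or "Deny"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    cidr: str                       # remote network the rule applies to
    start_port: Optional[int] = None
    end_port: Optional[int] = None


ACTION_TARGET = {"Allow": "ACCEPT", "Deny": "DROP"}


def rule_to_iptables(rule: AclRule, chain: str, ingress: bool) -> str:
    """Translate a single ACL item into one iptables rule for `chain`.

    On the ingress chain the remote CIDR is the packet's source (traffic
    entering through the private gateway); on the egress chain it is the
    destination (traffic leaving through the private gateway).
    """
    if rule.action not in ACTION_TARGET:
        raise ValueError(f"unknown action {rule.action!r}")
    parts = ["-A", chain, "-s" if ingress else "-d", rule.cidr]
    proto = rule.protocol.lower()
    if proto in ("tcp", "udp"):
        parts += ["-p", proto]
        if rule.start_port is not None:
            end = rule.end_port if rule.end_port is not None else rule.start_port
            parts += ["--dport", f"{rule.start_port}:{end}"]
    elif proto == "icmp":
        parts += ["-p", "icmp"]
    elif proto != "all":
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    parts += ["-j", ACTION_TARGET[rule.action]]
    return " ".join(parts)


def render_acl_chains(dev: str, rules: List[AclRule],
                      default_action: str = "Deny") -> Dict[str, List[str]]:
    """Build the full rule list for ACL_INBOUND_<dev> and ACL_OUTBOUND_<dev>.

    Rules are emitted in ascending `number` order, so the first match wins,
    as in the ordered ALLOW/DENY list of the ACL framework. The last rule in
    each chain implements the ACL's default policy (BLOCK = DROP).
    """
    chains = {
        "ACL_INBOUND_" + dev: ("Ingress", True),
        "ACL_OUTBOUND_" + dev: ("Egress", False),
    }
    out: Dict[str, List[str]] = {}
    for chain, (ttype, ingress) in chains.items():
        # create the chain (iptables -N errors if it already exists) then flush it
        lines = [f"-N {chain}", f"-F {chain}"]
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.traffic_type == ttype:
                lines.append(rule_to_iptables(rule, chain, ingress))
        lines.append(f"-A {chain} -j {ACTION_TARGET[default_action]}")
        out[chain] = lines
    return out


# Constructed sample ACL: allow SSH in from one subnet, explicitly deny the
# rest of a wider range, and allow DNS out to one resolver. Anything unmatched
# falls through to the default BLOCK policy.
SAMPLE_RULES = [
    AclRule(1, "Ingress", "Allow", "tcp", "10.1.1.0/24", 22, 22),
    AclRule(2, "Ingress", "Deny", "all", "10.1.0.0/16"),
    AclRule(1, "Egress", "Allow", "udp", "10.1.1.53/32", 53, 53),
]

if __name__ == "__main__":
    for chain, lines in render_acl_chains("eth3", SAMPLE_RULES).items():
        for line in lines:
            print("iptables " + line)
```

Passing default_action="Allow" with an empty rule list yields chains whose only rule is ACCEPT, which is the allow-all state the upgrade path gives existing private gateways.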
UI changes:
Network -> Network-VPC -> <vpcName> -> Configure VPC: <vpcName> -> Private Gateway -> Add Private Gateway.
1. In the "Add new Private Gateway" pop-up, add a "Network ACL" drop-down list.
   By default the BLOCK ACL id should be selected. The user can change it by selecting an item from the drop-down.
2. Add a 'Network ACL' tab beside the Static Route tab on the private gateway page.
   - The Network ACL tab shows the network ACL associated with the private gateway. The user can also edit the network ACL id from this page.
Upgrade:
On upgrade, all Ingress/Egress traffic is allowed for existing private gateways, which preserves the pre-upgrade behaviour.
[1] https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html