Bug Reference: CLOUDSTACK-763

ACL Deny Rules

Currently only ACL allow rules are supported as part of Network ACLs. By default, all incoming traffic to guest networks is blocked. All outgoing traffic from guest networks is allowed; once you add an ACL rule for outgoing traffic, only the outgoing traffic specified in that rule is allowed and the rest is blocked. ACL deny rules will be supported through this feature. New fields "number" and "action" will be added to rules to resolve conflicting rules.

NetworkACLList will be introduced to manage NetworkACLs (NetworkACLItems).

Terminology

ACL is Access Control List. So ACL container is kind of redundant. Instead we use the below terminology:

NetworkACLItem - Individual ACL Entry (was NetworkACL earlier). Should we call it NetworkAclEntry instead?

NetworkACL - Group of Network ACL Items. API will use the term NetworkACLList to differentiate from the existing NetworkACL APIs

NetworkACL

NetworkACL is a numbered list of NetworkACLItems that are evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any tier associated with the network ACL.

Instead of adding NetworkACLItems directly to the tier, NetworkACLItems will be added to the NetworkACL. Tier will be associated with a NetworkACL at all times (default NetworkACL will be used when no ACL is associated. Default behavior will be deny all).

ACL is associated with a VPC and can be assigned to multiple VPC tiers within the VPC. Each tier can be associated with only one ACL. 

Add/Remove networkACLItem to NetworkACL

NetworkACLItems can be added to or removed from the NetworkACL using the createNetworkACLItem and deleteNetworkACLItem APIs. Changes to the ACL (add/update/remove ACLItems) will be applied to all associated networks.

DefaultNetworkACL

Tier will be associated with default network acl when no ACL is associated. Default network ACL cannot be removed or modified. Contents of default network ACL:

Rule #   protocol   traffic_type   action   cidr
1        all        Ingress        deny     0.0.0.0/0
2        all        Egress         deny     0.0.0.0/0

Sample workflow

Creating Tier with default acl and assigning a custom acl later

  1. Create VPC
  2. Create Tier A - tier is associated with default network ACL
  3. Create custom network ACL
  4. Add ACLItems to the ACL
  5. Assign ACL created in step # 3 to tier A using replaceNetworkACLList API

Create Tier with custom acl in 1 step

  1. Create VPC
  2. Create custom network ACL
  3. Add ACLItems to the ACL
  4. Create Tier A with ACL created in step # 2

API changes

Existing API

createNetworkAclItem (Aliased to createNetworkACL) - async

Adds a networkACLItem to the specified ACL.

New parameters

  • action (optional) - allow/deny - default allow
  • number (optional) - rule number. ACL rules are ordered by this number. Default - current max number + 1
  • aclId (optional) - id of the network ACL

For backward compatibility, if network_id is specified instead of acl_id, the networkACLItem will be added to the ACL assigned to the network.

deleteNetworkACLItem (Aliased to removeNetworkACL) - async

Deletes the specified network ACL item from the network ACL. No changes to the params.

createNetwork

In the VPC case, createNetwork is used to create a tier within a VPC. A tier can be associated with an ACL during creation. If acl_id is not specified, the default ACL will be used. Network creation with acl_id will fail if the ACL service is not present.

New parameters

  • acl_id (optional) - id of the network ACL. Default NetworkACL will be used when not specified. 

new API

updateNetworkACLItem (aliased to updateNetworkACL) - async

Updates an existing NetworkACLItem

Parameters:

  • id (required) - Id of the network ACL Item
  • trafficType (optional) - can be ingress/egress (defaulted to ingress if not specified)
  • cidrlist (optional) - List of the comma-separated CIDRs for the rule. If not specified, defaulted to 0.0.0.0/0
  • startPort (optional)
  • endPort (optional)
  • protocol (optional). TCP/UDP/ICMP protocol types are supported
  • icmpType (optional) - type of the icmp message being sent
  • icmpCode (optional) - error code for this icmp message
  • action (optional) - allow/deny
  • number (optional) - rule number

createNetworkAclList - sync

Creates network ACL

Parameters:

  • name - Name of the Network Acl (required)
  • description - Description of the Network ACL (required)
  • vpcId - Id of the VPC (required)

Response:

  • name - Name of the Network Acl Container
  • id - uuid of the Network Acl Container
  • description - Description of the Network ACL Container
  • vpcId - VPC Id

deleteNetworkAclList - sync

Deletes the network ACL. If the ACL is assigned to any network, deletion will fail. The ACL should not contain any ACLItems for deletion to succeed.

Parameters:

  • id - uuid of the Network Acl (required)

Response:

  • success - True if Network ACL is successfully removed, false otherwise

listNetworkAclLists - sync

ACLs can be listed by id or tier

Parameters:

  • id - uuid of the Network Acl (optional)
  • network_id - list by network_id (Tier) (optional)
  • vpcId - list ACLs associated with specified vpc (optional)
  • acl_item_id: List ACL containing specified acl_item_id

Response:

  • List of network ACLs

replaceNetworkACLList - async

Assigns specified ACL to a tier (network)

Parameters:

  • network_id - Id of the network (Tier) (required)
  • acl_id: Id of the network ACL to be associated with the network (required)

Response:

  • success -  True when ACL is successfully assigned to network, false otherwise

DB

Network ACL Container ER

New Tables

1. network_acl

  • New Columns
    • id (long): auto-generated id
    • uuid (string): auto-generated uuid
    • account_id: Account to which the ACL belongs
    • vpc_id: Id of the VPC
    • name: name of the network acl
    • description: network acl description

2. network_acl_item

  • New columns
    • id
    • uuid
    • acl_id
    • action
    • number
    • traffic_type
    • start_port
    • end_port
    • protocol
    • state

Changes to existing tables

1. networks

  • New Columns
    • acl_id (long) - network acl associated with this Tier

Scripts

vpc_acl.sh will be modified to support ACL deny rules. iptables rules will ACCEPT or DROP based on the ACL action. iptables rules will be added in order of the rule number, starting from the lowest.
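The following is an added example, not code from CloudStack or from vpc_acl.sh, illustrating two things this design describes: the NetworkACL section's first-match evaluation of NetworkACLItems in ascending number order with deny as the fallback, and the Scripts section's rendering of the same ordered list as iptables ACCEPT/DROP rules. The item model is simplified, the sample ACL and flows are constructed, and the chain names ACL_INBOUND_eth2 / ACL_OUTBOUND_eth2 are placeholders, not the names the real script uses.

```python
"""Added example (not CloudStack's own code): ordered NetworkACL evaluation and
iptables rendering. Item fields follow the network_acl_item columns in this
design (number, action, traffic_type, protocol, start_port, end_port) plus cidr.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NetworkACLItem:
    number: int                     # evaluation order, lowest first
    action: str                     # "allow" or "deny"
    traffic_type: str               # "Ingress" or "Egress"
    protocol: str                   # "all", "tcp", "udp" or "icmp"
    cidr: str = "0.0.0.0/0"         # remote CIDR (source for ingress, destination for egress)
    start_port: Optional[int] = None
    end_port: Optional[int] = None

    def matches(self, traffic_type: str, protocol: str, addr: str, port: Optional[int]) -> bool:
        """True when a flow (direction, protocol, remote address, port) hits this item."""
        if self.traffic_type.lower() != traffic_type.lower():
            return False
        if self.protocol != "all" and self.protocol.lower() != protocol.lower():
            return False
        if ip_address(addr) not in ip_network(self.cidr, strict=False):
            return False
        if self.start_port is not None:
            end = self.end_port if self.end_port is not None else self.start_port
            if port is None or not (self.start_port <= port <= end):
                return False
        return True


# Contents of the default NetworkACL as given in the design: deny all, both directions.
DEFAULT_NETWORK_ACL = [
    NetworkACLItem(1, "deny", "Ingress", "all"),
    NetworkACLItem(2, "deny", "Egress", "all"),
]

# Constructed sample ACL: rules 20 and 30 overlap for SSH from 10.1.0.0/16, so the
# number decides which one wins.
SAMPLE_ACL = [
    NetworkACLItem(10, "allow", "Ingress", "tcp", "0.0.0.0/0", 80),
    NetworkACLItem(20, "deny", "Ingress", "tcp", "10.0.0.0/8", 22),
    NetworkACLItem(30, "allow", "Ingress", "tcp", "10.1.0.0/16", 22),
    NetworkACLItem(40, "allow", "Egress", "all"),
]


def evaluate(acl: List[NetworkACLItem], traffic_type: str, protocol: str,
             addr: str, port: Optional[int] = None) -> str:
    """Walk items in ascending number; the first match decides. No match means deny."""
    for item in sorted(acl, key=lambda i: i.number):
        if item.matches(traffic_type, protocol, addr, port):
            return item.action
    return "deny"


def next_number(acl: List[NetworkACLItem]) -> int:
    """Default rule number for createNetworkACLItem: current max number + 1."""
    return max((i.number for i in acl), default=0) + 1


def to_iptables(acl: List[NetworkACLItem], in_chain: str = "ACL_INBOUND_eth2",
                out_chain: str = "ACL_OUTBOUND_eth2") -> List[str]:
    """Render items as iptables append commands in number order (strings only, nothing
    is executed). allow -> ACCEPT, deny -> DROP. Chain names are assumed placeholders."""
    lines = []
    for item in sorted(acl, key=lambda i: i.number):
        ingress = item.traffic_type.lower() == "ingress"
        parts = ["iptables", "-A", in_chain if ingress else out_chain,
                 "-s" if ingress else "-d", item.cidr]
        if item.protocol != "all":
            parts += ["-p", item.protocol.lower()]
            if item.start_port is not None and item.protocol.lower() in ("tcp", "udp"):
                end = item.end_port if item.end_port is not None else item.start_port
                parts += ["--dport", f"{item.start_port}:{end}"]
        parts += ["-j", "ACCEPT" if item.action == "allow" else "DROP"]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # SSH from 10.1.2.3 hits the deny at 20 before the allow at 30.
    print(evaluate(SAMPLE_ACL, "Ingress", "tcp", "10.1.2.3", 22))
    # Renumbering the allow below 20 flips the outcome; that is what "number" is for.
    reordered = [NetworkACLItem(15, "allow", "Ingress", "tcp", "10.1.0.0/16", 22)] + \
                [i for i in SAMPLE_ACL if i.number != 30]
    print(evaluate(reordered, "Ingress", "tcp", "10.1.2.3", 22))
    print("\n".join(to_iptables(SAMPLE_ACL)))
```

Because iptables evaluates a chain top to bottom and stops at the first terminating target, appending rules in ascending number order is what makes the kernel's behaviour agree with evaluate() above; appending them in any other order would silently change which of two overlapping rules wins.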

UI

UI changes are required to:

  • Support ACL action and number
  • Create Network ACL
  • Add/Remove ACLItems to Network ACL
  • Assign Network ACL to a Tier

Upgrade

For each tier, a new network ACL is created during the upgrade. All ACLItems that were assigned to this tier will be part of the newly created network ACL. If a tier has no ACLs, it will be associated with the default ACL.

All existing rules in firewall_rules table of type NetworkACL will be moved to network_acl_item table and will have action "allow". Rule number will be sequentially assigned for all rules in each tier.
