1. Making egress default policy configurable.
Currently the default behaviour for egress firewall rules is that all egress traffic is BLOCKED when there are no user-configured egress rules.
There is a ticket for this, CLOUDSTACK-1578: Egress Firewall Rules - Ability to change the default
Below is my proposal for implementing the configurable egress default.

Proposal:
The egress default behaviour, ALLOW or DENY, can be configured for a guest network using the 'Network Offering'.
While creating a network offering, the egress policy ALLOW or DENY can be configured for the firewall service provider.
When no egress policy is passed for the network offering, the default DENY is selected for the network.
Allow:
1. When the egress default policy 'Allow' is selected for the network offering, egress traffic for the guest network is allowed by default. That is, when there are no user-configured egress rules for the network, the egress traffic is accepted.
2. When the user configures egress rules for the guest network using the createEgressFirewallRule API, rules are added to BLOCK the traffic specified by the rule.
Deny:
1. When the egress default policy 'DENY' is selected for the network offering, egress traffic for the guest network is BLOCKED by default.
2. When the user configures egress rules for the isolated guest network using the createEgressFirewallRule API, rules are added to ALLOW the traffic specified by the rule.
While implementing the guest network, CloudStack will add the firewall egress rule specific to the default egress policy of the guest network.
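The following is an added example, not code from CloudStack or from this proposal: a small model of the egress semantics described above, in which a network offering's default policy (ALLOW or DENY, with DENY when none is given) decides unmatched traffic, and each rule created via createEgressFirewallRule carries the opposite action. The EgressRule fields and the matching logic are assumptions made for illustration.

```python
"""Model of configurable egress default policy for a CloudStack guest network.

Hypothetical model (not CloudStack's own code): the network offering carries an
egress default policy; user-created egress rules take the opposite action.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class EgressRule:
    protocol: str          # 'tcp', 'udp', 'icmp' or 'all' (assumed field set)
    dest_cidr: str         # destination CIDR the rule applies to
    start_port: int = 0    # 0..65535 covers every port
    end_port: int = 65535

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        """True when an egress packet falls under this rule."""
        if self.protocol not in ('all', proto):
            return False
        if ip_address(dst_ip) not in ip_network(self.dest_cidr):
            return False
        return self.start_port <= dport <= self.end_port


def rule_action(default_policy: str) -> str:
    """User rules BLOCK on an ALLOW network and ALLOW on a DENY network."""
    if default_policy not in ('ALLOW', 'DENY'):
        raise ValueError(f'unknown egress default policy {default_policy!r}')
    return 'DENY' if default_policy == 'ALLOW' else 'ALLOW'


def egress_verdict(default_policy: Optional[str], rules: Iterable[EgressRule],
                   proto: str, dst_ip: str, dport: int) -> str:
    """Return 'ALLOW' or 'DENY' for one egress packet from the guest network."""
    policy = default_policy or 'DENY'   # no policy in the offering: DENY
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule_action(policy)
    return policy                        # nothing matched: default decides


if __name__ == '__main__':
    # Constructed sample: a single rule for TCP/443 to any destination.
    sample_rules = [EgressRule('tcp', '0.0.0.0/0', 443, 443)]
    for policy in ('ALLOW', 'DENY'):
        print(policy,
              egress_verdict(policy, sample_rules, 'tcp', '203.0.113.10', 443),
              egress_verdict(policy, sample_rules, 'tcp', '203.0.113.10', 80))
```

Running it shows the same rule blocking port 443 on an ALLOW network and permitting only port 443 on a DENY network.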
