Introduction:

Currently the default behaviour for egress firewall rules is to BLOCK all egress traffic when there are no user-configured egress rules.

With this feature the egress default policy becomes configurable.

BUG:

CLOUDSTACK-1578 : Egress Firewall Rules - Ability to change the default 

Design:

The egress default behaviour (ALLOW/DENY) is configured per guest network through its 'Network Offering'.

When creating a network offering that includes the Firewall service, the egress default policy ALLOW or DENY can be specified.

When no egress policy is passed while creating the network offering, ALLOW is used as the default for the guest networks created from that offering.

Allow:

1. When the network offering's egress default policy is 'Allow', egress traffic for the guest network is allowed by default. That is, when there are no user-configured egress rules for the network, all egress traffic is accepted.

2. When the user configures egress rules for the guest network using the createEgressFirewallRule API, each rule is added as a BLOCK rule for the traffic it specifies (protocol, source CIDR, port range).

Deny:

1. When the network offering's egress default policy is 'DENY', egress traffic for the guest network is BLOCKED by default. That is, when there are no user-configured egress rules for the network, all egress traffic is dropped.

2. When the user configures egress rules for the isolated guest network using the createEgressFirewallRule API, each rule is added as an ALLOW rule for the traffic it specifies.

While implementing the guest network, CloudStack adds to the firewall element the egress rule that enforces the network's default egress policy, so that the user-configured rules are evaluated first and the default policy applies to everything that no rule matches.
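The following is an added example, not CloudStack's own virtual router code, that models the two modes described above: under an ALLOW default the user rules are BLOCK rules and the fallback accepts, under a DENY default the user rules are ALLOW rules and the fallback drops. The chain name FW_EGRESS_RULES, the rule tuple layout and the rendered iptables command format are assumptions made for illustration.

```python
"""Model of the egress default policy (added example, not CloudStack code).

A user egress rule is (protocol, source CIDR, start_port, end_port). The network
offering's default policy decides what a matching rule does and what happens
when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class EgressRule:
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    cidr: str                         # source CIDR inside the guest network
    start_port: Optional[int] = None  # None for icmp/all
    end_port: Optional[int] = None    # defaults to start_port when omitted

    def port_range(self):
        if self.start_port is None:
            return None
        return self.start_port, (self.end_port if self.end_port is not None else self.start_port)

    def matches(self, protocol: str, src_ip: str, dport: Optional[int]) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ip_address(src_ip) not in ip_network(self.cidr, strict=False):
            return False
        rng = self.port_range()
        if rng is not None:
            if dport is None or not (rng[0] <= dport <= rng[1]):
                return False
        return True


def _check_policy(default_policy: str) -> str:
    policy = default_policy.upper()
    if policy not in ("ALLOW", "DENY"):
        raise ValueError("egress default policy must be ALLOW or DENY")
    return policy


def egress_allowed(default_policy: str, rules: List[EgressRule],
                   protocol: str, src_ip: str, dport: Optional[int] = None) -> bool:
    """True if the flow leaves the guest network.

    ALLOW default: rules are BLOCK rules, no match -> accepted.
    DENY default : rules are ALLOW rules, no match -> dropped.
    """
    policy = _check_policy(default_policy)
    matched = any(r.matches(protocol, src_ip, dport) for r in rules)
    return (not matched) if policy == "ALLOW" else matched


def iptables_rules(default_policy: str, rules: List[EgressRule],
                   chain: str = "FW_EGRESS_RULES") -> List[str]:
    """Render the chain a router would install for this policy.

    The command format and chain name are illustrative assumptions. User rules
    come first with the target implied by the policy; the last rule is the
    default-policy rule that catches everything else.
    """
    policy = _check_policy(default_policy)
    rule_target = "DROP" if policy == "ALLOW" else "ACCEPT"
    fallback = "ACCEPT" if policy == "ALLOW" else "DROP"
    out = [f"iptables -F {chain}"]
    for r in rules:
        parts = [f"iptables -A {chain}", f"-s {r.cidr}"]
        if r.protocol != "all":
            parts.append(f"-p {r.protocol}")
            rng = r.port_range()
            if rng is not None:
                parts.append(f"--dport {rng[0]}:{rng[1]}")
        parts.append(f"-j {rule_target}")
        out.append(" ".join(parts))
    out.append(f"iptables -A {chain} -j {fallback}")
    return out


if __name__ == "__main__":
    # Constructed sample: one rule for HTTP from the guest subnet 10.1.1.0/24.
    rules = [EgressRule("tcp", "10.1.1.0/24", 80)]
    for policy in ("ALLOW", "DENY"):
        print(f"--- default {policy} ---")
        for cmd in iptables_rules(policy, rules):
            print(cmd)
        print("tcp/80  ->", egress_allowed(policy, rules, "tcp", "10.1.1.5", 80))
        print("tcp/443 ->", egress_allowed(policy, rules, "tcp", "10.1.1.5", 443))
```

Note that with an ALLOW default and no rules, a guest VM can reach any destination; an operator who wants the pre-feature behaviour chooses DENY in the offering rather than relying on rules being added later.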

DB Changes:

Table: network_offerings

New column:

name: egress_policy

values: true - ALLOW, false - DENY  

Default: true

Supported Networks:

1. Advanced isolated networks.

Supported Firewall Elements:

1. Virtual Router

2. Juniper SRX

Upgrade:

On upgrade, existing network offerings with firewall service providers are given the egress default policy 'DENY', so that networks created before the upgrade keep their current block-by-default behaviour.
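The schema change and the upgrade step from the DB Changes and Upgrade sections, as an added example rather than CloudStack's own upgrade script: the column name and default follow the table above; the schema name `cloud` and the service map table `ntwk_offering_service_map(network_offering_id, service, provider)` used to find offerings that carry the Firewall service are assumptions.

```sql
-- Added example (illustrative, not the project's upgrade script).
-- New column on network_offerings: true (1) = ALLOW, false (0) = DENY,
-- default true as stated in the DB Changes section.
ALTER TABLE `cloud`.`network_offerings`
    ADD COLUMN `egress_policy` TINYINT(1) NOT NULL DEFAULT 1
    COMMENT 'egress default policy: 1 = ALLOW, 0 = DENY';

-- Upgrade: offerings that already include the Firewall service keep the
-- pre-upgrade behaviour (DENY) instead of picking up the new ALLOW default.
-- Assumes the service map table ntwk_offering_service_map.
UPDATE `cloud`.`network_offerings` o
JOIN `cloud`.`ntwk_offering_service_map` m
    ON m.network_offering_id = o.id
SET o.egress_policy = 0
WHERE m.service = 'Firewall';

-- Check: every offering with the Firewall service should now read DENY (0).
SELECT o.id, o.name, o.egress_policy
FROM `cloud`.`network_offerings` o
JOIN `cloud`.`ntwk_offering_service_map` m
    ON m.network_offering_id = o.id
WHERE m.service = 'Firewall' AND o.egress_policy <> 0;
```

The final SELECT is the post-upgrade check; it should return no rows.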

UI Changes:

In the Add Network Offering page, when the user selects Firewall among the supported services, the egress default drop-down should be shown.

The drop-down contains ALLOW/DENY; by default it should show ALLOW.