Introduction

The "Allow ACL service on private gateway" feature is part of nTier Apps 2.0.

Currently there is no mechanism to filter traffic to or from the private gateway interface.

This feature lets us control that traffic by creating Ingress/Egress network ACLs on the VPC private gateway.

The ACLs contain both ALLOW and DENY rules.

Bug Reference: 

CLOUDSTACK-768

Design:

This feature follows the new ACL framework proposed as part of ACL deny rules support. Please see the FS below for more information:

https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html

Default Network ACL policy:

Ingress: All ingress traffic into the private gateway interface is blocked.

Egress: All egress traffic out of the private gateway interface is blocked.

To add Ingress/Egress rules we can make use of the existing vpc_acl.sh script.

API changes:

API:

replaceNetworkACLList:

The replaceNetworkACLList API is taken from the support ACL deny rules FS [1].

New parameter to the API: gatewayId

Currently networkId is a required parameter. networkId will be made optional, and a new optional parameter gatewayId will be added to the API.

One of the two parameters above must be supplied.

API:

While creating a private gateway we can map a network ACL id to it. For this a new parameter is added to the createPrivateGateway API.

If no ACL id is passed, the private gateway is associated with the default BLOCK ACL id.

createPrivateGateway:

New parameter: 

aclid (optional) - Id of the network ACL

createPrivateGateway API Response updated:

The API response is updated with the aclid associated with the private gateway.

Note: The list of aclids can be obtained using the API 'listNetworkACLLists'.

Work Flow:
  1. Create the private gateway.
  2. While creating it, the user can pass an ACL id to the API; if none is passed, the private gateway is associated with the default BLOCK network ACL.
  3. Add network ACL items to the network ACL. These network ACL items (ACL rules) get applied to the private gateway.

DB Changes:

A new column 'network_acl_id' is added to the vpc_gateways table.

iptables rule changes:

Whenever a private gateway interface is created on the router, we also add the following iptables chains.

Assume eth3 is the private gateway interface on the router.

Filter table:

-A FORWARD -i eth3 -j ACL_INBOUND_eth3

Mangle table:

-A PREROUTING -o eth3 -j ACL_OUTBOUND_eth3

Note: iptables rejects an output-interface match (-o) in PREROUTING, because the outgoing interface is only known in the FORWARD, OUTPUT and POSTROUTING chains; the mangle hook therefore has to be attached in a chain that sees the output interface (or match on -i instead), otherwise the rule fails to load.

ACL_INBOUND_eth3 - This chain contains all the INGRESS rules

ACL_OUTBOUND_eth3 - This chain contains all the EGRESS rules
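As an added illustration (not CloudStack's vpc_acl.sh or any other code from the project), the following shell script renders the per-interface chain setup and the iptables rules that a set of ACL items would turn into, ending with the default BLOCK drop. It only prints the commands, so it runs without root or an iptables binary. Assumptions: the ACL item format (traffic type, action, protocol, CIDR, optional port range), that ingress items match the source CIDR and egress items the destination CIDR, and that the egress hook is attached in mangle POSTROUTING because -o is not accepted in PREROUTING.

```shell
#!/bin/sh
# Added example: render the iptables commands behind the private gateway ACL
# chains described above. It prints commands instead of running them, so no
# root or iptables binary is needed. Not CloudStack's own vpc_acl.sh.

# gw_chain_setup DEV: create the two per-interface chains and hook them.
# Assumption: the egress hook goes in mangle POSTROUTING, since iptables
# refuses an output-interface match (-o) in PREROUTING.
gw_chain_setup() {
  printf 'iptables -N ACL_INBOUND_%s\n' "$1"
  printf 'iptables -A FORWARD -i %s -j ACL_INBOUND_%s\n' "$1" "$1"
  printf 'iptables -t mangle -N ACL_OUTBOUND_%s\n' "$1"
  printf 'iptables -t mangle -A POSTROUTING -o %s -j ACL_OUTBOUND_%s\n' "$1" "$1"
}

# gw_acl_rule DEV TRAFFIC ACTION PROTO CIDR [PORTS]
#   TRAFFIC: ingress|egress   ACTION: allow|deny
#   PROTO:   tcp|udp|icmp|all PORTS: start:end, tcp/udp only (assumed format)
# Assumption: ingress items match the source CIDR (traffic arriving on DEV),
# egress items match the destination CIDR (traffic leaving through DEV).
gw_acl_rule() {
  case $2 in
    ingress) table=""; chain="ACL_INBOUND_$1"; addr="-s $5" ;;
    egress)  table="-t mangle "; chain="ACL_OUTBOUND_$1"; addr="-d $5" ;;
    *) echo "unknown traffic type: $2" >&2; return 1 ;;
  esac
  case $3 in
    allow) target=ACCEPT ;;
    deny)  target=DROP ;;
    *) echo "unknown action: $3" >&2; return 1 ;;
  esac
  case $4 in
    all)  pmatch="" ;;
    icmp) pmatch="-p icmp" ;;
    tcp|udp)
      pmatch="-p $4"
      if [ -n "$6" ]; then pmatch="$pmatch --dport $6"; fi ;;
    *) echo "unknown protocol: $4" >&2; return 1 ;;
  esac
  printf 'iptables %s-A %s %s%s -j %s\n' "$table" "$chain" "${pmatch:+$pmatch }" "$addr" "$target"
}

# gw_chain_default_deny DEV: the default BLOCK policy, appended last so that
# the user's ALLOW/DENY rules above it are evaluated first.
gw_chain_default_deny() {
  printf 'iptables -A ACL_INBOUND_%s -j DROP\n' "$1"
  printf 'iptables -t mangle -A ACL_OUTBOUND_%s -j DROP\n' "$1"
}

# gw_render DEV: read ACL items from stdin, one per line, in the order they
# should be evaluated, and emit the complete command list for DEV.
gw_render() {
  gw_chain_setup "$1"
  while read -r traffic action proto cidr ports; do
    [ -z "$traffic" ] && continue
    gw_acl_rule "$1" "$traffic" "$action" "$proto" "$cidr" "$ports"
  done
  gw_chain_default_deny "$1"
}

# Demo with constructed ACL items (sample data, not from the page).
printf '%s\n' \
  'ingress allow tcp 10.10.0.0/24 22:22' \
  'ingress deny all 10.10.0.0/16' \
  'egress allow udp 172.16.5.0/24 53:53' | gw_render eth3
```

Rule order matters: items are emitted in the order given and the unconditional DROP is appended last, so an ALLOW for a narrow CIDR placed before a DENY for the enclosing range behaves as the ACL author expects, while anything not matched by an item falls through to the default BLOCK.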

UI changes:

1. UI change while creating a private gateway.

Network -> Network-VPC -> <vpcName> -> Configure VPC: <vpcName> -> Private Gateway -> Add Private Gateway.

   In the Add new Private Gateway pop-up, add a "Network ACL" drop-down list.

   By default the BLOCK ACL id should be selected. The user can change it by selecting an item from the drop-down.

2. Add a 'Network ACL' tab beside the Static Route tab on the private gateway page.

   - The Network ACL tab shows the network ACL associated with the private gateway. The user can also edit
     the network ACL id from this page.

Upgrade:

On upgrade, all Ingress/Egress traffic is allowed for existing private gateways, to preserve the pre-upgrade behavior.

References:

https://cwiki.apache.org/CLOUDSTACK/support-acl-deny-rules.html
