cloudstack-dev mailing list archives

From dmabry <...@git.apache.org>
Subject [GitHub] cloudstack issue #1581: CLOUDSTACK-9404 Fixed ordering of network ACL rules ...
Date Thu, 09 Jun 2016 20:51:33 GMT
Github user dmabry commented on the issue:

    https://github.com/apache/cloudstack/pull/1581
  
    I tested this in our lab with advanced networking and verified that the patch is working as expected.
    I used the following test process.
    
    1. Created an ACL and applied it to one VPC network tier.
    ```
    10    192.168.10.0/24    Allow    ALL    Ingress
    20    192.168.20.0/24    Allow    ALL    Ingress
    30    192.168.30.0/24    Allow    ALL    Ingress
    ```
    2. iptables looked like the following on the VPC VR
    ```
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            225.0.0.50          
    ACCEPT     all  --  0.0.0.0/0            224.0.0.18          
    ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0           
    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
    ```
    3. I added an additional rule of:
    ```
    40    192.168.40.0/24    Allow    TCP    80    80    Ingress
    ```
    4. iptables looked like the following on the VPC VR
    ```
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            225.0.0.50          
    ACCEPT     all  --  0.0.0.0/0            224.0.0.18          
    ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0           
    ACCEPT     tcp  --  192.168.40.0/24      0.0.0.0/0            tcp dpt:80
    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
    ```
    
    In summary, it looks like this patch works, as verified by manual testing in my lab.
    
    In short, LGTM based on testing.
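The check dmabry performed by eye above can be scripted, so it can be re-run on a VR after every ACL change. The following is an added example, not code from the pull request, from CloudStack, or from the comment: it parses an `iptables -L ACL_INBOUND_eth2 -n` listing and confirms that the ACL rules appear in rule-number order between the VR's own multicast allows (the `225.0.0.50` / `224.0.0.18` lines seen in the posted output) and the final catch-all DROP. The ordered listing and the ACL rule set are taken from the posted test; the out-of-order listing is constructed to show a failing case. The rendering of a port range as `tcp dpts:a:b` and the mapping of a Deny rule to a `DROP` target are assumptions that were not verified against a VR.

```python
"""Check that the iptables chain a VPC VR renders for a network ACL follows
the ACL rule numbers in order.  Added example; not CloudStack code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    number: int
    cidr: str
    action: str              # "Allow" or "Deny"
    protocol: str            # "ALL", "TCP", "UDP", "ICMP"
    start_port: Optional[int] = None
    end_port: Optional[int] = None


@dataclass(frozen=True)
class IptRule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str               # trailing match text, e.g. "tcp dpt:80"


# Destinations of the VR's own multicast allows seen in the posted listing;
# they sit in front of the ACL rules and are not part of the ACL.
MULTICAST_ALLOWS = ("225.0.0.50", "224.0.0.18")
DROP_ALL = IptRule("DROP", "all", "0.0.0.0/0", "0.0.0.0/0", "")


def parse_chain(listing: str) -> List[IptRule]:
    """Parse `iptables -L <chain> -n` output, skipping the chain/column headers."""
    rules = []
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Chain ") or line.startswith("target "):
            continue
        parts = line.split(None, 5)          # target prot opt source destination [extra]
        if len(parts) < 5:
            raise ValueError(f"unparseable iptables line: {line!r}")
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) == 6 else ""
        rules.append(IptRule(target, prot, src, dst, extra))
    return rules


def acl_to_ipt(rule: AclRule) -> IptRule:
    """Render one ingress ACL rule the way the posted listing shows it.
    Deny -> DROP and the dpts:a:b range form are assumptions."""
    target = "ACCEPT" if rule.action.lower() == "allow" else "DROP"
    prot = rule.protocol.lower()
    extra = ""
    if prot in ("tcp", "udp") and rule.start_port is not None:
        if rule.end_port is None or rule.end_port == rule.start_port:
            extra = f"{prot} dpt:{rule.start_port}"
        else:
            extra = f"{prot} dpts:{rule.start_port}:{rule.end_port}"
    return IptRule(target, prot, rule.cidr, "0.0.0.0/0", extra)


def check_order(listing: str, acl: List[AclRule]) -> List[str]:
    """Return the list of problems; empty means the chain matches the ACL
    in ascending rule-number order and ends with DROP all."""
    problems = []
    body = [r for r in parse_chain(listing) if r.destination not in MULTICAST_ALLOWS]
    if not body or body[-1] != DROP_ALL:
        problems.append("chain does not end with DROP all")
    else:
        body = body[:-1]
    expected = [acl_to_ipt(r) for r in sorted(acl, key=lambda r: r.number)]
    if len(body) != len(expected):
        problems.append(f"expected {len(expected)} ACL rules, found {len(body)}")
    for i, (got, want) in enumerate(zip(body, expected)):
        if got != want:
            problems.append(f"position {i}: got {got}, want {want}")
    return problems


# The ACL from the posted test (rules 10, 20, 30, then 40 added).
SAMPLE_ACL = [
    AclRule(10, "192.168.10.0/24", "Allow", "ALL"),
    AclRule(20, "192.168.20.0/24", "Allow", "ALL"),
    AclRule(30, "192.168.30.0/24", "Allow", "ALL"),
    AclRule(40, "192.168.40.0/24", "Allow", "TCP", 80, 80),
]

# The listing from step 4 of the posted test.
ORDERED_LISTING = """\
Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            225.0.0.50
ACCEPT     all  --  0.0.0.0/0            224.0.0.18
ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0
ACCEPT     tcp  --  192.168.40.0/24      0.0.0.0/0            tcp dpt:80
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed failing case: rule 40 rendered ahead of rule 10.
MISORDERED_LISTING = """\
Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            225.0.0.50
ACCEPT     all  --  0.0.0.0/0            224.0.0.18
ACCEPT     tcp  --  192.168.40.0/24      0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0
ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for name, listing in (("ordered", ORDERED_LISTING), ("misordered", MISORDERED_LISTING)):
        problems = check_order(listing, SAMPLE_ACL)
        print(name, "OK" if not problems else problems)
```

On a live VR the listing would come from `iptables -L ACL_INBOUND_eth2 -n` and the ACL from the management server's `listNetworkACLs` response; the checker deliberately compares the whole rendered rule, not just the order of source CIDRs, so a rule that lands in the right slot with the wrong protocol or port match is also reported.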


