From: pdube
To: dev@cloudstack.apache.org
Subject: [GitHub] cloudstack pull request #1581: CLOUDSTACK-9404 Fixed ordering of network ACL...
Date: Fri, 3 Jun 2016 14:47:25 +0000 (UTC)

GitHub user pdube reopened a pull request:

    https://github.com/apache/cloudstack/pull/1581

    CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR. The comparator was inverted.
    Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404

    In this example, I created rules with the port numbers the same as the rule numbers.

        Chain ACL_INBOUND_eth2 (1 references)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             225.0.0.50
        ACCEPT     all  --  anywhere             vrrp.mcast.net
        DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
        DROP       tcp  --  anywhere             anywhere             tcp dpt:10
        DROP       tcp  --  anywhere             anywhere             tcp dpt:5
        DROP       tcp  --  anywhere             anywhere             tcp dpt:3
        DROP       tcp  --  anywhere             anywhere             tcp dpt:2
        DROP       all  --  anywhere             anywhere

    We can see above that the rules are inverted.

    After the fix:

        Chain ACL_INBOUND_eth2 (1 references)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             225.0.0.50
        ACCEPT     all  --  anywhere             vrrp.mcast.net
        DROP       tcp  --  anywhere             anywhere             tcp dpt:2
        DROP       tcp  --  anywhere             anywhere             tcp dpt:3
        DROP       tcp  --  anywhere             anywhere             tcp dpt:5
        DROP       tcp  --  anywhere             anywhere             tcp dpt:10
        DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
        DROP       all  --  anywhere             anywhere

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pdube/cloudstack network-acl-rules-order

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1581.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1581

----
commit caf4a48075e0f59b5d101efdd3ac6b1bee8f4f39
Author: Patrick Dube
Date:   2016-06-02T17:15:38Z

    Fixed ordering of network ACL rules being sent to the VR. The comparator was inverted

commit 4c97a3981dc0d543e02f62f2bb4fc2eb805545c6
Author: Patrick Dube
Date:   2016-06-02T17:44:39Z

    Added unit test to verify ordering

commit 9cdd23fdc77e643d886c3af8cb0a60f9c4ddf84f
Author: Patrick Dube
Date:   2016-06-03T12:48:47Z

    Added ASF license to unit test file

----
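The check used in the message above (ACL rules created with port number equal to rule number, so the chain listing reveals evaluation order) can be automated. The following is an added example, not code from the pull request or from CloudStack; the function names and the `SERVICE_PORTS` table are assumptions, and the sample input is constructed from the two listings in the message.

```python
import re

# Constructed input: the rule lines of the two listings in the message above.
BEFORE_FIX = """\
ACCEPT all -- anywhere 225.0.0.50
ACCEPT all -- anywhere vrrp.mcast.net
DROP tcp -- anywhere anywhere tcp dpt:netstat
DROP tcp -- anywhere anywhere tcp dpt:10
DROP tcp -- anywhere anywhere tcp dpt:5
DROP tcp -- anywhere anywhere tcp dpt:3
DROP tcp -- anywhere anywhere tcp dpt:2
DROP all -- anywhere anywhere
"""
AFTER_FIX = """\
ACCEPT all -- anywhere 225.0.0.50
ACCEPT all -- anywhere vrrp.mcast.net
DROP tcp -- anywhere anywhere tcp dpt:2
DROP tcp -- anywhere anywhere tcp dpt:3
DROP tcp -- anywhere anywhere tcp dpt:5
DROP tcp -- anywhere anywhere tcp dpt:10
DROP tcp -- anywhere anywhere tcp dpt:netstat
DROP all -- anywhere anywhere
"""

# Without -n, iptables prints service names; netstat is 15/tcp in /etc/services.
# Assumption: extend this table for any other named ports in your listing.
SERVICE_PORTS = {"netstat": 15}

def dports(listing):
    """Destination ports in the order the chain evaluates them (first match wins)."""
    ports = []
    for line in listing.splitlines():
        m = re.search(r"\bdpt:(\S+)", line)
        if not m:
            continue  # rules with no port match: multicast ACCEPTs, final DROP
        token = m.group(1)
        if token.isdigit():
            ports.append(int(token))
        elif token in SERVICE_PORTS:
            ports.append(SERVICE_PORTS[token])
        else:
            raise ValueError(f"unknown service name: {token}")
    return ports

def order_violations(listing):
    """Adjacent (earlier, later) pairs where a higher rule number is evaluated first."""
    p = dports(listing)
    return [(a, b) for a, b in zip(p, p[1:]) if a > b]
```

Listing the chain with `iptables -L -n` prints numeric ports and makes the service-name table unnecessary.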