cloudstack-issues mailing list archives

From "Jayapal Reddy (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-3199) NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router
Date Wed, 26 Jun 2013 09:14:21 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayapal Reddy resolved CLOUDSTACK-3199.
---------------------------------------

    Resolution: Fixed
    
> NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3199
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3199
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> Observe from the information given below that the newly added Network ACL items are getting applied to the guest network tier but are not applied to the private gateway present on the virtual router. Both the network tier and the private gateway use the same Network ACL container.
> ==================
> On VPC Virtual Router:
> ==================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> root@r-3-NTIERAGN:~# ifconfig eth2 | grep Bcast
>           inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
> root@r-3-NTIERAGN:~# ifconfig eth3 | grep Bcast
>           inet addr:10.223.57.160  Bcast:10.223.57.191  Mask:255.255.255.192
> ==============
> On the Database:
> ==============
> mysql> select * from vpc_gateways where id=2 \G
> *************************** 1. row ***************************
>             id: 2
>           uuid: cf8e69db-620c-4b61-a1d3-4f595b6c6050
>    ip4_address: 10.223.57.160
>        netmask: 255.255.255.192
>        gateway: 10.223.57.129
>       vlan_tag: 572
>           type: Private
>     network_id: 210
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-06-24 23:06:20
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
> mysql> select * from networks where id in (208,210)\G
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: 4
> *************************** 2. row ***************************
>                    id: 210
>                  name: vpc-Atoms-VPC-1-privateNetwork
>                  uuid: 42919011-267e-4eed-9af8-241e3dc78df0
>          display_text: vpc-Atoms-VPC-1-privateNetwork
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://572
>               gateway: 10.223.57.129
>                  cidr: 10.223.57.128/26
>                  mode: Static
>   network_offering_id: 5
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: PrivateNetworkGuru
>                 state: Setup
>               related: 210
>             domain_id: 1
>            account_id: 1
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: NULL
>        reservation_id: NULL
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-24 23:06:20
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 2 rows in set (0.00 sec)
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request] (Job-Executor-30:job-89) Seq 1-1278678427: Executing: { Cmd , MgmtId: 7471666038533, via: 1, Ver: v1, Flags: 100001, [
> {"routing.SetNetworkACLCommand":{
>   "rules":[
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},
>     {"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}
>   ],
>   "nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},
>   "accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},
>   "wait":0}}
> ] }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
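The report above shows the failure mode directly: acl_id 4 is bound to the guest tier through networks.network_acl_id and to the private gateway through vpc_gateways.network_acl_id (network 210 itself has network_acl_id NULL), the SetNetworkACLCommand is sent only for the vlan 2580 NIC, and on the router ACL_INBOUND_eth3 ends up with two of the six items while ACL_INBOUND_eth2 has all six. The script below is an added example, not code from the report or from CloudStack: it takes a copy of `iptables-save` output and the ACL's items and reports, per interface that should carry the ACL, which item numbers are missing, which chain rules match no item, and the order in which the chain actually evaluates the items. It assumes the ACL_INBOUND_<iface> chain naming seen on this router, takes the per-item action from the SetNetworkACLCommand payload (the network_acl_item columns selected in the report do not include it), and embeds sample input constructed from the report's own output.

```python
import ipaddress
import re

# Constructed sample: the ACL-related lines of `iptables-save` as pasted in the
# report (eth2 = guest tier NIC, eth3 = private gateway NIC).
IPTABLES_SAVE = """\
:ACL_INBOUND_eth2 - [0:0]
:ACL_INBOUND_eth3 - [0:0]
-A FORWARD -o eth3 -j ACL_INBOUND_eth3
-A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
-A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
-A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
-A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""

# Constructed sample: network_acl_item rows for acl_id 4 from the report, with the
# action each item carries in the SetNetworkACLCommand JSON.
# (number, cidr, protocol, start_port, end_port, action)
ACL_ITEMS = [
    (1, "10.223.131.172/32", "tcp", 20, 40, "ACCEPT"),
    (2, "10.223.195.103/32", "tcp", 21, 51, "DROP"),
    (3, "10.223.131.172/32", "tcp", 20, 40, "DROP"),
    (4, "10.216.133.50/32", "tcp", 50, 99, "ACCEPT"),
    (5, "10.223.131.193/24", "tcp", 45, 85, "ACCEPT"),
    (6, "10.223.131.193/26", "tcp", 105, 145, "DROP"),
]

# VR interfaces the database binds to acl_id 4: eth2 via networks.network_acl_id,
# eth3 via vpc_gateways.network_acl_id.
ACL_INTERFACES = ["eth2", "eth3"]

CHAIN_RE = re.compile(r"^:ACL_INBOUND_(?P<iface>\S+) ")
RULE_RE = re.compile(
    r"^-A ACL_INBOUND_(?P<iface>\S+)"
    r"(?: -s (?P<src>\S+))?"
    r"(?: -p (?P<proto>\S+))?"
    r"(?: -m \S+ --dport (?P<lo>\d+)(?::(?P<hi>\d+))?)?"
    r" -j (?P<target>\S+)$"
)

def canonical_cidr(cidr):
    """Reduce a CIDR to its network address: the DB keeps 10.223.131.193/24 as
    typed, while iptables-save prints it back as 10.223.131.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))

def expected_rules(items):
    """ACL item number -> normalised rule tuple, in item-number order."""
    return {n: (canonical_cidr(c), p, lo, hi, a) for n, c, p, lo, hi, a in sorted(items)}

def parse_inbound_chains(iptables_save):
    """{iface: [rule tuples in chain order]} for every ACL_INBOUND_* chain.
    The trailing catch-all '-j DROP' carries no match criteria and is skipped."""
    chains = {}
    for line in iptables_save.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            chains.setdefault(m["iface"], [])
            continue
        m = RULE_RE.match(line)
        if not m or m["src"] is None:
            continue
        lo = int(m["lo"]) if m["lo"] else None
        hi = int(m["hi"]) if m["hi"] else lo        # '--dport 22' means 22:22
        chains.setdefault(m["iface"], []).append(
            (canonical_cidr(m["src"]), m["proto"] or "all", lo, hi, m["target"]))
    return chains

def check_vr_acl(iptables_save, items, interfaces):
    """For each interface bound to the ACL: item numbers missing from its chain,
    chain rules that match no item, and the item numbers in the order the chain
    evaluates them (first match wins, so order matters for overlapping items)."""
    want = expected_rules(items)
    have = parse_inbound_chains(iptables_save)
    by_rule = {rule: n for n, rule in want.items()}
    report = {}
    for iface in interfaces:
        got = have.get(iface)
        if got is None:          # no chain at all for this interface
            report[iface] = {"missing": sorted(want), "extra": [], "order": []}
            continue
        report[iface] = {
            "missing": sorted(n for n, r in want.items() if r not in got),
            "extra": [r for r in got if r not in by_rule],
            "order": [by_rule[r] for r in got if r in by_rule],
        }
    return report

if __name__ == "__main__":
    for iface, res in check_vr_acl(IPTABLES_SAVE, ACL_ITEMS, ACL_INTERFACES).items():
        status = "OK" if not (res["missing"] or res["extra"]) else "DRIFT"
        print(f"{iface}: {status} missing={res['missing']} extra={res['extra']} order={res['order']}")
```

On the report's data it flags eth3 as missing items 3 to 6 and eth2 as complete. It also shows that eth2 evaluates the items as 1, 3, 5, 2, 4, 6 rather than in numbered order; items 2 and 5 do not overlap here, so the result is the same, but with overlapping CIDRs the chain order, not the item number, decides which action fires. CIDRs are normalised before comparison because the DB stores them as entered while iptables prints the network address, so a naive string comparison would report items 5 and 6 as missing on eth2 too. To run it on a router, feed it the real output of `iptables-save` and the ACL items for every interface whose network or gateway row points at that ACL.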
