Date: Wed, 26 Jun 2013 09:02:19 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-3199) NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router

[ https://issues.apache.org/jira/browse/CLOUDSTACK-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693844#comment-13693844 ]

ASF subversion and git services commented on CLOUDSTACK-3199:
-------------------------------------------------------------

Commit 8eeefad97f6e7c71eb3f9b70211129c11221364e in branch refs/heads/master-6-17-stable from [~jayapal]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8eeefad ]
CLOUDSTACK-3199 apply acl item to private gateway when added to acl list

> NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router
> --------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3199
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3199
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> Observe from the information given below that the newly added Network ACL Items are getting applied to the Guest Network Tier but are not applied to the Private Gateway present on the Virtual Router. Both the network tier and the private gateway use the same Network ACL Container.
>
> ==================
> On VPC Virtual Router:
> ==================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> root@r-3-NTIERAGN:~# ifconfig eth2 | grep Bcast
>           inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
> root@r-3-NTIERAGN:~# ifconfig eth3 | grep Bcast
>           inet addr:10.223.57.160  Bcast:10.223.57.191  Mask:255.255.255.192
>
> ==============
> On the Database:
> ==============
> mysql> select * from vpc_gateways where id=2 \G
> *************************** 1. row ***************************
>             id: 2
>           uuid: cf8e69db-620c-4b61-a1d3-4f595b6c6050
>    ip4_address: 10.223.57.160
>        netmask: 255.255.255.192
>        gateway: 10.223.57.129
>       vlan_tag: 572
>           type: Private
>     network_id: 210
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-06-24 23:06:20
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
>
> mysql> select * from networks where id in (208,210);
> *************************** 1. row ***************************
>                    id: 208
>                  name: Atoms-VPC-Net-2
>                  uuid: c81066f7-f3ed-4aab-8f86-be8d3bab32ed
>          display_text: Atoms-VPC-Net-2
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://2580
>               gateway: 192.168.11.1
>                  cidr: 192.168.11.0/24
>                  mode: Dhcp
>   network_offering_id: 12
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: ExternalGuestNetworkGuru
>                 state: Implemented
>               related: 208
>             domain_id: 1
>            account_id: 3
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: atomsvpcnet1.lab.vmops.com
>        reservation_id: 175f7abb-a55b-4932-b394-24137ee1203b
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-21 21:24:45
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: 4
> *************************** 2. row ***************************
>                    id: 210
>                  name: vpc-Atoms-VPC-1-privateNetwork
>                  uuid: 42919011-267e-4eed-9af8-241e3dc78df0
>          display_text: vpc-Atoms-VPC-1-privateNetwork
>          traffic_type: Guest
> broadcast_domain_type: Vlan
>         broadcast_uri: vlan://572
>               gateway: 10.223.57.129
>                  cidr: 10.223.57.128/26
>                  mode: Static
>   network_offering_id: 5
>   physical_network_id: 200
>        data_center_id: 1
>             guru_name: PrivateNetworkGuru
>                 state: Setup
>               related: 210
>             domain_id: 1
>            account_id: 1
>                  dns1: NULL
>                  dns2: NULL
>             guru_data: NULL
>            set_fields: 0
>              acl_type: Account
>        network_domain: NULL
>        reservation_id: NULL
>            guest_type: Isolated
>      restart_required: 0
>               created: 2013-06-24 23:06:20
>               removed: NULL
>     specify_ip_ranges: 0
>                vpc_id: 1
>           ip6_gateway: NULL
>              ip6_cidr: NULL
>          network_cidr: NULL
>       display_network: 1
>        network_acl_id: NULL
> 2 rows in set (0.00 sec)
>
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
>
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request] (Job-Executor-30:job-89) Seq 1-1278678427: Executing: { Cmd , MgmtId: 7471666038533, via: 1, Ver: v1, Flags: 100001, [{"routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}],"nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},"wait":0}}] }
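A consistency check for the drift the report describes, added here as an example and not CloudStack's own code: it parses the ACL_INBOUND chains from iptables-save output and reports, per router interface, which items of the ACL are absent. The sample input is the router output quoted in the report (constructed string), the expected items are the rules carried in the SetNetworkACLCommand above, and CIDRs are normalised because iptables prints the network address (10.223.131.193/24 shows up as 10.223.131.0/24).

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: the ACL_INBOUND chains captured on r-3-NTIERAGN in the report.
IPTABLES_SAVE = """\
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
-A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
-A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
-A ACL_INBOUND_eth2 -j DROP
-A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
-A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
-A ACL_INBOUND_eth3 -j DROP
"""
# Items of ACL 4 as carried in the SetNetworkACLCommand: (cidr as entered, start, end, action).
ACL_ITEMS = [
    ("10.223.131.172/32", 20, 40, "ACCEPT"), ("10.223.195.103/32", 21, 51, "DROP"),
    ("10.223.131.172/32", 20, 40, "DROP"),   ("10.216.133.50/32", 50, 99, "ACCEPT"),
    ("10.223.131.193/24", 45, 85, "ACCEPT"), ("10.223.131.193/26", 105, 145, "DROP"),
]
RULE_RE = re.compile(r"^-A ACL_INBOUND_(\S+) -s (\S+) -p tcp -m tcp --dport (\d+):(\d+) -j (ACCEPT|DROP)$")

def normalise(cidr):
    # iptables prints the network address, so 10.223.131.193/24 appears as 10.223.131.0/24
    return str(ip_network(cidr, strict=False))

def applied_rules(save_text):
    """interface -> Counter of (cidr, start, end, action) present in its ACL_INBOUND chain"""
    per_dev = {}
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:          # lines that are not ACL items (e.g. the trailing default DROP) are skipped
            continue
        dev, cidr, lo, hi, action = m.groups()
        per_dev.setdefault(dev, Counter())[(normalise(cidr), int(lo), int(hi), action)] += 1
    return per_dev

def missing_items(save_text, items, devices):
    """Per interface, the ACL items expected on the router but absent from its chain."""
    expected = Counter((normalise(c), lo, hi, act) for c, lo, hi, act in items)
    applied = applied_rules(save_text)
    return {dev: sorted((expected - applied.get(dev, Counter())).elements()) for dev in devices}

if __name__ == "__main__":
    for dev, gaps in missing_items(IPTABLES_SAVE, ACL_ITEMS, ["eth2", "eth3"]).items():
        print(dev, "missing:", gaps or "none")
```

On the quoted output this reports nothing missing on eth2 (the tier) and four items missing on eth3 (the private gateway), which is exactly the mismatch the commit addresses.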