cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-3198) NTier: Network ACL Rules Sequence on the Virtual Router does not match the Rule Priority mentioned on CloudStack
Date Tue, 02 Jul 2013 13:25:23 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697777#comment-13697777 ]

ASF subversion and git services commented on CLOUDSTACK-3198:
-------------------------------------------------------------

Commit df2b3d0ed8f2eebb3e8d2b8b14da0e404503507c in branch refs/heads/master-6-17-stable from [~kishan]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=df2b3d0 ]

CLOUDSTACK-3198: HashSet used for storing ACL rules doesn't maintain the order. Added rules
directly to result string array after sorting.

                
> NTier: Network ACL Rules Sequence on the Virtual Router does not match the Rule Priority mentioned on CloudStack
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3198
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3198
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>             Fix For: 4.2.0
>
>
> ==================
> On VPC Virtual Router:
> ==================
> :ACL_INBOUND_eth2 - [0:0]
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> ==============
> On the Database:
> ==============
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request] (Job-Executor-30:job-89) Seq
1-1278678427: Executing:  { Cmd , MgmtId: 7471666038533, via: 1, Ver: v1, Flags: 100001, [{"routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}],"nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},"wait":0}}]
}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
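
Added example, not part of the original message and not CloudStack code: a check that maps each rule in the router's iptables chain back to its ACL rule number and flags rules evaluated out of priority order, using the chain and rule list quoted in the report. The function names, the tuple layout and the Python rendering are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed inputs: the router chain and the rule list quoted in the report above.
ROUTER_CHAIN = """\
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
-A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
-A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
-A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
-A ACL_INBOUND_eth2 -j DROP
"""
# (number, cidr, protocol, start_port, end_port, action), as sent in SetNetworkACLCommand
ACL_ITEMS = [
    (1, "10.223.131.172/32", "tcp", 20, 40, "ACCEPT"),
    (2, "10.223.195.103/32", "tcp", 21, 51, "DROP"),
    (3, "10.223.131.172/32", "tcp", 20, 40, "DROP"),
    (4, "10.216.133.50/32", "tcp", 50, 99, "ACCEPT"),
    (5, "10.223.131.193/24", "tcp", 45, 85, "ACCEPT"),
    (6, "10.223.131.193/26", "tcp", 105, 145, "DROP"),
]
RULE_RE = re.compile(r"^-A (\S+) -s (\S+) -p (\S+) .*--dport (\d+):(\d+) -j (\S+)$")

def rule_key(cidr, proto, lo, hi, action):
    # iptables stores the network address, so 10.223.131.193/24 becomes 10.223.131.0/24.
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net), proto, int(lo), int(hi), action)

def router_sequence(chain_text, chain, acl_items):
    """ACL 'number' of each rule in the order the chain evaluates it (None if unknown)."""
    numbers = {rule_key(*item[1:]): item[0] for item in acl_items}
    seq = []
    for line in chain_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == chain:  # the chain's final catch-all DROP has no -s and is skipped
            seq.append(numbers.get(rule_key(*m.group(2, 3, 4, 5, 6))))
    return seq

def inversions(seq):
    """Adjacent pairs where a rule is evaluated before one with a lower number."""
    return [(a, b) for a, b in zip(seq, seq[1:]) if a is None or b is None or a > b]

def expected_chain(acl_items, chain):
    """Render tcp/udp rules from a list sorted by number; a list keeps that order."""
    return "\n".join(
        f"-A {chain} -s {rule_key(c, p, lo, hi, a)[0]} -p {p} -m {p} --dport {lo}:{hi} -j {a}"
        for _, c, p, lo, hi, a in sorted(acl_items))

if __name__ == "__main__":
    seq = router_sequence(ROUTER_CHAIN, "ACL_INBOUND_eth2", ACL_ITEMS)
    print("router order by rule number:", seq, "inversions:", inversions(seq))
```

Because iptables stops at the first matching rule, any inversion between two rules that overlap in source and port range changes the verdict, so a non-empty result is worth alerting on.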
