Date: Tue, 2 Jul 2013 13:25:20 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-3198) NTier: Network ACL Rules Sequence on the Virtual Router does not match the Rule Priority mentioned on CloudStack

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697770#comment-13697770 ]

ASF subversion and git services commented on CLOUDSTACK-3198:
-------------------------------------------------------------

Commit 154618b75f4e86c2edc9719ebca17e78968922c8 in branch refs/heads/4.2 from [~kishan]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=154618b ]

CLOUDSTACK-3198: HashSet used for storing ACL rules doesn't maintain the order. Added rules directly to result string array after sorting.

> NTier: Network ACL Rules Sequence on the Virtual Router does not match the Rule Priority mentioned on CloudStack
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3198
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3198
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Kishan Kavala
>             Fix For: 4.2.0
>
>
> ==================
> On VPC Virtual Router:
> ==================
> :ACL_INBOUND_eth2 - [0:0]
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> ==============
> On the Database:
> ==============
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request] (Job-Executor-30:job-89) Seq 1-1278678427: Executing: { Cmd , MgmtId: 7471666038533, via: 1, Ver: v1, Flags: 100001, [{"routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}],"nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},"wait":0}}] }