Date: Tue, 9 Jul 2013 08:37:48 +0000 (UTC)
From: "Jayapal Reddy (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Resolved] (CLOUDSTACK-3352) NTier: Replace Network ACL doesn't remove old ACL rules on the Private Gateway when new empty acl is applied

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayapal Reddy resolved CLOUDSTACK-3352.
---------------------------------------
    Resolution: Fixed

Steps to verify:
1. Create a private gateway and associate it with a non-empty acl.
2. Check the router iptables rules for the acl rules.
3. Edit the private gateway and associate it with an empty acl.
4. Check the router iptables rules.
   Make sure that the previous acl items got removed.

> NTier: Replace Network ACL doesn't remove old ACL rules on the Private Gateway when new empty acl is applied
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3352
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3352
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> =======
> ACL List:
> =======
> mysql> select * from network_acl where id=3;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name        | uuid                                 | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> |  3 | Atoms-ACL-1 | 593ef61a-09af-43a4-8bb5-7038d3904377 |      1 | Atoms-ACL-1 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
>
> =============
> ACL List Items:
> =============
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=3;
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> | id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number | action |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> |  5 |         18 |       29 | Active | tcp      | 2013-07-02 19:06:47 | Ingress      | 10.223.131.172/32 |      3 | Allow  |
> |  6 |         17 |       37 | Active | tcp      | 2013-07-02 19:08:25 | Ingress      | 10.223.195.103/32 |      5 | Deny   |
> |  7 |         16 |       36 | Active | tcp      | 2013-07-02 21:27:16 | Egress       | 10.223.131.172/32 |      4 | Deny   |
> |  8 |         15 |       35 | Active | tcp      | 2013-07-02 21:28:08 | Egress       | 10.223.195.103/32 |      6 | Allow  |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> 4 rows in set (0.00 sec)
>
> ==============================
> Private Gateway is assigned this ACL:
> ==============================
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
>             id: 1
>           uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
>    ip4_address: 10.223.60.30
>        netmask: 255.255.255.192
>        gateway: 10.223.60.1
>       vlan_tag: 600
>           type: Private
>     network_id: 206
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-07-02 22:17:02
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 3
> 1 row in set (0.01 sec)
>
> =====================
> On the VPC Virtual Router:
> =====================
> root@r-3-NTIERRR:~# ifconfig eth4
> eth4      Link encap:Ethernet  HWaddr 06:04:5a:00:00:22
>           inet addr:10.223.60.30  Bcast:10.223.60.63  Mask:255.255.255.192
>           inet6 addr: fe80::404:5aff:fe00:22/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1748 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:887 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:80522 (78.6 KiB)  TX bytes:37690 (36.8 KiB)
>           Interrupt:27
>
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#
>
> ** Replace the ACL List with the one mentioned below
>
> mysql> select * from network_acl where id=4;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name        | uuid                                 | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> |  4 | Atoms-ACL-2 | 0bcb8639-9b3b-487b-9b19-6237b3c309b9 |      1 | Atoms-ACL-2 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
>
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=4;
> Empty set (0.00 sec)
>
> ** Observe the change in the acl id on the private gateway record
>
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
>             id: 1
>           uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
>    ip4_address: 10.223.60.30
>        netmask: 255.255.255.192
>        gateway: 10.223.60.1
>       vlan_tag: 600
>           type: Private
>     network_id: 206
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-07-02 22:17:02
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
>
> ** Observe that the VPC Virtual Router still has the old rules on the Private Gateway
>
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#
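The verification in this ticket comes down to comparing the ACL items the management server holds for the gateway with the rules the router actually enforces. The check below is an added example, not CloudStack's own code: it derives the rules a gateway NIC should carry from its ACL items, using the item-to-rule mapping visible in the quoted iptables-save output (Ingress to ACL_INBOUND with -s, Egress to ACL_OUTBOUND with -d, Allow to ACCEPT, Deny to DROP), and diffs them against a captured iptables-save. The ACL items and router output are constructed from the report's own values; the function names are assumptions.

```python
import re

# Constructed sample: the network_acl_item rows of acl_id=3 from the report,
# as (traffic_type, cidr, protocol, start_port, end_port, action).
ACL3_ITEMS = [
    ("Ingress", "10.223.131.172/32", "tcp", 18, 29, "Allow"),
    ("Ingress", "10.223.195.103/32", "tcp", 17, 37, "Deny"),
    ("Egress", "10.223.131.172/32", "tcp", 16, 36, "Deny"),
    ("Egress", "10.223.195.103/32", "tcp", 15, 35, "Allow"),
]

# Constructed sample: `iptables-save | grep ACL | grep eth4` on the router, as quoted in the report.
ROUTER_SAVE = """\
:ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP
"""

# Matches one per-item rule; the jump rules and the bare default '-j DROP' do not match.
RULE_RE = re.compile(r"^-A (ACL_(?:IN|OUT)BOUND_(\w+)) -[sd] (\S+) -p (\w+)"
                     r" -m \w+ --dport (\d+):(\d+) -j (ACCEPT|DROP)$")

def expected_rules(items, nic):
    """Rules the router should carry for the ACL currently assigned to the gateway NIC."""
    out = set()
    for traffic, cidr, proto, lo, hi, action in items:
        chain = f"ACL_{'INBOUND' if traffic == 'Ingress' else 'OUTBOUND'}_{nic}"
        out.add((chain, cidr, proto, f"{lo}:{hi}", "ACCEPT" if action == "Allow" else "DROP"))
    return out

def router_rules(save_output, nic):
    """Per-item ACL rules actually present for one NIC in iptables-save output."""
    out = set()
    for line in save_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(2) == nic:
            chain, _, cidr, proto, lo, hi, target = m.groups()
            out.add((chain, cidr, proto, f"{lo}:{hi}", target))
    return out

def acl_drift(items, save_output, nic):
    """(stale, missing): rules the ACL no longer justifies, and ACL items the router does not enforce."""
    have, want = router_rules(save_output, nic), expected_rules(items, nic)
    return have - want, want - have
```

With the gateway still on ACL 3 the drift is empty; after switching it to the empty ACL 4 every rule still on the router shows up as stale, which is exactly the condition step 4 of the verification is meant to catch.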