cloudstack-issues mailing list archives

From "Wilder Rodrigues (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-9213) As a user I want to be able to use multiple ip's/cidrs in an ACL
Date Wed, 06 Jan 2016 08:07:39 GMT
Wilder Rodrigues created CLOUDSTACK-9213:
--------------------------------------------

             Summary: As a user I want to be able to use multiple ip's/cidrs in an ACL
                 Key: CLOUDSTACK-9213
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9213
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.7.0, 4.7.1
            Reporter: Wilder Rodrigues
            Assignee: Wilder Rodrigues
            Priority: Critical
             Fix For: 4.7.2


If you add multiple CIDRs, separated by commas, when adding an ACL item, this doesn't work. It used
to work in 4.4 and is supported by iptables.

This is a supported command, but CloudStack sends it in the wrong way:

Example:
 "eth3": {
        "device": "eth3",
        "egress_rules": [
            {
                "allowed": true,
                "cidr": "0.0.0.0/0",
                "first_port": 53,
                "last_port": 53,
                "type": "tcp"
            },
            {
                "allowed": true,
                "cidr": "10.136.70.0/26-10.136.128.128/26-10.136.10.128/26-10.136.3.0/26-10.137.69.0/24-10.136.196.64/26-10.136.224.0/24-10.136.128.64/26-10.136.66.0/26-10.136.5.64/26-10.136.128.0/26-10.137.128.0/24-10.136.69.64/26-10.136.96.0/
24-10.136.132.0/26-10.136.75.64/26-10.136.4.0/26-10.136.12.64/26-10.136.10.0/26-10.136.1.0/26-10.136.9.128/26-10.136.226.0/24-10.136.196.0/26-10.136.11.64/26-10.136.32.0/24-10.136.75.0/26-10.136.161.0/24-10.136.98.0/24-10.136.65.128/26-10.136.7
2.0/26-10.136.72.128/26-10.136.68.0/26-10.136.65.192/26-10.137.4.0/24-10.136.6.64/26-10.136.67.0/26-10.136.133.64/26-10.136.2.64/26-10.136.102.0/24-10.136.9.64/26-10.136.225.0/24-10.136.101.0/24-10.137.68.0/24-10.136.2.0/26-10.136.5.0/26-10.136
.11.0/26-10.136.65.64/26-10.137.129.0/24-10.135.6.0/26-10.136.129.0/26-10.136.133.0/26-10.136.72.64/26-10.136.97.0/24-10.136.33.0/24-10.136.64.128/26-10.136.197.0/26-10.136.66.64/26-10.136.160.0/24-10.136.74.0/26-10.136.196.128/26-10.136.64.0/2
6-10.136.1.192/26-10.136.192.64/26-10.137.5.0/24-10.135.2.0/26-10.136.130.64/26-10.136.12.0/26-10.136.1.128/26-10.136.132.128/26-10.136.1.64/26-10.136.64.192/26-10.136.73.0/26-10.136.69.0/26-10.136.34.0/24-10.136.73.128/26-10.136.100.0/24-10.13
6.38.0/24-10.135.3.0/26-10.136.65.0/26-10.136.10.64/26-10.136.6.0/26-10.136.131.0/26-10.136.194.64/26-10.136.67.64/26-10.136.7.0/26-10.137.0.0/24-10.136.193.64/26-10.136.197.64/26-10.136.9.0/26-10.136.162.0/24-10.136.4.64/26-10.136.195.0/26-10.
136.129.64/26-10.136.36.0/24-10.137.192.0/24-10.136.192.0/26-10.136.68.64/26-10.136.71.0/26-10.137.64.0/24-10.136.74.64/26-10.136.130.0/26-10.135.5.0/26-10.136.132.64/26-10.136.2.192/26-10.136.194.0/26-10.136.128.192/26-10.137.1.0/24-10.136.192
.128/26-10.136.3.64/26-10.136.8.0/26-10.137.65.0/24-10.136.64.64/26-10.136.192.192/26-10.136.193.0/26-10.137.193.0/24-10.136.2.128/26-10.136.73.64/26-10.136.37.0/24",
                "first_port": 135,
                "last_port": 135,
                "type": "tcp"
            },

This generates broken iptables commands:

iptables -t filter -I ACL_INBOUND_eth3 4 -p tcp -s 195.66.90.59/32-195.66.90.65/32 -m tcp --dport 3389 -j ACCEPT

The '-' should be a comma.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
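
Added example, not part of the original message and not CloudStack's own code: one way to validate a rule's "cidr" field and build the iptables source list with commas before the rule is applied. The function names, the constructed sample rule and the DROP mapping for "allowed": false are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rule, shaped like the JSON above and using the two
# source addresses from the broken iptables command in the report.
SAMPLE_RULE = {"allowed": True, "cidr": "195.66.90.59/32-195.66.90.65/32",
               "first_port": 3389, "last_port": 3389, "type": "tcp"}


def parse_cidr_field(field):
    """Split a rule's "cidr" value into validated IPv4 networks.

    Accepts "," (what iptables -s expects) and "-" (the separator seen in
    the JSON). One bad element rejects the whole field, so a malformed
    source list never reaches iptables.
    """
    nets = []
    for part in field.replace("-", ",").split(","):
        try:
            # strict=False normalises host bits, e.g. 10.0.0.5/24 -> 10.0.0.0/24
            nets.append(ipaddress.IPv4Network(part.strip(), strict=False))
        except ValueError as exc:
            raise ValueError("bad cidr %r in %r" % (part, field)) from exc
    return nets


def acl_rule_argv(chain, position, rule):
    """Return the iptables argv (a list, so no shell parsing) for one rule."""
    if rule["type"] not in ("tcp", "udp"):
        raise ValueError("only tcp/udp rules are handled here")
    first, last = int(rule["first_port"]), int(rule["last_port"])
    if not 0 < first <= last <= 65535:
        raise ValueError("bad port range %r-%r" % (first, last))
    sources = ",".join(str(n) for n in parse_cidr_field(rule["cidr"]))
    dport = str(first) if first == last else "%d:%d" % (first, last)
    # Assumption: a rule with "allowed": false maps to DROP.
    target = "ACCEPT" if rule["allowed"] else "DROP"
    return ["iptables", "-t", "filter", "-I", chain, str(position),
            "-p", rule["type"], "-s", sources, "-m", rule["type"],
            "--dport", dport, "-j", target]


if __name__ == "__main__":
    print(" ".join(acl_rule_argv("ACL_INBOUND_eth3", 4, SAMPLE_RULE)))
```

Rejecting the whole field on a single bad element means a partially parsed source list never reaches the firewall.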
