Date: Thu, 7 Jan 2016 11:07:39 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-9213) As a user I want to be able to use multiple ip's/cidrs in an ACL

[ https://issues.apache.org/jira/browse/CLOUDSTACK-9213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15087199#comment-15087199 ]

ASF GitHub Bot commented on CLOUDSTACK-9213:
--------------------------------------------

Github user remibergsma commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169631870

LGTM, verified it working properly:

![screen shot 2016-01-06 at 14 51 17](https://cloud.githubusercontent.com/assets/1630096/12169101/c3583e0a-b536-11e5-97fc-77e0f0abbec0.png)
![screen shot 2016-01-06 at 14 50 34](https://cloud.githubusercontent.com/assets/1630096/12169082/a51c4120-b536-11e5-95f1-5b944a8f81e5.png)
![screen shot 2016-01-06 at 14 52 17](https://cloud.githubusercontent.com/assets/1630096/12169092/b4ec0f18-b536-11e5-8bb7-bca7f334969e.png)

> As a user I want to be able to use multiple ip's/cidrs in an ACL
> ----------------------------------------------------------------
>
> Key: CLOUDSTACK-9213
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9213
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.7.0, 4.7.1
> Reporter: Wilder Rodrigues
> Assignee: Wilder Rodrigues
> Priority: Critical
> Fix For: 4.7.2
>
>
> If you add multiple cidrs, separated by comma when adding acl item, this doesn't work. Used to work in 4.4 and supported by iptables.
> This is a supported command, but CloudStack sends it in the wrong way:
> Example:
>     "eth3": {
>         "device": "eth3",
>         "egress_rules": [
>             {
>                 "allowed": true,
>                 "cidr": "0.0.0.0/0",
>                 "first_port": 53,
>                 "last_port": 53,
>                 "type": "tcp"
>             },
>             {
>                 "allowed": true,
>                 "cidr": "10.136.70.0/26-10.136.128.128/26-10.136.10.128/26-10.136.3.0/26-10.137.69.0/24-10.136.196.64/26-10.136.224.0/24-10.136.128.64/26-10.136.66.0/26-10.136.5.64/26-10.136.128.0/26-10.137.128.0/24-10.136.69.64/26-10.136.96.0/24-10.136.132.0/26-10.136.75.64/26-10.136.4.0/26-10.136.12.64/26-10.136.10.0/26-10.136.1.0/26-10.136.9.128/26-10.136.226.0/24-10.136.196.0/26-10.136.11.64/26-10.136.32.0/24-10.136.75.0/26-10.136.161.0/24-10.136.98.0/24-10.136.65.128/26-10.136.72.0/26-10.136.72.128/26-10.136.68.0/26-10.136.65.192/26-10.137.4.0/24-10.136.6.64/26-10.136.67.0/26-10.136.133.64/26-10.136.2.64/26-10.136.102.0/24-10.136.9.64/26-10.136.225.0/24-10.136.101.0/24-10.137.68.0/24-10.136.2.0/26-10.136.5.0/26-10.136.11.0/26-10.136.65.64/26-10.137.129.0/24-10.135.6.0/26-10.136.129.0/26-10.136.133.0/26-10.136.72.64/26-10.136.97.0/24-10.136.33.0/24-10.136.64.128/26-10.136.197.0/26-10.136.66.64/26-10.136.160.0/24-10.136.74.0/26-10.136.196.128/26-10.136.64.0/26-10.136.1.192/26-10.136.192.64/26-10.137.5.0/24-10.135.2.0/26-10.136.130.64/26-10.136.12.0/26-10.136.1.128/26-10.136.132.128/26-10.136.1.64/26-10.136.64.192/26-10.136.73.0/26-10.136.69.0/26-10.136.34.0/24-10.136.73.128/26-10.136.100.0/24-10.136.38.0/24-10.135.3.0/26-10.136.65.0/26-10.136.10.64/26-10.136.6.0/26-10.136.131.0/26-10.136.194.64/26-10.136.67.64/26-10.136.7.0/26-10.137.0.0/24-10.136.193.64/26-10.136.197.64/26-10.136.9.0/26-10.136.162.0/24-10.136.4.64/26-10.136.195.0/26-10.136.129.64/26-10.136.36.0/24-10.137.192.0/24-10.136.192.0/26-10.136.68.64/26-10.136.71.0/26-10.137.64.0/24-10.136.74.64/26-10.136.130.0/26-10.135.5.0/26-10.136.132.64/26-10.136.2.192/26-10.136.194.0/26-10.136.128.192/26-10.137.1.0/24-10.136.192.128/26-10.136.3.64/26-10.136.8.0/26-10.137.65.0/24-10.136.64.64/26-10.136.192.192/26-10.136.193.0/26-10.137.193.0/24-10.136.2.128/26-10.136.73.64/26-10.136.37.0/24",
>                 "first_port": 135,
>                 "last_port": 135,
>                 "type": "tcp"
>             },
> This generates broken iptables commands:
> iptables -t filter -I ACL_INBOUND_eth3 4 -p tcp -s 195.66.90.59/32-195.66.90.65/32 -m tcp --dport 3389 -j ACCEPT
> The '-' should be a comma.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
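
The separator problem described in the quoted report, as an added example that is not part of the original message and is not CloudStack's code: it splits a multi-CIDR `cidr` value on either `,` or `-`, validates every entry, and emits the comma-separated `-s` list that iptables accepts. The names `parse_cidr_list` and `build_acl_argv`, the sample rule, and the `DROP` target for denied rules are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample rule, shaped like the egress_rules entries in the report,
# using the two source addresses from the broken iptables command it quotes.
SAMPLE_RULE = {"allowed": True, "cidr": "195.66.90.59/32-195.66.90.65/32",
               "first_port": 3389, "last_port": 3389, "type": "tcp"}


def parse_cidr_list(raw):
    """Split a multi-CIDR ACL value on ',' or '-' and validate every entry.

    Raises ValueError for anything that is not an IPv4 network, so a malformed
    value is rejected here instead of reaching the iptables command line.
    """
    parts = [p.strip() for p in re.split(r"[,-]", raw)]
    if not all(parts):
        raise ValueError("empty entry in CIDR list: %r" % raw)
    # strict=False masks host bits (10.0.0.1/24 -> 10.0.0.0/24), as iptables does.
    return [str(ipaddress.IPv4Network(p, strict=False)) for p in parts]


def build_acl_argv(chain, position, rule):
    """Return the iptables argv for one ACL rule (hypothetical helper)."""
    sources = ",".join(parse_cidr_list(rule["cidr"]))  # ',' is what -s expects
    if rule["first_port"] == rule["last_port"]:
        ports = str(rule["first_port"])
    else:
        ports = "%d:%d" % (rule["first_port"], rule["last_port"])
    # Assumption: denied rules map to DROP; the report only shows ACCEPT.
    target = "ACCEPT" if rule["allowed"] else "DROP"
    # An argv list (no shell string) keeps the validated value a single argument.
    return ["iptables", "-t", "filter", "-I", chain, str(position),
            "-p", rule["type"], "-s", sources,
            "-m", rule["type"], "--dport", ports, "-j", target]


if __name__ == "__main__":
    print(" ".join(build_acl_argv("ACL_INBOUND_eth3", 4, SAMPLE_RULE)))
```
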