cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-9404) Network ACL rules in VPCs are applied in an inverted order
Date Tue, 28 Jun 2016 15:21:57 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15353199#comment-15353199
] 

ASF subversion and git services commented on CLOUDSTACK-9404:
-------------------------------------------------------------

Commit 3952e3e83e29fb79fbc409b29255813bd77ee1ac in cloudstack's branch refs/heads/master from
[~williamstevens@gmail.com]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3952e3e ]

Merge pull request #1581 from pdube/network-acl-rules-order

CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR. The comparator was
inverted.

Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404

In this example, I created rules with the port numbers the same as the rule numbers.

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       all  --  anywhere             anywhere

We can see above that the rules are inverted.

After the fix:

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       all  --  anywhere             anywhere

* pr/1581:
  Added ASF license to unit test file
  Added unit test to verify ordering
  Fixed ordering of network ACL rules being sent to the VR. The comparator was inverted

Signed-off-by: Will Stevens <williamstevens@gmail.com>


> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message