cloudstack-users mailing list archives

From David Amorín <david.amo...@adderglobal.com>
Subject Re[6]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
Date Mon, 17 Oct 2016 09:16:03 GMT
Hi,
I did a couple more tests and I can confirm the issue 
(CLOUDSTACK-9404) still happens with the version CS 4.9 using the VPC 
router version 4.6

See an example:

I have an egress rule like the following:
Rule number: 101, CIDR: 8.8.8.8/32, Action: Allow, Traffic Type: Egress, Protocol: ICMP, ICMPtype: -1, ICMPCode: -1

Then I add this rule:
Rule number: 1002, CIDR: 0.0.0.0/0, Action: Deny, Traffic Type: Egress, Protocol: ALL

Checking the VR, in file /etc/iptables/router_rules.v4, the rules are 
applied in the wrong order:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT


But then if I restart the VPC and clean up, I check iptables again and 
now it is in the correct order:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP

Is the VPC router version 4.6 the latest one?

I would really appreciate it if somebody else could confirm this issue

Best,

David
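
The ordering problem shown in the message above can be checked mechanically. The following is an added example, not part of the original thread and not CloudStack code: it parses iptables-save style lines and reports every rule that sits after an unconditional ACCEPT/DROP/REJECT in the same chain, using the two listings from the message as input. The function and variable names are hypothetical.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def parse_rules(text):
    """Yield (chain, target, match_args, raw_line) for each '-A' line."""
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip table headers, chain policies, COMMIT, blanks
        chain, args, target = tokens[1], tokens[2:], None
        if "-j" in args:
            i = args.index("-j")
            target = args[i + 1] if i + 1 < len(args) else None
            args = args[:i]  # what precedes -j is the match criteria
        yield chain, target, args, line.strip()

def shadowed_rules(text):
    """Return [(chain, unreachable_rule, blocking_rule)].

    Only the clear-cut case is reported: a terminal rule with no match
    criteria makes every later rule in that chain unreachable. Partial
    overlaps between matching rules are not analysed.
    """
    blocker, findings = {}, []
    for chain, target, match, raw in parse_rules(text):
        if chain in blocker:
            findings.append((chain, raw, blocker[chain]))
        elif target in TERMINAL and not match:
            blocker[chain] = raw
    return findings

# Listings copied from the message above (wrapped lines rejoined).
BEFORE_CLEANUP = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""
AFTER_CLEANUP = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)):
        for chain, rule, blocking in shadowed_rules(text):
            print(f"[{name}] {chain}: unreachable '{rule}' (after '{blocking}')")
```

On the virtual router the same function can be fed the contents of /etc/iptables/router_rules.v4 after each ACL change; an empty result means no rule is hidden behind a catch-all.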

------ Original message ------
From: "Simon Weller" <sweller@ena.com>
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>; 
"David Amorín" <david.amorin@adderglobal.com>
Sent: 05/10/2016 18:35:48
Subject: Re: Re[4]: Network ACL rules in VPCs are applied in an inverted 
order (CLOUDSTACK-9404)

>Try doing a restart with network cleanup and see if that fixes your 
>problem. The fixes are in the system iso and that will require a 
>redeploy.
>
>
>
>- Si
>
>
>--------------------------------------------------------------------------------
>From: David Amorín <david.amorin@adderglobal.com>
>Sent: Wednesday, October 5, 2016 11:18 AM
>To: Simon Weller; users@cloudstack.apache.org
>Subject: Re[4]: Network ACL rules in VPCs are applied in an inverted 
>order (CLOUDSTACK-9404)
>
>Yes, we did the upgrade from 4.5.2 to 4.9.0
>
>
>
>
>------ Original message ------
>From: "Simon Weller" <sweller@ena.com>
>To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>; 
>"David Amorín" <david.amorin@adderglobal.com>
>Sent: 05/10/2016 18:11:26
>Subject: Re: Re[2]: Network ACL rules in VPCs are applied in an inverted 
>order (CLOUDSTACK-9404)
>
>>Was this an upgrade from an older release?
>>
>>
>>
>>--------------------------------------------------------------------------------
>>From: David Amorín <david.amorin@adderglobal.com>
>>Sent: Wednesday, October 5, 2016 10:11 AM
>>To: users@cloudstack.apache.org
>>Subject: Re[2]: Network ACL rules in VPCs are applied in an inverted 
>>order (CLOUDSTACK-9404)
>>
>>We are running 4.9.0 and we are still facing the issues of the ACL 
>>Rules
>>(CLOUDSTACK-9404)
>>
>>
>>
>>------ Original message ------
>>From: "Simon Weller" <sweller@ena.com>
>>To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>;
>>"David Amorín" <david.amorin@adderglobal.com>
>>Sent: 04/10/2016 18:02:22
>>Subject: Re: Network ACL rules in VPCs are applied in an inverted order
>>(CLOUDSTACK-9404)
>>
>> >David,
>> >
>> >
>> >What version are you currently running?
>> >
>> >
>> >I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.
>> >
>> >
>> >At least #1581 was also merged into 4.8.x for the next point release.
>> >
>> >
>> >- Si
>> >
>> >________________________________
>> >From: David Amorín <david.amorin@adderglobal.com>
>> >Sent: Tuesday, October 4, 2016 10:47 AM
>> >To: users@cloudstack.apache.org
>> >Subject: Network ACL rules in VPCs are applied in an inverted order
>> >(CLOUDSTACK-9404)
>> >
>> >Hi all,
>> >I see this bug is already resolved
>> >
>> >https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>> >
>> >
>> >
>> >
>> >Do you know if it will be available in 4.9.1?
>> >
>> >Thanks
>> >
>> >David
>> >
>> >
>> >
>> >
>> >
>>