Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2013/07/09 10:37:48 UTC

[jira] [Resolved] (CLOUDSTACK-3352) NTier: Replace Network ACL doesn't remove old ACL rules on the Private Gateway when new empty acl is applied

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayapal Reddy resolved CLOUDSTACK-3352.
---------------------------------------

    Resolution: Fixed

Steps to verify:

1. Create a private gateway and associate it with a non-empty ACL.
2. Check the router iptables rules for the ACL rules.
3. Edit the private gateway and associate it with an empty ACL.
4. Check the router iptables rules. Make sure that the previous ACL items got removed.
                
> NTier: Replace Network ACL doesn't remove old ACL rules on the Private Gateway when new empty acl is applied
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3352
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3352
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> =======
> ACL List:
> =======
> mysql> select * from network_acl where id=3;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name        | uuid                                 | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> |  3 | Atoms-ACL-1 | 593ef61a-09af-43a4-8bb5-7038d3904377 |      1 | Atoms-ACL-1 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> =============
> ACL List Items:
> =============
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=3;
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> | id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number | action |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> |  5 |         18 |       29 | Active | tcp      | 2013-07-02 19:06:47 | Ingress      | 10.223.131.172/32 |      3 | Allow  |
> |  6 |         17 |       37 | Active | tcp      | 2013-07-02 19:08:25 | Ingress      | 10.223.195.103/32 |      5 | Deny   |
> |  7 |         16 |       36 | Active | tcp      | 2013-07-02 21:27:16 | Egress       | 10.223.131.172/32 |      4 | Deny   |
> |  8 |         15 |       35 | Active | tcp      | 2013-07-02 21:28:08 | Egress       | 10.223.195.103/32 |      6 | Allow  |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> 4 rows in set (0.00 sec)
> ==============================
> Private Gateway is assigned this ACL:
> ==============================
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
>             id: 1
>           uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
>    ip4_address: 10.223.60.30
>        netmask: 255.255.255.192
>        gateway: 10.223.60.1
>       vlan_tag: 600
>           type: Private
>     network_id: 206
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-07-02 22:17:02
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 3
> 1 row in set (0.01 sec)
> =====================
> On the VPC Virtual Router:
> =====================
> root@r-3-NTIERRR:~# ifconfig eth4
> eth4      Link encap:Ethernet  HWaddr 06:04:5a:00:00:22
>           inet addr:10.223.60.30  Bcast:10.223.60.63  Mask:255.255.255.192
>           inet6 addr: fe80::404:5aff:fe00:22/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1748 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:887 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:80522 (78.6 KiB)  TX bytes:37690 (36.8 KiB)
>           Interrupt:27
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#
> ** Replace the ACL List to the one mentioned below
> mysql> select * from network_acl where id=4;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name        | uuid                                 | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> |  4 | Atoms-ACL-2 | 0bcb8639-9b3b-487b-9b19-6237b3c309b9 |      1 | Atoms-ACL-2 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=4;
> Empty set (0.00 sec)
> ** Observe the change in the acl id on the private gateway record
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
>             id: 1
>           uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
>    ip4_address: 10.223.60.30
>        netmask: 255.255.255.192
>        gateway: 10.223.60.1
>       vlan_tag: 600
>           type: Private
>     network_id: 206
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-07-02 22:17:02
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
> **Observe that the VPC Virtual Router still has the old rules on the Private Gateway
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
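The verification steps above boil down to reading `iptables-save` on the VPC router and confirming that, after the empty ACL is applied, the `ACL_INBOUND_eth4` and `ACL_OUTBOUND_eth4` chains carry nothing but their catch-all DROP. The script below is an added example, not part of the JIRA issue or of CloudStack's own code: it runs that check over two embedded dumps. The first is the router output captured in the issue (old ACL still present); the second is a constructed dump showing the assumed correct state after the empty ACL is applied, where only the chain definitions, the jump rules and the final DROP remain. The function names and the `eth4` interface argument are the example's own choices.

```shell
#!/bin/sh
# Added example: check whether a private-gateway interface on a CloudStack VPC router
# still carries ACL item rules after an empty ACL has been applied.

# Constructed sample 1: the iptables-save excerpt from the issue, old ACL still applied.
SAMPLE_OLD_ACL=':ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP'

# Constructed sample 2 (assumption, not captured from a router): the expected state
# once an empty ACL is in place. Only the chains, the jumps and the catch-all DROP remain.
SAMPLE_EMPTY_ACL=':ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -j DROP'

# Count the rules in the ACL_INBOUND_<ifc>/ACL_OUTBOUND_<ifc> chains of dump $1 that
# match on a source or destination CIDR. Those are the rules generated from ACL items;
# chain definitions, the PREROUTING/FORWARD jumps and the bare "-j DROP" are not counted.
count_acl_item_rules() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == "-A" && ($2 == "ACL_INBOUND_" ifc || $2 == "ACL_OUTBOUND_" ifc) \
      && /(-s|-d) [0-9.]+\/[0-9]+/ { n++ }
    END { print n + 0 }'
}

# Return 0 when interface $2 in dump $1 is in the state expected after an empty ACL:
# no per-CIDR rules left, and both ACL chains still end in the catch-all DROP.
# Return 1 (with a reason on stdout) otherwise.
check_empty_acl_applied() {
  dump=$1
  ifc=$2
  if [ "$(count_acl_item_rules "$dump" "$ifc")" -ne 0 ]; then
    echo "STALE: $ifc still carries ACL item rules from the previous ACL"
    return 1
  fi
  for chain in "ACL_INBOUND_$ifc" "ACL_OUTBOUND_$ifc"; do
    if ! printf '%s\n' "$dump" | grep -q -- "^-A $chain -j DROP\$"; then
      echo "MISSING: $chain has no catch-all DROP"
      return 1
    fi
  done
  echo "OK: $ifc has only the default DROP in its ACL chains"
  return 0
}

# Stand-alone run over the two constructed samples. On a real router you would call
# check_empty_acl_applied "$(iptables-save)" eth4 after replacing the ACL.
check_empty_acl_applied "$SAMPLE_OLD_ACL" eth4 || true
check_empty_acl_applied "$SAMPLE_EMPTY_ACL" eth4
```

Run on the router after step 3 of the verification, a non-zero exit from `check_empty_acl_applied` means the old ACL items were not flushed, which is exactly the symptom reported; a zero exit with the catch-all DROP still present confirms the gateway is closed rather than accidentally left open by the replacement.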