Posted to issues@cloudstack.apache.org by "manasaveloori (JIRA)" <ji...@apache.org> on 2013/06/24 12:18:20 UTC

[jira] [Reopened] (CLOUDSTACK-2819) [VPC][ACL]VPC tier accepting empty ACL list.

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-2819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

manasaveloori reopened CLOUDSTACK-2819:
---------------------------------------


While applying the empty ACL list, I observed the following messages in the log.

2013-06-24 20:46:40,290 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) New network ACL is empty. Revoke existing rules before applying ACL
2013-06-24 20:46:40,295 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Found no network ACL Items for network id=206
2013-06-24 20:46:40,300 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Updated network: 206 with Network ACL Id: 3, Applying ACL items
2013-06-24 20:46:40,310 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Applying NetworkACL for network: 206 with Network ACL service provider
2013-06-24 20:46:40,320 DEBUG [network.element.VpcVirtualRouterElement] (Job-Executor-26:job-23) Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual router doesn't exist in the network 206.

But the empty list is getting updated for the tier network:
************ 7. row ***************************
                   id: 206
                 name: tier1
                 uuid: 4e24f0bf-bbad-40d0-9241-c7674d8da493
         display_text: tier1
         traffic_type: Guest
broadcast_domain_type: Vlan
        broadcast_uri: NULL
              gateway: 10.0.1.1
                 cidr: 10.0.1.0/24
                 mode: Dhcp
  network_offering_id: 11
  physical_network_id: 200
       data_center_id: 1
            guru_name: ExternalGuestNetworkGuru
                state: Allocated
              related: 206
            domain_id: 1
           account_id: 2
                 dns1: NULL
                 dns2: NULL
            guru_data: NULL
           set_fields: 0
             acl_type: Account
       network_domain: cs2cloud.internal
       reservation_id: NULL
           guest_type: Isolated
     restart_required: 0
              created: 2013-06-24 14:26:01
              removed: NULL
    specify_ip_ranges: 0
               vpc_id: 1
          ip6_gateway: NULL
             ip6_cidr: NULL
         network_cidr: NULL
      display_network: 1
       network_acl_id: 3   <-- Empty ACL list
7 rows in set (0.00 sec)

                
> [VPC][ACL]VPC tier accepting empty ACL list.
> --------------------------------------------
>
>                 Key: CLOUDSTACK-2819
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-2819
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.2.0
>            Reporter: manasaveloori
>            Assignee: Kishan Kavala
>             Fix For: 4.2.0
>
>
> Steps:
> 1.	Have a CS with advanced zone.
> 2.	Create a VPC and a tier.
> 3.	Create an ACL list under network ACL lists. Leave the ACL list empty.
> 4.	Apply default_allow for tier network.
> 5.	View the configuration in VR (iptables -L -nv -t mangle).
> 6.	Now replace the ACL list for the tier with the one created in step 3.
> 7.	Now the configuration in VR does not change.
> Follow the steps 4 to 7 with default_deny. The same can be observed.
> Expected behavior:
> Should not allow the user to apply the empty ACL list to network.
> network_acl_id is changing as we replace the ACL list under networks table.

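An added example, not part of the original JIRA message or of CloudStack's code: a log check that correlates the NetworkACLManagerImpl messages quoted above per job and reports each network that had an empty ACL attached, noting whether the virtual router skipped the backend update. The sample lines are copied from the log in this message; the function name and the result fields are assumptions.

```python
import re

# Log lines copied from the message above (management-server DEBUG output).
SAMPLE_LOG = """\
2013-06-24 20:46:40,290 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) New network ACL is empty. Revoke existing rules before applying ACL
2013-06-24 20:46:40,295 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Found no network ACL Items for network id=206
2013-06-24 20:46:40,300 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Updated network: 206 with Network ACL Id: 3, Applying ACL items
2013-06-24 20:46:40,310 DEBUG [network.vpc.NetworkACLManagerImpl] (Job-Executor-26:job-23) Applying NetworkACL for network: 206 with Network ACL service provider
2013-06-24 20:46:40,320 DEBUG [network.element.VpcVirtualRouterElement] (Job-Executor-26:job-23) Virtual router elemnt doesn't need to apply firewall rules on the backend; virtual router doesn't exist in the network 206.
"""

# timestamp, level, [class], (thread:job-N), message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG \[[^\]]+\] \([^:]+:(?P<job>job-\d+)\) (?P<msg>.*)$"
)
UPDATED_RE = re.compile(r"Updated network: (\d+) with Network ACL Id: (\d+)")
NO_VR_RE = re.compile(r"virtual router doesn't exist in the network (\d+)")


def find_empty_acl_applications(log_text):
    """Return one finding per network that a job attached an empty ACL to."""
    pending = {}   # job id -> True once "New network ACL is empty" was logged
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        job, msg = m["job"], m["msg"]
        if "New network ACL is empty" in msg:
            pending[job] = True
        elif (u := UPDATED_RE.search(msg)) and pending.pop(job, False):
            # The networks row now points at the empty ACL (network_acl_id).
            findings.append({"time": m["ts"], "job": job,
                             "network_id": int(u[1]), "acl_id": int(u[2]),
                             "router_absent": False})
        elif (n := NO_VR_RE.search(msg)):
            # No virtual router existed, so nothing was applied on the backend.
            for f in findings:
                if f["job"] == job and f["network_id"] == int(n[1]):
                    f["router_absent"] = True
    return findings


if __name__ == "__main__":
    for finding in find_empty_acl_applications(SAMPLE_LOG):
        print(finding)
```
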