Posted to commits@cloudstack.apache.org by ra...@apache.org on 2013/07/09 10:16:22 UTC
git commit: updated refs/heads/master to 44b219e
Updated Branches:
refs/heads/master 4779a0059 -> 44b219ec7
network acl concepts CLOUDSTACK-2806
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/44b219ec
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/44b219ec
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/44b219ec
Branch: refs/heads/master
Commit: 44b219ec75399a2f2ceb91c389ec53f27afab9f1
Parents: 4779a00
Author: radhikap <ra...@citrix.com>
Authored: Tue Jul 9 13:45:29 2013 +0530
Committer: radhikap <ra...@citrix.com>
Committed: Tue Jul 9 13:45:58 2013 +0530
----------------------------------------------------------------------
docs/en-US/configure-acl.xml | 86 ++++++++++++++++++++++++++++++++++-----
1 file changed, 75 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/44b219ec/docs/en-US/configure-acl.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/configure-acl.xml b/docs/en-US/configure-acl.xml
index 1def9ea..e4d5dad 100644
--- a/docs/en-US/configure-acl.xml
+++ b/docs/en-US/configure-acl.xml
@@ -25,6 +25,53 @@
default, all incoming and outgoing traffic to the guest networks is blocked. To open the ports,
you must create a new network ACL. The network ACLs can be created for the tiers only if the
NetworkACL service is supported.</para>
+ <section id="network-acl">
+ <title>About Network ACL Lists</title>
+ <para>In &PRODUCT; terminology, Network ACL is a group of Network ACL items. Network ACL items
+ are nothing but numbered rules that are evaluated in order, starting with the lowest numbered
+ rule. These rules determine whether traffic is allowed in or out of any tier associated with
+ the network ACL. You need to add the Network ACL items to the Network ACL, then associate the
+ Network ACL with a tier. Network ACL is associated with a VPC and can be assigned to multiple
+ VPC tiers within a VPC. A Tier is associated with a Network ACL at all the times. Each tier
+ can be associated with only one ACL.</para>
+ <para>The default Network ACL is used when no ACL is associated. Default behavior is all the
+ incoming and outgoing traffic is blocked to the tiers. Default network ACL cannot be removed
+ or modified. Contents of the default Network ACL is:</para>
+ <informaltable>
+ <tgroup cols="5" align="left" colsep="1" rowsep="1">
+ <colspec colnum="1" colname="c1" colwidth="31.5pt"/>
+ <colspec colnum="2" colname="c2" colwidth="58.5pt"/>
+ <colspec colnum="3" colname="c3" colwidth="66.0pt"/>
+ <colspec colnum="4" colname="c4" colwidth="48.0pt"/>
+ <colspec colnum="5" colname="c5" colwidth="58.5pt"/>
+ <thead>
+ <row>
+ <entry><para>Rule</para></entry>
+ <entry><para>Protocol</para></entry>
+ <entry><para>Traffic type</para></entry>
+ <entry><para>Action</para></entry>
+ <entry><para>CIDR</para></entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><para>1</para></entry>
+ <entry><para>All</para></entry>
+ <entry><para>Ingress</para></entry>
+ <entry><para>Deny</para></entry>
+ <entry><para>0.0.0.0/0</para></entry>
+ </row>
+ <row>
+ <entry><para>2</para></entry>
+ <entry><para>All</para></entry>
+ <entry><para>Egress</para></entry>
+ <entry><para>Deny</para></entry>
+ <entry><para>0.0.0.0/0</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </section>
<section id="acl-list">
<title>Creating ACL Lists</title>
<orderedlist>
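Review bot: the new "About Network ACL Lists" paragraph contradicts itself on when the default ACL applies: it says "The default Network ACL is used when no ACL is associated" and two sentences earlier "A Tier is associated with a Network ACL at all the times"; rephrase to say that a tier is always bound to exactly one ACL and that a tier without an explicitly assigned list uses the default ACL. While in that paragraph, the evaluation semantics should be stated explicitly: the text says rules are "evaluated in order, starting with the lowest numbered rule" but not whether evaluation stops at the first matching rule, which is what a reader writing an allow rule above a broad deny needs to know. Grammar fixes for the same hunk: "at all the times" should be "at all times", "Contents of the default Network ACL is:" should be "The contents of the default Network ACL are:", and "are nothing but numbered rules" reads better as "are numbered rules". The default table itself (deny all ingress and egress from/to 0.0.0.0/0) is consistent with the existing sentence above the hunk that all traffic to the tiers is blocked by default, which is the right fail-closed baseline to document.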
@@ -123,6 +170,10 @@
traffic is allowed in the VPC. </para>
<itemizedlist>
<listitem>
+ <para><emphasis role="bold">Rule Number</emphasis>: The order in which the rules are
+ evaluated.</para>
+ </listitem>
+ <listitem>
<para><emphasis role="bold">CIDR</emphasis>: The CIDR acts as the Source CIDR for the
Ingress rules, and Destination CIDR for the Egress rules. To accept traffic only from
or to the IP addresses within a particular address block, enter a CIDR or a
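Review bot: the new "Rule Number" entry should say how the number is used rather than only that it is the evaluation order; suggest "Rule Number: The position of the rule in the list. Rules are evaluated in ascending order, starting with the lowest number", so the field description agrees with the ordering stated in the "About Network ACL Lists" section added in the first hunk.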
@@ -130,6 +181,10 @@
traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
</listitem>
<listitem>
+ <para><emphasis role="bold">Action</emphasis>: What action to be taken. Allow traffic or
+ block.</para>
+ </listitem>
+ <listitem>
<para><emphasis role="bold">Protocol</emphasis>: The networking protocol that sources
use to send traffic to the tier. The TCP and UDP protocols are typically used for data
exchange and end-user communications. The ICMP protocol is typically used to send
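Review bot: the new "Action" entry ("What action to be taken. Allow traffic or block.") is two fragments and uses "block" where the default ACL table in the first hunk uses "Deny"; suggest "Action: Whether matching traffic is allowed or denied (Allow or Deny)" so the field description uses the same values the reader sees in the UI and in the default-ACL table.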
@@ -154,7 +209,8 @@
sent.</para>
</listitem>
<listitem>
- <para><emphasis role="bold">Action</emphasis>: What action to be taken. </para>
+ <para><emphasis role="bold">Traffic Type</emphasis>: The type of traffic: Incoming or
+ outgoing.</para>
</listitem>
</itemizedlist>
</listitem>
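Review bot: the new "Traffic Type" entry describes the values as "Incoming or outgoing" while the default ACL table and the CIDR entry in this same file use "Ingress" and "Egress"; suggest "Traffic Type: The direction of the traffic, Ingress (incoming) or Egress (outgoing)" so the terminology matches. Removing the old "Action" item here is fine since it now appears, expanded, above the Protocol item.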
@@ -181,7 +237,9 @@
<para>Create a tier in the VPC.</para>
<para>Select the desired ACL list while creating a tier.</para>
</listitem>
- <listitem><para>Click OK.</para></listitem>
+ <listitem>
+ <para>Click OK.</para>
+ </listitem>
</orderedlist>
</section>
<section id="assign-acl-tier">
@@ -205,17 +263,23 @@
<listitem>
<para>Select the tier for which you want to assign the custom ACL.</para>
</listitem>
- <listitem><para>Click the Replace ACL List icon.<inlinemediaobject>
- <imageobject>
- <imagedata fileref="./images/replace-acl-icon.png"/>
- </imageobject>
- <textobject>
+ <listitem>
+ <para>Click the Replace ACL List icon.<inlinemediaobject>
+ <imageobject>
+ <imagedata fileref="./images/replace-acl-icon.png"/>
+ </imageobject>
+ <textobject>
<phrase>replace-acl-icon.png: button to replace an ACL list</phrase>
</textobject>
- </inlinemediaobject></para>
- <para>The Replace ACL List dialog is displayed.</para></listitem>
- <listitem><para>Select the desired ACL list.</para></listitem>
- <listitem><para>Click OK.</para></listitem>
+ </inlinemediaobject></para>
+ <para>The Replace ACL List dialog is displayed.</para>
+ </listitem>
+ <listitem>
+ <para>Select the desired ACL list.</para>
+ </listitem>
+ <listitem>
+ <para>Click OK.</para>
+ </listitem>
</orderedlist>
</section>
</section>
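Review bot: the re-indentation of the "Click the Replace ACL List icon" list item is incomplete: the unchanged `<phrase>` and `</textobject>` lines keep their old indentation while the surrounding `<textobject>` and `</inlinemediaobject>` lines were re-indented, so the nesting no longer lines up visually. Either re-indent those two lines in the same change or leave the whole block as it was; a formatting-only hunk should not leave the element half-converted.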