Posted to issues@cloudstack.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/06/02 17:29:59 UTC
[jira] [Commented] (CLOUDSTACK-9404) Network ACL rules in VPCs are applied in an inverted order
[ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15312720#comment-15312720 ]
ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------
GitHub user pdube opened a pull request:
https://github.com/apache/cloudstack/pull/1581
CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR.
The comparator was inverted.
Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
In this example, I created rules with the port numbers the same as the rule numbers.
Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       all  --  anywhere             anywhere
We can see above that the rules are inverted.
After the fix:
Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       all  --  anywhere             anywhere
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pdube/cloudstack network-acl-rules-order
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1581.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1581
----
> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
> Key: CLOUDSTACK-9404
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Affects Versions: 4.7.2, 4.8.0, 4.9.0
> Reporter: Patrick D.
> Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
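
Added example (not code from the pull request or from CloudStack): a small Java model of why the comparator direction matters when a chain is evaluated first-match, as the iptables listings above are. The AclRule record, both comparators and the sample rules are constructed for illustration, and it assumes lower rule numbers are meant to be evaluated first, as in the corrected listing.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class AclOrderDemo {
    // Hypothetical rule model: number = ACL rule number, port = destination port (-1 = any).
    record AclRule(int number, String action, int port) {}

    // Inverted comparator: higher rule numbers sort first (the bug class described above).
    static final Comparator<AclRule> INVERTED =
        (a, b) -> Integer.compare(b.number(), a.number());

    // Intended comparator: lowest rule number first.
    static final Comparator<AclRule> ASCENDING = Comparator.comparingInt(AclRule::number);

    // First-match evaluation, as in an iptables chain: the first matching rule decides.
    static String verdict(List<AclRule> rules, Comparator<AclRule> order, int dstPort) {
        List<AclRule> chain = new ArrayList<>(rules);
        chain.sort(order);
        for (AclRule r : chain) {
            if (r.port() == -1 || r.port() == dstPort) {
                return r.action() + " (rule " + r.number() + ")";
            }
        }
        return "DROP (default)";
    }

    public static void main(String[] args) {
        // Constructed sample 1: allow port 22 as rule 10, drop everything else as rule 20.
        List<AclRule> allowThenDrop = List.of(
            new AclRule(20, "DROP", -1),
            new AclRule(10, "ACCEPT", 22));
        System.out.println("port 22, ascending:   " + verdict(allowThenDrop, ASCENDING, 22));
        System.out.println("port 22, inverted:    " + verdict(allowThenDrop, INVERTED, 22));

        // Constructed sample 2: drop port 3306 as rule 10, allow everything else as rule 20.
        // With the inverted order the broad ACCEPT shadows the specific DROP.
        List<AclRule> dropThenAllow = List.of(
            new AclRule(10, "DROP", 3306),
            new AclRule(20, "ACCEPT", -1));
        System.out.println("port 3306, ascending: " + verdict(dropThenAllow, ASCENDING, 3306));
        System.out.println("port 3306, inverted:  " + verdict(dropThenAllow, INVERTED, 3306));
    }
}
```

The second sample is the case to check for on affected versions: a specific deny that sits above a broad allow in the configured ACL no longer takes effect once the order is reversed.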