Posted to issues@cloudstack.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/06/02 17:29:59 UTC

[jira] [Commented] (CLOUDSTACK-9404) Network ACL rules in VPCs are applied in an inverted order

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15312720#comment-15312720 ] 

ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------

GitHub user pdube opened a pull request:

    https://github.com/apache/cloudstack/pull/1581

    CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR.

    The comparator was inverted.
    
    Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
    
    In this example, I created rules with the port numbers the same as the rule numbers.
    
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       all  --  anywhere             anywhere
    
    We can see above that the rules are inverted.
    
    After the fix:
    
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       all  --  anywhere             anywhere


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pdube/cloudstack network-acl-rules-order

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1581.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1581
    
----


> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted.



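Why the ordering matters, as an added example that is not part of the pull request or CloudStack's own code: iptables walks a chain top to bottom and stops at the first matching rule, so sorting ACL rules in descending instead of ascending order can change the verdict for the same packet. The rule set, addresses and function names below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int   # ACL rule number; lower numbers are meant to match first
    action: str   # "ACCEPT" or "DROP"
    source: str   # source CIDR
    port: int     # TCP destination port


def build_chain(rules, inverted=False):
    """Order rules the way they would be appended to the chain.
    inverted=True models the inverted comparator described in the PR."""
    return sorted(rules, key=lambda r: r.number, reverse=inverted)


def verdict(chain, src_ip, port, default="DROP"):
    """First-match evaluation, ending in the chain's catch-all DROP."""
    addr = ipaddress.ip_address(src_ip)
    for rule in chain:
        if rule.port == port and addr in ipaddress.ip_network(rule.source):
            return rule.action
    return default


def misordered(chain):
    """Adjacent pairs whose rule numbers descend; empty when the order is right."""
    nums = [r.number for r in chain]
    return [(a, b) for a, b in zip(nums, nums[1:]) if a > b]


# Constructed sample ACL (documentation address ranges, not taken from the page):
# rule 1 blocks one subnet, rule 2 allows everyone else.
RULES = [
    AclRule(2, "ACCEPT", "0.0.0.0/0", 22),
    AclRule(1, "DROP", "203.0.113.0/24", 22),
]

if __name__ == "__main__":
    for inverted in (False, True):
        chain = build_chain(RULES, inverted)
        print("inverted" if inverted else "fixed",
              [r.number for r in chain],
              verdict(chain, "203.0.113.7", 22),
              misordered(chain))
```

With the ascending order the blocked subnet is dropped by rule 1; with the inverted order the broader rule 2 matches first and the same packet is accepted, which `misordered` flags as the pair (2, 1).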