Posted to issues@cloudstack.apache.org by "Chandan Purushothama (JIRA)" <ji...@apache.org> on 2013/07/04 01:57:20 UTC
[jira] [Created] (CLOUDSTACK-3352) NTier: Replace Network ACL doesn't replace the ACL rules on the Private Gateway
Chandan Purushothama created CLOUDSTACK-3352:
------------------------------------------------
Summary: NTier: Replace Network ACL doesn't replace the ACL rules on the Private Gateway
Key: CLOUDSTACK-3352
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3352
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Affects Versions: 4.2.0
Reporter: Chandan Purushothama
Priority: Blocker
Fix For: 4.2.0
=======
ACL List:
=======
mysql> select * from network_acl where id=3;
+----+-------------+--------------------------------------+--------+-------------+
| id | name | uuid | vpc_id | description |
+----+-------------+--------------------------------------+--------+-------------+
| 3 | Atoms-ACL-1 | 593ef61a-09af-43a4-8bb5-7038d3904377 | 1 | Atoms-ACL-1 |
+----+-------------+--------------------------------------+--------+-------------+
1 row in set (0.00 sec)
=============
ACL List Items:
=============
mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=3;
+----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
| id | start_port | end_port | state | protocol | created | traffic_type | cidr | number | action |
+----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
| 5 | 18 | 29 | Active | tcp | 2013-07-02 19:06:47 | Ingress | 10.223.131.172/32 | 3 | Allow |
| 6 | 17 | 37 | Active | tcp | 2013-07-02 19:08:25 | Ingress | 10.223.195.103/32 | 5 | Deny |
| 7 | 16 | 36 | Active | tcp | 2013-07-02 21:27:16 | Egress | 10.223.131.172/32 | 4 | Deny |
| 8 | 15 | 35 | Active | tcp | 2013-07-02 21:28:08 | Egress | 10.223.195.103/32 | 6 | Allow |
+----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
4 rows in set (0.00 sec)
==============================
Private Gateway is assigned this ACL:
==============================
mysql> select * from vpc_gateways \G
*************************** 1. row ***************************
id: 1
uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
ip4_address: 10.223.60.30
netmask: 255.255.255.192
gateway: 10.223.60.1
vlan_tag: 600
type: Private
network_id: 206
vpc_id: 1
zone_id: 1
created: 2013-07-02 22:17:02
account_id: 3
domain_id: 1
state: Ready
removed: NULL
source_nat: 1
network_acl_id: 3
1 row in set (0.01 sec)
=====================
On the VPC Virtual Router:
=====================
root@r-3-NTIERRR:~# ifconfig eth4
eth4 Link encap:Ethernet HWaddr 06:04:5a:00:00:22
inet addr:10.223.60.30 Bcast:10.223.60.63 Mask:255.255.255.192
inet6 addr: fe80::404:5aff:fe00:22/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1748 errors:0 dropped:0 overruns:0 frame:0
TX packets:887 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:80522 (78.6 KiB) TX bytes:37690 (36.8 KiB)
Interrupt:27
root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
:ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP
root@r-3-NTIERRR:~#
** Replace the ACL list with the one mentioned below
mysql> select * from network_acl where id=4;
+----+-------------+--------------------------------------+--------+-------------+
| id | name | uuid | vpc_id | description |
+----+-------------+--------------------------------------+--------+-------------+
| 4 | Atoms-ACL-2 | 0bcb8639-9b3b-487b-9b19-6237b3c309b9 | 1 | Atoms-ACL-2 |
+----+-------------+--------------------------------------+--------+-------------+
1 row in set (0.00 sec)
mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=4;
Empty set (0.00 sec)
** Observe the change in the ACL id on the private gateway record
mysql> select * from vpc_gateways \G
*************************** 1. row ***************************
id: 1
uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
ip4_address: 10.223.60.30
netmask: 255.255.255.192
gateway: 10.223.60.1
vlan_tag: 600
type: Private
network_id: 206
vpc_id: 1
zone_id: 1
created: 2013-07-02 22:17:02
account_id: 3
domain_id: 1
state: Ready
removed: NULL
source_nat: 1
network_acl_id: 4
1 row in set (0.00 sec)
** Observe that the VPC Virtual Router still has the old rules on the Private Gateway
root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
:ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP
root@r-3-NTIERRR:~#
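The report shows the management-server database (vpc_gateways.network_acl_id now points at the empty ACL 4) disagreeing with what is actually programmed on the router (the ACL 3 rules are still in the eth4 chains). A defender's way to catch that kind of drift is to render the rules the router should carry from the ACL items and diff them against `iptables-save` output. The script below is an added example, not code from the report or from CloudStack: the ACL item rows and the `iptables-save` text are constructed copies of what the report shows, the chain naming (ACL_INBOUND_<iface> for Ingress with -s, ACL_OUTBOUND_<iface> for Egress with -d, Allow → ACCEPT, Deny → DROP) is inferred from the report's output rather than taken from CloudStack source, and the comparison ignores rule order because the report does not establish one.

```python
import re

# Constructed sample: the network_acl_item rows for acl_id=3 as shown in the
# report, in the shape a DB cursor with dict rows would return them.
ACL_ITEMS_OLD = [
    {"start_port": 18, "end_port": 29, "protocol": "tcp", "traffic_type": "Ingress",
     "cidr": "10.223.131.172/32", "number": 3, "action": "Allow"},
    {"start_port": 17, "end_port": 37, "protocol": "tcp", "traffic_type": "Ingress",
     "cidr": "10.223.195.103/32", "number": 5, "action": "Deny"},
    {"start_port": 16, "end_port": 36, "protocol": "tcp", "traffic_type": "Egress",
     "cidr": "10.223.131.172/32", "number": 4, "action": "Deny"},
    {"start_port": 15, "end_port": 35, "protocol": "tcp", "traffic_type": "Egress",
     "cidr": "10.223.195.103/32", "number": 6, "action": "Allow"},
]
# acl_id=4 has no items in the report ("Empty set").
ACL_ITEMS_NEW = []

# Constructed sample: the iptables-save lines for eth4 captured after the replace.
IPTABLES_SAVE_ETH4 = """\
:ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP
"""

# Matches one per-CIDR ACL rule; the chain's trailing default "-j DROP" and the
# jump rules from PREROUTING/FORWARD deliberately do not match.
RULE_RE = re.compile(
    r"^-A ACL_(INBOUND|OUTBOUND)_(\S+) -(?:s|d) (\S+) -p (\w+) -m \w+ "
    r"--dport (\d+):(\d+) -j (ACCEPT|DROP)$"
)


def expected_rules(items, iface):
    """Rules the router should carry for the given ACL items (chain naming assumed)."""
    rules = set()
    for it in items:
        chain = "INBOUND" if it["traffic_type"] == "Ingress" else "OUTBOUND"
        target = "ACCEPT" if it["action"] == "Allow" else "DROP"
        rules.add((chain, iface, it["cidr"], it["protocol"],
                   int(it["start_port"]), int(it["end_port"]), target))
    return rules


def actual_rules(iptables_save, iface):
    """Per-CIDR ACL rules parsed from iptables-save output for one interface."""
    rules = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, rule_iface, cidr, proto, sp, ep, target = m.groups()
        if rule_iface == iface:
            rules.add((chain, rule_iface, cidr, proto, int(sp), int(ep), target))
    return rules


def acl_drift(items, iptables_save, iface):
    """Return rules the router lacks ('missing') and rules it should no longer have ('stale')."""
    exp = expected_rules(items, iface)
    act = actual_rules(iptables_save, iface)
    return {"missing": sorted(exp - act), "stale": sorted(act - exp)}


if __name__ == "__main__":
    # Before the replace the DB and the router agree; after it, the router still
    # carries the four ACL 3 rules even though the gateway now points at ACL 4.
    print("before replace:", acl_drift(ACL_ITEMS_OLD, IPTABLES_SAVE_ETH4, "eth4"))
    print("after replace: ", acl_drift(ACL_ITEMS_NEW, IPTABLES_SAVE_ETH4, "eth4"))
```

Run against a live deployment, the items would come from `network_acl_item where acl_id = <gateway's network_acl_id>` and the text from `iptables-save` on the VPC router; any non-empty `stale` list after a replace is the symptom this report describes, and the stale entries are precisely the rules that still decide traffic on the private gateway.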