Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2013/07/05 06:19:48 UTC
[jira] [Commented] (CLOUDSTACK-3352) NTier: Replace Network ACL doesn't replace the ACL rules on the Private Gateway
[ https://issues.apache.org/jira/browse/CLOUDSTACK-3352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700448#comment-13700448 ]
Jayapal Reddy commented on CLOUDSTACK-3352:
-------------------------------------------
If there are no ACL items on the ACL, the framework will not send rules to the router element.
I think this is also the case for the network tier.
> NTier: Replace Network ACL doesn't replace the ACL rules on the Private Gateway
> -------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3352
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3352
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Reporter: Chandan Purushothama
> Assignee: Jayapal Reddy
> Priority: Blocker
> Fix For: 4.2.0
>
>
> =======
> ACL List:
> =======
> mysql> select * from network_acl where id=3;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name | uuid | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> | 3 | Atoms-ACL-1 | 593ef61a-09af-43a4-8bb5-7038d3904377 | 1 | Atoms-ACL-1 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> =============
> ACL List Items:
> =============
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=3;
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> | id | start_port | end_port | state | protocol | created | traffic_type | cidr | number | action |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> | 5 | 18 | 29 | Active | tcp | 2013-07-02 19:06:47 | Ingress | 10.223.131.172/32 | 3 | Allow |
> | 6 | 17 | 37 | Active | tcp | 2013-07-02 19:08:25 | Ingress | 10.223.195.103/32 | 5 | Deny |
> | 7 | 16 | 36 | Active | tcp | 2013-07-02 21:27:16 | Egress | 10.223.131.172/32 | 4 | Deny |
> | 8 | 15 | 35 | Active | tcp | 2013-07-02 21:28:08 | Egress | 10.223.195.103/32 | 6 | Allow |
> +----+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+--------+
> 4 rows in set (0.00 sec)
> ==============================
> Private Gateway is assigned this ACL:
> ==============================
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
> id: 1
> uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
> ip4_address: 10.223.60.30
> netmask: 255.255.255.192
> gateway: 10.223.60.1
> vlan_tag: 600
> type: Private
> network_id: 206
> vpc_id: 1
> zone_id: 1
> created: 2013-07-02 22:17:02
> account_id: 3
> domain_id: 1
> state: Ready
> removed: NULL
> source_nat: 1
> network_acl_id: 3
> 1 row in set (0.01 sec)
> =====================
> On the VPC Virtual Router:
> =====================
> root@r-3-NTIERRR:~# ifconfig eth4
> eth4 Link encap:Ethernet HWaddr 06:04:5a:00:00:22
> inet addr:10.223.60.30 Bcast:10.223.60.63 Mask:255.255.255.192
> inet6 addr: fe80::404:5aff:fe00:22/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1748 errors:0 dropped:0 overruns:0 frame:0
> TX packets:887 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:80522 (78.6 KiB) TX bytes:37690 (36.8 KiB)
> Interrupt:27
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#
> ** Replace the ACL List to the one mentioned below
> mysql> select * from network_acl where id=4;
> +----+-------------+--------------------------------------+--------+-------------+
> | id | name | uuid | vpc_id | description |
> +----+-------------+--------------------------------------+--------+-------------+
> | 4 | Atoms-ACL-2 | 0bcb8639-9b3b-487b-9b19-6237b3c309b9 | 1 | Atoms-ACL-2 |
> +----+-------------+--------------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select id,start_port,end_port,state,protocol,created,traffic_type,cidr,number,action from network_acl_item where acl_id=4;
> Empty set (0.00 sec)
> ** Observe the change in the acl id on the private gateway record
> mysql> select * from vpc_gateways \G
> *************************** 1. row ***************************
> id: 1
> uuid: 16300ab6-a039-49f7-a83b-f5eea4c40b20
> ip4_address: 10.223.60.30
> netmask: 255.255.255.192
> gateway: 10.223.60.1
> vlan_tag: 600
> type: Private
> network_id: 206
> vpc_id: 1
> zone_id: 1
> created: 2013-07-02 22:17:02
> account_id: 3
> domain_id: 1
> state: Ready
> removed: NULL
> source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
> **Observe that the VPC Virtual Router still has the old rules on the Private Gateway
> root@r-3-NTIERRR:~# iptables-save | grep ACL | grep eth4
> :ACL_OUTBOUND_eth4 - [0:0]
> -A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
> -A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
> -A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
> -A ACL_OUTBOUND_eth4 -j DROP
> :ACL_INBOUND_eth4 - [0:0]
> -A FORWARD -o eth4 -j ACL_INBOUND_eth4
> -A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
> -A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
> -A ACL_INBOUND_eth4 -j DROP
> root@r-3-NTIERRR:~#
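The quoted report shows the management server's record (vpc_gateways.network_acl_id moving from 3 to 4) and the router's iptables chains disagreeing after the replacement. The following is an added consistency check, not CloudStack's own code: it parses iptables-save output for the ACL_INBOUND_<iface>/ACL_OUTBOUND_<iface> chains (naming and rule shape taken from the output above), translates network_acl_item rows into the same form, and reports stale or missing rules. The sample input is constructed from the report; the assumption that the unconditional trailing `-j DROP` is the chain default rather than an ACL item is taken from the shown output, and the function and constant names are this example's own.

```python
import re

# Constructed sample input, copied from the iptables-save output in the bug
# report: the ACL chains the VPC router programmed on eth4 for ACL id 3.
ROUTER_ETH4 = """\
:ACL_OUTBOUND_eth4 - [0:0]
-A PREROUTING -i eth4 -m state --state NEW -j ACL_OUTBOUND_eth4
-A ACL_OUTBOUND_eth4 -d 10.223.195.103/32 -p tcp -m tcp --dport 15:35 -j ACCEPT
-A ACL_OUTBOUND_eth4 -d 10.223.131.172/32 -p tcp -m tcp --dport 16:36 -j DROP
-A ACL_OUTBOUND_eth4 -j DROP
:ACL_INBOUND_eth4 - [0:0]
-A FORWARD -o eth4 -j ACL_INBOUND_eth4
-A ACL_INBOUND_eth4 -s 10.223.131.172/32 -p tcp -m tcp --dport 18:29 -j ACCEPT
-A ACL_INBOUND_eth4 -s 10.223.195.103/32 -p tcp -m tcp --dport 17:37 -j DROP
-A ACL_INBOUND_eth4 -j DROP
"""

# Constructed from the network_acl_item rows for acl_id=3 in the report.
ACL_3_ITEMS = [
    {"traffic_type": "Ingress", "cidr": "10.223.131.172/32", "protocol": "tcp",
     "start_port": 18, "end_port": 29, "action": "Allow"},
    {"traffic_type": "Ingress", "cidr": "10.223.195.103/32", "protocol": "tcp",
     "start_port": 17, "end_port": 37, "action": "Deny"},
    {"traffic_type": "Egress", "cidr": "10.223.131.172/32", "protocol": "tcp",
     "start_port": 16, "end_port": 36, "action": "Deny"},
    {"traffic_type": "Egress", "cidr": "10.223.195.103/32", "protocol": "tcp",
     "start_port": 15, "end_port": 35, "action": "Allow"},
]
# acl_id=4 in the report has no items ("Empty set").
ACL_4_ITEMS = []

# One rule inside an ACL_{INBOUND,OUTBOUND}_<iface> chain. Inbound rules match
# on source (-s), outbound rules on destination (-d). The trailing
# unconditional "-j DROP" is the chain default (assumption from the shown
# output) and carries no address or port.
RULE_RE = re.compile(
    r"^-A ACL_(?P<direction>INBOUND|OUTBOUND)_(?P<iface>\S+)"
    r"(?: -[sd] (?P<cidr>\S+))?"
    r"(?: -p (?P<proto>\S+) -m \S+ --dport (?P<lo>\d+):(?P<hi>\d+))?"
    r" -j (?P<target>ACCEPT|DROP)$"
)


def parse_router_acl(iptables_save_text, iface):
    """Return {'INBOUND': set(rules), 'OUTBOUND': set(rules)} for iface.

    A rule is (cidr, proto, lo, hi, target). The default DROP at the end of
    each chain is not an ACL item and is left out.
    """
    chains = {"INBOUND": set(), "OUTBOUND": set()}
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("iface") != iface:
            continue
        if m.group("cidr") is None:  # chain default, not an ACL item
            continue
        chains[m.group("direction")].add(
            (m.group("cidr"), m.group("proto"), int(m.group("lo")),
             int(m.group("hi")), m.group("target"))
        )
    return chains


def expected_router_acl(acl_items):
    """Translate network_acl_item rows into the same rule tuples."""
    chains = {"INBOUND": set(), "OUTBOUND": set()}
    direction = {"Ingress": "INBOUND", "Egress": "OUTBOUND"}
    target = {"Allow": "ACCEPT", "Deny": "DROP"}
    for it in acl_items:
        chains[direction[it["traffic_type"]]].add(
            (it["cidr"], it["protocol"], it["start_port"], it["end_port"],
             target[it["action"]])
        )
    return chains


def acl_drift(iptables_save_text, iface, acl_items):
    """Compare what the router enforces with what the assigned ACL says.

    Rules are compared as sets (presence only); an empty ACL therefore
    expects no item rules at all, so every item rule still present is stale.
    """
    actual = parse_router_acl(iptables_save_text, iface)
    expected = expected_router_acl(acl_items)
    stale, missing = [], []
    for d in ("INBOUND", "OUTBOUND"):
        stale += sorted((d,) + r for r in actual[d] - expected[d])
        missing += sorted((d,) + r for r in expected[d] - actual[d])
    return {"stale": stale, "missing": missing}


if __name__ == "__main__":
    print(acl_drift(ROUTER_ETH4, "eth4", ACL_3_ITEMS))  # router in sync with ACL 3
    print(acl_drift(ROUTER_ETH4, "eth4", ACL_4_ITEMS))  # four stale rules after switching to ACL 4
```

Run against the report's own data, the check is clean for ACL 3 and flags all four item rules as stale once the gateway record points at the empty ACL 4, which is exactly the condition the reporter observed. Comparing as sets deliberately ignores rule order; a first-match firewall also depends on order, so a fuller check would compare the ordered lists once presence agrees.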