Posted to issues@cloudstack.apache.org by "Chandan Purushothama (JIRA)" <ji...@apache.org> on 2013/07/26 01:23:48 UTC

[jira] [Closed] (CLOUDSTACK-3199) NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chandan Purushothama closed CLOUDSTACK-3199.
--------------------------------------------


Verified on 4.2 Build.
                
> NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't apply the rules to the Private Gateway on the VPC Virtual Router
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3199
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3199
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.2.0
>            Reporter: Chandan Purushothama
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.2.0
>
>
> Observe from the Information given below that the Newly added Network ACL Items are getting applied to the Guest Network Tier but are not applied to the Private Gateway present on the Virtual Router. Both the network tier and the private gateway use the same Network ACL Container.
> ==================
> On VPC Virtual Router:
> ==================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> root@r-3-NTIERAGN:~# ifconfig eth2 | grep Bcast
>           inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
> root@r-3-NTIERAGN:~# ifconfig eth3 | grep Bcast
>           inet addr:10.223.57.160  Bcast:10.223.57.191  Mask:255.255.255.192
> ==============
> On the Database:
> ==============
> mysql> select * from vpc_gateways where id=2 \G
> *************************** 1. row ***************************
>             id: 2
>           uuid: cf8e69db-620c-4b61-a1d3-4f595b6c6050
>    ip4_address: 10.223.57.160
>        netmask: 255.255.255.192
>        gateway: 10.223.57.129
>       vlan_tag: 572
>           type: Private
>     network_id: 210
>         vpc_id: 1
>        zone_id: 1
>        created: 2013-06-24 23:06:20
>     account_id: 3
>      domain_id: 1
>          state: Ready
>        removed: NULL
>     source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
> mysql> select * from networks where id in (208,210);
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> | id  | name                           | uuid                                 | display_text                   | traffic_type | broadcast_domain_type | broadcast_uri | gateway       | cidr             | mode   | network_offering_id | physical_network_id | data_center_id | guru_name                | state       | related | domain_id | account_id | dns1 | dns2 | guru_data | set_fields | acl_type | network_domain             | reservation_id                       | guest_type | restart_required | created             | removed | specify_ip_ranges | vpc_id | ip6_gateway | ip6_cidr | network_cidr | display_network | network_acl_id |
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> | 208 | Atoms-VPC-Net-2                | c81066f7-f3ed-4aab-8f86-be8d3bab32ed | Atoms-VPC-Net-2                | Guest        | Vlan                  | vlan://2580   | 192.168.11.1  | 192.168.11.0/24  | Dhcp   |                  12 |                 200 |              1 | ExternalGuestNetworkGuru | Implemented |     208 |         1 |          3 | NULL | NULL | NULL      |          0 | Account  | atomsvpcnet1.lab.vmops.com | 175f7abb-a55b-4932-b394-24137ee1203b | Isolated   |                0 | 2013-06-21 21:24:45 | NULL    |                 0 |      1 | NULL        | NULL     | NULL         |               1 |              4 |
> | 210 | vpc-Atoms-VPC-1-privateNetwork | 42919011-267e-4eed-9af8-241e3dc78df0 | vpc-Atoms-VPC-1-privateNetwork | Guest        | Vlan                  | vlan://572    | 10.223.57.129 | 10.223.57.128/26 | Static |                   5 |                 200 |              1 | PrivateNetworkGuru       | Setup       |     210 |         1 |          1 | NULL | NULL | NULL      |          0 | Account  | NULL                       | NULL                                 | Isolated   |                0 | 2013-06-24 23:06:20 | NULL    |                 0 |      1 | NULL        | NULL     | NULL         |               1 |           NULL |
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> 2 rows in set (0.00 sec)
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request] (Job-Executor-30:job-89) Seq 1-1278678427: Executing: { Cmd , MgmtId: 7471666038533, via: 1, Ver: v1, Flags: 100001, [{"routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}],"nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},"wait":0}}] } 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira