Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2013/07/05 13:41:48 UTC

[jira] [Commented] (CLOUDSTACK-234) create/delete firewa/lb/pf rule: send ip assoc command only on first rule is created on the IP and last rule is revoked on the IP

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700618#comment-13700618 ] 

ASF subversion and git services commented on CLOUDSTACK-234:
------------------------------------------------------------

Commit 1e1ccb8e1ee82fd2639c20bee2bcc7cf744afe16 in branch refs/heads/CLOUDSTACK-234 from [~murali.reddy]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=1e1ccb8 ]

CLOUDSTACK-234: create/delete firewa/lb/pf rule: send ip assoc command
only on first rule is created on the IP and last rule is revoked on the
IP

Current suboptimal logic of IP Assoc

 - On associate IP to GuestNetwork there is an IPAssoc command sent to
   corresponding network service providers of the network
 - On every rule apply on IP associated with the network send IP assoc
   to the network service providers
 - On every rule deletion on IP associated with a network send IP assoc
   command to the network service providers

With this fix logic of IP assoc is changed as below which eliminates
execution of unnecessary and expensive IpAssocCommand resource command

 - On associate IP to GuestNetwork, associate IP only to the network,
   Until any service is associated with the IP don't send IP Assoc
 - On creation of first rule on the IP send IPAssoc to corresponding
   network service provider. Since IP is used for a service, IPAssoc
   need to be sent to corresponding service provider
 - On deletion of last rule on the IP send IPAssoc to corresponding
   network service provider. When last rule is deleted, IP has no
   service associated with it, so send IP assoc to service provider to
   remove the IP association

                
> create/delete firewa/lb/pf rule: send ip assoc command only on first rule is created on the IP and last rule is revoked on the IP
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-234
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-234
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server
>    Affects Versions: 4.0.0
>            Reporter: Alena Prokharchyk
>            Assignee: Murali Reddy
>             Fix For: 4.2.0
>
>
> We have to improve the logic for creating/deleting any kind of firewall rules. At the moment ipAssoc is being called when:
> * the first rule for the ip address is being created
> * the last rule for the IP address is being removed
> As a part of ipAssoc command, we send all ip addresses assigned to the guest network of the rule. The behavior has to be fixed the way we send ip assoc only for the ip address the rule is being created for.
