This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch 4.13
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


View the commit online:
https://github.com/apache/cloudstack/commit/dcc798d7aa30b446cf8c8cb9c6a749de510d8218

The following commit(s) were added to refs/heads/4.13 by this push:
     new dcc798d  vpc: fix acl rule with protocol number is not applied correctly in vpc vr (#3678)
dcc798d is described below

commit dcc798d7aa30b446cf8c8cb9c6a749de510d8218
Author: Wei Zhou <[email protected]>
AuthorDate: Thu Nov 21 06:59:22 2019 +0100

    vpc: fix acl rule with protocol number is not applied correctly in vpc vr (#3678)
    
    When adding an acl rule with protocol number, the iptables rules in vpc vr are not applied correctly.
    For example, when adding an ingress acl rule (protocol number: 50, cidr: 2.2.2.2/32), we expect to have an iptables rule: "-A ACL_INBOUND_eth2 -s 2.2.2.2/32 -p esp -j ACCEPT"
    The actual rule is "-A ACL_INBOUND_eth2 -j DROP"
    
    It is because the rules in json are not correct.
    
network_acl.json.a8c52dca-0278-4e1c-b72b-987ca7121f4f.gz:{"device":"eth2","mac_address":"02:00:7d:27:00:02","private_gateway_acl":false,"nic_ip":"192.168.11.12","nic_netmask":"28","ingress_rules":[{"type":"protocol","protocol":50,"cidr":"ACCEPT","allowed":false},{"type":"all","cidr":"0.0.0.0/0","allowed":true},],"egress_rules":[],"type":"networkacl"}
    
    Fixes: #3602
---
 .../agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
 
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
index 7247766..c16e926 100644
--- 
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
+++ 
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetNetworkAclConfigItem.java
@@ -79,7 +79,7 @@ public class SetNetworkAclConfigItem extends 
AbstractConfigItemFacade {
                 // If we check the size of the array, it will fail to setup 
the network.
                 // So, let's catch the exception and continue in the loop.
                 try {
-                    aclRule = new ProtocolAclRule(ruleParts[5], false, 
Integer.parseInt(ruleParts[1]));
+                    aclRule = new ProtocolAclRule(ruleParts[4], 
"ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[1]));
                 } catch (final Exception e) {
                     s_logger.warn("Problem occured when reading the entries in 
the ruleParts array. Actual array size is '" + ruleParts.length + "', but 
trying to read from index 5.");
                     continue;
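
Review bot: the `catch (final Exception e)` that wraps the new `ProtocolAclRule(...)` call still skips the rule with `continue`, so a malformed protocol entry is silently left out of the ACL config sent to the VR, and the warning is now misleading. The try block reads `ruleParts[1]`, `ruleParts[4]` and `ruleParts[5]` and calls `Integer.parseInt`, so a non-numeric protocol field would also land here, yet the message only mentions "trying to read from index 5" and `e` is never passed to the logger. Suggest catching the index and number-format failures explicitly, logging the exception together with the offending rule, and correcting the message text ("occured" is also misspelled). Separately, `"ACCEPT".equals(ruleParts[5])` is case-sensitive and maps every other value to `allowed=false`; if that fail-closed default is intended, a short comment saying so would help. The diffstat shows only this file changed, so a unit test that feeds a protocol-number rule and asserts the resulting `cidr` and `allowed` values would guard against the index mix-up returning.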
@@ -104,4 +104,4 @@ public class SetNetworkAclConfigItem extends 
AbstractConfigItemFacade {
 
         return super.generateConfigItems(configuration);
     }
-}
\ No newline at end of file
+}
