[
https://issues.apache.org/jira/browse/CLOUDSTACK-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chandan Purushothama closed CLOUDSTACK-3199.
--------------------------------------------
Verified on 4.2 Build.
> NTier: Adding New Network ACL Rule Items in a Network ACL Container doesn't
> apply the rules to the Private Gateway on the VPC Virtual Router
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3199
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3199
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Management Server
> Affects Versions: 4.2.0
> Reporter: Chandan Purushothama
> Assignee: Jayapal Reddy
> Priority: Blocker
> Fix For: 4.2.0
>
>
> The output below shows that the newly added Network ACL items are applied to
> the guest network tier but not to the private gateway on the virtual router,
> even though both use the same Network ACL container (id 4). On the router,
> ACL_INBOUND_eth2 (the tier) carries all six items while ACL_INBOUND_eth3 (the
> private gateway interface) still carries only the first two, and the
> SetNetworkACLCommand logged on the management server targets only the NIC on
> VLAN 2580, not the gateway's VLAN 572.
> ==================
> On VPC Virtual Router:
> ==================
> root@r-3-NTIERAGN:~# iptables-save | grep ACL
> :ACL_OUTBOUND_eth2 - [0:0]
> :ACL_OUTBOUND_eth3 - [0:0]
> -A PREROUTING -i eth3 -m state --state NEW -j ACL_OUTBOUND_eth3
> -A PREROUTING -s 192.168.11.0/24 ! -d 192.168.11.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
> -A ACL_OUTBOUND_eth2 -j ACCEPT
> -A ACL_OUTBOUND_eth3 -j ACCEPT
> :ACL_INBOUND_eth2 - [0:0]
> :ACL_INBOUND_eth3 - [0:0]
> -A FORWARD -o eth3 -j ACL_INBOUND_eth3
> -A FORWARD -d 192.168.11.0/24 -o eth2 -j ACL_INBOUND_eth2
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j DROP
> -A ACL_INBOUND_eth2 -s 10.223.131.0/24 -p tcp -m tcp --dport 45:85 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth2 -s 10.216.133.50/32 -p tcp -m tcp --dport 50:99 -j ACCEPT
> -A ACL_INBOUND_eth2 -s 10.223.131.192/26 -p tcp -m tcp --dport 105:145 -j DROP
> -A ACL_INBOUND_eth2 -j DROP
> -A ACL_INBOUND_eth3 -s 10.223.131.172/32 -p tcp -m tcp --dport 20:40 -j ACCEPT
> -A ACL_INBOUND_eth3 -s 10.223.195.103/32 -p tcp -m tcp --dport 21:51 -j DROP
> -A ACL_INBOUND_eth3 -j DROP
> root@r-3-NTIERAGN:~#
> root@r-3-NTIERAGN:~# ifconfig eth2 | grep Bcast
> inet addr:192.168.11.1 Bcast:192.168.11.255 Mask:255.255.255.0
> root@r-3-NTIERAGN:~# ifconfig eth3 | grep Bcast
> inet addr:10.223.57.160 Bcast:10.223.57.191 Mask:255.255.255.192
> ==============
> On the Database:
> ==============
> mysql> select * from vpc_gateways where id=2 \G
> *************************** 1. row ***************************
> id: 2
> uuid: cf8e69db-620c-4b61-a1d3-4f595b6c6050
> ip4_address: 10.223.57.160
> netmask: 255.255.255.192
> gateway: 10.223.57.129
> vlan_tag: 572
> type: Private
> network_id: 210
> vpc_id: 1
> zone_id: 1
> created: 2013-06-24 23:06:20
> account_id: 3
> domain_id: 1
> state: Ready
> removed: NULL
> source_nat: 1
> network_acl_id: 4
> 1 row in set (0.00 sec)
> mysql> select * from networks where id in (208,210);
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> | id | name | uuid | display_text | traffic_type | broadcast_domain_type | broadcast_uri | gateway | cidr | mode | network_offering_id | physical_network_id | data_center_id | guru_name | state | related | domain_id | account_id | dns1 | dns2 | guru_data | set_fields | acl_type | network_domain | reservation_id | guest_type | restart_required | created | removed | specify_ip_ranges | vpc_id | ip6_gateway | ip6_cidr | network_cidr | display_network | network_acl_id |
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> | 208 | Atoms-VPC-Net-2 | c81066f7-f3ed-4aab-8f86-be8d3bab32ed | Atoms-VPC-Net-2 | Guest | Vlan | vlan://2580 | 192.168.11.1 | 192.168.11.0/24 | Dhcp | 12 | 200 | 1 | ExternalGuestNetworkGuru | Implemented | 208 | 1 | 3 | NULL | NULL | NULL | 0 | Account | atomsvpcnet1.lab.vmops.com | 175f7abb-a55b-4932-b394-24137ee1203b | Isolated | 0 | 2013-06-21 21:24:45 | NULL | 0 | 1 | NULL | NULL | NULL | 1 | 4 |
> | 210 | vpc-Atoms-VPC-1-privateNetwork | 42919011-267e-4eed-9af8-241e3dc78df0 | vpc-Atoms-VPC-1-privateNetwork | Guest | Vlan | vlan://572 | 10.223.57.129 | 10.223.57.128/26 | Static | 5 | 200 | 1 | PrivateNetworkGuru | Setup | 210 | 1 | 1 | NULL | NULL | NULL | 0 | Account | NULL | NULL | Isolated | 0 | 2013-06-24 23:06:20 | NULL | 0 | 1 | NULL | NULL | NULL | 1 | NULL |
> +-----+--------------------------------+--------------------------------------+--------------------------------+--------------+-----------------------+---------------+---------------+------------------+--------+---------------------+---------------------+----------------+--------------------------+-------------+---------+-----------+------------+------+------+-----------+------------+----------+----------------------------+--------------------------------------+------------+------------------+---------------------+---------+-------------------+--------+-------------+----------+--------------+-----------------+----------------+
> 2 rows in set (0.00 sec)
> mysql> select id,acl_id,start_port,end_port,state,protocol,created,traffic_type,cidr,number from network_acl_item where acl_id=4;
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | id | acl_id | start_port | end_port | state  | protocol | created             | traffic_type | cidr              | number |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> | 11 |      4 |         20 |       40 | Active | tcp      | 2013-06-24 21:54:51 | Ingress      | 10.223.131.172/32 |      1 |
> | 12 |      4 |         21 |       51 | Active | tcp      | 2013-06-24 21:57:20 | Ingress      | 10.223.195.103/32 |      2 |
> | 13 |      4 |         20 |       40 | Active | tcp      | 2013-06-25 23:22:12 | Ingress      | 10.223.131.172/32 |      3 |
> | 14 |      4 |         50 |       99 | Active | tcp      | 2013-06-25 23:24:19 | Ingress      | 10.216.133.50/32  |      4 |
> | 15 |      4 |         45 |       85 | Active | tcp      | 2013-06-25 23:36:05 | Ingress      | 10.223.131.193/24 |      5 |
> | 17 |      4 |        105 |      145 | Active | tcp      | 2013-06-25 23:39:40 | Ingress      | 10.223.131.193/26 |      6 |
> +----+--------+------------+----------+--------+----------+---------------------+--------------+-------------------+--------+
> 6 rows in set (0.00 sec)
> =====================
> On the Management Server:
> =====================
> 2013-06-25 16:39:40,957 DEBUG [agent.transport.Request]
> (Job-Executor-30:job-89) Seq 1-1278678427: Executing: { Cmd , MgmtId:
> 7471666038533, via: 1, Ver: v1, Flags: 100001,
> [{"routing.SetNetworkACLCommand":{"rules":[{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"ACCEPT","number":1},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[21,51],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.195.103/32"],"trafficType":"Ingress","action":"DROP","number":2},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[20,40],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.172/32"],"trafficType":"Ingress","action":"DROP","number":3},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[50,99],"revoked":false,"alreadyAdded":true,"cidrList":["10.216.133.50/32"],"trafficType":"Ingress","action":"ACCEPT","number":4},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[45,85],"revoked":false,"alreadyAdded":true,"cidrList":["10.223.131.193/24"],"trafficType":"Ingress","action":"ACCEPT","number":5},{"id":0,"vlanTag":"2580","protocol":"tcp","portRange":[105,145],"revoked":false,"alreadyAdded":false,"cidrList":["10.223.131.193/26"],"trafficType":"Ingress","action":"DROP","number":6}],"nic":{"deviceId":3,"networkRateMbps":200,"defaultNic":false,"uuid":"6b89e7c9-6eb1-4598-8a6d-66f37980f321","ip":"192.168.11.1","netmask":"255.255.255.0","gateway":"192.168.11.1","mac":"02:00:51:de:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://2580","isolationUri":"vlan://2580","isSecurityGroupEnabled":false},"accessDetails":{"router.guest.ip":"192.168.11.1","guest.vlan.tag":"2580","zone.network.type":"Advanced","router.ip":"169.254.0.161","router.name":"r-3-NTIERAGN"},"wait":0}}]
> }