[
https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15314212#comment-15314212
]
ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------
GitHub user pdube reopened a pull request:
https://github.com/apache/cloudstack/pull/1581
CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR.
The comparator was inverted.
Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
In this example, I created rules with the port numbers the same as the rule
numbers.
Chain ACL_INBOUND_eth2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere 225.0.0.50
ACCEPT all -- anywhere vrrp.mcast.net
DROP tcp -- anywhere anywhere tcp dpt:netstat
DROP tcp -- anywhere anywhere tcp dpt:10
DROP tcp -- anywhere anywhere tcp dpt:5
DROP tcp -- anywhere anywhere tcp dpt:3
DROP tcp -- anywhere anywhere tcp dpt:2
DROP all -- anywhere anywhere
We can see above that the rules are inverted.
After the fix:
Chain ACL_INBOUND_eth2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere 225.0.0.50
ACCEPT all -- anywhere vrrp.mcast.net
DROP tcp -- anywhere anywhere tcp dpt:2
DROP tcp -- anywhere anywhere tcp dpt:3
DROP tcp -- anywhere anywhere tcp dpt:5
DROP tcp -- anywhere anywhere tcp dpt:10
DROP tcp -- anywhere anywhere tcp dpt:netstat
DROP all -- anywhere anywhere
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/pdube/cloudstack network-acl-rules-order
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/1581.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1581
----
commit caf4a48075e0f59b5d101efdd3ac6b1bee8f4f39
Author: Patrick Dube <[email protected]>
Date: 2016-06-02T17:15:38Z
Fixed ordering of network ACL rules being sent to the VR. The comparator
was inverted
commit 4c97a3981dc0d543e02f62f2bb4fc2eb805545c6
Author: Patrick Dube <[email protected]>
Date: 2016-06-02T17:44:39Z
Added unit test to verify ordering
commit 9cdd23fdc77e643d886c3af8cb0a60f9c4ddf84f
Author: Patrick Dube <[email protected]>
Date: 2016-06-03T12:48:47Z
Added ASF license to unit test file
----
> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
> Key: CLOUDSTACK-9404
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Affects Versions: 4.7.2, 4.8.0, 4.9.0
> Reporter: Patrick D.
> Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
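Why the rule order in the listings above matters, as an added example that is not part of the pull request or of CloudStack's code: a chain is evaluated first-match, so a sort with an inverted comparator can change the verdict, not only the listing. The Python names below and the overlapping rule pair are assumptions constructed for illustration; the project's comparator is not shown in this message.

```python
from functools import cmp_to_key
from typing import NamedTuple, Optional


class AclRule(NamedTuple):
    number: int           # ACL rule number; lower numbers must be evaluated first
    action: str           # "ACCEPT" or "DROP"
    port: Optional[int]   # TCP destination port; None matches any port


def ascending(a, b):
    """Intended order: lowest rule number first."""
    return a.number - b.number


def inverted(a, b):
    """Sign inverted (illustrative stand-in for the defect): highest number first."""
    return b.number - a.number


def build_chain(rules, comparator):
    """Sort the rules, then append the chain's trailing catch-all DROP."""
    ordered = sorted(rules, key=cmp_to_key(comparator))
    return ordered + [AclRule(number=-1, action="DROP", port=None)]


def rule_numbers(chain):
    """Rule numbers in chain order, without the trailing catch-all."""
    return [r.number for r in chain[:-1]]


def verdict(chain, port):
    """First-match evaluation, as iptables walks a chain."""
    for rule in chain:
        if rule.port is None or rule.port == port:
            return rule.action
    return "DROP"


# Rule numbers from the PR description (port == rule number; 15 is the
# port that iptables prints as "netstat").
PAGE_RULES = [AclRule(n, "DROP", n) for n in (10, 2, 15, 5, 3)]

# Constructed sample: rule 10 blocks SSH, rule 20 allows everything else.
OVERLAPPING = [AclRule(20, "ACCEPT", None), AclRule(10, "DROP", 22)]

if __name__ == "__main__":
    for name, cmp in (("ascending", ascending), ("inverted", inverted)):
        print(name, rule_numbers(build_chain(PAGE_RULES, cmp)),
              "tcp/22 ->", verdict(build_chain(OVERLAPPING, cmp), 22))
```

With the inverted sort, the broad ACCEPT in rule 20 is reached before the DROP in rule 10, so traffic the operator meant to block is allowed.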