[ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15323321#comment-15323321 ]

ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------

Github user dmabry commented on the issue:

    https://github.com/apache/cloudstack/pull/1581
  
    I tested this in our lab with advanced networking and verified the patch is working as expected. I used the following test process.
    
    1. Created an acl and applied it to 1 VPC Network Tier.
    ``` 
    10  192.168.10.0/24 Allow   ALL             Ingress          
    20  192.168.20.0/24 Allow   ALL             Ingress         
    30  192.168.30.0/24 Allow   ALL             Ingress         
    ```
    2. iptables looked like the following on the VPC VR
    ```
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            225.0.0.50          
    ACCEPT     all  --  0.0.0.0/0            224.0.0.18          
    ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0           
    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
    ```
    3. I added an additional rule of:
    ```
    40  192.168.40.0/24 Allow   TCP             80      80              Ingress
    ```
    4. iptables looked like the following on the VPC VR
    ```
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            225.0.0.50          
    ACCEPT     all  --  0.0.0.0/0            224.0.0.18          
    ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.20.0/24      0.0.0.0/0           
    ACCEPT     all  --  192.168.30.0/24      0.0.0.0/0           
    ACCEPT     tcp  --  192.168.40.0/24      0.0.0.0/0            tcp dpt:80
    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
    ```
    
    In summary, it looks like this patch works, as verified by manual testing in my lab.
    
    In short, LGTM based on testing.


> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted.
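The inverted-comparator symptom and why it matters, as an added example that is not CloudStack's code: a hypothetical Python model (the names `AclItem`, `render_chain`, `evaluate` and both sample rule sets are assumptions) that sorts ACL items with a backwards comparator and with the corrected one, renders the resulting chain in `iptables -L` layout, and then walks it first-match the way iptables does. With only Allow rules, as in the lab test above, the inversion merely reorders ACCEPT lines; once a lower-numbered Deny overlaps a higher-numbered Allow, the inversion lets the Allow win.

```python
"""Hypothetical model of VPC network ACL -> iptables chain ordering.

Not CloudStack's own code: it models the symptom in CLOUDSTACK-9404 (rules
emitted in inverted order because the sort comparator was backwards) and
shows why the order matters in a first-match chain.
"""
import ipaddress
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional


@dataclass(frozen=True)
class AclItem:
    number: int                     # rule number: lower numbers must be evaluated first
    cidr: str
    action: str                     # "Allow" or "Deny"
    protocol: str                   # "ALL", "TCP", "UDP" or "ICMP"
    start_port: Optional[int] = None
    end_port: Optional[int] = None


def inverted_compare(a: AclItem, b: AclItem) -> int:
    """Buggy comparator: sign flipped, so higher rule numbers sort first."""
    return b.number - a.number


def fixed_compare(a: AclItem, b: AclItem) -> int:
    """Corrected comparator: ascending rule number."""
    return a.number - b.number


def order_rules(items: List[AclItem], compare) -> List[AclItem]:
    return sorted(items, key=cmp_to_key(compare))


def render_chain(items: List[AclItem], compare, chain: str = "ACL_INBOUND_eth2") -> List[str]:
    """Render an `iptables -L`-style listing with a trailing default DROP."""
    lines = [f"Chain {chain} (1 references)",
             "target     prot opt source               destination"]
    for it in order_rules(items, compare):
        target = "ACCEPT" if it.action == "Allow" else "DROP"
        proto = "all" if it.protocol == "ALL" else it.protocol.lower()
        extra = ""
        if proto in ("tcp", "udp") and it.start_port is not None:
            if it.end_port in (None, it.start_port):
                extra = f"{proto} dpt:{it.start_port}"
            else:
                extra = f"{proto} dpts:{it.start_port}:{it.end_port}"
        lines.append(f"{target:<10} {proto:<4} --  {it.cidr:<20} {'0.0.0.0/0':<20} {extra}".rstrip())
    lines.append(f"{'DROP':<10} {'all':<4} --  {'0.0.0.0/0':<20} 0.0.0.0/0")
    return lines


def _matches(it: AclItem, src_ip: str, protocol: str, port: Optional[int]) -> bool:
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(it.cidr, strict=False):
        return False
    if it.protocol != "ALL" and it.protocol != protocol:
        return False
    if it.start_port is not None and port is not None:
        end = it.end_port if it.end_port is not None else it.start_port
        if not it.start_port <= port <= end:
            return False
    return True


def evaluate(items: List[AclItem], compare, src_ip: str, protocol: str, port: Optional[int] = None) -> str:
    """First-match walk of the ordered chain; nothing matched means the default DROP."""
    for it in order_rules(items, compare):
        if _matches(it, src_ip, protocol, port):
            return it.action
    return "Deny"


# Constructed to mirror the four rules used in the lab test; not taken from a real VR.
LAB_RULES = [
    AclItem(10, "192.168.10.0/24", "Allow", "ALL"),
    AclItem(20, "192.168.20.0/24", "Allow", "ALL"),
    AclItem(30, "192.168.30.0/24", "Allow", "ALL"),
    AclItem(40, "192.168.40.0/24", "Allow", "TCP", 80, 80),
]

# Constructed overlap case: a specific Deny that must be evaluated before a broad Allow.
OVERLAP_RULES = [
    AclItem(10, "192.168.10.0/24", "Deny", "TCP", 22, 22),   # block SSH from the tier
    AclItem(20, "192.168.10.0/24", "Allow", "ALL"),          # allow everything else
]

if __name__ == "__main__":
    for name, cmp in (("inverted", inverted_compare), ("fixed", fixed_compare)):
        print(f"--- {name} comparator ---")
        print("\n".join(render_chain(LAB_RULES, cmp)))
        print("SSH from 192.168.10.5:", evaluate(OVERLAP_RULES, cmp, "192.168.10.5", "TCP", 22))
```

The check to run on a patched VR is the same one the comment above performs: after adding a higher-numbered rule, confirm it lands below the lower-numbered ones in the chain listing, and, for a stronger test than an Allow-only ACL, add a lower-numbered Deny that overlaps a higher-numbered Allow and verify the Deny is the line that fires.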



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
