Hi,
I did a couple more tests and I can confirm the issue (CLOUDSTACK-9404) still happens with version CS 4.9 using the VPC router version 4.6.


See an example:

I have an egress rule like the following:
Rule number: 101, CIDR: 8.8.8.8/32, Action: Allow, Traffic Type: Egress, Protocol: ICMP, ICMPtype: -1, ICMPCode: -1

Then I add this rule:
Rule number: 1002, CIDR: 0.0.0.0/0, Action: Deny, Traffic Type: Egress, Protocol: ALL

Checking the VR, in the file /etc/iptables/router_rules.v4, the rules are applied in the wrong order:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT


But then if I restart the VPC and clean up, I check iptables again and now the order is correct:
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP

Is the VPC router version 4.6 the latest one?

I would really appreciate it if somebody else could confirm this issue.

Best,

David
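
A check for the misordering reported in the message above, as an added example that is not part of the original post or CloudStack's own code: it parses iptables-save style text and reports any rule that follows an unconditional ACCEPT/DROP/REJECT in the same chain. The function names and the `ACL_` chain prefix filter are assumptions; the two sample listings are the ones quoted in the message.

```python
import shlex
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal
MATCH_ALL = {"0.0.0.0/0", "0/0"}          # CIDRs that do not narrow a rule
Shadowed = namedtuple("Shadowed", "chain line rule blocked_by_line")

def _is_catch_all(args):
    """True if the rule matches every packet and jumps to a terminal target."""
    rest = list(args)
    while len(rest) >= 2 and rest[0] in ("-s", "-d") and rest[1] in MATCH_ALL:
        rest = rest[2:]
    return len(rest) >= 2 and rest[0] == "-j" and rest[1] in TERMINAL

def find_shadowed_rules(rules_text, chain_prefix="ACL_"):
    """Return every rule placed after a catch-all rule in the same chain."""
    catch_all_at = {}          # chain name -> line number of first catch-all
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("-A "):
            continue           # skip table headers, policies, COMMIT, comments
        tokens = shlex.split(line)
        chain, args = tokens[1], tokens[2:]
        if not chain.startswith(chain_prefix):
            continue           # assumption: only the ACL chains are of interest
        if chain in catch_all_at:
            findings.append(Shadowed(chain, lineno, line, catch_all_at[chain]))
        elif _is_catch_all(args):
            catch_all_at[chain] = lineno
    return findings

# The two listings quoted in the message (before and after the cleanup restart).
BEFORE_RESTART = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""
AFTER_RESTART = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
"""

if __name__ == "__main__":
    for f in find_shadowed_rules(BEFORE_RESTART):
        print(f"{f.chain}: line {f.line} is unreachable after line {f.blocked_by_line}: {f.rule}")
```
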

------ Original message ------
From: "Simon Weller" <swel...@ena.com>
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>; "David Amorín" <david.amo...@adderglobal.com>
Sent: 05/10/2016 18:35:48
Subject: Re: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Try doing a restart with network cleanup and see if that fixes your problem. The fixes are in the system iso and that will require a redeploy.



- Si


--------------------------------------------------------------------------------
From: David Amorín <david.amo...@adderglobal.com>
Sent: Wednesday, October 5, 2016 11:18 AM
To: Simon Weller; users@cloudstack.apache.org
Subject: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Yes, we did the upgrade from 4.5.2 to 4.9.0




------ Original message ------
From: "Simon Weller" <swel...@ena.com>
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>; "David Amorín" <david.amo...@adderglobal.com>
Sent: 05/10/2016 18:11:26
Subject: Re: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Was this an upgrade from an older release?



--------------------------------------------------------------------------------
From: David Amorín <david.amo...@adderglobal.com>
Sent: Wednesday, October 5, 2016 10:11 AM
To: users@cloudstack.apache.org
Subject: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

We are running 4.9.0 and we are still facing the issues of the ACL Rules
(CLOUDSTACK-9404)



------ Original message ------
From: "Simon Weller" <swel...@ena.com>
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>;
"David Amorín" <david.amo...@adderglobal.com>
Sent: 04/10/2016 18:02:22
Subject: Re: Network ACL rules in VPCs are applied in an inverted order
(CLOUDSTACK-9404)

>David,
>
>
>What version are you currently running?
>
>
>I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.
>
>
>At least #1581 was also merged into 4.8.x for the next point release.
>
>
>- Si
>
>________________________________
>From: David Amorín <david.amo...@adderglobal.com>
>Sent: Tuesday, October 4, 2016 10:47 AM
>To: users@cloudstack.apache.org
>Subject: Network ACL rules in VPCs are applied in an inverted order
>(CLOUDSTACK-9404)
>
>Hi all,
>I see this bug is already resolved
>
>https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>
>
>
>
>Do you know if it will be available in 4.9.1?
>
>Thanks
>
>David
>
>
>
>
>
