David,
Can you post your question to the dev list? You're more likely to get a response there.

- Si

________________________________
From: David Amorín <[email protected]>
Sent: Tuesday, October 25, 2016 9:23 AM
To: [email protected]; [email protected]
Subject: Re[7]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

Sorry to bring up an old question, just want to ask again if somebody can confirm this issue (inverted order of the ACL rules) with CS 4.9 and VPC router version 4.6

Thanks,
David

------ Original Message ------
From: "David Amorín" <[email protected]>
To: "[email protected]" <[email protected]>
Sent: 17/10/2016 11:16:03
Subject: Re[6]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)

>Hi,
>I did a couple more tests and I can confirm the issue (CLOUDSTACK-9404) still happens with the version CS 4.9 using the VPC router version 4.6
>
>See an example:
>
>I have an egress rule like the following:
>Rule number: 101, CIDR: 8.8.8.8/32, Action: Allow, Traffic Type: Egress, Protocol: ICMP, ICMPtype: -1, ICMPCode: -1
>
>Then I add this rule:
>Rule number: 1002, CIDR: 0.0.0.0/0, Action: Deny, Traffic Type: Egress, Protocol: ALL
>
>Checking the VR, in file /etc/iptables/router_rules.v4, the rules are applied in the wrong order:
>-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -j DROP
>-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
>
>But then if I restart the VPC and clean up, I check iptables again and now it is in the correct order:
>-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
>-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
>-A ACL_OUTBOUND_eth2 -j DROP
>
>Is the VPC router version 4.6 the latest one?
>
>I'd really appreciate it if somebody else can confirm this issue
>
>Best,
>
>David
>
>------ Original Message ------
>From: "Simon Weller" <[email protected]>
>To: "[email protected]" <[email protected]>; "David Amorín" <[email protected]>
>Sent: 05/10/2016 18:35:48
>Subject: Re: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>
>>Try doing a restart with network cleanup and see if that fixes your problem. The fixes are in the system iso and that will require a redeploy.
>>
>>- Si
>>
>>--------------------------------------------------------------------------------
>>From: David Amorín <[email protected]>
>>Sent: Wednesday, October 5, 2016 11:18 AM
>>To: Simon Weller; [email protected]
>>Subject: Re[4]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>>
>>Yes, we did the upgrade from 4.5.2 to 4.9.0
>>
>>------ Original Message ------
>>From: "Simon Weller" <[email protected]>
>>To: "[email protected]" <[email protected]>; "David Amorín" <[email protected]>
>>Sent: 05/10/2016 18:11:26
>>Subject: Re: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>>
>>>Was this an upgrade from an older release?
>>>
>>>--------------------------------------------------------------------------------
>>>From: David Amorín <[email protected]>
>>>Sent: Wednesday, October 5, 2016 10:11 AM
>>>To: [email protected]
>>>Subject: Re[2]: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>>>
>>>We are running 4.9.0 and we are still facing the issues of the ACL Rules (CLOUDSTACK-9404)
>>>
>>>------ Original Message ------
>>>From: "Simon Weller" <[email protected]>
>>>To: "[email protected]" <[email protected]>; "David Amorín" <[email protected]>
>>>Sent: 04/10/2016 18:02:22
>>>Subject: Re: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>>>
>>> >David,
>>> >
>>> >What version are you currently running?
>>> >
>>> >I believe 2 patches got into 4.9.0 related to this. #1581 and #1616.
>>> >
>>> >At least #1581 was also merged into 4.8.x for the next point release.
>>> >
>>> >- Si
>>> >
>>> >________________________________
>>> >From: David Amorín <[email protected]>
>>> >Sent: Tuesday, October 4, 2016 10:47 AM
>>> >To: [email protected]
>>> >Subject: Network ACL rules in VPCs are applied in an inverted order (CLOUDSTACK-9404)
>>> >
>>> >Hi all,
>>> >I see this bug is already resolved
>>> >
>>> >https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>>> >
>>> >Do you know if it will be available in 4.9.1?
>>> >
>>> >Thanks
>>> >
>>> >David
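
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of CloudStack's code: it parses iptables-save style text such as /etc/iptables/router_rules.v4 and reports rules appended after an unconditional ACCEPT/DROP/REJECT in the same chain, which can never match. The function name and the embedded sample (built from the two listings quoted in the thread) are constructed for illustration; only rules with no match options at all are treated as catch-alls.

```python
import shlex
import sys

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample input: the two ACL_OUTBOUND_eth2 listings quoted in the thread.
BROKEN = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
"""
AFTER_CLEANUP = """\
-A ACL_OUTBOUND_eth2 -d 224.0.0.18/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 225.0.0.50/32 -j ACCEPT
-A ACL_OUTBOUND_eth2 -d 8.8.8.8/32 -p icmp -m icmp --icmp-type any -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
"""


def shadowed_rules(rules_text):
    """Return {chain: [(catch_all_rule, unreachable_rule), ...]}.

    A rule is a catch-all when its spec is exactly '-j <terminal target>';
    every later '-A' rule in the same chain is unreachable.
    """
    catch_all = {}  # chain -> first unconditional terminal rule seen
    findings = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT, comments
        tokens = shlex.split(line)  # keeps quoted --comment strings intact
        chain, spec = tokens[1], tokens[2:]
        if chain in catch_all:
            findings.setdefault(chain, []).append((catch_all[chain], line))
        elif len(spec) == 2 and spec[0] == "-j" and spec[1] in TERMINAL:
            catch_all[chain] = line
    return findings


if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for chain, pairs in shadowed_rules(text).items():
        for blocker, dead in pairs:
            print(f"{chain}: '{dead}' is unreachable after '{blocker}'")
```
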
