[ https://issues.apache.org/jira/browse/CLOUDSTACK-6214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13931120#comment-13931120 ]

angeline shen commented on CLOUDSTACK-6214:
-------------------------------------------

Verify with latest build CloudPlatform-QA-4.3.0.0-0.402-rhel6.3.tar.gz

MS: 10.223.130.160
host: 10.223.51.4 XS 6.2

nw offer: isolated, specify VLAN, VPC, LB type: public LB
chk: vpn dhcp dns lb userdata sourceNAT staticNAT PF nwACL, account

1. Create VPC
   Configure NW ACL list - Add ACL list > vpc4ACL4
   vpc4ACL4 > ACL list rules > add rule 1: 0.0.0.0/0 allow ALL Ingress
                               add rule 2: 0.0.0.0/0 allow ALL Egress

2. Create NW offering 6214:
   Guest type: isolated
   specify VLAN: check
   VPC: check
   LB type: public LB
   Supported services:
     VPN - VR
     Dhcp - VR
     DNS - VR
     Firewall - Uncheck
     Load balancer - VR
     User data - VR
     Source NAT - VR
     Static NAT - VR
     Port forwarding - VR
     networkACL - check
   supported source NAT type: per account

3. Vpc4 > create NW tier vpc4G4 with nw offering 6214

4. Vpc4G4 > Deploy VM

5. Login host 10.223.51.4 - login to VR r-3-VM

[ashen@localhost ~]$ ssh root@10.223.51.3
root@10.223.51.3's password:
[root@Rack2Host19 ~]# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.181 -p 3922
Linux r-3-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64

6. r-3-VM:

root@r-3-VM:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:b5
          inet addr:169.254.3.181  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c00:a9ff:fefe:3b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:416 errors:0 dropped:0 overruns:0 frame:0
          TX packets:395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53884 (52.6 KiB)  TX bytes:66554 (64.9 KiB)
          Interrupt:25

eth1      Link encap:Ethernet  HWaddr 06:2b:70:00:00:13
          inet addr:10.223.123.17  Bcast:10.223.123.63  Mask:255.255.255.192
          inet6 addr: fe80::42b:70ff:fe00:13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2122 (2.0 KiB)  TX bytes:7170 (7.0 KiB)
          Interrupt:24

eth2      Link encap:Ethernet  HWaddr 02:00:7f:16:00:02
          inet addr:10.4.1.1  Bcast:10.4.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7fff:fe16:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2314 (2.2 KiB)  TX bytes:3238 (3.1 KiB)
          Interrupt:26

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1318 (1.2 KiB)  TX bytes:1318 (1.2 KiB)

7. check iptables

[root@Rack2Host19 ~]# iptables-save
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*mangle
:PREROUTING ACCEPT [455:46866]
:INPUT ACCEPT [455:46866]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:55390]
:POSTROUTING ACCEPT [402:55390]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [402:55390]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.0.0/16 ! -d 10.4.0.0/16 -j ACCEPT
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 10.4.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 10.4.0.0/16 -i eth1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*nat
:PREROUTING ACCEPT [27:2450]
:INPUT ACCEPT [27:2450]
:OUTPUT ACCEPT [10:1288]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.123.17
-A POSTROUTING -s 10.4.1.0/24 -o eth2 -j SNAT --to-source 10.4.1.1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014

8. Per Kishan's email:

> On VR, verify that ACLs are applied using iptables.
> e.g: If an egress ACL is added to eth2, related rules will be in
> chain ACL_INBOUND_eth2

Does the following ACL rule lines look correct?

[ashen@localhost 6214]$ grep ACL ipt4
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP

> VPC: when guest network is in Setup state, on its initial nicPlug to the VR, corresponding network rules are not getting applied
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6214
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6214
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> Steps to reproduce:
> ==========================
> 1) Create VPC
> 2) Add networkACLList and a rule to it
> 3) In VPC, create a network from NetworkOffering with specifyVlan=true. Network is created in Setup state.
> 4) Start user vm in the network.
> Bug: network ACLs are not applied although the guest nic is plugged to the VR.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
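The question in step 8 ("do these ACL rule lines look correct?") can be answered mechanically from a saved iptables-save dump such as the `ipt4` file grepped above. The script below is an added example and is not part of this comment or of CloudStack's code: it parses the dump, and for one guest tier (interface, CIDR, gateway) checks that the VR created `ACL_OUTBOUND_<iface>` in the mangle table and hooked it from PREROUTING on traffic sourced from the tier, created `ACL_INBOUND_<iface>` in the filter table and hooked it from FORWARD on traffic destined to the tier, and that each chain ends in DROP so unmatched traffic is denied rather than falling through to the table policy. Both samples are constructed: `SAMPLE_OK` is trimmed from the dump posted above, and `SAMPLE_BUG` is the same dump with every ACL line removed, which is what the VR looks like in the bug this ticket describes (ACL never applied on the initial nic plug). The function names and the report keys are this example's own.

```python
"""Verify that a VPC tier's network ACL is rendered in the VR's iptables.

Added example, not CloudStack code. Run as: python acl_check.py [iptables-save-dump]
"""
import sys

# Constructed sample: trimmed from the iptables-save output posted in the comment
# (only the chains relevant to the eth2 tier are kept; nat table omitted).
SAMPLE_OK = """\
*mangle
:PREROUTING ACCEPT [455:46866]
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.0.0/16 ! -d 10.4.0.0/16 -j ACCEPT
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
COMMIT
"""

# Constructed "bug" sample: same dump with every ACL_* line stripped, i.e. a VR on
# which the tier's ACL was never applied (the failure mode of CLOUDSTACK-6214).
SAMPLE_BUG = "\n".join(l for l in SAMPLE_OK.splitlines() if "ACL_" not in l) + "\n"


def parse_iptables_save(text):
    """Return {table: {chain: [rule-tokens, ...]}} from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            current = line[1:]
            tables[current] = {}
        elif line.startswith(":") and current:        # chain declaration
            tables[current].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and current:      # rule appended to a chain
            tokens = line.split()
            tables[current].setdefault(tokens[1], []).append(tokens[2:])
        elif line == "COMMIT":
            current = None
    return tables


def _rule_has(tokens, *needles):
    """True if every needle occurs as a contiguous token sequence in the rule."""
    text = " " + " ".join(tokens) + " "
    return all((" " + n + " ") in text for n in needles)


def _targets(rules):
    """Jump targets ('-j X') of a chain's rules, in order."""
    return [r[r.index("-j") + 1] for r in rules if "-j" in r]


def check_tier_acl(tables, iface, cidr, gateway):
    """Report on the ACL plumbing for one guest tier.

    Egress from the tier (-s cidr -i iface) is keyed into mangle/PREROUTING ->
    ACL_OUTBOUND_<iface>; traffic into the tier (-d cidr -o iface) into
    filter/FORWARD -> ACL_INBOUND_<iface>, exactly as the posted dump shows.
    """
    mangle, filt = tables.get("mangle", {}), tables.get("filter", {})
    out_chain, in_chain = f"ACL_OUTBOUND_{iface}", f"ACL_INBOUND_{iface}"
    egress_hook = any(_rule_has(r, f"-s {cidr}", f"! -d {gateway}", f"-i {iface}", f"-j {out_chain}")
                      for r in mangle.get("PREROUTING", []))
    ingress_hook = any(_rule_has(r, f"-d {cidr}", f"-o {iface}", f"-j {in_chain}")
                       for r in filt.get("FORWARD", []))
    eg, ing = _targets(mangle.get(out_chain, [])), _targets(filt.get(in_chain, []))
    return {
        "egress_chain": out_chain in mangle, "egress_hooked": egress_hook,
        "egress_targets": eg, "egress_default_deny": bool(eg) and eg[-1] == "DROP",
        "ingress_chain": in_chain in filt, "ingress_hooked": ingress_hook,
        "ingress_targets": ing, "ingress_default_deny": bool(ing) and ing[-1] == "DROP",
    }


def acl_applied(report):
    """True only when both directions are created, hooked and end in DROP."""
    return all(report[k] for k in ("egress_chain", "egress_hooked", "egress_default_deny",
                                   "ingress_chain", "ingress_hooked", "ingress_default_deny"))


if __name__ == "__main__":
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    rep = check_tier_acl(parse_iptables_save(dump), "eth2", "10.4.1.0/24", "10.4.1.1/32")
    for k, v in rep.items():
        print(f"{k:22} {v}")
    print("ACL applied:", acl_applied(rep))
```

Against the posted dump the report shows both chains present, hooked, and ending in `ACCEPT, DROP`, which is the expected rendering of an "allow ALL" ingress and egress rule followed by the default deny. Against the stripped sample it reports every check false, which is the condition the ticket's "Steps to reproduce" lead to.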