[https://issues.apache.org/jira/browse/CLOUDSTACK-9213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15085431#comment-15085431]
ASF GitHub Bot commented on CLOUDSTACK-9213:
--------------------------------------------
Github user wilderrodrigues commented on the pull request:
https://github.com/apache/cloudstack/pull/1311#issuecomment-169303235
Ping @remibergsma @miguelaferreira @michaelandersen
* Environment
- Management Server on CentOS 7.1
- 1 KVM Host on CentOS 7.1
- Agent + Common built from 4.7 source
* Manual tests

* Network ACL JSON file
```
root@r-3-VM:~#
root@r-3-VM:~# less /etc/cloudstack/networkacl.json
{
  "eth2": {
    "device": "eth2",
    "egress_rules": [],
    "ingress_rules": [
      {
        "allowed": true,
        "cidr": "10.0.0.0/8,0.0.0.0/0",
        "first_port": 22,
        "last_port": 22,
        "type": "tcp"
      }
    ],
    "mac_address": "02:00:7e:56:00:02",
    "nic_ip": "10.0.1.1",
    "nic_netmask": "26",
    "private_gateway_acl": false,
    "type": "networkacl"
  },
  "id": "networkacl"
}
/etc/cloudstack/networkacl.json (END)
```
* SSH into VM
```
sbpltk1zffh04:sbp_dev wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.5 (192.168.23.5)' can't be established.
RSA key fingerprint is 11:d8:17:ce:62:cf:f9:23:78:fe:ec:34:c3:90:6a:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.5' (RSA) to the list of known hosts.
[email protected]'s password:
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=48 time=9.879 ms
64 bytes from 8.8.8.8: seq=1 ttl=48 time=9.777 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.777/9.828/9.879 ms
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 02:00:76:53:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.28/26 brd 10.0.1.63 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::76ff:fe53:1/64 scope link
       valid_lft forever preferred_lft forever
#
```
* ACL inbound (iptables)
```
Chain ACL_INBOUND_eth2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             225.0.0.50
    0     0 ACCEPT     all  --  any    any     anywhere             vrrp.mcast.net
    2   128 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     10.0.0.0/8           anywhere             tcp dpt:ssh
    0     0 DROP       all  --  any    any     anywhere             anywhere
```
I will run the integration tests now.
> As a user I want to be able to use multiple ip's/cidrs in an ACL
> ----------------------------------------------------------------
>
> Key: CLOUDSTACK-9213
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9213
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.7.0, 4.7.1
> Reporter: Wilder Rodrigues
> Assignee: Wilder Rodrigues
> Priority: Critical
> Fix For: 4.7.2
>
>
> If you add multiple cidrs, separated by comma, when adding an acl item, this
> doesn't work. It used to work in 4.4 and is supported by iptables.
> This is a supported command, but CloudStack sends it in the wrong way:
> Example:
> "eth3": {
>   "device": "eth3",
>   "egress_rules": [
>     {
>       "allowed": true,
>       "cidr": "0.0.0.0/0",
>       "first_port": 53,
>       "last_port": 53,
>       "type": "tcp"
>     },
>     {
>       "allowed": true,
>       "cidr": "10.136.70.0/26-10.136.128.128/26-10.136.10.128/26-10.136.3.0/26-10.137.69.0/24-10.136.196.64/26-10.136.224.0/24-10.136.128.64/26-10.136.66.0/26-10.136.5.64/26-10.136.128.0/26-10.137.128.0/24-10.136.69.64/26-10.136.96.0/24-10.136.132.0/26-10.136.75.64/26-10.136.4.0/26-10.136.12.64/26-10.136.10.0/26-10.136.1.0/26-10.136.9.128/26-10.136.226.0/24-10.136.196.0/26-10.136.11.64/26-10.136.32.0/24-10.136.75.0/26-10.136.161.0/24-10.136.98.0/24-10.136.65.128/26-10.136.72.0/26-10.136.72.128/26-10.136.68.0/26-10.136.65.192/26-10.137.4.0/24-10.136.6.64/26-10.136.67.0/26-10.136.133.64/26-10.136.2.64/26-10.136.102.0/24-10.136.9.64/26-10.136.225.0/24-10.136.101.0/24-10.137.68.0/24-10.136.2.0/26-10.136.5.0/26-10.136.11.0/26-10.136.65.64/26-10.137.129.0/24-10.135.6.0/26-10.136.129.0/26-10.136.133.0/26-10.136.72.64/26-10.136.97.0/24-10.136.33.0/24-10.136.64.128/26-10.136.197.0/26-10.136.66.64/26-10.136.160.0/24-10.136.74.0/26-10.136.196.128/26-10.136.64.0/26-10.136.1.192/26-10.136.192.64/26-10.137.5.0/24-10.135.2.0/26-10.136.130.64/26-10.136.12.0/26-10.136.1.128/26-10.136.132.128/26-10.136.1.64/26-10.136.64.192/26-10.136.73.0/26-10.136.69.0/26-10.136.34.0/24-10.136.73.128/26-10.136.100.0/24-10.136.38.0/24-10.135.3.0/26-10.136.65.0/26-10.136.10.64/26-10.136.6.0/26-10.136.131.0/26-10.136.194.64/26-10.136.67.64/26-10.136.7.0/26-10.137.0.0/24-10.136.193.64/26-10.136.197.64/26-10.136.9.0/26-10.136.162.0/24-10.136.4.64/26-10.136.195.0/26-10.136.129.64/26-10.136.36.0/24-10.137.192.0/24-10.136.192.0/26-10.136.68.64/26-10.136.71.0/26-10.137.64.0/24-10.136.74.64/26-10.136.130.0/26-10.135.5.0/26-10.136.132.64/26-10.136.2.192/26-10.136.194.0/26-10.136.128.192/26-10.137.1.0/24-10.136.192.128/26-10.136.3.64/26-10.136.8.0/26-10.137.65.0/24-10.136.64.64/26-10.136.192.192/26-10.136.193.0/26-10.137.193.0/24-10.136.2.128/26-10.136.73.64/26-10.136.37.0/24",
>       "first_port": 135,
>       "last_port": 135,
>       "type": "tcp"
>     },
> This generates broken iptables commands:
> iptables -t filter -I ACL_INBOUND_eth3 4 -p tcp -s 195.66.90.59/32-195.66.90.65/32 -m tcp --dport 3389 -j ACCEPT
> The '-' should be a comma.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
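The defect in the ticket is a separator problem: the router must hand iptables a comma-separated CIDR list for `-s`, and a `-`-joined string is not a network at all. The script below is an added example, not code from the PR or from CloudStack's router scripts. It reads an ACL document shaped like the `networkacl.json` in the comment (the sample is constructed inline), validates every CIDR with `ipaddress` before a rule is built, renders iptables argument lists in the `ACL_INBOUND_<dev>` / `-p` / `-s` / `-m` / `--dport` layout quoted in the bug, and flags CIDRs that a wider entry already covers, which is why the chain listing above shows both an `anywhere` and a `10.0.0.0/8` rule for the same port. The `ACL_OUTBOUND_<dev>` chain name and `-d` for egress entries are assumptions made for this example, not CloudStack's own naming.

```python
import ipaddress
import json

# Constructed sample that mirrors the /etc/cloudstack/networkacl.json shown in
# the comment; it is not the real file taken from the router.
SAMPLE_ACL = json.loads("""
{
  "eth2": {
    "device": "eth2",
    "egress_rules": [],
    "ingress_rules": [
      {"allowed": true, "cidr": "10.0.0.0/8,0.0.0.0/0",
       "first_port": 22, "last_port": 22, "type": "tcp"}
    ],
    "mac_address": "02:00:7e:56:00:02",
    "nic_ip": "10.0.1.1",
    "nic_netmask": "26",
    "private_gateway_acl": false,
    "type": "networkacl"
  },
  "id": "networkacl"
}
""")


def split_cidrs(cidr_field):
    """Split an ACL 'cidr' field on commas and validate every entry.

    iptables accepts a comma-separated list for -s/-d, so ',' is the only
    separator honoured here. A '-'-joined string like the one in the bug
    report does not parse as a network and is rejected with ValueError
    instead of being passed through to iptables.
    """
    cidrs = []
    for raw in cidr_field.split(","):
        raw = raw.strip()
        if not raw:
            raise ValueError("empty CIDR entry in %r" % cidr_field)
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            raise ValueError("invalid CIDR %r in %r" % (raw, cidr_field)) from exc
        cidrs.append(str(net))
    return cidrs


def cidr_field_ok(cidr_field):
    """Pre-flight check: True only if every entry in the field parses."""
    try:
        split_cidrs(cidr_field)
        return True
    except ValueError:
        return False


def shadowed_cidrs(cidrs):
    """Return entries that a wider entry in the same list already covers.

    iptables expands a comma list into one rule per address, so a narrower
    entry next to 0.0.0.0/0 only produces a redundant rule.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in nets
            if any(o != n and n.subnet_of(o) for o in nets)]


def acl_rules(acl, device):
    """Render iptables argument lists for one device's ACL entries.

    Chain name and flag layout copy the command quoted in the bug report.
    ACL_OUTBOUND_<dev> with -d for egress is an assumption for this example.
    """
    dev = acl[device]
    rules = []
    for key, chain, addr_flag in (
        ("ingress_rules", "ACL_INBOUND_%s" % device, "-s"),
        ("egress_rules", "ACL_OUTBOUND_%s" % device, "-d"),
    ):
        for entry in dev[key]:
            proto = entry["type"]
            target = "ACCEPT" if entry["allowed"] else "DROP"
            args = ["iptables", "-t", "filter", "-A", chain, "-p", proto,
                    addr_flag, ",".join(split_cidrs(entry["cidr"]))]
            if proto in ("tcp", "udp"):
                first, last = entry["first_port"], entry["last_port"]
                port = str(first) if first == last else "%d:%d" % (first, last)
                args += ["-m", proto, "--dport", port]
            args += ["-j", target]
            rules.append(args)
    return rules


if __name__ == "__main__":
    for rule in acl_rules(SAMPLE_ACL, "eth2"):
        print(" ".join(rule))
    print("shadowed:", shadowed_cidrs(split_cidrs("10.0.0.0/8,0.0.0.0/0")))
    # The '-'-joined value from the ticket is refused before any rule is built.
    print("field ok:", cidr_field_ok("195.66.90.59/32-195.66.90.65/32"))
```

Validating the list before rendering means a malformed separator fails loudly in the agent log rather than leaving the chain without the intended rule, and the shadow check makes the redundant `10.0.0.0/8` entry beside `0.0.0.0/0` visible during review instead of only in the packet counters.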