[ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15327982#comment-15327982 ]

ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------

GitHub user pdube reopened a pull request:

    https://github.com/apache/cloudstack/pull/1581

    CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR.

    The comparator was inverted.
    
    Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
    
    In this example, I created rules with the port numbers the same as the rule numbers.
    
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       all  --  anywhere             anywhere
    
    We can see above that the rules are inverted.
    
    After the fix:
    
    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       all  --  anywhere             anywhere


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pdube/cloudstack network-acl-rules-order

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1581.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1581
    
----
commit caf4a48075e0f59b5d101efdd3ac6b1bee8f4f39
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-02T17:15:38Z

    Fixed ordering of network ACL rules being sent to the VR. The comparator was inverted

commit 4c97a3981dc0d543e02f62f2bb4fc2eb805545c6
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-02T17:44:39Z

    Added unit test to verify ordering

commit 9cdd23fdc77e643d886c3af8cb0a60f9c4ddf84f
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-03T12:48:47Z

    Added ASF license to unit test file

----


> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted



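A check an operator could run over `iptables -L` output from the VR to confirm that the ACL chain is in ascending rule order, as an added example that is not part of the pull request or CloudStack's code. It relies on the test setup described above (port number equals rule number) and assumes `netstat` resolves to 15/tcp as in `/etc/services`; the function names are hypothetical.

```python
import re
import socket

# Assumption: iptables -L prints service names for well-known ports;
# netstat is 15/tcp in /etc/services. Using `iptables -L -n` avoids the lookup.
SERVICE_PORTS = {"netstat": 15}

# Rule lines copied from the two chain listings in the pull request description.
BEFORE_FIX = """\
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       all  --  anywhere             anywhere
"""
AFTER_FIX = """\
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       all  --  anywhere             anywhere
"""

DPT = re.compile(r"\bdpt:(\S+)")

def dest_ports(listing):
    """Return the destination port of each port-matching rule, in chain order."""
    ports = []
    for line in listing.splitlines():
        m = DPT.search(line)
        if not m:
            continue  # rules without a dpt match (multicast accepts, final drop)
        name = m.group(1)
        # Numeric ports are used directly; names go through the table, then the OS.
        ports.append(int(name) if name.isdigit()
                     else SERVICE_PORTS.get(name) or socket.getservbyname(name, "tcp"))
    return ports

def out_of_order(listing):
    """Return adjacent (earlier, later) port pairs that break ascending order."""
    ports = dest_ports(listing)
    return [(a, b) for a, b in zip(ports, ports[1:]) if a > b]
```

An empty result from `out_of_order` means the chain matches the rule numbering; any pair returned marks a rule that iptables evaluates before a lower-numbered one.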