[ https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15327982#comment-15327982 ]
ASF GitHub Bot commented on CLOUDSTACK-9404:
--------------------------------------------

GitHub user pdube reopened a pull request:

    https://github.com/apache/cloudstack/pull/1581

    CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR.

    The comparator was inverted.

    Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404

    In this example, I created rules with the port numbers the same as the rule numbers.

    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       all  --  anywhere             anywhere

    We can see above that the rules are inverted.

    After the fix:

    Chain ACL_INBOUND_eth2 (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             225.0.0.50
    ACCEPT     all  --  anywhere             vrrp.mcast.net
    DROP       tcp  --  anywhere             anywhere             tcp dpt:2
    DROP       tcp  --  anywhere             anywhere             tcp dpt:3
    DROP       tcp  --  anywhere             anywhere             tcp dpt:5
    DROP       tcp  --  anywhere             anywhere             tcp dpt:10
    DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
    DROP       all  --  anywhere             anywhere

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/pdube/cloudstack network-acl-rules-order

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1581.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1581

----
commit caf4a48075e0f59b5d101efdd3ac6b1bee8f4f39
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-02T17:15:38Z

    Fixed ordering of network ACL rules being sent to the VR.
    The comparator was inverted

commit 4c97a3981dc0d543e02f62f2bb4fc2eb805545c6
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-02T17:44:39Z

    Added unit test to verify ordering

commit 9cdd23fdc77e643d886c3af8cb0a60f9c4ddf84f
Author: Patrick Dube <pd...@cloudops.com>
Date:   2016-06-03T12:48:47Z

    Added ASF license to unit test file

----

> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
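
Why the ordering reported above matters on a first-match firewall chain, as an added example that is not part of the original message or of the CloudStack code base: it sorts a small ACL with a correct and an inverted comparator and evaluates the same packet against both chains. The rule tuples, addresses and function names are constructed for illustration; it assumes rules are appended to the chain in sorted order and that the first matching rule decides.

```python
from functools import cmp_to_key
from ipaddress import ip_address, ip_network

# Constructed ACL items (not from the pull request):
# (rule number, action, source CIDR, TCP destination port).
# Intent: rule 2 blocks one subnet from SSH, rule 10 allows SSH for everyone else.
ACL_ITEMS = [
    (10, "ACCEPT", "0.0.0.0/0", 22),
    (2, "DROP", "203.0.113.0/24", 22),
    (5, "DROP", "0.0.0.0/0", 23),
]

def by_number(a, b):
    """Correct comparator: lower rule number sorts first."""
    return a[0] - b[0]

def by_number_inverted(a, b):
    """Inverted comparator: operands swapped, so higher numbers sort first."""
    return b[0] - a[0]

def build_chain(items, comparator):
    """Return the rules in the order they would be appended to the chain."""
    return sorted(items, key=cmp_to_key(comparator))

def verdict(chain, src, port, default="DROP"):
    """First-match evaluation: the first rule that matches decides."""
    for _number, action, cidr, dport in chain:
        if port == dport and ip_address(src) in ip_network(cidr):
            return action
    return default  # mirrors the trailing "DROP all" rule in the listings

def is_ascending(chain):
    """Sanity check to run on a generated chain before it is applied."""
    numbers = [rule[0] for rule in chain]
    return numbers == sorted(numbers)

if __name__ == "__main__":
    for name, cmp in (("fixed", by_number), ("inverted", by_number_inverted)):
        chain = build_chain(ACL_ITEMS, cmp)
        print(name, [r[0] for r in chain], "ascending:", is_ascending(chain))
        print("  203.0.113.9 -> tcp/22:", verdict(chain, "203.0.113.9", 22))
```

With the inverted comparator the broad ACCEPT (rule 10) is reached before the specific DROP (rule 2), so the subnet the ACL was meant to block is let through.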