[jira] [Commented] (CLOUDSTACK-9404) Network ACL rules in VPCs are applied in an inverted order

Tue, 28 Jun 2016 08:19:07 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15353178#comment-15353178
 ] 

ASF subversion and git services commented on CLOUDSTACK-9404:
-------------------------------------------------------------

Commit 3952e3e83e29fb79fbc409b29255813bd77ee1ac in cloudstack's branch 
refs/heads/4.7 from [~williamstev...@gmail.com]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3952e3e ]

Merge pull request #1581 from pdube/network-acl-rules-order

CLOUDSTACK-9404 Fixed ordering of network ACL rules being sent to the VR. The 
comparator was inverted.

Issue: https://issues.apache.org/jira/browse/CLOUDSTACK-9404

In this example, I created rules with the port numbers the same as the rule 
numbers.

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       all  --  anywhere             anywhere

We can see above that the rules are inverted.

After the fix:

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             vrrp.mcast.net
DROP       tcp  --  anywhere             anywhere             tcp dpt:2
DROP       tcp  --  anywhere             anywhere             tcp dpt:3
DROP       tcp  --  anywhere             anywhere             tcp dpt:5
DROP       tcp  --  anywhere             anywhere             tcp dpt:10
DROP       tcp  --  anywhere             anywhere             tcp dpt:netstat
DROP       all  --  anywhere             anywhere

* pr/1581:
  Added ASF license to unit test file
  Added unit test to verify ordering
  Fixed ordering of network ACL rules being sent to the VR. The comparator was 
inverted

Signed-off-by: Will Stevens <williamstev...@gmail.com>


> Network ACL rules in VPCs are applied in an inverted order
> ----------------------------------------------------------
>
>                 Key: CLOUDSTACK-9404
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9404
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.7.2, 4.8.0, 4.9.0
>            Reporter: Patrick D.
>            Assignee: Patrick D.
>
> Found the issue in the agent code. The comparator is inverted



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to