  1. CloudStack
  2. CLOUDSTACK-10135

ACL rules order is not maintained for ACL_OUTBOUND in VPC VR

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 4.10.0.0
    • None
    • Virtual Router
    • Security Level: Public (Anyone can view this level - this is the default.)
    • None

    Description

      Repro steps
      1. Create a VPC with super CIDR (172.16.0.0/16)
      2. Create a custom ACL with at least 3 ACL_OUTBOUND rules with number order like 15, 10, 20
      3. Create a tier with the above ACL
      4. Deploy an instance in the tier
      5. In the router, the ACL rules won't be as per the sequence number order
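
Why the order matters, as an added example (not CloudStack's code): a small Python model of a first-match chain that compares head insertion (`-I CHAIN`) with insertion before the last rule (`-I CHAIN <count>`, the form the fix extends to ACL_OUTBOUND). The sample ACL, the closing catch-all rule, the assumption that rules reach the router sorted by number, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ACL, created in the order 15, 10, 20 as in the repro steps.
# Each entry: (rule number, action, destination CIDR).
SAMPLE_ACL = [
    (15, "DROP", "192.0.2.0/24"),
    (10, "ACCEPT", "192.0.2.10/32"),
    (20, "ACCEPT", "0.0.0.0/0"),
]

# Assumption: the chain is closed by a single catch-all rule.
TERMINAL = ("DROP", "0.0.0.0/0")


def insert_head(chain, rule):
    """Model `iptables -I CHAIN <rule>`: without an index the rule becomes rule 1."""
    chain.insert(0, rule)


def insert_before_last(chain, rule):
    """Model `iptables -I CHAIN <count> <rule>` with count = current chain length.

    iptables rule numbers are 1-based and -I places the new rule at that
    number, so it lands just before the current last rule.
    """
    count = len(chain)
    if count == 0:
        # iptables rejects rule number 0; an empty chain needs an append instead.
        chain.append(rule)
    else:
        chain.insert(count - 1, rule)


def build_chain(acl_rules, insert):
    """Apply the ACL to a chain holding only the terminal rule.

    Assumption: rules are applied in ascending rule-number order.
    """
    chain = [TERMINAL]
    for _number, action, cidr in sorted(acl_rules):
        insert(chain, (action, cidr))
    return chain


def verdict(chain, dest_ip):
    """Return the action of the first rule whose CIDR contains dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    for action, cidr in chain:
        if addr in ipaddress.ip_network(cidr):
            return action
    return None  # no rule matched


if __name__ == "__main__":
    for name, insert in (("head insert", insert_head),
                         ("insert before last", insert_before_last)):
        chain = build_chain(SAMPLE_ACL, insert)
        print(name)
        for position, (action, cidr) in enumerate(chain, start=1):
            print("  %d %-6s %s" % (position, action, cidr))
        print("  verdict for 192.0.2.50:", verdict(chain, "192.0.2.50"))
```

With head insertion the broad ACCEPT (rule 20) ends up first and shadows the DROP for 192.0.2.0/24; with insertion before the last rule the chain follows the rule numbers.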


          Activity

            bhaisaab Rohit Yadav added a comment -

            PR accepted


            Commit 4f1539ee707c2d5cf48b454139b64998ddb484ac in cloudstack's branch refs/heads/master from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=4f1539e ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            (cherry picked from commit 60bec39b9ddb72c9badda49dc39c4105596bcb90)


            Commit f250b3ae0cf7efeef486f15474b606299d17318e in cloudstack's branch refs/heads/master from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=f250b3a ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            (cherry picked from commit 60bec39b9ddb72c9badda49dc39c4105596bcb90)


            Commit f250b3ae0cf7efeef486f15474b606299d17318e in cloudstack's branch refs/heads/4.10 from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=f250b3a ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            (cherry picked from commit 60bec39b9ddb72c9badda49dc39c4105596bcb90)

            githubbot ASF GitHub Bot added a comment -

            rhtyd commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344822195

            Thanks for merging @resmo however, let's wait for tests to come back before we merge PRs. I'll kick tests on the master/baseline smoketest PR #2289

            ----------------------------------------------------------------
            This is an automated message from the Apache Git Service.
            To respond to the message, please log on GitHub and use the
            URL above to go to the specific comment.

            For queries about this service, please contact Infrastructure at:
            users@infra.apache.org


            Commit 4f1539ee707c2d5cf48b454139b64998ddb484ac in cloudstack's branch refs/heads/4.10 from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=4f1539e ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            (cherry picked from commit 60bec39b9ddb72c9badda49dc39c4105596bcb90)


            Commit f250b3ae0cf7efeef486f15474b606299d17318e in cloudstack's branch refs/heads/4.9 from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=f250b3a ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            (cherry picked from commit 60bec39b9ddb72c9badda49dc39c4105596bcb90)

            githubbot ASF GitHub Bot added a comment -

            blueorangutan commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344530600

            Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1254

            githubbot ASF GitHub Bot added a comment -

            resmo commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344529623

            cherry-picking to 4.9 and 4.10


            Commit 60bec39b9ddb72c9badda49dc39c4105596bcb90 in cloudstack's branch refs/heads/master from yvsubhash
            [ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=60bec39 ]

            CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND in VPC VR (#2313)

            githubbot ASF GitHub Bot added a comment -

            resmo closed pull request #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313

            This is a PR merged from a forked repository.
            As GitHub hides the original diff on merge, it is displayed below for
            the sake of provenance:

            As this is a foreign pull request (from a fork), the diff is supplied
            below (as it won't show otherwise due to GitHub magic):

            diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
            index 9c6c2e56772..035125e4fea 100755
            — a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
            +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
            @@ -167,7 +167,7 @@ def compare(self, list):
            cpy = cpy.replace('-A', '-I')
            if isinstance(fw[1], int):

            1. if the rule is for ACLs, we want to insert them in order, right before the DROP all
            • if rule_chain.startswith("ACL_INBOUND"):
              + if rule_chain.startswith("ACL_INBOUND") or rule_chain.startswith("ACL_OUTBOUND"):
              rule_count = self.chain.get_count(rule_chain)
              cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), rule_count))
              else:
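
Review bot: on the `rule_count = self.chain.get_count(rule_chain)` line, which ACL_OUTBOUND chains now reach, the count is passed straight through as the `-I` position, and iptables rule numbers start at 1, so please confirm that an outbound chain always holds its closing rule before the first ACL rule is inserted, or guard the zero case. The comment above the condition still speaks of inserting "right before the DROP all" without saying it now covers both directions; updating it would help the next reader. The two `startswith` calls can be collapsed to `rule_chain.startswith(("ACL_INBOUND", "ACL_OUTBOUND"))`, and a regression test that pushes ACL_OUTBOUND rules numbered 15, 10, 20 and asserts the resulting chain order would pin the fix down.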

            githubbot ASF GitHub Bot added a comment -

            rhtyd commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344525090

            LGTM

            githubbot ASF GitHub Bot added a comment -

            blueorangutan commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344524902

            @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

            githubbot ASF GitHub Bot added a comment -

            rhtyd commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-344524667

            @blueorangutan package

            githubbot ASF GitHub Bot added a comment -

            blueorangutan commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343488530

            @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

            githubbot ASF GitHub Bot added a comment -

            rhtyd commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343488265

            @blueorangutan test

            githubbot ASF GitHub Bot added a comment -

            resmo commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343399473

            Related https://issues.apache.org/jira/browse/CLOUDSTACK-10043 we are verifying

            githubbot ASF GitHub Bot added a comment -

            blueorangutan commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343212053

            Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1234

            githubbot ASF GitHub Bot added a comment -

            blueorangutan commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343199858

            @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

            githubbot ASF GitHub Bot added a comment -

            rhtyd commented on issue #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313#issuecomment-343199651

            LGTM, pending testing.
            @blueorangutan package

            githubbot ASF GitHub Bot added a comment -

            yvsubhash opened a new pull request #2313: CLOUDSTACK-10135 ACL rules order is not maintained for ACL_OUTBOUND i…
            URL: https://github.com/apache/cloudstack/pull/2313

            …n VPC VR

            Repro steps
            1. Create a VPC with super CIDR (172.16.0.0/16)
            2. Create a custom ACL with at least 3 ACL_OUTBOUND rules with number order like 15, 10, 20
            3. Create a tier with the above ACL
            4. Deploy an instance in the tier
            5. In the router, the ACL rules won't be as per the sequence number order


            People

              Unassigned Unassigned
              yvsubhash subhash yedugundla